10 CFR 50.73(a)(2)(vii), Common Cause Inoperability

From kanterella
Jump to: navigation, search

Common Cause Inoperability

An LER is required for a common cause inoperability of independent trains or channels.

§ 50.73(a)(2)(vii) “Any event where a single cause or condition caused at least one independent train or channel to become inoperable in multiple systems or two independent trains or channels to become inoperable in a single system designed to:

(A) Shut down the reactor and maintain it in a safe shutdown condition;
(B) Remove residual heat;
(C) Control the release of radioactive material; or
(D) Mitigate the consequences of an accident.”

An LER is required for a common cause inoperability of independent trains or channels.

Discussion

This criterion requires those events to be reported in which a single cause or condition caused independent trains or channels to become inoperable. Common causes may include such factors as high ambient temperatures, heatup from energization, inadequate preventive maintenance, oil contamination of air systems, incorrect lubrication, use of nonqualified components, or manufacturing or design flaws. The event is reportable if the independent trains or channels were inoperable at the same time, regardless of whether or not they were discovered at the same time. (Example 2 below illustrates a case in which the second failure was discovered 3 days later than the first.) An event or failure that results in or involves the failure of independent portions of more than one train or channel in the same or different systems is reportable. For example, if a cause or condition caused components in train A and B of a single system to become inoperable, even if additional trains (e.g., train C) were still available, the event must be reported. In addition, if the cause or condition caused components in train A of one system and in train B of another system (i.e., the train that is assumed in the safety analysis to be independent) to become inoperable, the event must be reported. However, if a cause or condition caused components in train A of one system and train A of another system (i.e., trains that are not assumed in the safety analysis to be independent), the event need not be reported unless it meets one or more of the other reporting criteria.

Trains or channels, for reportability purposes, are defined as those redundant, independent trains or channels designed to provide protection against single failures. Many engineered safety systems containing active components are designed with at least a two-train system.

Each independent train in a two-train system can normally satisfy all of the safety system requirements to safely shut down the plant or satisfy those criteria that have to be met following an accident.

This criterion does not include those cases in which one train of a system or a component was removed from service as part of a planned evolution, in accordance with an approved procedure, and in accordance with the plant’s TS. For example, if the licensee removes part of a system from service to perform maintenance, and the TS permit the resulting configuration, and the system or component is returned to service within the time limit specified in the TS, the action need not be reported under this paragraph. However, if, while the train or component is out of service, the licensee identifies a condition that could have prevented the whole system from performing its intended function (e.g., the licensee finds a set of relays that is wired incorrectly), that condition must be reported.

Analysis of events reported under this part of the rule may identify previously unrecognized common cause (or dependent) failures and system interactions. Such failures can be simultaneous failures that occur because of a single initiating cause (i.e., the single cause or mechanism serves as a common input to the failures), or the failures can be sequential (i.e., cascading failures), such as the case in which a single component failure results in the failure of one or more additional components.

Examples

(1) Incorrect Lubrication Degrades Main Steam Isolation Valve Operation

During monthly operability tests, the licensee found that the Unit 2B inboard MSIV did not stroke properly as a result of a solenoid-operated valve failure. Both units were shut down from 100-percent power, and the solenoid-operated valves piloting all 16 MSIVs were inspected. The licensee found that the solenoid-operated valves on all 16 MSIVs were damaged. The three-way and four-way valves and solenoid pilot valves on all 16 MSIVs had a hardened, sticky substance in their ports and on their O-rings. As a result, motion of all the solenoid-operated valves was impaired, resulting in instrument air leakage and the inability to operate all of the MSIVs satisfactorily. The licensee also examined unused spares in the warehouse and found that the lubricant had dried out in those valves, leaving a residue. Several of the warehouse spares were bench tested. They were found to be degraded and also leaked. The root cause of the event was use of an incorrect lubricant.

The event is reportable (1) because a single cause or condition caused multiple independent trains of the main steam isolation system (a system designed to control the release of radioactive material and mitigate the consequences of an accident) to become inoperable (10 CFR 50.73(a)(2)(vii)(C) and (D)), and (2) because a single condition could have prevented fulfillment of a safety function (10 CFR 50.73(a)(2)(v)).

(2) Marine Growth Causing Emergency Service Water To Become Inoperable (Common Mode Failure Mechanism)

With Unit 1 at 74-percent power and Unit 2 at 100-percent power, emergency service water (ESW) pump 1A was declared inoperable because its flow rate was too low to meet acceptance criteria. Three days later, with both units at the same conditions, ESW pump 1C was declared inoperable for the same reason. The ESW pumps are the source of water from the intake canal during a design-basis accident. In both cases, the cause was marine growth of hydroids and barnacles on the impeller and suction of the pumps. Following maintenance, both pumps passed their performance tests and were placed in service. Pump testing frequency was increased to more closely monitor pump performance.

This event is reportable because a single cause or condition caused two independent trains to become inoperable in a single system designed to mitigate the consequences of an accident (10 CFR 50.73(a)(2)(vii)(D)).

(3) Testing Indicated Several Inoperable Snubbers

The licensee found 11 inoperable snubbers during periodic testing. All of the snubbers failed to lock up in tension and/or compression. These failures did not render their respective systems inoperable but did render trains inoperable. Improper lockup settings and/or excessive seal bypass caused these snubbers to malfunction. These snubbers were designed for low-probability seismic events. Numerous previous similar events have been reported by this licensee.

This condition is reportable because the condition indicated a generic common mode problem that caused numerous multiple independent trains in one or more safety systems to become inoperable. The potential existed for numerous snubbers in several systems to fail following a seismic event, rendering several trains inoperable (10 CFR 50.73(a)(2)(vii)).

(4) Stuck High-Pressure Injection System Check Valves as a Result of Corroded Flappers

The licensee reported that check valves in three of four high-pressure injection (HPI) lines were stuck closed. The unit had been shut down for refueling and maintenance.

A special test of the check valves revealed that three stop check valves failed to open when a differential pressure up to the capacity of the pump was applied. Further review showed that the common cause of valve failure was the flappers corroding shut.

The event is reportable because a single cause or condition caused at least two independent trains of the HPI system to become inoperable. This system is designed to remove residual heat and mitigate the consequences of an accident. The condition is therefore reportable under 10 CFR 50.73(a)(2)(vii)(B) and (D) (common cause failure in systems designed to remove residual heat and mitigate accidents).