Report a Safety Concern
Search
Home NRC Library Document Collections Generic Communications Regulatory Issue Summaries 1999

99-003: Resolution of Generic Issue 145, Actions to Reduce Common-Cause Failures

October 13, 1999

To top of page

ADDRESSEES

All holders of operating licenses for nuclear power reactors, except for those licensees who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.

To top of page

INTENT

The U.S. Nuclear Regulatory Commission is issuing this regulatory issue summary (RIS) to notify nuclear power reactor licensees about the staff's resolution of Generic Issue (GI) 145, "Actions to Reduce Common-Cause Failures," and to communicate the broad insights that have been developed from the staff's review of the common-cause failure (CCF) events identified in licensee event reports during the 15-year period between 1980 and 1995. This RIS does not transmit any new requirements or staff positions. No specific action or written response is required.

To top of page

BACKGROUND INFORMATION

Prevention of CCFs is very important to ensuring nuclear power reactor safety. For highly redundant systems, CCFs can be a major cause of system failure. The accident at Three Mile Island in 1979 and the loss of main and auxiliary feedwater incident at Davis-Besse in 1985 were examples of occurrences involving CCFs. NRC studies have shown the importance of CCFs, and probabilistic risk assessments (PRAs) routinely identify CCFs as important contributors to potential core damage sequences and risk. Licensee event reports and operating experience studies have identified actual and potentially significant CCFs. GI-145 was established to determine whether additional cost-effective actions to reduce the potential for significant common-cause failures were appropriate.

To resolve GI-145 and to address deficiencies related to the availability and analysis of CCF data, the staff developed a CCF database and CCF analysis software package for addressing the CCF aspect of system reliability analyses and related risk-informed applications. The CCF database contains (1) guidance on the screening and interpretation of data and (2) relevant event data to provide a more uniform and cost-effective way of performing CCF analyses. In July 1998, the NRC issued Administrative Letter 98-04, "Availability of Common-Cause Failure Database." This administrative letter notified nuclear power reactor licensees of the availability of the CCF database, CCF analysis software, and associated technical reports that had been developed by the NRC. As noted in the administrative letter, the quantitative results of the CCF data collection effort is described in NUREG/CR-6268, "Common-Cause Failure Database and Analysis System." Additionally, by letter dated July 30, 1998, the NRC sent nuclear power reactor licensees a CD-ROM containing the CCF database together with supporting technical documentation, including an analysis software package, to aid in system reliability analyses and risk-informed applications. Some quantitative insights about the data were also published in NUREG/CR-5497, "Common-Cause Failure Parameter Estimations," for use in PRA studies.

To top of page

SUMMARY OF ISSUE

With the dissemination of NUREG/CR-6268 information in Administrative Letter 98-04 and the distribution of the CD-ROM on the CCF database and its use, the staff concluded that the objectives of GI-145 had been substantially achieved without the need for developing new or revised requirements. This conclusion was based in large measure on the recognition that the existing infrastructure of regulations, operating experience review processes, probabilistic risk assessments programs, licensee safety review processes, and NRC regulatory oversight programs provide a robust framework for identifying and correcting potentially significant CCFs. The existing NRC infrastructure has been further strengthened, for example, by providing CCF insights for NRC inspections and the dissemination of NUREG/CR-6268 information in support of consistent and correct treatment of CCFs in PRAs. An additional basis for closure of GI-145 is the recognition that the trend in yearly occurrence rate for complete(1) CCF events has steadily declined over the last two decades, as is shown in Figure 1. Note, however, that caution should be used in extrapolating the fitted trend lines.

Although the general insights from the analysis of the CCF data are documented in Volume 1 of NUREG/CR-6268, the staff determined that it would be beneficial to augment Administrative Letter 98-04 with a summary that specifically highlights for nuclear reactor licensees the CCF event insights in NUREG/CR-6268. Accordingly, the general observations from the analysis of the CCF event data are summarized in the paragraphs that follow.

To top of page

General Insights From CCF Events

Basic information about the nature of CCF events is shown in Figures 2 and 3. These figures illustrate the distribution of the proximate causes and coupling factors,(2) respectively, for CCF events during 1980-1995. This information presents a general picture of the types of events that may be expected to occur, and which design features might be most susceptible to CCF events.

Yearly occurence rate for completed CCF events, consisting of a vertical bar graph with violet colored bars (the color represents Estimated). The left side contains a scale (measured by the vertical bars) with the following: Occurence Rate for Complete CCF Events (per year); at the bottom is zero, then ascending are 0.05, 0.1, 0.15, 0.2, 0.25, 0.3, 0.35 at the top; The bottom scale consists of Year values from 80 through 95; There are 3 different lines running through the graph on top of the veritcal bars: a solid line; a dashed line; and a dotted line. A key at the bottom contains these values: the purple colored bars represent Estimated; solid line represents Fitted; dashed line represents 5% Bound; dotted line represents 95% Bound

To top of page

Figure 1. Yearly occurrence rate for complete CCF events

These figures also illustrate the different characteristics of partial CCF events(3) and complete CCF events.

A general review of the actual events and the distributions presented in Figures 2 and 3 reveals the following insights regarding CCF events:

  • A major programmatic contributor to CCF events is maintenance practices. The frequency of scheduled maintenance has been a factor in wear out-caused and aging-caused events. Additionally, the quality of the maintenance, in terms of both the maintenance procedures and the performance of the maintenance activities, is a key factor. Similar events have occurred at different plants—lubrication of circuit breakers (too much, too little, or too long between lubrications) and improperly set torque switches and limit switches on motor-operated valves that are reported as misadjustment and not as set point drift. This indicates the importance of the review of maintenance practices in minimizing CCF potential.
  • Another significant contributor to CCFs is design problems. Many of the design-related CCF events resulted from a design modification, indicating that the modification review processes were not sufficiently rigorous and resulted in conditions that introduced susceptibility to CCF.
  • Human errors related to procedural problems caused a small percentage of the total events. However, the impact of the individual events was usually greater, since the human errors often defeated the programmatic controls (e.g., procedures, vendor maintenance guidance). This is illustrated by comparing Figures 2b and 2a, which show that human errors cause a larger portion of complete CCF events than partial CCF events. Examples of events caused by human error are (1) simultaneously draining all emergency diesel generator day tanks for a chemistry surveillance and (2) having redundant pump motor breakers racked out as the plant changed mode from shutdown to power.
  • A vast majority of the CCF events are not due to multiple failures associated with an operational demand, but result from a "condition of equipment." The most common is an inspection or surveillance test of one component revealing a deficiency that prompts the licensee to inspect/test the redundant component, resulting in the discovery that the same defective condition is common to both components. This illustrates that detection of failures during the testing and surveillance program can prevent CCFs from occurring during demand situations.

Distribution of causes of complete and partial CCF events

2a. Distribution of causes of complete and partial CCF events

Distribution of causes of only the complete CCF events

2b. Distribution of causes of only the complete CCF events

To top of page

Figure 2. Distribution of CCF events by cause

Distribution of coupling factors for both complete and partial CCF events

3a. Distribution of coupling factors for both complete and partial CCF eventsDistribution of coupling factors for only complete CCF events

3b. Distribution of coupling factors for only complete CCF events

To top of page

Figure 3. Distribution of CCF events by coupling factors

  • The CCF database contains several examples of both CCF and independent failure events recurring at selected plants. This indicates varied effectiveness of root cause analyses and corrective actions from plant to plant. Examples of repeated events are water in compressed air systems, pump seal wear out, and turbine governor misadjustment. However, not all plants experience the same type of recurring event. This indicates that plant-to-plant variability exists in the CCF parameters that might cause the CCF parameter estimates used in PRAs for some plants to be higher than the industry average for certain component and system combinations.

Table 1 lists the systems, component types, and failure modes for which CCF events have been collected and entered into the database. It also contains the number of CCF events for each system and component combination and the number of independent failure events. Table 1 shows only the event counts for failure modes that are relevant to PRA studies. Other failure modes, such as failure to close for reactor trip breakers, were found in the source data; these events were coded and entered into the CCF database, even though they are not likely to be used in PRA studies.

To top of page

SPECIFIC INSIGHTS FROM CCF EVENTS

The NRC plans to update the CCF events database and document more specific observations and insights on the characteristics of CCF events for classes of risk-significant component groups such as emergency diesel-generators, pumps, motor-operated valves, air-operated valves, check valves, batteries/chargers, circuit breakers, heat exchangers and strainers. It is anticipated that CCF insights reports will be periodically published over the next few years for each group and will include operational and engineering insights for CCF events including aspects such as causes, coupling factors, and frequency of occurrence. Accordingly, as these studies are completed, the NRC plans to periodically supplement this RIS with more specific and detailed component-level CCF insights.

With the transmittal of the general insights from NUREG/CR-6268, Vol. 1 in this RIS the actions required for final resolution of GI-145 have been completed. The staff determined that a notice of opportunity for public comment prior to issuance of this RIS was unnecessary because it is informational and merely augments the NUREG/CR documents and administrative letter noted in the background discussion, and the information presented herein was discussed in a public forum with the Advisory Committee on Reactor Safeguards.

To top of page

Table 1. Component types and systems analyzed for CCF events (1980-1995)

Component Type PRA-Relevant Failure Modes Systems Analyzed for the Component Type Number of CCF Events(4) for System and Component Type Number of Independent Failures for System & Component Type Total Number of CCF Events(5) for Component Type Total Number of Independent Failures for Component Type
Air-Operated Valves Fail to Open Auxiliary Feedwater 42 197 191 505
Fail to Close High Pressure Injection 2 28
Fail to Stay Closed Isolation Condenser 1 9
    Main Steam Isolation (BWR/PWR) 146 271    
Batteries/

Chargers

No Output, High Output DC Power (BWR & PWR) 60 1,260 60 1,260
Check Valves Fail to Open Auxiliary Feedwater 59 201 147 556
Fail to Close High Pressure Injection 23/21 84/145
Fail to Stay Closed Low Pressure Injection 23/21 88/38
Circuit Breakers Fail to Open DC Power (BWR/PWR) 8 112 116 989
Fail to Close AC Power (BWR/PWR) 82 746
Fail to Stay Closed Reactor Trip Breakers 26 131
Emergency Diesel Generators Fail to Start, Run Emergency Power (BWR/PWR) 131 1,346 131 1,346
Heat Exchangers Fail to Transfer Heat Containment Spray (PWR) 10 14 18 29
  Residual Heat Removal 8 15
Motor-Operated Valves Fail to Open Auxiliary Feedwater 27 422 192 2,568
Fail to Close Containment Spray (PWR) 15 250
Fail to Stay Closed High Pressure Injection 11/40 369/292
  Isolation Condenser 2 44
  Low Pressure Injection 61/23 492/470
  Pressurizer (PWR) 7 155
  Refueling Water Storage 6 74
Pumps Fail to Start Auxiliary Feedwater 51 919 280 3,507
  Emergency Service Water 141 1,184
  High Pressure Injection 2/42 343/481
  Low Pressure Injection 9/25 148/362
  Standby Liquid Control 10 70
Relief Valves Fail to Open BWR Primary System 37 237 115 976
Fail to Close Pressurizer (PWR) 22 334
Fail to Stay Closed Steam Generator (PWR) 56 405
Safety Valves Fail to Open Pressurizer (PWR) 6 119 38 280
Fail to Close Steam Generator (PWR) 32 161
Fail to Stay Closed      
Strainers Fail to Allow Flow Containment Spray (PWR) 1 0 39 162
Emergency Service Water (BWR/PWR) 36 162
Suppression Pool (BWR) 2 0

This RIS requires no specific action or written response. If you have any questions about the information in this RIS, please contact one of the technical contacts listed below.

To top of page

  Original signed by

David B. Matthews, Director
Division of Regulatory Improvement Programs
Office of Nuclear Reactor Regulation

Attachment: Recent List of NRC Regulatory Issue Summaries
Technical Contacts: Dale Rasmuson, RES
301-415-7571
E-mail: Dale.Rasmuson@nrc.gov
  Ronald Emrit, RES
301-415-6447
E-mail: Ronald.Emrit@nrc.gov
(NUDOCS Accession Number 9910060044)

1 A complete CCF event is one in which all of the components are completely failed (not degraded), and the failures occur within a short time period of each other.

2 A coupling factor is a characteristic of a group of components that identifies them as susceptible to the same cause of failure. Such characteristics include similarity in hardware, maintenance, environment, or operation. Examples of coupling factors are (1) the same defective design in multiple identical components (hardware), (2) an incorrect set point specified in the calibration procedure for multiple relief valves (operational), and (3) emergency diesel generator (EDG) fuel oil contamination that disables all EDGs (environmental).

3 Any CCF event which is not a complete CCF event. At least one component in the group is not completely, but partially, failed or one of the failures does not occur within a short time interval of the original failure, or there is uncertainty about the shared cause.

4 Includes partial (degradations) and complete failure CCF events

5 Includes partial (degradations) and complete failure CCF events

To top of page

Page Last Reviewed/Updated Tuesday, March 09, 2021