Resolution of Generic Safety Issues: Issue 123: Deficiencies in the Regulations Governing DBA and Failure Criterion Suggested by the Davis-Besse Incident of June 9, 1985 (Rev. 1) (NUREG-0933, Main Report with Supplements 1–34)
Following the Davis-Besse event in June 1985, potential inadequacies of nuclear power plant design criteria and safety analyses were raised in a DST/NRR memorandum (Ref. 1323). These concerns were: (1) root causes of DBAs are not analyzed and may initiate or exacerbate a plant transient involving an initiating event; (2) allowable outage times (AOTs) and limiting conditions of operation (LCOs) may be inadequate since they are derived from potentially flawed DBA analyses; (3) high-probability common cause failures are not adequately addressed in licensing requirements; and (4) single human errors that may have a broader effect than active failures are not covered.
(1) Root Causes of DBAs: This concern addressed the possibility that auxiliary or support system failures may cause a plant transient or initiating event, as well as result in failure of one or more safety systems to perform their intended function. This concern was addressed, in part, in the resolution of Issues A-17, A-44, and A-45.
Issue A-17 specifically addressed: (1) events involving transients and loss of at least one redundant portion of any one of the systems required to respond to a transient; (2) initiating events and similar failures of redundant safety systems; and (3) degradation of safety systems by non-safety systems, as well as degradation of auxiliary support systems such as SSW, CCW, and AC/DC power. The results of studies (Ref. 1232) indicated that the causes and effects of systems interactions were plant-specific in nature due to the differences in plant designs. In addition, it was demonstrated that plant-specific PRAs were effective tools for identifying vulnerabilities to systems interactions. Currently, licensees are required to perform IPEs that include an evaluation of common cause (dependent) failures, of which systems interactions are a subset (Ref. 1222). The information and insights gained from the Issue A-17 studies have been provided to licensees to assist in the identification and evaluation of system interactions and other common cause failures. Licensees are expected to propose plant-specific procedure and/or hardware modifications, where appropriate, to reduce their vulnerabilities to such events. Consequently, vulnerabilities to the root causes of DBAs are being systematically identified and corrected, as determined by licensees, on a plant-specific basis in the IPE process.
Issue A-44 addressed the likelihood and duration of losses of offsite power, the redundancy and reliability of onsite emergency AC power sources (e.g., diesel generators), and the effects on plant risk of failures of all AC power sources. Support system failures were important aspects of these analyses, particularly DC instrumentation and control power supplies, instrument air supplies, and auxiliary cooling systems such as SSW and CCW. Resolution of this concern involved improving the reliability of onsite AC power systems and strengthening each plant's capability to cope with an extended loss of AC power.
Issue A-45 addressed potential improvements in the reliability of shutdown decay heat removal systems that are required to operate after a transient or initiating event and included support system failures and single-point vulnerabilities. It was concluded in NUREG-1289 (Ref. 1326) that resolution of Issue A-45 could only be achieved on a plant-specific basis; this is being implemented as part of the IPE process. Licensees were directed to identify decay heat removal vulnerabilities and to determine if cost-effective solutions to these vulnerabilities could be achieved.
In addition to this concern being addressed in part by resolution of Issues A-17, A-44, and A-45, IPEs currently underway by each licensee are expected to search for vulnerabilities stemming from support system failures. It is expected that these IPEs, when completed, will contain dependency tables (or other similar methods of displaying dependencies) that identify dependencies between initiating events and mitigating functions or systems. It is also expected that licensees will move expeditiously to correct any identified vulnerabilities that warrant correction in accordance with Generic Letter 88-20 (Ref. 1222).
(2) AOTs and LCOs: This concern relates to the fact that AOTs and LCOs may be derived from the results of DBA analyses; if the DBA analyses are inadequate, then the AOTs and LCOs may also be inadequate. Since it is not uncommon for a plant to have several components out of service at the same time, the potential exists for operation of a plant in a dangerous configuration in which two or more components that appear in the same accident sequence are out of service. The concern focused on outages for diverse components that are not necessarily in the same safety system, such as simultaneous outage of valves in the high-pressure injection system (HPIS) and the low-pressure injection system (LPIS).
This concern deals with AOTs for components and the possibility that a plant may be operating one active component failure away from core damage. A large fraction of the potential core damage probability and public risk reduction associated with this concern would come from removing the vulnerabilities associated with the component outages. AOTs and LCOs were addressed in Issue 117, where the approach to evaluating the change in core damage probability was to remove the test/maintenance unavailability from basic events in each cut set that contained multiple test/maintenance outage terms. This analysis assumed a scenario that precluded the possibility that a plant could be operating at full power with vital equipment in different ESF systems down for maintenance, and it effectively removed the vulnerabilities associated with AOTs and LCOs on components in different ESF systems and in redundant divisions of each ESF system. Issue 117 was not pursued separately because its safety concern was addressed as part of the staff's Technical Specification Improvement Program (TSIP). In addition, as part of the implementation of the Maintenance Rule (Ref. 1338), licensees should make an assessment of the total plant equipment that is out of service during power operation. This assessment is to ensure that the objective of preventing failures by performing maintenance is appropriately balanced against the objective of minimizing unavailability.
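The Issue 117 screening described in this paragraph, as an added worked example that is not part of NUREG-0933: a handful of minimal cut sets with constructed probabilities is evaluated once as-is and once with the test/maintenance (T/M) unavailability removed from every cut set that carries two or more T/M terms. The split of each basic event into a random-failure part and a T/M part, the rare-event summation, and every numerical value are assumptions made for illustration, not plant data.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class BasicEvent:
    """One basic event in a cut set. The split of unavailability into a
    random-failure part and a T/M-outage part is an assumption for this example."""
    name: str
    failure: float    # random failure-on-demand probability
    tm_outage: float  # test/maintenance unavailability; 0.0 if never taken out of service

    def unavailability(self, include_tm: bool = True) -> float:
        return self.failure + (self.tm_outage if include_tm else 0.0)

# Constructed sample data (illustrative values only, not plant values)
IE = BasicEvent("loss_of_main_feedwater", 1e-1, 0.0)  # initiating-event term
HPI_A = BasicEvent("hpis_train_a_valve", 1e-3, 5e-3)
HPI_B = BasicEvent("hpis_train_b_valve", 1e-3, 5e-3)
LPI_A = BasicEvent("lpis_train_a_valve", 2e-3, 4e-3)
AFW = BasicEvent("afw_pump", 5e-3, 0.0)

CUT_SETS = [
    (IE, HPI_A, HPI_B),  # redundant divisions of one ESF system: two T/M terms
    (IE, HPI_A, LPI_A),  # valves in HPIS and LPIS out together: two T/M terms
    (IE, AFW, HPI_B),    # only one T/M term; left untouched by the screening
]

def cut_set_prob(cut_set, include_tm: bool = True) -> float:
    """Product of the basic-event unavailabilities in one minimal cut set."""
    return prod(e.unavailability(include_tm) for e in cut_set)

def cdp(cut_sets, strip_multi_tm: bool = False) -> float:
    """Rare-event (sum over cut sets) estimate of core damage probability.
    With strip_multi_tm=True, every cut set carrying two or more T/M terms is
    evaluated without its T/M contributions, mirroring the Issue 117 screening."""
    total = 0.0
    for cs in cut_sets:
        tm_terms = sum(1 for e in cs if e.tm_outage > 0.0)
        total += cut_set_prob(cs, include_tm=not (strip_multi_tm and tm_terms >= 2))
    return total

def aot_lco_delta(cut_sets) -> float:
    """CDP reduction attributable to simultaneous T/M outages in one sequence."""
    return cdp(cut_sets) - cdp(cut_sets, strip_multi_tm=True)

if __name__ == "__main__":
    base, screened = cdp(CUT_SETS), cdp(CUT_SETS, strip_multi_tm=True)
    print(f"baseline CDP {base:.2e}, screened {screened:.2e}, delta {base - screened:.2e}")
```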
(3) High Probability Common Cause Failures: Issue A-17 addressed, among other things, the potential for common cause events involving systems/components that share physical connections or spatial configurations, or that could cause operator errors resulting from operator disinformation or inhibition of an operator's ability to respond to a malfunction (Ref. 1233). An example that was addressed in the Issue A-17 analyses was a high-energy line break and the possibility that adverse environmental conditions resulting from such an event could induce failures in one or more safety systems designed to respond to the event. This is an example of a spatially-coupled system interaction. Other examples include seismic events, fires, and floods that could affect the operability of equipment/systems located in close proximity to each other; interactions between normal offsite and emergency onsite AC power systems (e.g., sharing common breakers or power distribution buses); and common support systems, cross-connects, and other functional dependencies.
As discussed previously, the staff concluded that plant-specific analyses were necessary to accurately identify, evaluate, and resolve (where appropriate) vulnerabilities to systems interactions. The plant-specific IPE program (Ref. 1222) includes an assessment of common cause or dependent failures. Since systems interactions are a subset of common cause failures, this concern is covered in the performance of the IPEs.
Issue A-47 also addressed aspects of this concern, including single failures or multiple failures which could cause a malfunction in one or more control systems. Such malfunctions may result in an undesirable control system response or provide misleading information to an operator. The analyses (Ref. 1248) in support of the resolution of Issue A-47 identified potential control system failures that could cause overpressure, overcooling, overheating, overfilling, or reactivity events. All of these events are covered in DBA analyses. Requirements were established that, in general, provide or enhance systems to protect against reactor vessel/steam generator overfill events and to prevent steam generator dryout, enhance procedures and provisions to verify the operability of these systems, and modify selected procedures to respond to small-break LOCAs. This concern was considered to be resolved.
(4) Single Human Errors: This concern relates to the possibility that a single human error could potentially result in a plant transient or initiating event and defeat one or more divisions of a safety system. At the time of the initial evaluation of this issue in December 1991, no events of this type had been identified in plant operating experience, although the Davis-Besse incident was one that involved two human errors and a flawed Steam and Feedwater Rupture Control System. Therefore, it appeared unlikely that significant vulnerabilities to single human errors existed in the industry.
Issues A-17, A-44, A-45, and A-47 addressed various aspects of this concern as contributors to system failures, including degradation of operator information that could lead to operator "blindness," incorrect operator actions, and human errors. The analyses performed in support of these issues considered, for the most part, the possibility that a single operator action could defeat one or more divisions of an ESF system. In addition, in situations where operator actions are necessary but the integrity of the information in the control room may be questionable (such as following a station blackout), it was assumed that the operator would not respond correctly. This effectively addressed single human errors that may defeat an ESF system that otherwise would be operable.
Single human errors may also initiate a plant transient. Instances can be found in LERs in which single human errors have resulted in plant shutdowns, such as maintenance errors during electrical switchgear work that result in main feedwater isolation or interruption of vital AC power sources. Maintenance errors on the non-nuclear side of a plant that resulted in turbine-generator trips have also occurred. However, up to the time of this evaluation, such failures had not resulted in the occurrence of a transient and simultaneous failure of the ESF systems that are designed to respond to the transient. This was primarily because of the redundancy and diversity of plant systems, particularly ESF systems, that are designed to minimize the effects of single failures by maintaining separation of different divisions of vital plant equipment. This conclusion was supported by the results of a number of PRAs, including NSAC-60 (Ref. 889) and the PRAs prepared in support of NUREG-1150 (Ref. 1081), in which no accident sequences initiated by single human errors were found to contribute significantly to core damage probability.
Since this issue was raised, all the safety concerns have been or will be adequately addressed in the resolution of Issues A-17, A-44, A-45, and A-47, the evaluation of Issue 117, the IPE program (Ref. 1222), and the Maintenance Rule (Ref. 1338). Thus, this issue was DROPPED as a new and separate issue. In an RES evaluation (Ref. 1564), it was concluded that consideration of a 20-year license renewal period did not change the priority of the issue.