Resolution of Generic Safety Issues: Issue 172: Multiple System Responses Program (Rev. 2) (NUREG-0933, Main Report with Supplements 1–34)
In resolving GSIs over the years, the staff generally found it necessary to make assumptions and establish limitations on the scope of the issues. As a result of its review of the resolution of some GSIs, the ACRS expressed concerns that the assumptions and limitations on the scope of the issues, the lack of thorough coordination among issues, and the inconsistent assumptions for related issues may have resulted in some potentially significant safety concerns not being addressed. Specifically, these concerns were raised in ACRS meetings during the resolution of Issues A-17, A-46, and A-47. To address these concerns, RES initiated the Multiple System Responses Program (MSRP) in 1986.
The purpose of the MSRP was to gather and review documentation (correspondence, meeting minutes, etc.) for the issues and other programs of interest and, from this documentation, describe potential safety concerns that were identified or expressed by the ACRS or NRC staff. The issues selected for the MSRP were A-17, A-46, and A-47. Issues that involved concerns similar to those addressed in the resolution of these three issues were also considered and included: (1) equipment qualification (10 CFR 50.49); (2) fire protection rules (10 CFR 50.48 and 10 CFR 50, Appendix R); and (3) related guidelines and reviews implemented based on the SRP [11]. In the MSRP, evaluations or judgments were not made regarding the validity of the concerns; rather, the concerns were examined, documented, and potential safety issues were defined as specifically as possible. The results of this effort were documented in NUREG/CR-5420 [1237].
In NUREG/CR-5420 [1237], related concerns were grouped into defined potential safety issues and information was provided to assist the staff in evaluating them. This grouping was based on the following criteria: (1) concerns that had the same initiator (e.g., seismic event, flooding/moisture intrusion, fires); (2) concerns that related to a particular class of failures or failure modes (e.g., degradation of component performance rather than "failure," or common cause failures); (3) concerns that related to a particular group of components or systems (e.g., non-safety-related control system and safety-related protection system dependencies); (4) concerns that already existed as GSIs; and (5) concerns that were unrelated to other concerns or that were being evaluated through separate research activities and should be separate issues. Applying these criteria to the identified concerns yielded 21 potential safety issues.
Of the 21 MSRP concerns, the staff concluded that eleven were to be covered in the IPE or IPEEE Programs. The remaining ten concerns were dropped from further consideration as new and separate issues because eight were included in the scope of existing generic issues or other ongoing NRC programs, one (Item 4) had negligible risk reduction potential, and one (Item 9) was deemed to be a compliance concern. This conclusion was reached after several meetings between the ACRS and the staff and an extensive review [1581] of the ACRS concerns by the staff. A comprehensive report [1580] on the staff's findings was submitted to the ACRS. The following is a summary of the staff's findings:
(1) Common Cause Failures Related to Human Errors (IPE)
(2) Non-Safety-Related Control System/Safety-Related Protection System Dependencies (IPE)
(13) Effects of Fire Suppression System Actuation on Non-Safety-Related and Safety-Related Equipment (IPEEE)
(14) Effects of Flooding and/or Moisture Intrusion on Non-Safety-Related and Safety-Related Equipment (IPE/IPEEE)
(15) Seismically-Induced Spatial and Functional Interactions (IPEEE)
(16) Seismically-Induced Fires (IPEEE)
(17) Seismically-Induced Fire Suppression System Actuations (IPEEE)
(18) Seismically-Induced Flooding (IPEEE)
(19) Seismically-Induced Relay Chatter (IPEEE)
(20) Evaluation of Earthquake Magnitudes Greater Than the Safe Shutdown Earthquake (IPEEE)
(21) Effects of Hydrogen Line Ruptures (IPEEE)
(3) Failure Modes of Digital Computer Control Systems
(4) Specific Scenarios Not Considered in USI A-47
(5) Effects of Degradation of HVAC Equipment on Control and Protection Systems
(6) Failure Modes Resulting from Degraded Electric Power Sources
(7) Failure Modes Resulting from Degraded Compressed Air Systems
(8) Potential Effects of Untimely Component Operation
(9) Propagation of Environments Associated with DBEs
(10) Evaluation of Heat, Smoke, and Water Propagation Effects Resulting from Fires
(11) Synergistic Effects of Harsh Environmental Conditions
(12) Environmental Qualification of Seals, Gaskets, Packing, and Lubricating Fluids Associated with Mechanical Equipment
Based on the ongoing work to address the safety concerns, the issue was considered nearly-resolved in December 1995, but was later given a high priority ranking in SECY-98-166 [1718]. The MSRP was considered resolved at the conclusion of the IPE/IPEEE Programs when a summary report was issued [1806] on how the above eleven concerns were addressed. The staff's evaluations of the above 21 concerns are presented below:
(1) COMMON CAUSE FAILURES RELATED TO HUMAN ERRORS
CCFs resulting from human error include operator acts of commission or omission that could be initiating events or could affect redundant safety-related trains needed to mitigate the events. Other human errors that could initiate CCF include: (1) manufacturing errors in components that affect redundant trains; and (2) installation, maintenance, or testing errors that are repeated on redundant trains. Since personnel are always intimately involved in all phases of nuclear power plant planning, operation, testing, and maintenance, there is the potential for human errors which may contribute or lead to systems interaction events or CCF. This concern was identified as Item 7.4.1 in NUREG/CR-5420 [1237].
While existing PRAs have identified human error possibilities to some extent, they are principally limited to errors of omission. The identification or the modeling of errors of commission is in the developmental stages and will continue to require further work. Efforts to increase understanding and preclude the occurrence of this type of human error will continue to be a priority research activity. With the use of NUREG/CR-5455 [1582], the staff has been following the investigations of events at operating plants in recent years that involved human performance. In conducting control room design reviews, the staff uses the criteria documented in NUREG-0711 [1583] and NUREG/CR-5908 [1584].
The staff will continue the present approach of reducing human errors of all types through regulatory review, inspection, research, and the development of regulatory guidance based upon systematic application of human engineering principles, rather than attempting to identify and correct specific human errors that may lead to CCF. Additionally, potential CCFs resulting from human errors of omission in operation, maintenance, or testing are to be considered on a plant-specific basis by licensees in their IPEs. (CCFs resulting from human errors in installation and manufacturing of components are generally not explicitly considered in PRAs and hence would not be explicitly considered in the IPE process.)
The staff's approach will reduce the likelihood of human errors, including those that have not been identified thus far. The staff believes that the potentially significant generic issues associated with CCFs related to human errors are currently being addressed by this approach. Therefore, based on the existing IPE Program, this concern was not pursued as a new and separate issue.
(2) NON-SAFETY-RELATED CONTROL SYSTEM/SAFETY-RELATED PROTECTION SYSTEM DEPENDENCIES
Multiple failures in non-safety-related control systems may have an adverse impact on safety-related protection systems as a result of potential unrecognized dependencies between control and protection systems. There is concern that plant-specific implementation of the regulations regarding separation and independence of control and protection systems may be inadequate. This concern was expressed by the ACRS during their review of the resolution of Issue A-47 and was identified as Item 7.4.2 in NUREG/CR-5420 [1237].
The resolution of Issue A-17 stated that “[m]ethods are available (and some are under development) for searching out systems interactions on a plant-specific basis. Studies conducted by utilities and national laboratories indicate that a full-scope plant search takes considerable time and money. Even then, there is not a high degree of assurance that all, or even most, adverse systems interactions will be discovered.” Thus, the staff concluded that the cost of a systematic search of systems interactions, such as non-safety-related control system/safety-related protection system dependencies, would produce very little safety benefit.
The summary of NUREG/CR-5420 [1237] states that this issue “does not question regulations but addresses plant-specific implementation.” As such, the licensees' IPE process should provide a framework for evaluating interdependence between safety-related and non-safety-related systems and identify potential sources of vulnerabilities. Continued notices, letters, and bulletins addressing identified problems of this nature should aid in the identification and resolution at those plants where these or similar weaknesses may exist. Therefore, based on the existing IPE Program, this concern was not pursued as a new and separate issue.
(3) FAILURE MODES OF DIGITAL COMPUTER CONTROL SYSTEMS
Two areas of concern were identified for digital computer control systems. The first is the potential for interactions between computerized non-safety-related control systems and safety-related protection systems. Use of computerized control systems presents the potential for complex or unexpected failure modes that might impact protection systems. The second area of concern is the use of digital control systems for safety-related purposes. The first OL application including this type of equipment for safety-related purposes (although on a small scale) was ANO Unit 2, where digital computers are used for the initiating logic for two reactor trip parameters. Several utilities are implementing core protection calculators (CPC), which are digital components, to provide trip signals. This concern was identified as Item 7.4.3 in NUREG/CR-5420 [1237].
This ACRS concern was based on the potential failure of digital computer control systems which may affect the safe shutdown capability of a plant. It applies primarily to the adequacy of NRC regulations and the NRC's capability to review designs for such equipment.
For the review and evaluation of digital instrumentation and control systems (including the interface design and the software to drive them), methods and technical bases for guidelines and criteria are being developed in the ongoing NRC research on human-system interface. The many research issues include the potential for interactions between computerized non-safety related control systems and safety-related protection systems. The research also addresses the use of digital instrumentation and control systems for safety-related purposes. Additional work is being initiated with the National Academies of Sciences and Engineering under a study titled "Study and Workshop on Application of Digital Instrumentation and Control Systems to Nuclear Power Plants," to identify the important safety and reliability issues associated with the use of digital instrumentation and control systems, and to address what approach and criteria should be applied to ensure safe application and effective regulation of digital instrumentation and control systems.
In addition, potential failure modes and interactions in computer systems are being considered in the NRR review of digital systems in operating plants and advanced reactors. Based on the ongoing work, this concern was dropped from further consideration as a new and separate issue.
(4) SPECIFIC SCENARIOS NOT CONSIDERED IN USI A-47
The staff identified two scenarios of concern that were not evaluated during the review of Issue 47: (1) scram without turbine trip, including return to criticality resulting from overcooling the primary system; and (2) steam generator overfill resulting from SGTR leading to an MSLB and more SGTRs that would involve the blowdown of more than one steam generator. The other potential cause of steam generator overfill (excessive feedwater flow due to control system failure) and its consequences were analyzed in the resolution of Issue A-47. This concern was identified as Item 7.4.4 in NUREG/CR-5420 [1237].
The first scenario was addressed in Issue 144 which was given a low priority ranking. The second scenario, along with other concerns, was addressed in Issue 135 which was given a medium priority ranking and resolved by the staff. In NUREG/CR-4893 [1411], the staff's technical findings report for Issue 135, it was stated that for steam generator overfill resulting from SGTR “[a]nalyses for several plants on the increase in stress levels due to deadweight loading resulting from filling the steam lines indicate that, while in some cases the spring hangers may be loaded slightly beyond specification, they will not fail. The stress levels in the main steam line will remain within ASME Code limits in all cases. The NRC staff has concluded that the probability of failure of the main steam line is not increased by the deadweight loading. Further, because the water in the steam lines is essentially at saturation temperature and pressure, the potential for failure due to condensation-induced water hammer is considered insignificant ... there is no evidence of steam line failure from overstress, and dynamic loading from water hammer is not considered to be a problem.”
Since steam generator overfill resulting from an SGTR is not likely to lead to an MSLB, an SGTR caused by an SGTR-induced MSLB and associated mechanical and thermal shock are also not very likely. Based on this low probability event, this concern was dropped from further consideration as a new and separate issue. Consideration of a 20-year license renewal period would not change this conclusion.
(5) EFFECTS OF DEGRADATION OF HVAC EQUIPMENT ON CONTROL AND PROTECTION SYSTEMS
Instrumentation systems generally require a carefully controlled environment to function properly. Loss or degradation (i.e., partial loss) of either safety or non-safety-related HVAC systems could result in the failure of systems necessary to achieve and maintain safe shutdown. HVAC degradation can have a direct impact on safety-related equipment or an indirect impact through interactions with non-safety-related components. The possibility for HVAC degradation to have an undesirable impact on safety-related protection systems may not have been given adequate attention. This concern was identified as Item 7.4.5 in NUREG/CR-5420 [1237].
The concern for the effects of loss of HVAC/chilled water systems on safety-related systems and components was addressed in the resolution of Issue 143. In the regulatory analysis for the resolution for this issue documented in NUREG/CR-6084 [1550], it was indicated that the reduction in annual CDF by eliminating (or decreasing) the dependence of safety systems on HVAC and room cooling was only on the order of 10⁻⁶/RY, and all three proposed resolution strategies exceeded the $1,000/man-rem cost-effectiveness ratio. Therefore, the staff did not recommend any new requirements in the resolution of Issue 143.
Although the effects of degradation (such as decrease in efficiency) of HVAC/chilled water systems were not considered in Issue 143, and only the effects of loss of HVAC/chilled water systems on safety-related systems and components were considered, Issue 143 did provide a worst-case scenario that enveloped the concerns of Item 7.4.5. This conclusion was based on the following: (1) the effects of degradation (partial loss) of HVAC/chilled water systems on systems and components will be less severe compared to those from the total loss of HVAC/chilled water systems; and (2) the indirect impact of HVAC degradation on safety-related equipment through interactions with non-safety-related components will lead to the same end results as the direct impact of loss of HVAC/chilled water systems on safety-related equipment. Therefore, the ACRS concerns were bounded by Issue 143 and were dropped from further consideration as a new and separate issue.
(6) FAILURE MODES RESULTING FROM DEGRADED ELECTRIC POWER SOURCES
Electric power system degradation (i.e., undervoltage, overvoltage, underfrequency, overfrequency) has the potential for affecting multiple trains of safety-related equipment although it is not clear what failure modes could result from these types of events. The ACRS believed that, although Issue A-47 addressed sudden complete loss of electrical power, it did not address the effects of electric power system degradation on safety-related equipment. This concern was identified as Item 7.4.6 in NUREG/CR-5420 [1237].
The concern for electrical power reliability was addressed in the resolution of Issue 128 which was established to integrate the resolution of 3 separate safety issues: 48, "Limiting Conditions for Operations (LCOs) for Class 1E Vital Instrument Buses"; 49, "Interlocks and LCOs for Class 1E Tie Breakers"; and A-30, "Adequacy of Safety-Related DC Power Supplies." However, the resolution of Issue 128 did not specifically address "degradation" of electrical power systems and its consequences. Issue A-35, "Adequacy of Offsite Power Systems," did address the concern for the vulnerability of safety-related equipment to sustained degraded voltage from offsite power sources. It also addressed the concern relating to a rapid rate of frequency decay of the offsite power system.
The concerns regarding the performance of MOVs under degraded electric power sources, among other things, were addressed in the resolution of Issue II.E.6.1, “In Situ Testing of Valves - Test Adequacy Study,” and resulted in the issuance of Generic Letter 89-10 [1217] which required licensees to establish programs to ensure the operability of MOVs in safety-related systems. In the resolution of Issue 158, “Performance of Safety-Related Power-Operated Valves Under Design Basis Conditions,” currently being resolved with a high priority, the staff will investigate the performance of safety-related, power-operated valves such as SOVs, AOVs, and HOVs under design basis conditions. Thus, Item 7.4.6 is being addressed for power-operated valves.
Lastly, there was an extensive inspection program initiated by NRR in the late 1980s entitled Electrical Distribution System Functional Inspections (EDSFI) where all operating plants were reviewed and inspected regarding the design, operation, maintenance, and testing of their electrical distribution systems; both offsite and onsite electrical power systems were included. A number of information notices were issued as a result of this inspection program and an EDSFI data bank is being maintained by RSIB/NRR. RES, in consultation with NRR, will consider the information in the EDSFI data bank and other pertinent operational experiences, to determine the effects on component operation by degraded input power and if further NRC action is appropriate. With the completed and ongoing programs described above, this concern was dropped from further consideration as a new and separate issue.
(7) FAILURE MODES RESULTING FROM DEGRADED COMPRESSED AIR SYSTEMS
Compressed air system degradation has the potential to affect multiple trains of safety-related equipment. Air system degradation includes: (1) gradual loss of air pressure; and (2) air underpressurization or overpressurization outside the design operating pressure range of the associated equipment dependent upon this system. It is not clear what failure modes could result from these types of events. Although Issue A-47 addressed sudden complete loss of air pressure, it did not specifically investigate the effects of compressed air system degradation on safety-related equipment. This concern was identified as Item 7.4.7 in NUREG/CR-5420 [1237].
Issue 43, “Reliability of Air Systems,” which was resolved with the issuance of Generic Letter 88-14 [1141], addressed, to a large extent, the ACRS concern on air system reliability. However, the ACRS stated [1579] that “we do not consider the resolution of Generic Issue 43 as adequate. We support what has been proposed or done by the staff and the industry as described in the resolution package for Generic Issue 43, but further work is needed to show that the gradual loss of air pressure issue is not a safety problem for any plant.”
In AEOD/C701 [1078], five recommendations to address air systems problems were made. Recommendation 5 stated that “[a]ll operating plants should be required to perform gradual loss of instrument air system pressure tests.” CRGR considered the five recommendations while deliberating on the issuance of Generic Letter 88-14 [1141] and concluded that licensees should implement four of the five recommendations. Recommendation 5, pertaining to slow bleed-down testing, was not supported by CRGR because it was believed that the other four recommendations would be effective in correcting the problems.
The issuance of Generic Letter 88-14 [1141] resulted in major utility efforts in which dozens of air system problems that had the potential to compromise public health and safety were found and corrected. In addition, AEOD now believes that the importance of the slow bleed-down test recommendation has actually diminished because of the efforts that many licensees have made to find and correct other air system problems and the aggressive industry initiatives to improve the reliability of air-operated equipment. Evidence of these activities includes: (1) INPO and EPRI/NSAC issued reports encouraging utilities to take actions to correct problems noted in NUREG-1275 [1079], Vol. 2; (2) EPRI/NMAC issued maintenance guides on air systems and SOVs; (3) the Air Operated Valve Users' Group was formed and members meet on a regular basis to exchange information and promote reliable equipment operation; and (4) there is an ongoing process to establish an ASME O&M performance guide/standard for air systems.
The slow bleed-down test will require the determination of the range of credible blowdown rates, and the performance of sequential testing of individual branches of the air distribution system to avoid creating a challenge to plant safety. In addition, to fully implement the slow bleed-down test recommendation could require expenditure of disproportionate amounts of resources and may also result in increased risk due to the introduction of unnecessary challenges to plant safety. AEOD is monitoring improvements in plant performance pursuant to Generic Letter 88-14 [1141]. Based on the above actions that have been taken, this concern was dropped from further consideration as a new and separate issue.
(8) POTENTIAL EFFECTS OF UNTIMELY COMPONENT OPERATION
This concern addressed the effects of components potentially changing state or actuating in an unanticipated sequence from spurious signals. This scenario can potentially cause damage to safety-related equipment. This concern was identified as Item 7.4.8 in NUREG/CR-5420 [1237].
The staff reviewed existing programs and found that this concern has been adequately addressed by existing generic issues and other NRC programs. This review involved an evaluation of operational events studied under the Accident Sequence Precursors Program which indicated that the major cause of untimely equipment operation is human error which will be reduced by the application of human engineering principles (See Item 7.4.1). In addition, the only effects from the untimely operation of equipment in many of the events are spurious reactor, generator, or turbine trip. The remaining events involve accident sequences which are within the scope of existing generic issues, or involve accident sequences which are within the design basis of plants, such as loss of one out of two redundant ESF trains. Consequently, the staff believed that the potential effects of untimely component operation have been adequately addressed by existing generic issues and other NRC programs and this concern was dropped from further consideration as a new and separate issue.
(9) PROPAGATION OF ENVIRONMENTS ASSOCIATED WITH DBEs
A harsh environment results from certain DBEs (i.e., MSLB, HELB, or LOCA). Equipment exposed to such environments must be qualified to withstand the severe conditions (e.g., the combined effects of high temperature, pressure, humidity/moisture, radiation, and submergence). The actual zone of influence for a particular environment can be larger than the zone used in the analysis if the harsh environment propagates by some unknown or unrecognized path (e.g., open floor drains) into another zone. The following scenario was to be considered:
Steam from an MSLB could travel from where it occurs into another area or zone. This could result in higher temperature, higher pressure, or higher humidity in the other zone. Equipment required for safe shutdown in this area may not be qualified to operate in such a harsh environment. Licensees may not have considered such pathways as HVAC ducts and electrical conduits to propagate harsh environments when performing their environmental qualification analyses.
This concern was identified as Item 7.4.9 in NUREG/CR-5420 [1237].
10 CFR 50.49 requires that the DBE environmental conditions (e.g., the time-dependent temperature, pressure, humidity, radiation, chemicals, submergence, etc.) be specified in the qualification file at locations where equipment important to safety must perform and this equipment, in turn, must be qualified to these DBE environmental conditions. The staff considered the scenario described above to be an issue of compliance with 10 CFR 50.49 and this concern was dropped from further consideration as a new and separate issue.
(10) EVALUATION OF HEAT, SMOKE, AND WATER PROPAGATION EFFECTS RESULTING FROM FIRES
Fire can damage one train of equipment in one fire zone while a redundant train could potentially be damaged in one of the following ways:
(1) Heat, smoke, and water may propagate (e.g., through HVAC ducts or electrical conduit) into a second fire zone and damage a redundant train of equipment.
(2) A random failure, not related to the fire, could damage a redundant train.
(3) Multiple non-safety-related control systems could be damaged by the fire and their failure could affect safety-related protection equipment for a redundant train in a second zone.
A fire can cause unintended operation of equipment due to hot shorts, open circuits, and shorts to ground. Consequently, components could be energized or de-energized, valves could fail open or closed, pumps could continue to run or fail to run, and electrical breakers could fail open or closed. This concern was identified as Item 7.4.10 in NUREG/CR-5420 [1237].
The concern of water propagation effects resulting from fire was partially addressed in the resolution of Issue 57. For operating and future plants having a greater reliance on advanced digital instrumentation and control (I&C) systems, there is a separate ongoing RES program to investigate the effects of smoke (SNL/FIN W6051) together with synergistic effects from temperature, moisture/humidity, electromagnetic interference/radio frequency interference (EMI/RFI), etc., (ORNL/FIN L1798, ORNL/FIN L1951) on these systems. This study will involve identifying all plausible environmental stressors associated with the advanced digital I&C systems, collecting reliability data for components that are unique for the advanced digital I&C systems, and prioritizing these environmental stressors (including the synergistic effects) based on their risk significance (BNL/FIN L1908). The results of this study will be incorporated into an ORNL program on Qualification of Advanced Instrumentation and Control Systems (See initial results in NUREG/CR-5904 [1668] and NUREG/CR-5941 [1669]). Based on the above actions that have been taken, this concern was dropped from further consideration as a new and separate issue.
(11) SYNERGISTIC EFFECTS OF HARSH ENVIRONMENTAL CONDITIONS
A synergistic effect is one in which the presence of simultaneous combined environmental conditions has a greater impact on equipment than the sum of the individual environmental conditions taken independently or sequentially. The ACRS contends that a lack of regulatory guidance for analyzing synergistic effects makes it difficult to assess what licensees have done in this area and, therefore, some equipment important to safety may not be adequately qualified for the actual environments. This concern was not combined with other concerns because it relates to a specific part of the environmental qualification (EQ) issue, namely, synergistic environmental effects. This concern was identified as Item 7.4.11 in NUREG/CR-5420 [1237].
10 CFR 50.49(e)(7) states that synergistic effects must be considered when these effects are believed to have a significant effect on equipment performance. The staff believed that, although regulatory guidance for analyzing synergistic effects is currently lacking, there is sufficient ongoing staff action to evaluate and resolve existing EQ concerns and to identify and resolve any other EQ issues that may exist. RES is currently working with NRR on the planned actions of the EQ 10 CFR 50.49 Task Action Plan (EQ-TAP) where the adequacy of existing EQ standards and regulations for operating reactors is to be evaluated. The EQ-TAP stated that "[a]lthough this TAP describes planned actions, it should be recognized that this is an evolving issue and the actions, as described, may be modified as additional information is obtained through further research and review of industry operating experience." The RES program plan for the EQ-TAP will include synergistic effects. Thus, the concerns of NUREG/CR-5420 [1237], Item 7.4.11 will be included in the EQ-TAP and additional guidance will be issued if appropriate. Therefore, this concern was dropped from further consideration as a new and separate issue.
(12) ENVIRONMENTAL QUALIFICATION OF SEALS, GASKETS, PACKING, AND LUBRICATING FLUIDS ASSOCIATED WITH MECHANICAL EQUIPMENT
Sub-components (seals, gaskets, packing materials, and lubricating fluids, etc.) in some mechanical equipment may not be adequately qualified to normal harsh environments due to the lack of concerted industry equipment qualification programs on mechanical equipment and NRC review. This is possible because currently no specific NRC guidelines equivalent to 10 CFR 50.49, "Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants," exist for mechanical equipment. This concern was identified as Item 7.4.12 in NUREG/CR-5420 [1237].
Previously-identified generic issues addressed the operability and reliability of PORVs, MOVs, and other power-operated valves. Specifically, Generic Letter 89-10 [1217] was issued for Issue II.E.6.1; Generic Letter 90-06 [1290] was issued for Issue 70; and Issue 158, "Performance of Safety-Related Power-Operated Valves Under Design Basis Conditions," is currently being resolved with a high priority and will address the operability and reliability of AOVs, HOVs and SOVs.
The EPRI-sponsored reliability-centered maintenance program (RCM) and the associated Users' Group have been in existence for some time and are now well-represented by the nuclear utilities. This maintenance program encompasses equipment and components (including non-metallic parts, which are the focus of concern of this issue), and regularly identifies and replaces unqualified or degraded components and sub-components. The Users' Group members meet on a regular basis (with participation from the NRC staff) to exchange information on RCM and promote reliability of equipment and components.
In addition, an ASME Standard on environmental qualification of mechanical equipment (QME) is scheduled for issuance. This document will help to address the concerns of this item for future plants and for replacements at operating plants. Based on the above actions that have been taken, this concern was dropped from further consideration as a new and separate issue.
(13) EFFECTS OF FIRE SUPPRESSION SYSTEM ACTUATION ON NON-SAFETY-RELATED AND SAFETY-RELATED EQUIPMENT
Fire suppression system actuation events can have an adverse effect on safety-related components either through direct contact with suppression agents or through indirect interactions with non-safety-related components. This concern was identified as Item 7.4.13 in NUREG/CR-5420 [1237].
This concern was addressed in the resolution of Issue 57 and will be considered by licensees on a plant-specific basis during implementation of the IPEEE Program. Supplement 4 to Generic Letter 88-20 [1222] and NUREG-1407 [1354] provided procedural and submittal guidance for the IPEEE Program. As stated in NUREG-1407 [1354] for internal fires, some fire issues identified in NUREG/CR-5088 [1211], such as seismic/fire interaction, effects of fire suppressants on safety equipment, and control system interactions, should be addressed in the IPEEE. Based on the existing IPEEE Program, this concern was not pursued as a new and separate issue.
(14) EFFECTS OF FLOODING AND/OR MOISTURE INTRUSION ON NON-SAFETY-RELATED AND SAFETY-RELATED EQUIPMENT
Flooding and/or water intrusion events can affect safety-related equipment either directly or indirectly through flooding or moisture intrusion of multiple trains of non-safety-related equipment. This type of event can result from external flooding events, tank and pipe ruptures, actuations of fire suppression system, or backflow through part of the plant drainage system. This concern was identified as Item 7.4.14 in NUREG/CR-5420 [1237].
The purpose of this concern was to determine whether additional regulations or more detailed requirements would result in a significant improvement in public health and safety. However, there is no evidence that this safety concern could be resolved in this manner. Instead, if a potential safety problem exists, it would appear to be a result of plant-specific vulnerabilities.
The IPE submittal guidance (Generic Letter 88-20 [1222] and NUREG-1335 [1587]) includes consideration of moisture intrusion and internal flooding. The concern for external flooding and/or moisture intrusion resulting from external events is being addressed in the IPEEE Program. Thus, the IPE/IPEEE process should detect plant-specific vulnerabilities identified in the ACRS concern. Based on the existing IPE and IPEEE Programs, this concern was not pursued as a new and separate issue.
(15) SEISMICALLY-INDUCED SPATIAL AND FUNCTIONAL INTERACTIONS
Seismic events have the potential to cause multiple failures of safety-related systems through spatial and functional interactions. In particular, additional analyses may be necessary to ensure the following:
(1) small piping (e.g., air, instrument, and water lines) is properly evaluated to prevent small pipe ruptures that may disable essential plant shutdown systems;
(2) non-seismically qualified structures, systems and components cannot cause small piping failures from direct impact;
(3) seismic activity will not adversely affect safety-related protection systems via multiple non-safety-related control system failures and/or functional interactions (excluding direct impact); and
(4) indirect effects of seismic activity such as dust generation cannot affect essential plant shutdown systems.
The ACRS expressed concern that not all of the potential seismically-induced system interactions that could adversely affect safe shutdown of a plant have been thoroughly identified and investigated. This concern was identified as Item 7.4.15 in NUREG/CR-5420 [1237].
The procedural and submittal guidance document [1354] for the IPEEE Program states that, for seismic review, plant walkdowns must be performed consistent with the intent of the guidelines described in Sections 5 and 8 and Appendices D and I of the EPRI Seismic Margins Methodology (EPRI NP-6041). EPRI NP-6041 in turn states that seismic systems interactions reviews should be one of the items performed during a plant walkdown and guidelines on how to perform these reviews are provided. These guidelines address the concern for seismically-induced spatial interactions; it is expected that implementation of the IPEEE Program will identify any vulnerabilities to seismically-induced functional interactions. Thus, licensee evaluations of their plants for vulnerabilities to seismic events as part of the IPEEE Program are sufficient to address the ACRS concern. Based on the existing IPEEE Program, this concern was not pursued as a new and separate issue.
(16) SEISMICALLY-INDUCED FIRES
Seismically-induced fires have the potential to cause multiple failures of safety-related systems. The occurrence of a seismic event could create fires in multiple locations, simultaneously degrade fire suppression capability (because fire suppression systems are not seismically-qualified), and, therefore, prevent mitigation of fire damage to multiple safety-related systems. The ACRS expressed concern that seismically-induced fires were not adequately addressed in the resolution of Issue A-46, other seismic requirements, or fire protection regulations. This concern was identified as Item 7.4.16 in NUREG/CR-5420 [1237].
In resolving Issue 57, the staff considered the results of the PRA analyses for 4 operating plants (1 GE, 1 B&W, and 2 W plants) and these are summarized below.
The mean CDFs from Issue 57 root causes for these 4 plants are in the range of 7.3 × 10⁻⁶/RY to 5.6 × 10⁻⁵/RY. The dominant risk contributors were found to be: (1) seismic-induced fire plus seismic-induced suppressant diversion, i.e., the unsuppressed fire and/or the diverted suppressant incapacitate safety-related equipment needed to mitigate effects of the seismic event; and (2) seismic-induced actuation of the fire protection systems, i.e., the released suppressant damages safety-related equipment needed to mitigate the effects of the seismic event. Both are being addressed by the IPEEE (see Supplement 4 to Generic Letter 88-20 [1222] and NUREG-1407 [1354]). After subtracting these two dominant risk contributors, the mean CDF of the remaining contributors is less than 10⁻⁵/RY. Therefore, the staff recommended that, after considering credit for the IPEEE, generic backfit was not justifiable for Issue 57 and no new requirements were recommended.
Thus, the ACRS concern will be considered by licensees on a plant-specific basis during implementation of the IPEEE Program and this concern was not pursued as a new and separate issue.
(17) SEISMICALLY-INDUCED FIRE SUPPRESSION SYSTEM ACTUATIONS
Seismic events can potentially cause multiple fire suppression system actuations which, in turn, can cause failures of redundant trains of safety-related systems. Analyses currently required by fire protection regulations generally only examine inadvertent actuations of fire suppression systems as single, independent events whereas a seismic event could cause multiple actuations of fire suppression systems in various areas. This concern was identified as Item 7.4.17 in NUREG/CR-5420 [1237].
As described in Item 7.4.16 above, the ACRS concern was addressed in the resolution of Issue 57 and will be considered by licensees on a plant-specific basis during implementation of the IPEEE Program. Therefore, this concern was not pursued as a new and separate issue.
(18) SEISMICALLY-INDUCED FLOODING
Seismically-induced flooding events can potentially cause multiple failures of safety-related systems. The ACRS expressed several concerns related to seismically-induced flooding. First, although the ACRS believes that an SSE will likely not cause large-diameter piping to rupture, the ACRS feels that the seismic adequacy of smaller-diameter piping has not been adequately proven. Rupture of small piping could provide flood sources that could potentially affect multiple safety-related components simultaneously. Second, non-seismically qualified tanks are a potential source of flooding that the ACRS believes has not been adequately addressed. This concern was identified as Item 7.4.18 in NUREG/CR-5420 [1237].
Licensee evaluations of their plants for vulnerabilities to seismic events as part of the implementation of the IPEEE Program (Supplement 4 to Generic Letter 88-20 [1222] and NUREG-1407 [1354]) will address the ACRS concern. Therefore, this concern was not pursued as a new and separate issue.
(19) SEISMICALLY-INDUCED RELAY CHATTER
Essential relays must operate during and after an SSE and must meet either one of the following conditions: (1) remain functional without contact chattering; (2) be seismically-qualified; or (3) licensees must show that contact chatter of the relay(s) is acceptable. It is possible that contact chatter of relays not required to operate during seismic events may produce some unanalyzed faulting mode that may impact the operability of equipment required to mitigate the event. This concern was identified as Item 7.4.19 in NUREG/CR-5420 [1237].
Licensee evaluations of their plants for vulnerabilities to seismic events as part of the implementation of the IPEEE Program (Supplement 4 to Generic Letter 88-20 [1222] and NUREG-1407 [1354]) will address the ACRS concern. Therefore, this concern was not pursued as a new and separate issue.
(20) EVALUATION OF EARTHQUAKE MAGNITUDES GREATER THAN THE SAFE SHUTDOWN EARTHQUAKE
The ACRS expressed concern that adequate seismic margins may not have been included in the design of some safety-related equipment. In this context, seismic margin is defined as the capability of a plant to sustain an earthquake larger than its SSE. This concern was identified as Item 7.4.20 in NUREG/CR-5420 [1237].
Licensee evaluation of their plants for vulnerabilities to seismic events as part of the implementation of the IPEEE Program (Supplement 4 to Generic Letter 88-20 [1222] and NUREG-1407 [1354]) will address the ACRS concern. Therefore, this concern was not pursued as a new and separate issue.
(21) EFFECTS OF HYDROGEN LINE RUPTURES
H2 is used in electrical generators at nuclear plants to reduce windage losses and as a heat transfer agent. It is also used in some tanks (e.g., volume control tanks) as a cover gas. Leaks or breaks in H2 supply piping could result in the accumulation of a combustible mixture of air and H2 in vital areas, resulting in a fire and/or an explosion. This concern was identified as Item 7.4.21 in NUREG/CR-5420 [1237] and addressed the potential for H2 line ruptures to occur in the auxiliary building. Resulting fires and/or explosions could damage vital safety-related systems of the plant.
This concern was addressed in the resolution of Issue 106, "Piping and Use of Highly Combustible Gases in Vital Areas." The staff's technical findings and regulatory analysis were reported in NUREG/CR-5759 [1544] and NUREG-1364 [1545], respectively. Generic Letter 93-06 [1547] was issued to licensees and referred to new information developed in the resolution of Issue 106. This information was expected to be useful to licensees in performing their IPEEEs. Based on the above actions that have been taken, this concern was not pursued as a new and separate issue.