Summary of Meetings Held on 9/18-20/79 to Discuss Potential Unreviewed Safety Question on Systems Interaction for B&W Pl (Generic Letter 79-49)
GL79049
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555
October 5, 1979
TO ALL POWER REACTOR LICENSEES
SUBJECT: SUMMARY OF MEETINGS HELD ON SEPTEMBER 18-20, 1979 TO DISCUSS A
POTENTIAL UNREVIEWED SAFETY QUESTION ON INTERACTION BETWEEN
NON-SAFETY GRADE SYSTEMS AND NSSS SUPPLIED SAFETY GRADE SYSTEMS
(I&E INFORMATION NOTICE 79-22)
I. Introduction
A series of meetings was held with all four light water reactor vendors
and the corresponding utilities to discuss the effect of I&E
Information Notice 79-22 on nuclear power plant owners. I&E Information
Notice 79-22, issued on September 14, 1979, notified the nuclear
industry of a potential unreviewed safety question at Public Service
Electric and Gas Company's Salem Unit 1 nuclear facility. The meetings
were held in the Bethesda offices of the NRC according to &he following
schedule:
Westinghouse - September 18, 1979
Combustion Engineering - September 19, 1979
Babcock and Wilcox - September 20, 1979; a.m.
General Electric - September 20, 1979; p.m.
The Nuclear Regulatory Commission staff was seeking additional
information from operators of all nuclear power plants on a potential
unreviewed safety question involving malfunctions of control equipment
under accident conditions. This equipment consists of electrical
components used for reactor and plant control under normal operating
conditions.
Some of this equipment could be adversely affected by steam or water
from certain pipe breaks, such as in the main steam line inside or
outside plant containment buildings. The consequences of a control
system malfunction could result in conditions more or less severe than
those previously analyzed. The NRC staff Intends to determine the
degree to which the validity of previous safety reviews are affected
and whether changes in design or operating procedures will be required.
II. Background
As part of the Westinghouse Environmental Qualification Program, IEEE
323-74 has been reviewed, in particular, sections dealing with
environmental
7911070350
.
-2-
interactions. Westinghouse design philosophy is that if a component is
necessary to function in order to protect the public, it is
"protection" grade. Should a non-protection grade component perform
normal action in response to system conditions, it must be shown to
have no adverse impact on protection grade component response. If a
component did not receive a signal to change state, it was assumed to
remain "as is". Part of the environmental qualifications require the
demonstration that severe environments will not cause common failure of
"protection" grade components. An outgrowth of the environmental
qualification program review was a defemination if the severe
environment can cause a failure of a non-protection grade component
that was previously assumed to remain "as is" and alter the results of
the design basis analysis.
Westinghouse formed an Environmental Interaction Committee whose
charter was to identify, for all high energy line breaks and possible
locations, the control systems that could be affected as a result of
the adverse environment and whose consequential malfunction or failure
could exceed the safety limits previously satisfied by accident
analyses presented in Westinghouse plants' SARs. The Committee was also
to establish, for any adverse interactions identified, recommendations
to resolve the issue. The assumed ground rules for the investigations
performed by Westinghouse are enumerated on page five of Enclosure 2.
The investigation resulted in a compilation of potential control system
consequential failures (due to environmental considerations) which
affected plant safety analyses. The investigation considered seven
accident scenarios and seven control systems interactions in a matrix
form, as shown on page 6 of Enclosure 2. The accidents are: 1) small
steam line rupture; 2) large steam line rupture; 3) small feedline
rupture; 4) large feedline rupture; 5) small LOCA, 6) large LOCA; and,
7) rod ejection. The control systems are: 1) reactor control; 2)
pressurizer pressure control; 3) pressurizer level control; 4)
feedwater control; 5) steam generator pressure control; 6) steam dump
system control; and 7) turbine control.
The investigations identified potential significant system response
interactions in the:
a. steam generator power operated relief valve control system;
b. pressurizer pressure control system;
c. main feedwater control system; and,
d. rod control system.
III. Discussion
A. The first In the series of meetings was with Westinghouse and
utilities that own Westinghouse reactors. The meeting was attended
by seventy (70) persons representing the NRC, PSE&G along with
nine other utilities, Westinghouse and the other three light water
reactor vendors, utility owner groups, four A/E consultants, the
ACRS, AIF and EPRI. The list of attendees is presented as
Enclosure 1.
Westinghouse's presentation is included as Enclosure 2.
During the Westinghouse meeting, they identified, for all
high-energy line .
-3-
breaks and possible locations, the control systems that could be affected as
a result of the adverse environment and whose consequential failure could
invalidate the accident analyses presented in Westinghouse plants' SARs.
Recommendations were also presented for resolving the adverse interactions
identified.
Westinghouse's investigation identified seven accidents and seven control
systems that could possibly interact and presented them in a matrix form as
shown in Enclosure 2, page 6. As can be seen the potential interactions that
could degrade the accident analyses are in the:
a. Automatic Rod Control System
b. Pressurizer PORV Control System
c. Main Feedwater Control System
d. Steam Generator PORV Control System
Westinghouse stated that the possible matrix interactions may increase as
more detailed analyses are performed but the interactions will remain for
all of their plants and the interactions may be eliminated only if
conditions are such that plant specific designs mitigate the interactions
because of:
a. system layout;
b. type of equipment used;
c. qualification status of equipment utilized:
d. design basis events considered for license applications; and,
e. prior commitments made by utility to the NRC.
The Westinghouse analysis did not consider plant operators as part of the
control systems nor was the time allotted for operator "inaction"
considered. The assumed operator action times, as stipulated in plant
analysis, were used without modification. Equipment in a control system or
part of a control system was assumed to fail as a system in the most adverse
direction for conservatism. Westinghouse stated that the possible matrix
interactions will remain for all of their plants and the interactions may be
removed only if conditions are such that plant specific designs mitigate the
interactions because of:
a. system layout;
b. type of equipment used;
c. qualification status of equipment utilized;
d. design basis events considered for license application; and,
e. prior commitments made by utility to the NRC.
It should be noted that Westinghouse only analyzed accidents and not
transients.
.
-4-
Further, long-tem investigations may be required to analyze the transient
cases. Initial conditions and assumptions are shown on pages 5, 7, 9, 14,
15, 22, 23, 27, 28, 33, 37 and 38.
Westinghouse presented their analyses for the four control systems
identified as follows:
A. Steam Generator Power Operated Relief Valve Control System
The areas of concern for this system are:
1. multiple steam generator blowdown in an uncontrolled manner;
2. loss of turbine driven auxiliary feedwater pump; and,
3. primary hot leg boiling following feedline rupture.
The assumptions used are presented on page 15 of Enclosure 2. Potential
solutions to the Steam Generator PORV Control System interaction
problems were presented as both short term and long term. The
short-term solutions are to:
1. investigate whether the SG PORV Control System will operate
normally or fail in a closed position when exposed to an adverse
environment; and,
2. modify the operating instructions to alert operators to the
possibility of a consequential failure in the SG PORV Control
System caused by an adverse environment.
If evident, close block valves In the relief lines.
The long-term solutions are:
1. redesign the SG PORV Control System to withstand the anticipated
environment;
2. relocate the SG PORVs and controls to an area not exposed to the
environment resulting from ruptures in the other loops;
3. install two safety grade solenoid valves in each PORV to vent air
on a signal from the protection system, thereby ensuring that the
valve will remain closed initially or will close after opening;
and,
4. install two safety grade MOVs in each relief line to block venting
on signal from the protection system.
Westinghouse presented similar analyses for the other three control
systems along with the assumptions, areas of concern and potential
solutions. These are presented in Enclosure 2.
a. Steam Generator PORV Control System pp. 14-21, Enclosure 2.
.
-5-
b. Main Feedwater Control System pp. 22-26, Enclosure 2,
c. Pressurizer PORV Control System pp. 27-32, Enclosure 2.
d. Rod Control System pp. 37-42, Enclosure 2.
At the end of Westinghouse's presentation, the NRC staff caucused to
discuss their future plans and actions. When all attendees reconvened
the meeting was opened to discussions of the impact of the NRC 10 CFR
50.54(f) letter, vendor and utility plans, and staff plans.
Westinghouse stated that they would establish an action plan along the
guidelines of NUREG-0578. Westinghouse also stated that their
investigations were carried further than FSAR analyses and they would
need to evaluate consequential failures on a realistic basis; this
evaluation may eliminate some problems. Westinghouse stated that their
investigations are lower probability subsets of SAR analyses which in
themselves are sets of low probability, Westinghouse expressed doubts
that a conclusive determination can be made of the qualification status
of all of the involved equipment in 20 days.
Robinson plant representatives noted that their secondaries are open
and therefore breaks outside of containment present no problem. They
indicated their basic approach to answering the 20-day letter will be
to follow the short-term Westinghouse recommendations.
Representatives of Salem also stated that their intent is to follow the
short-term Westinghouse recommendations to satisfy the request of the
20-day letter.
Utility representatives stated that they will respond to the 20-day
letter by addressing the four control systems identified in a manner
suggested by the Westinghouse recommendations unless the NRC staff
provides directions to the contrary and further established guidelines
stating their position on the problem along with their recommendations.
B. The second in the series of meetings was held with Combustion
Engineering and utilities that own CE's reactors. The meetings were
attended by 52 persons representing the NRC, all four light water
reactor vendors, five utilities, various consultants, the ACRS, AIF and
EPRI. The list of meeting attendees is presented as Enclosure 3.
They explained the concerns presented by Westinghouse and the four
control systems that could be affected as a result of the adverse
environment of a high energy pipe break and whose consequential failure
could invalidate the accident analysis of plant SARs.
Previous analyses did not specifically take control systems into
account in accident scenarios and the systems were considered passive
in the analyses. The staff explained its earlier understanding
regarding control systems interaction in accidents as one in which the
accidents were expected to be quick and the control systems did not
have the time to contribute significantly to the consequences. If most
of industry reviewed their accident analyses according to the staff
position on control system contribution, then a need does, in fact,
exist to further the scope of accident analyses to include potential
consequential failure modes of the
.
-6-
control systems.
Industry representatives stated that in the allotted 20 days, they
could only skim the surface in accident review with the inclusion of
control system interactions. An initial approach would be of a
mechanistic nature to determine what control system would be involved
and what type of hardware would be necessary to initiate fixes rather
than using an analytical approach to determine the contribution of
control systems on accident consequences.
Combustion Engineering's plans are to identify the control systems that
could cause interactions and then look at resolutions to the problem on
a per plant basis since some solutions are plant dependent. The action
process to be followed is presented as Enclosure 4 and is as follows:
1. Identify those non-safety related control systems, inside and
outside containment, whose malfunction could adversely affect
the accident or transient when subJected to an adverse
environment caused by a high energy pipe break.
2. Determine the limiting malfunctions and their impact during
high energy pipe breaks for those control systems.
3. Determine the short tem and long tem corrective actions.
Combustion Engineering stated that in their plants, operation of
control systems is not required in order to mitigate the consequences
of the transients analyzed in Chapter 15. The analyses in Chapter 15
include the assumption that these control systems respond normally to
each transient and that their operational mode is that which would be
most adverse for the transient under consideration. The consequences
produced by any credible malfunction of these control systems would be
less severe than any which would be produced by the mechanisms
considered as causes of the transients analyzed in Chapter 15.
Some discussion followed dealing with the failure modes of control
system and whether the failure mode is in the most adverse direction or
in the design direction. Resolution of this topic was not obtained but
will be addressed on a plant-by-plant basis.
Again utilities presented their concerns over the 20-day letter and
what is expected of them in this time frame. They stated that in order
to follow the directions of the letter all components would have to be
reviewed to determine if the non-safety grade system failure mode would
aggrevate the accident consequences.
C. The third in the series of meetings was held with Babcock and Wilcox
and utilities that own B&W reactors. The meetings were attended by
fifty-six (56) persons representing the NRC, reactor vendors,
seven-utilities, various consultants, the AIF and EPRI along with the
Union of Concerned Scientists.
.
-7-
The NRC staff explained the background history leading up to the
"20-day" letter and the fact that they consider the problem a generic
one common to all LWRs.
The utility representatives stated that they will answer the letter
themselves without specific participation of the owners group, which
they consider germane only to TMI-2 related subject. Most of the work,
the detailed action plans of which have not yet been established, will
be performed by the various utilities and their architect engineers and
consultants, with generic material supplied by the reactor vendor.
The utility representatives understand the environment to be plant
specific and will use that environment in their analyses for control
system failure. The system failure will include not only component
failure but also failure of transducers, wires, and hot and cold
shorts. The adequacy of fixes for the long-tern and the combination of
consequential failures is not expected to be considered in the allotted
20 days.
Babcock and Wilcox representatives stated that in the past, evaluations
were performed for the sequence of events leading up to the trip, a
time of about 5 to 10 seconds. Prior to that time the control systems
have no effect on the accident sequence or consequence. Failure of
control systems will be investigated in view of the severity of the
possible accident, if the control system failure increases the
consequences, then that system will be considered.
The approach proposed by B&W and the utilities is outlined in Enclosure
6 and is as follows:
1. Evaluate the impact of IE 79-22 on licensing basis accident
analyses.
2. Identify accidents which will yield the adverse environment.
3. Define inputs and responses used.
4. Verify conclusions and Justify continued operation.
The utilities will alert the plant operators to the potential failure
of the plant control systems in total or in providing correct
information. The abnormal and emergency procedures will be reviewed to
determine how failure of non-safety grade systems or improper
information will affect the prescribed operator action.
D. The fourth and final in the series of meetings was with General
Electric and utilities that own GE reactors. The meeting was attended
by 52 people representing the NRC, three reactor vendors, nine
utilities, architect engineers, consultants, and the AIF. The list of
attendees is presented as Enclosure 7.
The NRC staff presented highlights of the previous meetings and the
concerns identified by Westinghouse. The staff stated that a more
sophisticated evaluation of the accident analysis is required to see if
the course and consequences of the accident are altered by
consequential failure of non-safety grade control systems.
.
-8-
General Electric representatives stated that their analyses have
considered high energy pipe breaks in many locations and are more
detailed since BWRs have a larger number of pipes inside and
outside containment carrying radioactive liquids. The BWR leak
detection capabilities are correspondingly greater. Special
attention is given to separation criteria viz., various systems
are in separate cubicles and inside a class 1 secondary as well as
primary containment.
The high energy line break is not considered a problem. In 1970,
Dresden 2 experienced opening of a safety valve and a resulting 10
psi and 340 F environment. The equipment was examined and the
qualifications were subsequently upgraded.
GE representatives stated that they performed sensitivity studies
on their non-safety grade systems to determine if they are heavily
relied upon during an accident. The studies revealed that there
was no heavy dependence upon those systems.
It must be noted that the CE non-safety grade system and
components comprise only approximately 25% of a typical plant
total. The utilities will perform their own analyses on BOP
systems to satisfy the requirements of the "20-day" letter.
IV. NRC Comments
The NRC staff stated that they understood the requests by the nuclear
industry regarding position and direction the request found in the NRC
10 CFR 50.54(f) letter dated September 17, 1979 but would wait until
the conclusion of the scheduled meetins with all four light water
reactor vendors. The staff further stated a Commission Information
paper would be prepared discussing the staff's judgment regarding the
magnitude of the concern and the appropriateness of industry's response
for resolution of the problem.
More specific staff statements were made in terms of generating a plant
specific matrix of potential environmental interactions of control
system for each plant. The NRC requested that they be notified of
further analyses and the individuals that will perform them either
reactor vendors, the owners groups, or the individual utilities.
The NRC noted that at this time, it is not evident which utilities are
faced with what environmental interaction problems. The effects of
implementing all of the Westinghouse recommended short-term "fixes" may
be contradicted by other sequences. Multiple failure analyses could be
performed but this would take months and could not possibly be ready in
20 days.
The NRC recommended that utilities check if qualified equipment is in
place to determine the magnitude of a total qualification program.
The staff advised the utilities to check the validity of their
operating procedures in light of the steam environment around various
components and the reliability of certain control valves in question;
also, use should be made of all information available in files of
vendors, A/Es, and consultants dealing with the problem.
.
-9-
The staff is aware that sufficient time is not available to identify
all of the potential interactions but some of the more obvious ones
must be reviewed. For example, some utilities might choose to operate
their plants in the interim period using a manual rod mode instead of
the preferred automatic mode; also, the PORV block valves may be
operated in the closed position. The determination of what systems are
suspect and the possible 20-day solutions must be answered by each
individual utility according to their plant design. Operator training
would have to be stressed to make the operators aware that potential
consequential failures may exist that would mask the real failure and
give erroneous readings.
The staff stated that for the "20-day" letter response, the utilities
should use engineering judgment and evaluations instead of detailed
analyses that would be time consuming and might limit the utility
response to a limited number of evaluations.
V. Conclusions
The staff indicated that there were three possible options that could
be followed in providing a short-term response.
1. Qualify equipment to the appropriate environment; this would
take longer than 20 days and would, more likely, for most
utilities be a long-term partial solution.
2. Short-term fixes should be in place pending long-term
solutions. It must be noted that In this situation some
components that are relied upon to work properly might be
wiped out by consequential failures under certain conditions
and accident sequences.
3. The "worst case" plant should be selected and a bounding
analysis performed to determine the time frame available for
qualification of equipment.
The staff reiterated the presented recommendations, possible interim
solutions that are plant specific, and in addition,,requested the
following:
1. Identify equipment and control systems which are either
needed to mitigate the consequences of a high energy pipe
break or could adversely affect the consequences of these
events.
2. Check the locations, expected environment, and environmental
qualifications of the equipment and control system identified
in part 1.
3. If some of these are found not be qualified for the
environmental conditions, propose an appropriate fix, i.e.,
design change, change in operating procedures, acceptable
consequences argument based on your evaluation, etc. Provide
a schedule for the proposed fix.
George Kuzmycz, Project Manager
Division of Project Management
.
ENCLOSURE 1
MEETING ATTENDEES
NRC WESTINGHOUSE
D. Ross K. Jordan
D. Eisenhut R. Sero
J. Heltemes R. Steitler
G. Kuzmycz G. Lang
J. Guttmann G. Butterworth
W. Jensen V. Sluss
S. Israel F. Noon
G. Lainas
V. Benaroya PSE&G Co.
R. Woodruff F. Librizzi
A. Dromerick R. Mittl
B. Smith J. Wroblewski
M. Grotenhuis J. Gogliardi
A. Schwencer P. Moeller
P. Norian R. Fryling
F. Orr
F. Odar VENDORS
T. Dunning N. Shirley - G.E.
W. Gammill W. Lindblad - G.E. Portland
S. Salah R. Borsun - B&W
J. Stolz C. Brinkman - C.E.
Z. Rosztoczy
T. Novak UTILITIES
J. Beard D. Waters - CP&L
M. Cliramak M. Scott - Con. Ed.
D. Tondi G. Copp - Duke Power
C. Berlinger N. Mathur - PASNY
L. Kintner J. Barnsberry - S. Cal. Ed.
J. Mazetis K. Vehstedt - AEPSC
K. Mahan R. Shoberg - AEPSC
D. Thatcher E. Smith - VEPCO
J. Burdoin T. Peebles - VEPCO
P. Mathews P. Herrmann - Southern Co. Services
M. Lynch W. House - Bechtel
R. Scholl T. Martin - Nutech
J. McEment - Stafeo
M. Wetterhahn - Conner, Moore & Corber
K. Layer - BBR
E. Igne - ACRS
P. Higgins - AIF
R. Leyse - EPRI
Page Last Reviewed/Updated Tuesday, March 09, 2021