99-003: Resolution of Generic Issue 145, Actions to Reduce Common-Cause Failures
October 13, 1999
ADDRESSEES
All holders of operating licenses for nuclear power reactors, except for those licensees who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.
INTENT
The U.S. Nuclear Regulatory Commission is issuing this regulatory issue summary (RIS) to notify nuclear power reactor licensees about the staff's resolution of Generic Issue (GI) 145, "Actions to Reduce Common-Cause Failures," and to communicate the broad insights that have been developed from the staff's review of the common-cause failure (CCF) events identified in licensee event reports during the 15-year period between 1980 and 1995. This RIS does not transmit any new requirements or staff positions. No specific action or written response is required.
BACKGROUND INFORMATION
Prevention of CCFs is very important to ensuring nuclear power reactor safety. For highly redundant systems, CCFs can be a major cause of system failure. The accident at Three Mile Island in 1979 and the loss of main and auxiliary feedwater incident at Davis-Besse in 1985 were examples of occurrences involving CCFs. NRC studies have shown the importance of CCFs, and probabilistic risk assessments (PRAs) routinely identify CCFs as important contributors to potential core damage sequences and risk. Licensee event reports and operating experience studies have identified actual and potentially significant CCFs. GI-145 was established to determine whether additional cost-effective actions to reduce the potential for significant common-cause failures were appropriate.
To resolve GI-145 and to address deficiencies related to the availability and analysis of CCF data, the staff developed a CCF database and CCF analysis software package for addressing the CCF aspect of system reliability analyses and related risk-informed applications. The CCF database contains (1) guidance on the screening and interpretation of data and (2) relevant event data to provide a more uniform and cost-effective way of performing CCF analyses. In July 1998, the NRC issued Administrative Letter 98-04, "Availability of Common-Cause Failure Database." This administrative letter notified nuclear power reactor licensees of the availability of the CCF database, CCF analysis software, and associated technical reports that had been developed by the NRC. As noted in the administrative letter, the quantitative results of the CCF data collection effort is described in NUREG/CR-6268, "Common-Cause Failure Database and Analysis System." Additionally, by letter dated July 30, 1998, the NRC sent nuclear power reactor licensees a CD-ROM containing the CCF database together with supporting technical documentation, including an analysis software package, to aid in system reliability analyses and risk-informed applications. Some quantitative insights about the data were also published in NUREG/CR-5497, "Common-Cause Failure Parameter Estimations," for use in PRA studies.
SUMMARY OF ISSUE
With the dissemination of NUREG/CR-6268 information in Administrative Letter 98-04 and the distribution of the CD-ROM on the CCF database and its use, the staff concluded that the objectives of GI-145 had been substantially achieved without the need for developing new or revised requirements. This conclusion was based in large measure on the recognition that the existing infrastructure of regulations, operating experience review processes, probabilistic risk assessments programs, licensee safety review processes, and NRC regulatory oversight programs provide a robust framework for identifying and correcting potentially significant CCFs. The existing NRC infrastructure has been further strengthened, for example, by providing CCF insights for NRC inspections and the dissemination of NUREG/CR-6268 information in support of consistent and correct treatment of CCFs in PRAs. An additional basis for closure of GI-145 is the recognition that the trend in yearly occurrence rate for complete(1) CCF events has steadily declined over the last two decades, as is shown in Figure 1. Note, however, that caution should be used in extrapolating the fitted trend lines.
Although the general insights from the analysis of the CCF data are documented in Volume 1 of NUREG/CR-6268, the staff determined that it would be beneficial to augment Administrative Letter 98-04 with a summary that specifically highlights for nuclear reactor licensees the CCF event insights in NUREG/CR-6268. Accordingly, the general observations from the analysis of the CCF event data are summarized in the paragraphs that follow.
General Insights From CCF Events
Basic information about the nature of CCF events is shown in Figures 2 and 3. These figures illustrate the distribution of the proximate causes and coupling factors,(2) respectively, for CCF events during 1980-1995. This information presents a general picture of the types of events that may be expected to occur, and which design features might be most susceptible to CCF events.
Figure 1. Yearly occurrence rate for complete CCF events
These figures also illustrate the different characteristics of partial CCF events(3) and complete CCF events.
A general review of the actual events and the distributions presented in Figures 2 and 3 reveals the following insights regarding CCF events:
- A major programmatic contributor to CCF events is maintenance practices. The frequency of scheduled maintenance has been a factor in wear out-caused and aging-caused events. Additionally, the quality of the maintenance, in terms of both the maintenance procedures and the performance of the maintenance activities, is a key factor. Similar events have occurred at different plants—lubrication of circuit breakers (too much, too little, or too long between lubrications) and improperly set torque switches and limit switches on motor-operated valves that are reported as misadjustment and not as set point drift. This indicates the importance of the review of maintenance practices in minimizing CCF potential.
- Another significant contributor to CCFs is design problems. Many of the design-related CCF events resulted from a design modification, indicating that the modification review processes were not sufficiently rigorous and resulted in conditions that introduced susceptibility to CCF.
- Human errors related to procedural problems caused a small percentage of the total events. However, the impact of the individual events was usually greater, since the human errors often defeated the programmatic controls (e.g., procedures, vendor maintenance guidance). This is illustrated by comparing Figures 2b and 2a, which show that human errors cause a larger portion of complete CCF events than partial CCF events. Examples of events caused by human error are (1) simultaneously draining all emergency diesel generator day tanks for a chemistry surveillance and (2) having redundant pump motor breakers racked out as the plant changed mode from shutdown to power.
- A vast majority of the CCF events are not due to multiple failures associated with an operational demand, but result from a "condition of equipment." The most common is an inspection or surveillance test of one component revealing a deficiency that prompts the licensee to inspect/test the redundant component, resulting in the discovery that the same defective condition is common to both components. This illustrates that detection of failures during the testing and surveillance program can prevent CCFs from occurring during demand situations.
2a. Distribution of causes of complete and partial CCF events
2b. Distribution of causes of only the complete CCF events
Figure 2. Distribution of CCF events by cause
3a. Distribution of coupling factors for both complete and partial CCF events
3b. Distribution of coupling factors for only complete CCF events
Figure 3. Distribution of CCF events by coupling factors
- The CCF database contains several examples of both CCF and independent failure events recurring at selected plants. This indicates varied effectiveness of root cause analyses and corrective actions from plant to plant. Examples of repeated events are water in compressed air systems, pump seal wear out, and turbine governor misadjustment. However, not all plants experience the same type of recurring event. This indicates that plant-to-plant variability exists in the CCF parameters that might cause the CCF parameter estimates used in PRAs for some plants to be higher than the industry average for certain component and system combinations.
Table 1 lists the systems, component types, and failure modes for which CCF events have been collected and entered into the database. It also contains the number of CCF events for each system and component combination and the number of independent failure events. Table 1 shows only the event counts for failure modes that are relevant to PRA studies. Other failure modes, such as failure to close for reactor trip breakers, were found in the source data; these events were coded and entered into the CCF database, even though they are not likely to be used in PRA studies.
SPECIFIC INSIGHTS FROM CCF EVENTS
The NRC plans to update the CCF events database and document more specific observations and insights on the characteristics of CCF events for classes of risk-significant component groups such as emergency diesel-generators, pumps, motor-operated valves, air-operated valves, check valves, batteries/chargers, circuit breakers, heat exchangers and strainers. It is anticipated that CCF insights reports will be periodically published over the next few years for each group and will include operational and engineering insights for CCF events including aspects such as causes, coupling factors, and frequency of occurrence. Accordingly, as these studies are completed, the NRC plans to periodically supplement this RIS with more specific and detailed component-level CCF insights.
With the transmittal of the general insights from NUREG/CR-6268, Vol. 1 in this RIS the actions required for final resolution of GI-145 have been completed. The staff determined that a notice of opportunity for public comment prior to issuance of this RIS was unnecessary because it is informational and merely augments the NUREG/CR documents and administrative letter noted in the background discussion, and the information presented herein was discussed in a public forum with the Advisory Committee on Reactor Safeguards.
Table 1. Component types and systems analyzed for CCF events (1980-1995)
| Component Type | PRA-Relevant Failure Modes | Systems Analyzed for the Component Type | Number of CCF Events(4) for System and Component Type | Number of Independent Failures for System & Component Type | Total Number of CCF Events(5) for Component Type | Total Number of Independent Failures for Component Type |
| Air-Operated Valves | Fail to Open | Auxiliary Feedwater | 42 | 197 | 191 | 505 |
| Fail to Close | High Pressure Injection | 2 | 28 |
| Fail to Stay Closed | Isolation Condenser | 1 | 9 |
| | | Main Steam Isolation (BWR/PWR) | 146 | 271 | | |
| Batteries/ Chargers | No Output, High Output | DC Power (BWR & PWR) | 60 | 1,260 | 60 | 1,260 |
| Check Valves | Fail to Open | Auxiliary Feedwater | 59 | 201 | 147 | 556 |
| Fail to Close | High Pressure Injection | 23/21 | 84/145 |
| Fail to Stay Closed | Low Pressure Injection | 23/21 | 88/38 |
| Circuit Breakers | Fail to Open | DC Power (BWR/PWR) | 8 | 112 | 116 | 989 |
| Fail to Close | AC Power (BWR/PWR) | 82 | 746 |
| Fail to Stay Closed | Reactor Trip Breakers | 26 | 131 |
| Emergency Diesel Generators | Fail to Start, Run | Emergency Power (BWR/PWR) | 131 | 1,346 | 131 | 1,346 |
| Heat Exchangers | Fail to Transfer Heat | Containment Spray (PWR) | 10 | 14 | 18 | 29 |
| | Residual Heat Removal | 8 | 15 |
| Motor-Operated Valves | Fail to Open | Auxiliary Feedwater | 27 | 422 | 192 | 2,568 |
| Fail to Close | Containment Spray (PWR) | 15 | 250 |
| Fail to Stay Closed | High Pressure Injection | 11/40 | 369/292 |
| | Isolation Condenser | 2 | 44 |
| | Low Pressure Injection | 61/23 | 492/470 |
| | Pressurizer (PWR) | 7 | 155 |
| | Refueling Water Storage | 6 | 74 |
| Pumps | Fail to Start | Auxiliary Feedwater | 51 | 919 | 280 | 3,507 |
| | Emergency Service Water | 141 | 1,184 |
| | High Pressure Injection | 2/42 | 343/481 |
| | Low Pressure Injection | 9/25 | 148/362 |
| | Standby Liquid Control | 10 | 70 |
| Relief Valves | Fail to Open | BWR Primary System | 37 | 237 | 115 | 976 |
| Fail to Close | Pressurizer (PWR) | 22 | 334 |
| Fail to Stay Closed | Steam Generator (PWR) | 56 | 405 |
| Safety Valves | Fail to Open | Pressurizer (PWR) | 6 | 119 | 38 | 280 |
| Fail to Close | Steam Generator (PWR) | 32 | 161 |
| Fail to Stay Closed | | | |
| Strainers | Fail to Allow Flow | Containment Spray (PWR) | 1 | 0 | 39 | 162 |
| Emergency Service Water (BWR/PWR) | 36 | 162 |
| Suppression Pool (BWR) | 2 | 0 |
This RIS requires no specific action or written response. If you have any questions about the information in this RIS, please contact one of the technical contacts listed below.
| | Original signed by David B. Matthews, Director
Division of Regulatory Improvement Programs
Office of Nuclear Reactor Regulation |
| Attachment: | Recent List of NRC Regulatory Issue Summaries |
(NUDOCS Accession Number 9910060044)
1 A complete CCF event is one in which all of the components are completely failed (not degraded), and the failures occur within a short time period of each other.
2 A coupling factor is a characteristic of a group of components that identifies them as susceptible to the same cause of failure. Such characteristics include similarity in hardware, maintenance, environment, or operation. Examples of coupling factors are (1) the same defective design in multiple identical components (hardware), (2) an incorrect set point specified in the calibration procedure for multiple relief valves (operational), and (3) emergency diesel generator (EDG) fuel oil contamination that disables all EDGs (environmental).
3 Any CCF event which is not a complete CCF event. At least one component in the group is not completely, but partially, failed or one of the failures does not occur within a short time interval of the original failure, or there is uncertainty about the shared cause.
4 Includes partial (degradations) and complete failure CCF events
5 Includes partial (degradations) and complete failure CCF events
Page Last Reviewed/Updated Tuesday, March 09, 2021