Resolution of Generic Safety Issues: Issue 145: Actions to Reduce Common Cause Failures (Rev. 3) ( NUREG-0933, Main Report with Supplements 1–35 )

DESCRIPTION

Historical Background

This issue was identified as an alternative approach to the Finding 15 recommendation⁸⁸⁶ discussed in Issue 125.I.5, "Safety Systems Tested in All Conditions Required by DBA," which states that "[t]horough integrated system testing under various system configurations and plant conditions as near as practical to those for which the system is required to function during an accident is essential for timely detection and correction of common mode design deficiencies." In Issue 125.I.5, it was proposed that integrated systems and plant test programs be designed to detect and correct unforeseen common mode design deficiencies (CMDD). Issue 125.I.5 was evaluated and not pursued further primarily due to the narrow scope of the common cause trigger and the impracticality of the proposed solution. However, an alternative approach to resolving the Finding 15 recommendation that included a broader scope of common cause failures (CCF) and a more practical approach was identified during the evaluation of Issue 125.I.5 and formed the basis for Issue 145.

The identified alternative approach consisted of assessing the benefits of improvements in existing in-service, refueling, and surveillance testing programs in operating reactors and improved startup testing for future plants. Such an assessment would focus on improvements in testing components and systems under conditions more representative of operational and DBA expectations with emphasis directed toward detection of all types of CCFs. This alternative approach, however, would be more effective as a long-term program and could make use of results from the IPE program and other ongoing research and regulatory programs to provide guidance for the prevention and detection of CCFs. Such guidance would also be useful to new plants because it could be used in the development of system design and the procedures for operating, maintaining, and testing the plants.

Testing of equipment has its limitations; in fact, testing can be an important cause of CCFs which occur when the testing does not reflect true demands of the equipment under operating conditions. For example, MOVs may work during a test but not during a true demand when there exists a high delta pressure across them. Much design basis testing cannot be performed in situ. Prototypical testing, on the other hand, is expensive and the application of prototypical testing to equipment in plants is sometimes not practical. Thus, it was believed that measures were needed to identify CCF precursors before they occur so that corrective measures could be taken.

Prior to the evaluation of this issue in February 1992, RES had performed basic research on procedures for identifying CCFs, the results of which were documented in NUREG/CR-4780¹¹¹⁹ and NUREG/CR-5460.¹⁴⁶⁶ The basic emphasis of the latest concepts involved evaluating the CCFs from a historical and plant-specific basis and evaluating the defenses of the plant to reduce the threat of the cause or protect the equipment from such causes. At that time, RES was also completing research on data analysis methods for detecting potential CCFs.

Related issues included: A-17, "Systems Interactions," which identified internal flooding as a significant concern and was expected to be analyzed by each licensee as part of the IPE program; the maintenance rule (10 CFR 50.65) and regulatory guide; A-9, "ATWS"; A-30, "Adequacy of Safety-Related DC Power Supplies"; A-35, "Adequacy of Offsite Power Systems"; A-44, "Station Blackout"; B-57, "Station Blackout"; B-56, "Diesel Generator Reliability"; C-13, "Non-Random Failures"; and 123, "Deficiencies in the Regulations Governing DBA and Single-Failure Criteria as Suggested by the Davis-Besse Incident of June 9, 1985."

Other NRC projects related to this issue were the Technical Specifications Improvement Program in NRR and the AEOD operating feedback study of solenoid-operated valves (NUREG-1275)¹⁰⁷⁹ which addressed widespread deficiencies that were found in the design, application, manufacture, maintenance, surveillance testing, and feedback of failure data. Many of the solenoid valve problems involved components not modeled in a PRA. Such component failures can be important to plant operation and safety.

Safety Significance

Prevention of CCFs is very important to plant safety. For highly redundant systems, CCFs can be a major cause of system failure. The TMI-2 and Davis Besse incidents were examples of scenarios involving CCFs. AEOD studies have shown the importance of CCFs, and PRAs routinely identify CCFs as important contributors to CDF and risk.

Possible Solutions

The possible solutions to this issue were:

(1) Provide information about CCFs to licensees for use in performing their IPEs, and encourage licensees to conduct an engineering analysis and to provide training to plant personnel so that they are aware of the importance of CCFs and the types of actions which increase the frequency of occurrence of CCFs, and the types of actions and situations which can decrease the frequency of CCFs. Licensees could then voluntarily make changes in maintenance programs, testing, procedures, etc., to help reduce the potential for CCFs. This would be implemented by the NRC issuing an information notice to licensees. A report would be prepared to contain useful information about CCFs occurring in operating histories, identified in PRAs and IPE, and insights from RES CCF projects.

(2) Request licensees to perform a systematic engineering examination of the important CCFs identified in their IPEs and updates as they are made. Such analyses would provide insights into plant practices which will prevent or defend against CCFs, including hardware and human interactions. An example of a detailed engineering analysis of a PRA common cause event is contained in Section 4.2 of NUREG/CR-4780.¹¹¹⁹ This analysis focused on a detailed examination of battery common mode failures at a plant. The commonality found from this plant-specific analysis was attributed to maintenance of the batteries.

(3) Have licensees monitor dates of failures to recognize increased potential for CCFs. Where dates of component failures are clustered or grouped in time, instead of being spread over time randomly, statistical analysis of this clustering can indicate when failures are not independent of each other, i.e., that they are subject to a common cause. This would be incorporated into the regulatory guide associated with the maintenance rule. This should have a positive impact in reducing those CCFs which are the result of inadequate maintenance practices. However, this will be dependent upon the ability of individual licensees to recognize CCFs as part of the monitoring and root cause analyses performed to investigate equipment failures and/or malfunctions.

(4) For a select group of important, highly reliable components (e.g., batteries and scram breakers), have licensees perform a detailed review of actual and potential failures to determine the extent that each failure or its root cause may affect multiple components.

PRIORITY DETERMINATION

Frequency Estimate

Table 3.145-1 contains a summary of the CCF contribution from four NUREG-1150¹⁰⁸¹ internal events PRAs and the LaSalle PRA. The common cause contributions were those contained in the dominant accident sequence cut sets. The common cause terms were set to zero and a reduced CDF was calculated. This value represented the maximum amount the CDF could be reduced by the possible solution.

Table 3.145-1

CCF Contributions from Selected PRAs

Plant	Mean CDF/RY	CDF/RY With CCF=0	Difference (/RY)	Difference (% of CDF)
Surry	3.2 x 10-5	2.1 x 10-5	1.1 x 10-5	33.6
Sequoyah	5.3 x 10-5	4.2 x 10-5	1.1 x 10-5	19.9
Peach Bottom	3.6 x 10-6	3.2 x 10-6	4.1 x 10-7	11.6
Grand Gulf	2.1 x 10-6	1.2 x 10-6	8.5 x 10-7	41.2
LaSalle	3.2 x 10-5	1.3 x 10-5	1.9 x 10-5	59.4
Average	2.4 x 10-5	1.6 x 10-5	8.3 x 10-6	33.8

It is recognized that not all common causes modeled in the PRAs can be reduced to zero. However, not all common causes are modeled in the PRAs and not all systems are modeled, or modeled in detail. Thus, this reduced CDF may be regarded as being representative of the amount the core damage could be reduced. On the other hand, the possible solutions may not be effective in eliminating the specific CDFs modeled in the IPEs. Therefore, it was assumed that the CDF attributed to CCFs will be reduced by a factor of 2, i.e., the possible solutions will be 50% effective in reducing and preventing CCFs. Based on the above considerations, the CDF reduction by reactor type was 5.35 x 10^-6/RY for PWRs (based on 2 PRAs) and 3.33 x 10^-6/RY for BWRs (based on 3 PRAs).

Consequence Estimate

The conditional release doses used in this analysis were based on the fission product inventory of a 1120 MWe PWR and a 1000 MWe BWR. Additional assumptions common to both reactor types were meteorology typical of a midwest site, a surrounding uniform population density of 340 persons/square-mile within a 50-mile radius of the plant, an exclusion radius of one-half mile from the plant, no evacuation, and no ingestion pathways. Therefore, the estimated change in risk was intended to be representative of hypothetical generic PWR and BWR plants and not representative of any specific plant. The assumption of no evacuation provided a degree of conservatism for this analysis.

Based on NUREG/CR-2800,⁶⁴ average releases are 2.5 x 10⁶ man-rem and 6.7 x 10⁶ man-rem for PWRs and BWRs, respectively. Based on an average remaining life of 28.8 years for a PWR, the estimated risk reduction associated with this issue was (5.35 x 10^-6/RY)(2.5 x 10⁶ man-rem)(28.8 years) or 385 man-rem/reactor. Based on an average remaining life of 27.4 years for a BWR, the estimated risk reduction was (3.3 x 10^-6/RY)(6.7 x 10⁶ man-rem)(27.4 years) or 606 man-rem/reactor.

Cost Estimate

Industry Cost: If a plant is systematically evaluated by a licensee for common failure (Solution 2) or has its more important systems assessed for the potential for CCF (Solution 4), it was estimated that the cost would be approximately $200,000 (one staff-year). Solution 3 deals with monitoring and analysis of failure information and failure dates of components. It was assumed that this activity will require one person part-time at a cost of $25,000/RY. For the average remaining plant life of 28 years, this cost was approximately $700,000/reactor. In addition to the above, licensees would incur costs to implement any actions to correct potential CCFs identified from the evaluations proposed.

NRC Cost: The cost associated with Solution 1 (preparation of an information notice and a CCF summary report) was estimated to be about $200,000.

Total Cost: The maximum industry and NRC cost associated with the possible solutions would be $1.1M/reactor and would depend upon the possible solutions pursued; implementation would increase this cost.

Value/Impact Assessment

PWRs: Based on a potential public risk reduction of 385 man-rem/reactor and an estimated cost of $1.1M/reactor for a possible solution, the value/impact score was given by:

BWRs: Based on a potential public risk reduction of 606 man-rem/reactor and an estimated cost of $1.1M/reactor for a possible solution, the value/impact score was given by:

Other Considerations

(1) Effective maintenance is important to ensure that design assumptions and margins in the original design basis are either maintained or are not unacceptably degraded.¹⁴⁶⁷ In the design of nuclear power plants, an important safety margin is the redundancy of equipment to perform safety functions. This redundancy, however, can be degraded by CCFs. Therefore, defense against CCFs over the life of a plant is an important part of each licensee's maintenance program. If properly performed, the CCF monitoring activity and the root cause analyses conducted by licensees to investigate equipment failures and/or malfunctions should reduce CCFs that result from inadequate maintenance. However, the effectiveness of some defenses may be reduced because of aging and may need to be taken into consideration during license renewal.

(2) Assuming a 20-year license renewal period for operating reactors, the estimated risk reduction for a PWR was (5.35 x 10^-6/RY)(2.5 x 10⁶ man-rem)(48.8 years) or 653 man-rem/reactor. For a BWR, the estimated risk reduction was (3.3 x 10^-6/RY)(6.7 x 10⁶ man-rem)(47.4 years) or 1,048 man-rem/reactor.

CONCLUSION

Based on the potential public risk reduction, this issue would have been given a medium priority ranking (see Appendix C). However, as part of the IPE program, licensees were requested to consider CCFs. Additionally, the regulatory guide to implement the maintenance rule (10 CFR 50.65) was expected to include monitoring of failure rates to identify CCFs; this action essentially addressed Solutions 2 and 3. Since much CCF information had been generated over the years, it was likely to be beneficial to pursue Solution 1. It was believed that this action would not require any additional research and could be accomplished in the near term. Thus, based on the extent of the ongoing work, the issue was considered nearly-resolved¹⁷⁵⁴ in February 1992 but was later given a high priority ranking in SECY-98-166.¹⁷¹⁸ In accordance with an RES evaluation,¹⁵⁶⁴ the impact of a license renewal period of 20 years was to be considered in the resolution of the issue.

In resolving the issue, the staff developed a CCF database and analysis software package to aid in system reliability analyses and related risk-informed applications. The CCF database was documented in NUREG/CR-6268¹⁷⁵⁵ which, in addition to providing guidance on the screening and interpretation of data, contained relevant event data to provide a more uniform and cost-effective way of performing CCF analyses. The database contained CCF-related events that occurred in U.S. commercial nuclear power plants from 1980 to 1995. Licensees were informed of the availability of the CCF database in Administrative Letter 98-04¹⁷⁵⁶ and Regulatory Issue Summary 99-03¹⁷⁵⁷ was issued to make the major insights derived from the CCF research project more readily available to plant managers. Thus, the issue was RESOLVED with no new or revised requirements.¹⁷⁵⁸

REFERENCES

0064. NUREG/CR-2800, "Guidelines for Nuclear Power Plant Safety Issue Prioritization Information Development," U.S. Nuclear Regulatory Commission, February 1983, (Supplement 1) May 1983, (Supplement 2) December 1983, (Supplement 3) September 1985, (Supplement 4) July 1986, (Supplement 5) July 1996. 0886. NUREG-1154, "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985," U.S. Nuclear Regulatory Commission, July 1985. 1079. NUREG-1275, "Operating Experience Feedback Report," U.S. Nuclear Regulatory Commission, (Vol. 1) July 1987, (Vol. 2) December 1987, (Vol. 3) November 1988, (Vol. 4) March 1989, (Vol. 5) March 1989, (Vol. 5, Addendum) August 1989, (Vol. 6) February 1991, (Vol. 7) September 1992, (Vol. 8) December 1992, (Vol. 9) March 1993. 1081. NUREG-1150, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," U.S. Nuclear Regulatory Commission, (Vol. 1) December 1990, (Vol. 2) December 1990, (Vol. 3) January 1991. 1119. NUREG/CR-4780, "Procedures for Treating Common Cause Failures in Safety and Reliability Studies," U.S. Nuclear Regulatory Commission, (Vol. 1) January 1988, (Vol. 2) January 1989. 1466. NUREG/CR-5460, "A Cause-Defense Approach to the Understanding and Analysis of Common Cause Failures," U.S. Nuclear Regulatory Commission, March 1990. 1467. Federal Register Notice 56 FR 31306, "10 CFR 50, RIN 3150-AD00, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," July 10, 1991. 1564. Memorandum for W. Russell from E. Beckjord, "License Renewal Implications of Generic Safety Issues (GSIs) Prioritized and/or Resolved Between October 1990 and March 1994," May 5, 1994. [9406170365] 1718. SECY-98-166, "Summary of Activities Related to Generic Safety Issues," U.S. Nuclear Regulatory Commission, July 6, 1998. [9807220129, 9807170226] 1754. Memorandum for W. Minners from E. Beckjord, "Generic Issue No. 145, 'Actions to Reduce Common Cause Failures,'" February 11, 1992. [9203170332] 1755. NUREG/CR-6268, "Common-Cause Failure Database and Analysis System," U.S. Nuclear Regulatory Commission, (Vols. 1, 2, 3, and 4) June 1998. 1756. Administrative Letter 98-04, "Availability of Common-Cause Failure Database," U.S. Nuclear Regulatory Commission, July 30, 1998. [ML031110169] 1757. Regulatory Issue Summary 99-03, "Resolution of Generic Issue 145, Actions to Reduce Common-Cause Failures," U.S. Nuclear Regulatory Commission, October 13, 1999. [ML031110454] 1758. Memorandum for W. Travers from A. Thadani, "Resolution of Generic Safety Issue 145, 'Actions to Reduce Common Cause Failures,'" October 18, 1999.