HomeMy WebLinkAbout851168.tiff SSINS No. : 6835
IN 85-52
UNITED STATES MEAD CUUUTy C
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT ' iiillf
WASHINGTON, D. C. 20555 :At-
91985
July 10, 1985
‘GwE'ELEY. cote.
IE INFORMATION NOTICE NO. 85-52: ERRORS IN DOSE ASSESSMENT COMPUTER CODES AND
REPORTING REQUIREMENTS UNDER 10 CFR PART 21
Addres"sees:
All nuclear power reactor facilities holding an operating license (OL) or a
construction permit (CP).
Purpose:
The purposes of this information notice are to alert licensees (1) of errors in
a dose assessment computer code supplied by a vendor, and (2) that, in general ,
computer codes can be considered basic components under the requirements of
Part 21, and errors that can lead to substantial radiation exposures would be
considered reportable under 10 CFR 21. It is expected that recipients will
review the information for applicability to their facilities and consider
actions, if appropriate, to preclude a problem at their facilities. Licensees
are also encouraged to share this information with their vendors. However,
suggestions contained in this information notice do not constitute NRC require-
ments; therefore, no specific action or response is required.
Description of Circumstances:
The NRC staff recently evaluated an event where errors were found in computer
software supplied by Nuclear Data, Inc. (ND) for predicting offsite doses at
San Onofre. Attachment 1 provides further details of the San Onofre event,
including the cause and effect of the computer error. Although notification
was made via INPO' s electronic "notepad" , this information was prepared to
ensure that all potentially affected licensees are aware of the problem.
In the past, licensees and vendors appear to have been diligent in reporting
non-conservative errors in computer software used to perform design calcula-
tions. However, NRC staff conversations with licensees in regard to the
San Onofre problem have indicated that some licensees believe, in general , that
errors in vendor supplied computer software used for offsite dose assessments
are not reportable under 10 CFR 21. However, such errors may be reportable in
some circumstances. This particular error was not reportable under 10 CFR Part
21 because the error led to substantially overestimating calculated offsite
doses. However, if the error had been non-conservative and caused significant
underestimation of offsite doses, then this could have (theoretically) led to
8507090274 851168
IN 85-52
July 10, 1985
Page 2 of 2
radiation exposures exceeding the guidelines found in NUREG-0302 (Rev. 1)
regarding the exposure levels associated with substantial safety hazards.
Attachment 2 repeats the pertinent guidelines (NUREG-0302, Rev. 1) for deter-
mining when a substantial safety hazard exists.
No specific action or written response is required by this information notice.
If you have any questions about this matter, please contact the Regional
Administrator of the appropriate regional office or this office.
ard`2 d, Director
Division Emergency Preparedness
and E neering Response
Office o Inspection and Enforcement
Technical Contacts: J. E. Wigginton, IE
(301) 492-4967
R. L. Pedersen, IE
(301) 492-9425
Attachments:
1. Description of San Onofre Event
2. Guidelines For Determining Whether a Substantial Safety
Hazard Exists
3. List of Recently Issued IE Information Notices
Attachment 1
IN 85-52
July 10, 1985
DESCRIPTION OF SAN ONOFRE EVENT
During a recent emergency preparedness exercise at San Onofre, NRC Region V
personnel noted large differences between the results of the offsite dose
calculations made by the licensee and the region. With the licensee and Region
V using the same input parameters (radiological source term and meteorological
conditions) , offsite doses calculated by the region were an order of magnitude
less than the licensee' s estimations. The NRC staff recognizes that there is
no "standard code" for calculating offsite doses. Because of modeling assump-
tions andicomplexities, large differences in resultant doses can exist when
comparing two codes with both codes still correctly considered to be error-free.
However, when they examined their code for internal accuracy, the licensee
noted the problems discussed below.
The licensee found errors in the dose assessment computer programs, supplied by
ND, used to estimate environmental doses for both routine operations and
emergency operations. Coordinating with ND, the licensee corrected these errors
and notified other licensees via INPO' s electronic "notepad. " The vendor-supplied
computer program DISP (main program for calculating atmospheric dispersion) had
an inherent error, which led to predicting less atmospheric dispersion (dilution)
than the code should have calculated, hence leading to an overestimation of the
effect of a radioactive gaseous release (by a factor of approximately 10 for
emergency doses).
During an emergency situation, overestimating or underestimating the dose due
to code errors could lead to potential confusion. During an emergency situa-
tion protective action decisionmaking would be based principally on plant
conditions. However, dose projection calculations do influence such decisions.
Therefore, the calculations need to meet accuracy expectations to be useful .
Given the levels of real-time technical oversight and review by local govern-
mental authorities and Federal agencies, including independent dose estima-
tions, it is not likely that a protective actions decision by the local
authorities would be based solely on the licensee dose projection.
Staff discussions with the San Onofre licensee and another licensee indicated
that some licensees believe such software errors are simply not reportable.
However, NRC staff maintains that such errors are reportable in some circum-
stances as a material defect.
If errors result in substantially underestimating or overestimating offsite
doses, it could possibly result in inappropriate protective actions. An error
that substantially underpredicts offsite doses (non-conservative) would cer-
tainly be reportable under 10 CFR 21. This underestimation could possibly cause
a delay or deferral of a protective action which could clearly lead to the
unnecessary exposure to a person in an unprotected area, thereby creating a
"substantial safety hazard. " An error that substantially overpredicts (conser-
vative) is not strictly reportable under 10 CFR 21, since it is very unlikely
that such an overestimation could result in personnel radiation exposures
exceeding the referenced guidelines. However, given the potential non-radiological
negative impact from unnecessary protective actions that could result from overly
conservative dose estimates, licensees should continue to cooperate with vendors
and share information concerning common problems with generic computer codes.
Staff guidance on the amount of radiation exposure that can be considered to
represent a substantial safety hazard is provided in NUREG-0302 (Rev. 1) (see
Attachment 2).
Attachment 2
IN 85-52
July 10, 1985
Guidelines For Determining Whether A "Substantial Safety
Hazard" Exists*
1. A substantial safety hazard means the loss of a safety function to the
extent there is a major reduction in the degree of protection provided to
public health and safety. Note that the term "public health and safety"
includes both members of the public and licensee workers/employees.
2. From a radiological perspective, a criterion for determining whether
substantial safety hazard exists includes "moderate exposure to, or
release of, licensed material ."
a. Guidelines for determining what "moderate exposure to. . . " means:
o Greater than 25 rem wholebody
(or its equivalent to other body parts) to occupationally
exposed workers
o Exposure of 0.5 rem wholebody
(or its equivalent to other body parts)
to an individual in an unrestricted area
b. Guidelines for determining what ". . . release of, licensed
material . " means:
o Release of materials in amounts reportable under the
provisions of 10 CFR Part 20, §20.403(b)(2)
*Taken from NUREG-0302 (Rev.1) , "Remarks Presented (Questions/Answers Dis-
cussed) at Public Regional Meeting To Discuss Regulations (10 CFR Part 21) for
Reporting of Defects and Noncompliance," October 1977.
Attachment 3
IN 85-52
July 10, 1985
LIST OF RECENTLY ISSUED
IE INFORMATION NOTICES
Information Date of
Notice No. Subject Issue Issued to
85-51 Inadvertent Loss Or Improper 7/10/85 All power reactor
Actuation Of Safety-Related facilities holding
Equipment an OL or CP
85-50 Complete Loss Of Main And 7/8/85 All power reactor
Auxiliary Feedwater At A PWR facilities holding
Designed By Babcock & Wilcox an OL or CP
85-49 Relay Calibration Problem 7/1/85 All power reactor
facilities holding
an OL or CP
85-48 Respirator Users Notice: 6/19/85 All power reactor
Defective Self-Contained facilities holding
Breathing Apparatus Air an OL or CP, research,
Cylinders and test reactor,
fuel cycle and
Priority 1 material
licensees
85-47 Potential Effect Of Line- 6/18/85 All power reactor
Induced Vibration On Certain facilities holding
Target Rock Solenoid-Operated an OL or CP
Valves
85-46 Clarification Of Several 6/10/85 All power reactor
Aspects Of Removable Radio- facilities holding
active Surface Contamination an OL
Limits For Transport Packages
85-45 Potential Seismic Interaction 6/6/85 All power reactor
Involving The Movable In-Core facilities holding
Flux Mapping System Used In an OL or CP
Westinghouse Designed Plants
85-44 Emergency Communication 5/30/85 All power reactor
System Monthly Test facilities holding
an OL
OL = Operating License
CP = Construction Permit
SSINS No. : 6835
tb��SNi
UNITED STATES 0
NUCLEAR REGULATORY COMMISSION 1
OFFICE OF INSPECTION AND ENFORCEME 'J(f��i 9 I
WASHINGTON, D. C. 20555 19gg
July 10, 1985 city
cam..
IE INFORMATION NOTICE NO. 85-51: INADVERTENT LOSS OR IMPROPER ACTUATION
OF SAFETY-RELATED EQUIPMENT
Addressees:
All nuclear power reactor facilities holding an operating license (OL) or a
construction permit (CP).
Purpose:
This information notice is provided to alert licensees of potentially signifi-
cant reactor safety problems that may be a byproduct of the normal practice of
removing fuses or of opening circuit breakers for personnel protection during
maintenance and plant modification activities. The reactor safety concern may
result when the effects of electrical power interruption on all circuits
powered by the fuse or breaker are not fully reviewed in advance. Errors in
the review have resulted in unknowingly disabling safety systems and also have
caused inadvertent actuation of safety systems. It is suggested that recipi-
ents review this information for applicability to their facilities and consider
actions, if appropriate, to preclude similar problems at their facilities.
However, suggestions contained in this information notice do not constitute NRC
requirements; therefore, no specific action or written response is required.
Description of Circumstances:
At Susquehanna Unit 2 on July 9, 1984 with the plant at approximately 20% of
full power electricians removed two dc-control power fuses for personnel
protection during modifications involving the core spray isolation logic. The
electricians believed that removing these fuses would provide the nearest local
blocking-point protection needed while performing the modification. However,
the fuses that were removed were considerably "upstream" of the local blocking
point and the following situations resulted from this improper action:
1. Signals to start the pumps and position valves for the A loop of the core
spray system were lost.
2. One of the diesel generators would not have received a "Start" signal from
the Division 1 core spray logic that is provided for a loss-of-coolant
accident (LOCA) condition associated with Unit 2.
8507090268
IN 85-51
July 10, 1985
Page 2 of 3
3. The A and C instrumentation channels, sensing reactor water level and
drywell pressure, were made inoperable. Because of this, the residual
heat removal system and high pressure injection system would not have
received an actuation signal from those channels in the event of an
accident. However, the B and D channels remained functional .
4. A partial isolation signal for drywell cooling was generated.
5. The load shedding feature of the A and C 4160 V ac essential buses associ-
ated with Units 1 and 2 were disabled, and the instrument air compressors
for Unit 2 would not have tripped if a LOCA condition had existed for Unit
2.
As a result of this event, the licensee instituted training sessions for
personnel . The training sessions emphasized review and analysis of the cir-
cuits involved in all current and future construction work orders at the
Susquehanna facility and included a human factors analysis focusing on the
adequacy of the status switch features for the core spray system and other
safety-related systems.
Discussion:
Following the event at Susquehanna Unit 2, the NRC conducted a search for other
licensee event reports (LERs) from 1981 through 1984 that had similar cause and
effect. This search resulted in the identification of five additional events
which may be indicative that the problem is widespread. The events described
in these reports are briefly summarized in Attachment 1. The event described
above and those summarized in Attachment 1 illustrate how the practice of
removing fuses may result in actuation or disabling of safety-related equipment
during any mode of plant operation. At the time the fuses were removed, the
involved plant personnel were unaware of the resulting actuation and
inoperabilities. Similar situations could occur when electrical circuits are
de-energized by operating circuit breakers for personnel protection.
The practice of de-energizing circuitry in order to provide plant personnel
with appropriate protection is unavoidable. Corrective and preventive actions
by licensees have emphasized the following items: identification of effects on
plant equipment or systems, independent verification of the evaluation of
effects, and utilization of the nearest local fuse or circuit breaker to
minimize the number of systems affected.
IN 85-51
July 10, 1985
Page 3 of 3
No specific action or written response is required by this information notice.
If you have any questions about this matter, please contact the Regional
Administrator of the appropriate regional office or this office.
dwardt) r an, Director
Division Emergency Preparedness
and Eng eering Response
Office of nspection and Enforcement
Technical Contact: V. D. Thomas, IE
(301) 492-4755
Attachments:
1. Earlier Events Similar to the One at Susquehanna
2. List of Recently Issued IE Information Notices
Attachment 1
IN 85-51
July 10, 1985
Page 1 of 2
EARLIER EVENTS SIMILAR IN NATURE TO THE ONE
AT SUSQUEHANNA
Surry Station, September 1981
In this event, an electrician was attempting to remove a battery in the plant' s
smoke detector system. The electrician did not wish to leave energized wiring
exposed and therefore he removed a line fuse. This action disabled the smoke
detector panel that provides early detection of fires, thereby introducing the
potential for damage of safety-related equipment.
The licensee attributed the cause of this event to personnel error in that the
electrician did not realize that removing the line fuse would disable the smoke
detector panel . Corrective action taken to prevent recurrence of this event
was to revise the labeling of the smoke detector battery chargers and associat-
ed circuit panels with a caution tag.
Oyster Creek Station, December 1981
While performing maintenance activities to repair a faulty electromatic relief
valve pressure switch, dc-control power fuses were removed, resulting in the
inoperability of one trip system in the automatic depressurization system
(ADS). The licensee reported that the cause of the loss of ADS trip system
redundancy was the removal of the power fuses by plant personnel , without
realizing the consequences on the ADS control logic circuitry. However, had a
plant condition been present that required the operation of the ADS, the
redundant trip system would have actuated the four remaining relief valves to
depressurize the reactor system.
To prevent recurrence of this reportable occurrence, the licensee incorporated
it in the required reading program for Shift Operations Supervisors and Instru-
ment Department Personnel . Additionally, the power fuses that defeat the
redundancy of the ADS have been identified with a warning label .
Sequoyah Unit 1, September 1982
This licensee reported that during modifications to train "B" of the
solid-state protection system (SSPS), the power fuses were removed to facili-
tate work on the output relays. This caused the train "B" reactor heat removal
(RHR) suction valve to close rendering that system inoperable. A review of the
drawings associated with the SSPS showed that the power supply to the output
relays also supplied power to a relay that operates the RHR suction valve.
When this relay is de-energized, the valve automatically closes. The operator
immediately returned the system to normal operating conditions.
A change was made to the facility work plan covering SSPS modification to
inform operators that removal of the power fuses isolates the associated train
of the RHR suction valve. The licensee also reports that caution signs were
placed near the location of the fuses in the SSPS cabinets.
Attachment 1
IN 85-51
July 10, 1985
Page 2 of 2
Diablo Canyon Unit 1, May 1983
The event at Diablo Canyon Unit 1 during May 1983 was similar to the events
discussed above, in that personnel at the plant removed power fuses to perform
work activity. This action resulted in disabling of radiation monitoring
equipment.
To prevent recurrence, plant personnel have been instructed to ensure that all
effects on plant equipment are known and recognized before approving clearances
for work activity.
Susquehanna Unit 1, April 1984
This earlier event at Susquehanna Unit 1 also was caused by removing power
fuses for personnel protection. Plant personnel removed two fuses associated
with the primary containment isolation logic for Unit 2 to perform a modifica-
tion for the logic circuitry. This resulted in the actuation of a false high
drywell pressure signal , which, in turn, actuated the common control room
emergency outside air supply and standby gas treatment systems. The licensee
later discovered that an improperly placed wire jumper in conjunction with fuse
removal actually caused the false actuation. Subsequently, the wire jumper was
installed properly.
To prevent recurrence of this event, the subject work activity and associated
wiring error were reviewed with the work crew involved. During this review the
licensee also instructed personnel to review and verify circuitry before
de-energizing power sources to equipment scheduled for maintenance or
modification.
Attachment 2
IN 85-51
July 10, 1985
LIST OF RECENTLY ISSUED
IE INFORMATION NOTICES
Information Date of
Notice No. Subject Issue Issued to
85-50 Complete Loss Of Main And 7/8/85 All power reactor
Auxiliary Feedwater At A PWR facilities holding
Designed By Babcock & Wilcox an OL or CP
85-49 Relay Calibration Problem 7/1/85 All power reactor
facilities holding
an OL or CP
85-48 Respirator Users Notice: 6/19/85 All power reactor
Defective Self-Contained facilities holding
Breathing Apparatus Air an OL or CP, research,
Cylinders and test reactor,
fuel cycle and
Priority 1 material
licensees
85-47 Potential Effect Of Line- 6/18/85 All power reactor
Induced Vibration On Certain facilities holding
Target Rock Solenoid-Operated an OL or CP
Valves
85-46 Clarification Of Several 6/10/85 All power reactor
Aspects Of Removable Radio- facilities holding
active Surface Contamination an OL
Limits For Transport Packages
85-45 Potential Seismic Interaction 6/6/85 All power reactor
Involving The Movable In-Core facilities holding
Flux Mapping System Used In an OL or CP
Westinghouse Designed Plants
85-44 Emergency Communication 5/30/85 All power reactor
System Monthly Test facilities holding
an OL
85-43 Radiography Events At Power 5/30/85 All power reactor
Reactors facilities holding
an OL or CP
OL = Operating License
CP = Construction Permit
Hello