Resolution of Generic Safety Issues: Task II.F: Instrumentation and Controls (Rev. 3) ( NUREG-0933, Main Report with Supplements 1–34 )
The objective of this task was to provide instrumentation to monitor plant variables and systems during and following an accident. Indications of plant variables and status of systems important to safety are required by the plant operator (licensee) during accident situations to:
(1) provide information needed to permit the operator to take pre-planned manual actions to accomplish safe plant shutdown;
(2) determine whether the reactor trip, engineered safety features systems, an manually-initiated systems are performing their intended functions (i.e., reactivity control, core cooling, maintaining reactor coolant system integrity, and maintaining containment integrity);
(3) provide information to the operator that will enable him to determine the potential for a breach of the barriers to radioactivity release (i.e., fuel cladding, reactor coolant pressure boundary, and containment) and if a barrier has been breached;
(4) furnish data for deciding on the need to take unplanned action if an automatic or manually-initiated safety system is not functioning properly or the plant is not responding properly to the safety systems in operation;
(5) allow for early indication of the need to initiate action necessary to protect the public and for an estimate of the magnitude of the impending threat;
(6) improve requirements and guidance for classifying nuclear power plant instrumentation control and electrical equipment important to safety.
ITEM II.F.1: ADDITIONAL ACCIDENT MONITORING INSTRUMENTATION
This item was clarified in NUREG-0737,98 requirements were issued, and MPAs F-20, F-21, F-22, F-23, F-24, and F-25 were established by DL for implementation purposes.
ITEM II.F.2: IDENTIFICATION OF AND RECOVERY FROM CONDITIONS LEADING TO INADEQUATE CORE COOLING
This item was clarified in NUREG-0737,98 requirements were issued, and MPA F-26 was established by DL for implementation purposes.
ITEM II.F.3: INSTRUMENTS FOR MONITORING ACCIDENT CONDITIONS
Prior to the TMI-2 event, the August 1977 version of Regulatory Guide 1.9755 had been used as guidance during licensing reviews. Item II.F.3 called48 for this regulatory guide to be updated to include the TMI-2 concerns.
After the TMI-2 event, Task II.F of the TMI Action Plan48 addressed several concerns regarding the availability and adequacy of instrumentation to monitor plant variables and systems during and following an accident. Revision 2 to Regulatory Guide 1.9755 was published in December of 1980 and implementation was carried out as discussed in SECY-82-111151 and a letter376 issued to all licensees of operating reactors. Thus, this item was RESOLVED and new requirements were established.
ITEM II.F.4: STUDY OF CONTROL AND PROTECTIVE ACTION DESIGN REQUIREMENTS
After the TMI-2 event, the Special Inquiry Group made recommendations161 for the staff to study three items in the area of control and protection systems. These were: (1) automatic reactor protection actions should be derived, to the degree possible, from independent process variables; (2) automatic actions through coincidence of independent process variables should be limited, to the degree possible, for non-reactor protection functions; (3) control circuit components should be designed and periodically tested at expected degraded power supply conditions to ensure that they are capable of performing their intended function.
The report161 concluded that improvements in these areas may help prevent specific occurrences which were noted upon evaluation of the TMI-2 event.
This TMI Action Plan48 item addressed the performance of a study that could indicate potential deficiencies and identify possible fixes which could be incorporated as design criteria in the SRP.11 Industry would then be required to meet these criteria.
No attempt was made to estimate a value/impact score for this issue. It appeared that the non-specific nature of the recommendations (i.e., use of words like "to the degree possible") would require a large amount of additional study prior to defining any specific implementation requirements. Therefore, neither potential risk reduction or costs could be estimated. The following considerations were taken into account.
(1) The first criterion, to a large degree, was typically addressed by existing protection systems. The use of a number of different plant parameters to initiate the protection system was an indication of the application of this criterion. There may have been instances in different plant designs where, for certain events, this criterion had not been adequately addressed; however, it was believed that these were isolated instances. Furthermore, the ATWS rule, which included NUREG-0460704 requirements, addressed monitoring of independent process variables. As another consideration, protection system design requirements were expected to undergo another review as a result of preparation of a Regulatory Guide to endorse IEEE Std. 603-1977.200
(2) The second criterion addressed non-protection systems. At the time this issue was initially evaluated, the staff did not have detailed design criteria for these systems (typically referred to as "control systems") in the SRP.11 It was believed that, if any criteria were to be included, they would be the result of a comprehensive program such as the existing program addressing Issue A-47, "Safety Implications of Control Systems."
(3) One part of the third criterion was addressed in SRP11 Section 3.11, "Environmental Qualification of Equipment." Specifically, safety-related components are designed for performance at varying power supply conditions. Typically, they are initially tested to these conditions as part of their qualification program. The other part of the third criterion was not required at the time this issue was evaluated. Under conditions with offsite power feeding all plant components, it could be postulated that redundant components could experience some degraded power supply conditions; however, this concern was addressed through various plant fixes as part of their degraded grid analysis. Under conditions with onsite power feeding the components, the independence of the systems would prevent redundant components from experiencing degraded power.
Based on the considerations listed above, this issue was placed in the DROP category.
ITEM II.F.5: CLASSIFICATION OF INSTRUMENTATION, CONTROL, AND ELECTRICAL EQUIPMENT
After the TMI-2 event, the staff recommended48 that the existing method of classifying instrumentation, control, and electrical equipment needed revision to allow graded criteria that would more closely correspond to the equipment's importance to safety.
Such a grading could place emphasis on improvements in the non-class 1E systems which could affect core-melt frequency. It could also allow more design flexibility and result in potentially more cost-effective electrical, instrumentation, and control system designs.
It was recommended that the NRC, in conjunction with IEEE, develop a standard which would provide a classification approach based on the level of importance to safety of equipment. The standard would then be endorsed by a Regulatory Guide. Utility conformance to important criteria such as redundancy, reliability, etc., for selected systems would be mandated.
A program to classify and upgrade non-1E instrumentation, controls, and electrical systems was assumed to improve balance-of-plant system reliability and thus reduce transient frequencies. Based on EPRI transient data,307 a number of transient categories and frequencies of interest were identified.
In a PNL assessment64 of this issue, it was assumed that 50% of all these transients were attributable to instrumentation, control, and electrical system failures. Then it was assumed that resolution of this issue would result in about a 10% reduction in such failures.
The reduction assumed above translates into about a 6% reduction in transients (other than loss of offsite power) for PWRs and a 4% reduction in transients for BWRs. Therefore, the 6% reduction was divided between the T2 and T3 transients for PWRs in the Oconee-3 risk equations. The 4% reduction was applied to the T23 transients for BWRs in the Grand Gulf-1 equations. This resulted in reductions in core-melt frequency of 2.1 x 10-6/RY for PWRs and 9 x 10-7/RY for BWRs.
The above data translated (assuming a population density at 340 people/square-mile) to a per plant reduction in public risk of 5.6 man-rem/RY for PWRs and 7 man-rem/RY for BWRs. Assuming 90 PWRs with an average remaining life of 28.8 yrs and 44 BWRs with an average remaining life of 27.4 yrs, the total public risk reduction was estimated to be 23,000 man-rem.
Industry Cost: An estimate of costs for implementing improved non-1E systems was based on the installation cost ($1M) of a safety parameter display system (SPDS) at Yankee Rowe. The SPDS is considered a non-1E system which includes certain design features beyond those of a typical non-1E system. It was assumed that classification and upgrading of all remaining non-1E systems would represent a similar cost of $1M/plant, divided evenly between equipment costs and manpower costs for backfit plants. Forward-fit plants should only require additional equipment costs. Total industry cost would then be (based on 47 backfit and 43 forward-fit PWRs and 24 backfit and 20 forward-fit BWRs) about $100M.
NRC Cost: Since the IEEE Trial Use Guide P-827,233 "A Method for Determining Requirements for Instrumentation, Control and Electrical Systems Important to Safety," had been released, the NRC cost for development was considered minimal (i.e., on the order of 0.5 man-year). The cost for support of the resolution was believed to be potentially significant and was assumed to be 1 man-year/plant with a resultant cost of $13.4M.
Total Cost: The total industry and NRC cost associated with the possible solution to this issue was estimated to be $(100 + 13.4)M or $113.4M.
Based on a potential public risk reduction of 23,000 man-rem and an estimated cost of $113.4M for a possible solution, the value/impact score was given by:
(1) The estimates of the transient frequency reductions were subject to many assumptions which themselves are uncertain.
(2) Cost estimates were extremely hard to calculate without a clearer fix in mind.
(3) NRC review time would also vary based on the actual fix involved.
(1) A significant industry cost saving (which would outweigh the industry cost) could be calculated based on a saving in plant outage time resulting from improved non-1E system reliability. For example, if it were assumed that non-loss of offsite power transients would be reduced from 7 to 6.58/RY with a loss of one day of power generation per transient, then unscheduled outages would be reduced by 0.42 day/RY. Based on a replacement power cost of $300,000/day, the cost savings would be (0.42 day/RY)($300,000/day) or $130,000/RY. For 134 plants with a remaining lifetime of 30 years, the total cost savings would be (134 plants)(30 years)($130,000/RY) or $523M.
(2) A draft of IEEE P-827, "A Method for Determining Requirements for Instrumentation, Control and Electrical Systems Important to Safety," was issued.
(3) RES was in the process of developing a draft regulatory guide for the classification of systems important to safety that would provide for a Class 2E instrumentation, control, and electrical power system and equipment. This effort was proceeding independently of the IEEE/ANS efforts.
Based on the favorable value/impact score, the effort expended up to the time of the above analysis, and the potential risk reduction and cost saving, this issue was given a medium priority ranking. However, after further evaluation, it was reclassified as a Licensing Issue based on the continuation of the staff's support of the IEEE efforts to develop a standard to define requirements for equipment and systems that are not safety-related, but are sufficiently important to safety to warrant special consideration.1105
The Draft Trial Use Guide P-827 was developed by IEEE but was never published; the project was withdrawn in 1983. Under a separate activity, BNL, under contract with the NRC, attempted to develop a methodology to address the classification issue. In both instances, these activities were terminated due to a lack of agreement on the scope and content of the issue.
In 1989, the IEEE/NPEC Working Group SC 6.2 continued to develop a Position Paper on this issue that would only address the possible benefits of establishing a graduated classification program and would provide a list of attributes that would be prudent to incorporate into such a program. However, the Position Paper was not expected to establish any specific guidelines for an acceptable program.
Based on the lack of new plants being constructed, the industry's reluctance to change their existing classification documentation, and the previous efforts both by the NRC staff and the industry to develop a classification methodology, the staff concluded that no additional NRC action should be taken. Thus, the issue was resolved.1187