Resolution of Generic Safety Issues: Item A-30: Adequacy of Safety-Related DC Power Supplies (Rev. 1) (NUREG-0933, Main Report with Supplements 1–34)
This issue is documented in NUREG-0371 [2] and addresses the adequacy of safety-related DC power supplies, which was questioned by a nuclear consultant in a letter to the ACRS in April 1977 (NUREG-0305 [163], Attachment B). The staff performed an initial study of the DC power supplies' safety adequacy and reviewed typical designs, operating experience, and decay heat removal capability with DC power system failure. The results of this initial staff assessment were reported in NUREG-0305 [163], which recommended performance of a quantitative reliability assessment. That was done and the results are documented in NUREG-0666 [164].
The DC power system in a nuclear power plant provides control and motive power to valves, instrumentation, emergency diesel generators, and many other components and systems during all phases of plant operation including abnormal shutdowns and accident situations.
The minimum acceptable DC power system, specified in GDC-17 (10 CFR 50, Appendix A) and in SRP [11], Section 8.3.2, consists of two physically independent divisions which supply DC power for control and actuation of redundant safety-related systems.
Assurance of DC power supply reliability is subject to two concerns: (1) that the batteries and other system elements should remain in full operation-ready (not degraded) condition; and (2) that independence of the two redundant divisions should be assured. An aspect of the potential significance of the issue is that failure of one division would generally cause a reactor scram which could result in a demand for DC power to remove decay heat and prevent core melt.
NUREG-0666 [164] provided recommendations and supporting technical bases for augmenting the minimum design criteria and procedural requirements which will provide greater assurance of DC power supply reliability. These recommendations for augmenting the minimum requirements for DC power systems are: (1) prohibiting certain design and operational features of the DC power systems, such as use of a bus tie breaker, which could compromise division independence; (2) augmenting the test and maintenance activities presently required for battery operability to also include preventive maintenance on bus connections, procedures to demonstrate DC power availability from the battery to the bus, and administrative controls to reduce the likelihood of battery damage during testing, maintenance, and charging activities; (3) requiring staggered test and maintenance activities to minimize the potential for human error-related common cause failure associated with these operations; and (4) requiring design and operational features adequate to maintain reactor core cooling in the hot standby condition following the loss of any one DC power bus and a single independent failure in any other system required for shutdown cooling.
The recommendations of NUREG-0666 [164] are being translated into proposed requirements with the aid of technical assistance contracts and the benefit of ACRS review.
With respect to Recommendation 4, evaluation by DSI indicates that most existing plants should be able to meet the concern identified in that recommendation without major modification. The DSI evaluation [165] took into account current steps to upgrade, under the TMI Action Plan Item II.E.1.1 in NUREG-0737 [98], those PWRs with only two auxiliary feedwater pumps, to improve assurance that at least one auxiliary feedwater train would be available following DC bus failure and an additional single active failure. Case-by-case review of specific plants will be required where it appears that the power supply interdependencies (due to absence of complete compliance with Recommendations 1, 2, and 3) may bring into question the validity of assumptions underlying the DSI evaluation [165].
For plants not yet built, consideration is being given to further enhancing the reliability of the DC power supplies by: (1) placing nonsafety-related loads on completely separate DC power supplies (i.e., nonsafety-related balance-of-plant and switchyard batteries); and (2) dividing the Class 1E (safety-related) DC supplies into four physically and electrically independent systems to reduce the probability of reactor trip in the event of the loss of a single safety-related DC bus.
Estimated accident frequencies and consequences and costs of corrective actions are subject to substantial variation from case to case since current plant designs and operational practices vary. Estimates are also a sensitive function of particulars of resolution options to be selected for various classes of plant design and plant status.
From NUREG-0666 [164] (p. 48), $F = 4 \times 10^{-4}$/RY. This estimate of the frequency of core-melt due to DC power failure is for plants meeting, but not exceeding, current minimum requirements (GDC-17). NUREG-0666 [164] (p. 2) states that, in general, operating plants have DC power supply designs and procedural standards that exceed current minimum requirements. Therefore, the actual frequency would be less by an amount that cannot now be accurately estimated. In NUREG-0666 [164], the proposed solutions are estimated to have the potential to reduce the frequency by over a factor of 10.
Since loss of DC power could cause failure of both core decay heat removal and containment heat removal, the consequences are taken as accidents in which the core melts and the containment fails due to overpressure as a consequence of loss of containment cooling. This corresponds to WASH-1400 [16] BWR-2 and PWR-2 accident release categories.
Consequences for BWR-2 and PWR-2 release categories are expressed in man-rem. The total whole-body man-rem dose is obtained by using the CRAC [64] Code for the particular release category. The calculations assume a uniform population density of 340 people per square mile (which is average for U.S. domestic sites) and a typical (midwest site) meteorology. For a PWR-2 accident, $D = 4.8 \times 10^{6}$ man-rem and for a BWR-2 accident, $D = 7.1 \times 10^{6}$ man-rem. The average dose for both BWRs and PWRs is $6 \times 10^{6}$ man-rem. This may be an overestimate because, depending on plant and accident specifics, the containment may not fail.
We arrive at our estimate of the potential risk reduction for 73 reactors with a 30-year operating life by multiplying the frequency and consequences estimated above by 73 x 30 and dividing the product by 10 to correct for the combined effect of the overestimates in the frequency and consequences discussed above. Thus, the total estimated potential risk reduction for the 73 reactors involved is as follows:
Further anticipated NRC costs of roughly $200,000 would bring the total NRC cost to about $400,000 (based on discussions with PSB). No NRC estimates of industry costs of implementation are currently available, though PSB believes that the cost of implementing the NUREG-0666 [164] recommendations, except Recommendation 4, would not be large. A dependable industry-aided estimate must await completion of detailing of proposed specific requirements for design changes and for more extensive periodic testing. The current tentative conclusion concerning Recommendation 4 (viz., that no changes attributable to Item A-30 are required) points to no additional cost. On the basis of discussions with PSB, we associated with that recommendation an average cost of implementing Recommendations 1, 2, and 3 of NUREG-0666 [164] (involving connections, tests, and maintenance) in the range of $150,000 to $200,000 per reactor.
Seventy-three reactors are affected by the implementation recommendations of NUREG-0666 [164]. The total cost is the sum of NRC cost per reactor plus industry cost per reactor. However, considering that 73 reactors are affected, then the NRC costs are negligible in comparison. Therefore, the total cost for the solution to this issue is $(73)(0.2)M or $14.6M.
Based on a potential risk reduction of 530,000, the value/impact score is given by:
The probabilistic safety analysis in NUREG-0666 [164] was based primarily on relative comparison of core damage probability estimates. Uncertainty bands around the probability estimates are wide by two to three orders of magnitude (NUREG-0666 [164], pp. 46-47, 60-65). NUREG-0666 [164] (pp. 66-67) presents the following conclusions which underlie the recommendations cited above.
"The results of this work showed that failure of the minimum DC power system could represent a significant contribution to the unreliability of shutdown cooling. It was also shown that this contribution could be substantially reduced through the use of various design and operational improvements to the minimum DC power system. Since operating nuclear power plants include some DC power supply features which exceed the minimum analyzed, DC power reliability will be correspondingly improved at these facilities. The sensitivity analyses showed that the probability of a core damage accident can be significantly affected by the reliance placed on any one DC power supply for shutdown cooling functions. It was also shown through the sensitivity analyses that differences in design and operational features other than DC power can have a potentially large influence on the unreliability of shutdown cooling and the probability of a core damage accident."
This issue was conservatively determined to be of high priority and it was recommended that resolution be pursued to the point of establishing requirements and implementation plans. However, in November 1986, this issue was integrated into the resolution of Issue 128 [1001].