Resolution of Generic Safety Issues: Item B-8: Locking out of ECCS Power-Operated Valves (Rev. 1) (NUREG-0933, Main Report with Supplements 1–34)
This NUREG-0471 [3] item concerned staff positions [11] BTP EICSB 18 and BTP RSB 6-1 [1], which required physical locking out of electrical sources to specific MOVs in the ECCS. The existing staff positions established the acceptability of disconnecting power to electrical components of a fluid system as one means of designing against a single failure that might cause an undesirable component action. These provisions were based on the assumption that the component is then equivalent to a similar component that is not designed for electrical operation, e.g., a valve that can be opened or closed only by direct manual operation of the valve. They were also based on the assumption that no single failure can both restore power to the electrical system and cause mechanical motion of the components served by the electrical system.
The original position taken by W in WCAP-8966 (Proprietary) was that: (1) an active failure of an MOV was defined as failure to move to the desired position when signaled; and (2) spurious actions originating in the control circuitry were of very low probability and, therefore, such failures should not be considered in the design basis.
The staff determined that the W evaluation of the probabilities of failure of the electrical components was unacceptable as a design basis in lieu of the single failure criteria. This determination was based on the staff view that: (1) the W evaluation covered a very narrow portion of the problem; and (2) inadequacies in the reporting requirements for abnormal occurrences through September 1975 and the data base used in the evaluation could not be readily reconciled.
WCAP-8966 was submitted in March 1978 as an item-by-item response to staff concerns related to a W evaluation. As a result of the 1979 TMI-2 accident and the heavy expenditure of staff resources on TMI-related issues, review of this document was suspended.
The safety significance of this issue was that spurious actuation of valves could degrade or defeat the ECCS.
A possible solution was a probabilistic determination that there was negligible risk to the public due to potential mispositioning of the ECCS valves; thus, locking out of ECCS valves would not be required. This alternative probabilistic solution to the existing ECCS lock-out solution would involve a reevaluation of the staff requirement using a systems approach and considering such items as: (1) the evaluation of the probability of spurious signal; (2) time required to reactivate the valve operator; (3) status of signal lights when the circuit breaker is open; (4) can the valve be locked out in an improper position due to a faulty indicator? (5) are there other designs for improving reliability without lock-out? (6) what are the advantages and disadvantages of corrective action by an alert operator in case of incorrect positioning vis-a-vis a system with power locked out?
Using the W arguments in WCAP-8966 and WCAP-9207 (Proprietary) to support the position that ECCS lock-out was not required, it was reasonable to assume that changing the existing staff position to the proposed solution would not significantly increase the probability (frequency) of accidents leading to a core-melt.
In WCAP-8966, W calculated the probabilities of three specific failure mechanisms involved in mispositioning the ECCS valves. The failure mechanisms considered in this calculation included maintenance errors, electrical faults (shorts), and mechanical failures. The combined probability of the above failure mechanisms, coincident with a LOCA, was calculated to be 7 × 10⁻⁷. In addition, the calculated probability of ECCS valve mispositioning, coincident with a LOCA and as a result of operator error, was determined to be 4 × 10⁻⁷. The latter probability included incorporation of specific design changes and properly developed procedures, as described in WCAP-8966.
No information had been provided by industry or developed by the staff that was related to failure mechanisms or potential operator errors resulting from locking out of the ECCS valves. Such information would be needed to completely evaluate the accident frequencies associated with the staff ECCS lock-out position. In the absence of any identified accident sequences initiated or exacerbated by locking out the valves, any increase in accident frequency due to locking out ECCS valves was assumed to be negligible.
As noted above, the frequencies of accident sequences, not the consequences, would be changed whether ECCS valves are locked out or not.
Because licensees had already implemented locking out the ECCS valves in accordance with BTPs [11] ICSB-18 and RSB 6-1, there was no cost benefit from relaxation of the ECCS lock-out position.
It was estimated that 6 to 9 staff-months would be required to review WCAP-8966. Preparation of responses to staff questions and possibly an updated submittal was also estimated to take approximately 6 to 9 man-months of industry time. Thus, the total estimated NRC and industry cost associated with the possible solution was $150,000.
No significant change in risk was identified and a significant expenditure of NRC and industry manpower would be involved to resolve the issue. Thus, based on the information available, the value/impact score was essentially zero.
The existing staff position for locking out ECCS power-operated valves provided an acceptable approach to meet the single failure criterion required by 10 CFR 50. This issue was DROPPED from further consideration as a safety issue until a quantifiable reduction in public risk or a significant industry cost saving could be ascertained for an alternate solution to the existing ECCS lock-out position.