Resolution of Generic Safety Issues: Issue 2: Failure of Protective Devices on Essential Equipment (Rev. 2) (NUREG-0933, Main Report with Supplements 1–34)
This issue was identified[4] after a review of LERs involving the failure or degraded performance of essential equipment that resulted from the failure of protective devices such as fuses and circuit breakers. The affected systems included plant control, engineered safety features, and plant protection. In this evaluation, these affected systems are referred to as essential equipment.
The observed protective device failures were not limited to overcurrent devices but also occurred in torque and limit switches and overspeed trips. The essential equipment failures may have been caused by (a) essential equipment component failures or (b) protective device failures such as improper application, maladjustment, or protective device component failures.
The concern raised in this issue is that the failure rates of essential equipment that are assumed in PRAs may not have accounted for those failures of protective devices that also disable the essential equipment, hence leading to underestimation of risk. A further discussion of this issue was published in NUREG-0705.[44]
If PRAs do not properly account for the failures of essential equipment as a result of protective device failures, the assumed failure rates may be too optimistic. This can seriously affect industry and NRC priorities in expending resources to address safety concerns. Since essential equipment on all plants contains protective devices, this issue affects all operating and future plants.
Given the nature of PRA and the limitations of its use in the regulatory arena, it was not likely that a solution to this issue could result in additional requirements to be imposed on plants. However, a possible solution could be an information notice to alert licensees and PRA analysts of any shortcomings in the PRA methodology or assumptions so that plant risk is not underestimated in PRAs.
This issue addressed PRA analysis methodology and the validity of certain assumptions including (a) the composition of failure rate data and (b) the modeling of essential equipment and their associated protective devices in the PRAs. In considering the relation between (a) and (b) above, four analysis possibilities can develop:
(1) The failure data are given for essential equipment, including their protective devices, and the plant modeling accounts for essential equipment including protective devices. In this case, risk estimates are done properly.
(2) Failure data are given for essential equipment without protective devices and the plant model accounts for essential equipment without protective devices; the model deals with protective devices separately. Also, in this case, risk estimates are done properly.
(3) Failure data are given for essential equipment with protective devices, but the model is for essential equipment without protective devices; protective devices are modeled separately. In this case, the protective device failure rates are considered twice. This analysis tends to overestimate plant risk.
(4) Failure data are given for essential equipment without protective devices, but the model is for essential equipment with protective devices, i.e., the protective device failure rates are not considered. This analysis tends to underestimate plant risk.
However, knowledgeable PRA practitioners believe that present PRAs usually model the protective devices explicitly but sometimes include them with the essential equipment and account for their failure rates.
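The four data/model combinations above can be compared on a small fault tree. The following is an added illustration, not part of NUREG-0933: the failure probabilities, the two-train redundant layout, and all function names are constructed assumptions, and trains and events are assumed independent.

```python
"""Added illustration: the four data/model boundary combinations for a
protective device, evaluated on a small fault tree. All numbers are constructed."""

# Constructed per-demand failure probabilities (not taken from any database).
P_EQUIP_BARE = 1.0e-3  # essential equipment alone, device outside the boundary
P_DEVICE = 2.0e-4      # protective device failure that disables the equipment


def p_or(*probs):
    """OR gate: at least one of several independent events occurs."""
    survive = 1.0
    for p in probs:
        survive *= 1.0 - p
    return 1.0 - survive


def p_and(*probs):
    """AND gate: all of several independent events occur."""
    result = 1.0
    for p in probs:
        result *= p
    return result


# Failure data collected with the protective device inside the component boundary.
P_EQUIP_WITH_DEVICE = p_or(P_EQUIP_BARE, P_DEVICE)

# case number -> (data include device?, model has a separate device event?)
CASES = {1: (True, False), 2: (False, True), 3: (True, True), 4: (False, False)}


def train_failure(data_include_device, device_modeled_separately):
    """Failure probability of one train as the PRA model would compute it."""
    basic = P_EQUIP_WITH_DEVICE if data_include_device else P_EQUIP_BARE
    return p_or(basic, P_DEVICE) if device_modeled_separately else basic


def system_failure(case, trains=2):
    """Top event: every redundant train fails (trains assumed independent)."""
    return p_and(*[train_failure(*CASES[case])] * trains)


def ratio_to_correct(trains=2):
    """Each case's top-event probability relative to the consistent case (1)."""
    reference = system_failure(1, trains)
    return {case: system_failure(case, trains) / reference for case in CASES}


if __name__ == "__main__":
    for case, ratio in ratio_to_correct().items():
        print(f"case ({case}): {ratio:.3f} x the consistently modeled risk")
```

With these constructed values, cases (1) and (2) agree, while the boundary mismatch in cases (3) and (4) is raised to the power of the number of redundant trains in the top-event estimate.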
There are several sources of generic databases that are used by the NRC and the industry to conduct PRAs. These databases include the Nuclear Computerized Library for Assessing Reactor Reliability (NUCLARR),[1327] IEEE Std. 500,[194] and the Component Failure Data Handbook (EGG-EAST-8563, INEL, June 1989). Also, some firms that conduct PRAs maintain their own generic databases.
The sources of the failure and demand information used in the generic databases include LERs, Nuclear Plant Reliability Data System (NPRDS) records, and other industry reports. These sources of failure data are affected by the interpretation by plant personnel of (1) the nature of the failure and (2) the boundaries of the affected system or component. For example, a control circuit that actuates a component may be included within the boundary of that component. Likewise, in generating the failure rate, some protective devices (e.g., fuses) that are installed in or on the body of the component may be considered as part of that component. On the other hand, circuit breakers, especially those not in the proximity of the affected equipment, are considered as separate components and are usually modeled as such.
Support system failures that lead to failure of a front-line system typically are treated as separate system failures and are modeled as such. For example, CCW system failure leads to a loss of lube oil cooling which in turn leads to pump failure. In this case, there is only one valid failure: the CCW system. The induced failures are accounted for in the model through the dependency matrix.
On the basis of discussions with knowledgeable PRA practitioners, existing practice was to include protective devices in PRAs, either explicitly or as an element of the component failure rate. Therefore, it was concluded that this issue did not represent a safety concern and was DROPPED from further consideration. In an RES evaluation,[1564] it was concluded that consideration of a 20-year license renewal period did not change the priority of the issue.