Resolution of Generic Safety Issues: Issue 17: Loss of Offsite Power Subsequent to a LOCA (NUREG-0933, Main Report with Supplements 1–34)
In the event of a LOCA in which offsite power remains available, the reactor operator may choose to shut down the emergency diesel generators shortly after the LOCA. If, after the diesels are shut down, offsite power is lost, a potential safety problem arises in view of the possibly short time available for manual restart of the diesels and proper sequencing to assume the LOCA loads. This problem is essentially identical to the problem raised in connection with the reset of the safety injection signal which would also shut down the diesel generators and possibly prevent automatic resequencing of engineered safety feature equipment in the event of subsequent loss of offsite power. Hence, this issue will be evaluated in terms of the SIS reset problem and Issue 26 in this section will also be considered.
The SIS reset issue has been worked on sporadically since late 1976 when it was formalized as Issue No. 4 in NUREG-0138 [32]. The historical development of the NRC effort on this problem through February 1982 has been documented in detail [35]. Subsequent to this effort [35], the NRC effort was resumed by the Power Systems Branch (PSB) in an effort to establish a systematic approach by which to resolve this problem [33].
The ECCS designs are such that beginning about two minutes after occurrence of a LOCA the operator is required to reset the safety injection system (SIS) signal. If the operator does reset the SIS signal (a few minutes after LOCA) and if a loss of offsite power should then occur, prompt operator action would be required to restart the LOCA loads. The logic for startup of the emergency diesel generators would cause automatic sequencing to pick up the normal shutdown cooling loads in some designs and in others no loads would be sequenced (since there would be no accident signal present) rather than the LOCA loads, which would be the case if SIS had not been reset. Moreover, if loss of offsite power should occur after reset, some plants may not restart such essential loads as diesel cooling, thereby compromising diesel availability.
Therefore, for conditions other than the design basis (coincident LOCA/LOOP), design variations, ranging from proper loading to improper loading to no loading at all, may exist in the control logics for the application of loads to the ESF buses. Thus, a set of circumstances may develop shortly after the initiation of a LOCA that could lead to severe undercooling of the core and possibly core melting.
The solution to the potential problem is not clear cut. On one hand, there seems to be obvious merit in permitting the operator to terminate operation of safety equipment if the situation has been diagnosed and continued operation is not needed. This may actually avoid an accident. For example, failure to shut off the high pressure safety injection pumps could result in completely filling the pressurizer and challenging the PORV and/or a safety valve. On the other hand, there may be a greater risk in depending on the operator to initiate safety equipment operation in a short time period to mitigate the consequences of a real accident that occurs following SIS reset.
At one time, the solution to this problem was thought to be procedural: operator action on SIS reset earlier than 10 minutes would be prohibited [32]. The basis for this value is not clear, and the matter is currently being investigated by PSB to establish the probabilities and consequences of various LOCA/LOOP sequences and to establish the time frame after which it is permissible to manually reload diesel-generator buses with the required loads to maintain the plant in a safe condition [33].
Reactor plant technical specifications do not permit the plant to operate without offsite power available. Therefore, offsite power is assumed to be available immediately prior to the LOCA. In addition, a LOCA will cause a generator trip, resulting in a sudden loss of power generation. If this generation loss exceeds the transient stability limits of the associated power system (net), then offsite power will be lost at the time of the LOCA. Based on data provided by the Federal Power Commission, the probability that the LOCA will cause a loss of the offsite net is presented in WASH-1400 [16] as $10^{-3}$ per year. On the other hand, if offsite power is still available after the LOCA, the probability that offsite power will subsequently be lost due to random causes is $(2)(10^{-5})$ per hour in WASH-1400 [16]. In addition, because of the variable time span in which loss of offsite power can occur in the case of loss subsequent to a LOCA, credit will be taken for corrective actions to restore offsite power following its loss. The available data in WASH-1400 [16] indicate that restoration time ranged from more than 150 hours to essentially zero time. The mean repair time was found to be less than 0.25 hour, but a conservative constant value of one hour for the repair model for restoration of power was used in obtaining the results below. Also, the probability of a pipe break leading to a LOCA is assumed to be $10^{-4}$ to $10^{-3}$ per reactor-yr, based on the results of WASH-1400 [16]. And, finally, the probability that two diesels fail to start independently is assumed to be $10^{-3}$ per demand. But with loss of offsite power both diesel generators would have to pick up the emergency load, and this single event could trip both units at a greater failure rate. WASH-1400 [16] contains an assessment of this probability (the diesel generators fail to pick up the emergency load) as $10^{-2}$ per demand, based on an analysis of some sparse data.
This value appears to be confirmed within a factor of 2 to 3 by additional studies performed in connection with USI A-44, "Station Blackout." From WASH-1400 [16], the cumulative probability of a loss of offsite power during a LOCA with both diesels failing to pick up load, with neither power source being repaired before the maximum allowed outage time has elapsed, is of the form:
p(t) = (net)q(2dg)f(t)
where (net) is the random failure rate for offsite power, q(2dg) is the probability per demand that both diesels will trip out, and f(t) is the time dependence of the cumulative probability. In the present case concerning the reset of the SIS, we assume that the unavailability of the diesel during a critical period early in the LOCA will be due to operator error leading to an improper SIS reset, at an assumed failure rate of $10^{-1}$ per demand, instead of failure of the diesels to pick up the LOCA loads immediately after start (assumed to be at the rate of $10^{-2}$ per demand in WASH-1400 [16]).
Based on the results presented in WASH-1400 [16], the probabilities (median values) of the loss of all AC power at the time of the LOCA (t = 0) and subsequent to the LOCA (t > 0) are:
| t = 0 | $Q_{AC} = q_{net} \cdot q(2dg) = (10^{-3})(10^{-2}) = 10^{-5}$ per demand |
| t = 1 hr | $Q_{AC} = 2(10^{-7})$ |
| t = 24 hr | $Q_{AC} = 5(10^{-6})$ |
| t = 4 mos | $Q_{AC} = 7(10^{-5})$ |
[based on q(2dg) = $10^{-2}$ per demand]
These values are revised to reflect a failure of the diesels because of an operator error leading to an improper SIS reset, at the assumed failure rate of $10^{-1}$ per demand, instead of the failure of the diesels to pick up the single load, with the failure rate of $10^{-2}$ per demand. The results obtained by multiplying by $(10^{-1}/10^{-2})$ are:
| t = 0 | $(Q_{AC})_{op} = (10^{-4})$ |
| t = 1 hr | $(Q_{AC})_{op} = 2(10^{-6})$ |
| t = 24 hr | $(Q_{AC})_{op} = 5(10^{-5})$ |
| t = 4 mos | $(Q_{AC})_{op} = 7(10^{-4})$ |
Taking the probability of a LOCA to be $10^{-3}$/RY and assuming that the critical part of the LOCA occurs within the first hour (as a result of operator error in the reset of the SIS), the probability of the LOCA and the complete loss of AC power is estimated to be approximately:
$(Q_{AC})_{op}(Q_{LOCA})_1 = 2(10^{-6}) \times 10^{-3}/\text{RY} = 2 \times 10^{-9}/\text{RY}$
The consequences for this event are taken to correspond approximately to the PWR-3, 4, 5, 6 and/or the BWR-4 category because the release sequence for this accident would occur sometime after the LOCA, so that some containment of radionuclides would have been achieved.
Consequences for these release categories are expressed in man-rem. The total whole-body man-rem dose is obtained by using the CRAC Code [64] for the particular release category. The calculations assume a uniform population density of 340 people per square mile (which is average for U.S. domestic sites) and a typical (midwest plain) meteorology. The average dose for the BWR-4 and PWRs-3, 4, 5, and 6 release is D = $2 \times 10^{6}$ man-rem.
The solution of this problem involves a study performed by the NRC staff leading to possible modifications of plant procedures and training of plant personnel. Assume that the NRC study requires an additional man-year and that 1 man-year has already been expended since the effort was started in NUREG-0138 [32] in 1976. A total of 43 PWRs are involved so that the estimated NRC costs per plant are: $200,000/43 = $4,651 per plant. The industry costs for retraining and changing of plant procedures are estimated [64] to be $80,000/plant for the first year and $20,000/plant for succeeding years. The industry cost is then approximately $80,000 + 29($20,000)/plant or $0.66M/plant (based on an average remaining reactor lifetime of 30 years). NRC costs are small in comparison to industry costs; therefore, the total cost to resolve this problem is estimated at $0.66M/plant.
The total public risk reduction for this issue, based on the results above, is $(2 \times 10^{-9})(2 \times 10^{6})(43)(30)$ man-rem or 5.16 man-rem. Based on this risk reduction, the value/impact score is given by:
In WASH-1400 [16], the probability of a LOCA is estimated to be in the range of $10^{-4}$ to $10^{-3}$; the larger value of $10^{-3}$ was used in this evaluation. In addition, no credit is taken for the operator's ability to manually realign the diesel generators to assume the necessary loads after reset. This may be difficult to quantify but the operator is apt to grasp the situation fairly quickly in the event of a serious accident and to take some remedial steps towards realigning the emergency power supply. Moreover, it is not clear that the release of $10^{8}$ Ci, corresponding to failure of the containment sprays as well as the core cooling systems, is appropriate in these circumstances. If the sprays do operate, the release is reduced to approximately $10^{6}$ Ci. And, finally, the cost estimate is based on procedural changes and operator training, which is the least expensive solution to this problem. If diagnostic tools were to be provided or any other changes in the form of hardware were installed to aid the operator in improving the SIS reset success rate, the cost would increase. All told, it is estimated that these effects would tend to reduce the calculated value/impact score by one to three orders of magnitude.
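The risk and cost arithmetic above, carried through as an added Python example that is not part of NUREG-0933. Function and constant names are illustrative; every input value is one quoted on this page, and the second call to `risk_reduction` exercises the lower end of the stated LOCA frequency range.

```python
"""Worked check of the Issue 17 risk and cost figures (added example)."""

# Median loss-of-all-AC probabilities quoted from WASH-1400 on this page,
# all based on q(2dg) = 1e-2 per demand.
Q_AC = {"0": 1e-5, "1 hr": 2e-7, "24 hr": 5e-6, "4 mos": 7e-5}

Q_2DG = 1e-2        # diesels fail to pick up load, per demand
Q_OPERATOR = 1e-1   # improper SIS reset, per demand (assumed on the page)
DOSE = 2e6          # man-rem, average for PWR-3..6 and BWR-4 releases
PLANTS = 43         # PWRs involved
LIFETIME = 30       # average remaining reactor lifetime, years


def operator_adjusted(q_ac=Q_AC):
    """Rescale each Q_AC by (operator error rate) / (diesel failure rate)."""
    factor = Q_OPERATOR / Q_2DG
    return {t: q * factor for t, q in q_ac.items()}


def event_frequency(loca_per_ry=1e-3, window="1 hr"):
    """Frequency per reactor-year of a LOCA plus complete loss of AC power."""
    return operator_adjusted()[window] * loca_per_ry


def risk_reduction(loca_per_ry=1e-3):
    """Total public risk reduction in man-rem over all plants and years."""
    return event_frequency(loca_per_ry) * DOSE * PLANTS * LIFETIME


def industry_cost_per_plant(first_year=80_000, later_years=20_000):
    """Retraining and procedure cost per plant over the remaining lifetime."""
    return first_year + (LIFETIME - 1) * later_years


def nrc_cost_per_plant(total=200_000):
    """NRC study cost spread over the affected plants."""
    return total / PLANTS


if __name__ == "__main__":
    for t, q in operator_adjusted().items():
        print(f"t = {t:>6}: (Q_AC)op = {q:.0e}")
    print(f"event frequency     : {event_frequency():.1e} per RY")
    print(f"risk reduction      : {risk_reduction():.2f} man-rem")
    print(f"  at LOCA = 1e-4/RY : {risk_reduction(1e-4):.3f} man-rem")
    print(f"industry cost/plant : ${industry_cost_per_plant():,}")
    print(f"NRC cost/plant      : ${nrc_cost_per_plant():,.0f}")
```

Using $10^{-4}$/RY instead of $10^{-3}$/RY for the LOCA frequency lowers the risk reduction by one order of magnitude on its own, before any of the other effects listed above are considered.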
This issue was determined to be in the DROP category. We note that all three PWR NSSS Vendor Owners' Groups have included restoration of applicable LOCA loads upon loss or challenge to a function in their emergency operating procedure guidelines developed in response to TMI Action Plan Item I.C.1. We expect procedures based on these guidelines to be implemented at all operating reactors by mid-1984.