Resolution of Generic Safety Issues: Issue 43: Reliability of Air Systems (Rev. 2) ( NUREG-0933, Main Report with Supplements 1–34 )
This issue was initiated in response to an immediate action memorandum497 issued by AEOD in September 1981 regarding desiccant contamination of instrument air lines. NRR responded to the AEOD memorandum by establishing a working group498 to determine the generic implications of air system contamination and to develop recommendations accordingly. The AEOD memorandum was prompted by an incident at Rancho Seco where the slow closure of a containment isolation valve resulted from the presence of desiccant particles in the valve operator. Desiccant contamination of the plant instrument air system (IAS) was also found to be one of the contributing causes of the loss of the salt water cooling system at San Onofre in March 1980; this incident resulted in Issue 44, "Failure of Saltwater Cooling System." Since the only new generic concern to be found in the evaluation of the San Onofre event was the common cause failure of safety-related components due to contamination of the IAS, Issue 44 was combined with Issue 43.
Issue 43, "Contamination of Instrument Air Lines," as defined above, was evaluated in 1983 and a recommendation was made to drop it from further consideration. Comments received from the ACRS and AEOD, after the publication of the priority evaluation in November 1983, indicated that the issue should be broadened to include all causes of air system unavailability, as opposed to the restrictive limits that were imposed on the issue previously. NRR concurred with the ACRS and AEOD recommendations and agreed to reevaluate the issue after the completion of an extensive AEOD case study of air systems at LWRs in the U.S. AEOD Case Study C/7011078 was completed in March 1987 and later published in NUREG-1275.1079 As a result, Issue 43 was reevaluated, broadened as suggested above, retitled, and reprioritized.
U.S. LWRs rely upon air systems to actuate or control safety-related equipment during normal operation; however, air systems are not safety grade systems at most operating plants. Safety system design criteria require (and plant accident analyses assume) that safety-related equipment dependent upon air systems will either "fail safe" upon loss of air or perform its intended function with the assistance of backup accumulators. The AEOD case study1078 highlights 29 failures of safety-related systems that resulted from degraded or malfunctioning air systems. These failures contradict the requirement that safety-related equipment dependent upon air systems will either "fail safe" upon loss of air or perform their intended function with the assistance of backup accumulators. Some of the systems that may be significantly degraded or failed are decay heat removal, auxiliary feedwater, BWR scram, main steam isolation, salt water cooling, emergency diesel generator, containment isolation, and the fuel pool seal system. The end result of degradation or failure of safety or safety-related systems is an increase in the expected frequency of core-melt events and, therefore, an increase in public risk.
This issue is applicable to all operating and planned LWRs. For the purpose of this analysis, the safety issue resolution (SIR) is assumed to be the imposition of the following requirements upon the nuclear power industry:
(1) Licensees would be required to evaluate their air system(s) to ensure that the air quality is consistent with the equipment specifications and that it is periodically monitored and tested.
(2) Licensees would be required to review and revise anticipated transients and system recovery procedures and related training for loss of air systems as necessary.
(3) Licensees would be required to train the plant staff regarding the importance of air systems.
(4) Licensees would be required to verify the adequacy of safety-grade backup air accumulators for safety-related equipment and institute periodic surveillance programs.
(5) Licensees would be required to perform gradual loss of instrument air system pressure tests.
Assessment of this issue is based partly on work performed by PNL and will be reported in a Supplement to NUREG/CR-2800.64
This analysis uses the Oconee 3 PRA889 because it is the only readily-useable PRA that includes an assessment of the effects of air system malfunctions on safety systems in the event trees for accident evaluations. Although the air system modeling in the Oconee PRA is not very sophisticated, it offers the best treatment of air systems currently available. As a result, the analysis used for assessment of this issue uses the Oconee PRA as representative of all LWRs rather than the usual approach of using two representative PRAs: one for PWRs and one for BWRs. It is assumed that the reduction in affected public risk and core-melt frequency can be estimated as reductions in air systems contribution to the total Oconee 3 risk. The dominant sequence type involves the following scenario: A loss of instrument air (T6) occurs as an initiating event, as a result of a loss of offsite power, or as a result of system faults after a reactor trip. Main feedwater is not available because of the loss of instrument air, and the special operation of the emergency feedwater system after a loss of instrument air also fails (only the steam-driven pump is available and it requires special actions). Feedwater is not recovered and HPI cooling fails to be initiated.
The dominant cut sets involving air systems malfunctions, along with their frequencies, are shown below:
|Cut Set||Event Frequency /Probability||Frequency/RY|
|T6||0.17/yr||1.4 x 10-6|
|T6||0.17/yr||5.2 x 10-7|
|T6||0.17/yr||6.8 x 10-7|
|Total:||2.6 x 10-6|
The events in these cut sets are defined as follows:
|T6||Loss of instrument air|
|REIA2/6||Failure of operator to recover instrument air in 2 to 6 hours after the initiating event.|
|EFTDST6H||Operator's failure to provide suction to the steam-driven emergency feedwater pump after the upper surge tank is depleted, given loss of instrument air; the operator is required to perform remote manual actions, including a position change on a locked valve.|
|REEF122/6||Failure to obtain feedwater from the SSF (Safe Shutdown Facility) after the failure of emergency feedwater 2 to 6 hours after the initiating event.|
|UTHPIH||Operator's failure to initiate HPI cooling.|
|EFM17||Failure of the steam-driven emergency feedwater pump through local hardware faults and human errors.|
|EFUSTF||Failure of the emergency feedwater pump because of insufficient inventory in the upper surge tank at the start of the sequence.|
To support the NRC's review of the Oconee 3 PRA, BNL performed a detailed review of the Oconee 3 PRA core damage sequence analyses.1080 BNL's review found that the values chosen in the Oconee PRA were non-conservative with regard to the IAS. Based on interviews with plant personnel and operating experience reviews, the BNL study concluded that the loss of instrument air was the dominant contributor to core damage frequency. Specifically, BNL found that examination of the pertinent data indicated an initiating frequency (T6 - loss of instrument air) of 0.21/RY. However, BNL's evaluation of the IAS pressure decay characteristics and its effect upon the upper surge tank drain valve, which fails open on loss of instrument air, indicate that instrument air must be recovered quickly (significantly less than 2 hours) and thus a recovery probability (REIA 2/6) of 0.5 should be used.
Repeating the affected cut set calculations using the above values, a base case affected core-melt frequency of 2.2 x 10-5/RY is determined. It should be noted that this high estimate of core-melt frequency is determined because of the effects of one valve which, moving to its "fail safe" open position upon loss of instrument air, drains the upper surge tank thus depriving the plant of its source of emergency feedwater. In this specific instance, the failure mode of the valve was ultimately revised to fail closed to reduce the core-melt frequency which could be attributed to loss of instrument (control) air. If one conservatively assumes that all plants have at least one safety or safety-related function which has an unknown high degree of sensitivity to the loss of control or instrument air, the use of the Oconee 3 PRA, as adjusted by the BNL recommendations, is considered to be an acceptable model for all plants. We have, therefore, assumed a base case core-melt frequency of 2.2 x 10-5/RY for loss of the air systems at LWRs.
For the purpose of evaluating the potential public risk reduction which might be achieved by the proposed SIR for this issue, we have assumed that implementing the SIR would result in a reduction of the frequency of the T6 events (loss of air systems). In order to evaluate the adjusted case core-melt frequency, it is assumed that the T6 initiating event frequency will be reduced approximately 30% as a result of SIR implementation. This assumption is based on an evaluation of the potential effects of the proposed resolution on each of several factors that contribute to the overall frequency of loss of instrument air, T6. It is believed that this assumption is conservative (some plants may realize greater improvements). One conservatism of this estimate is that no credit was given for potential improvements in operator recovery actions which could, in fact, reduce the consequences of air systems-related problems. An upper bound that assumes a 90% improvement in instrument air reliability is evaluated to show the potential effects on plants which may have greater improvement in air systems performance.
When the base case cut-set frequences are reevaluated using a 30% and 90% reduction in the frequency of the T6 event (i.e. T6 = 0.12 and 0.02/RY respectively), the new core-melt frequencies are found to be 1.6 x 10-5 and 2.3 x 10-6/RY. Subtracting post-SIR core-melt frequencies above from the base case affected core-melt frequency (2.2 x 10-5/RY) results in an expected reduction core-melt frequency (fcm) of 6 x 10-6/RY and 2 x 10-5/RY for the best estimate and upper bound cases, respectively.
From the compilation of operating and planned reactors found in Appendix C to NUREG/CR-2800,64 the total population of affected plants (N) is 134. When adjusted for the current date, the average remaining life time (T) for the population is 24.6 years.
An average dose from all core-melt sequences for an LWR (Ro) was estimated by PNL in the development of other issues to be 3.3 x 106 man-rem/event. The potential averted public risk (W) is given by:
For this issue, the best estimate and upper bound values of averted public risk are determined to be:
|W = (134)(24.6)(6 x 10-6)(3.3 x 106) man-rem|
|W = 65,300 man-rem|
|W = (134)(24.6)(2 x 10-5)(3.3 x 106) man-rem|
|W = 218,000 man-rem|
Industry Cost: Of the total population of 134 plants, 104 are currently operating with the remaining 30 in the construction phase. If the resolution actions assumed above are implemented, the following resource estimates are assumed for the 104 operating plants:
|(a) Labor:||2.4 man-weeks/plant to evaluate air system(s)|
|4.3 man-weeks/plant to review recovery procedures|
|0.6 man weeks/plant on average to revise recovery procedures|
|2.8 man-weeks/plant for additional staff training|
|3.3 man-weeks/plant to verify adequacy of back-up accumulators|
|7.9 man-weeks/plant for planning and executing tests|
|21.3 man-weeks/plant for SIR Implementation|
|(b) Equipment:||Additional testing equipment, moisture indicators, contamination sensors.|
For the 30 planned plants, no additional labor, down-time, or equipment is anticipated because it is assumed that air systems will be adequately evaluated at the pre-operational testing phase.
At the standard labor cost rate ($2270/man-week) and conservatively assuming an equipment cost of $5,000/plant, the total industry cost to implement the SIR is estimated to be $5.5M.
It is assumed that all 134 affected plants will institute increased maintenance and surveillance programs. This labor intensive activity is estimated to require an additional 8 man-hr/month/plant for periodic monitoring and testing. At the standard labor rate, the increased labor costs are estimated to be $18M for the industry over the expected remaining plant lifetimes. At a 5% discount rate, the present value of the industry recurring maintenance and surveillance cost is $9.4M.
The total industry cost for implementation, maintenance, and surveillance is $(5.5 + 9.4)M = $14.9M.
NRC Cost: Analysis and development costs for the SIR are estimated to be $275,000. This includes the cost associated with the issuance of an order imposing the SIR on the industry. The staff labor expenditure assumed for review, inspection, and approval of industry implementation of the SIR is as follows:
|Review and approval of licensee evaluations||= 2 man-months|
|Onsite Inspections||= 1 man-month|
|Total:||3 man-months/plant or 0.25 man-yr/plant|
This is assumed to apply only to the 104 operating plants since these activities will presumably be incorporated initially into the normal review and inspection accorded new plants prior to operation. At the standard labor rate, the NRC cost for the review, inspection, and approval of licensee implementation of the SIR is estimated to be $2.6M. The total NRC cost for SIR development and implementation is thus estimated to be $(0.275 + 2.6)M = $2.9M.
Staff oversight of industry maintenance and surveillance programs for air systems is estimated to require 0.5 man-week/RY. At the standard labor rate, the total NRC cost for SIR surveillance is estimated to be $3.7M. At a 5% discount rate, the present worth of the NRC recurring SIR surveillance costs is $1.9M. The total NRC cost for SIR implementation and surveillance is $(2.9 + 1.9)M = $4.8M.
The total NRC and industry costs are thus estimated to be $(14.9 + 4.8)M = $19.7M.
Based on the total best estimate risk reduction of 65,300 man-rem and the total industry and NRC cost of $19.7M, the value/impact score is given by:
It was assumed in the above analysis that 75% of licensee labor used to perform annual air quality tests and to take appropriate actions where required would be performed in a low level radiation environment of 2.5 millirem/hr. As a result, an ORE of about 600 man-rem was calculated for the implementation of the assumed solution for this issue.
This issue was assigned a high priority ranking based on its value/impact score. It was recognized that this conclusion was driven by the analysis of risk due to instrument air failure at a single plant. This analysis revealed a high degree of sensitivity to instrument air failures due primarily to poor selection of a "fail safe" position due to loss of operating air for one particular valve (which has subsequently been changed). Accordingly, the analysis used as a surrogate for all plants was very plant-specific in nature. However, past air system LERs revealed numerous additional instances in which a high degree of risk sensitivity was apparent.1079 Therefore, the Oconee 3 PRA, as modified by BNL, was used in order to ascertain a risk estimate for the industry, recognizing that it would not be appropriate for all plants and was no longer appropriate for Oconee 3.
In December 1987, the staff issued Information Notice No. 87-28,1140 Supplement 1, to inform OLs and CPs of the publication of NUREG-1275,1079 Volume 2. This report indicated that the performance of the air-operated safety-related components may not be in accordance with their intended safety function because of inadequacies in the design, installation, and maintenance of the instrument air system. The report also indicated that anticipated transient and system recovery procedures were frequently inadequate and that operators were not well-trained for coping with loss of instrument air conditions.
In August 1988, Generic Letter 88-141141 was issued to request that each licensee/applicant review NUREG-1275,1079 Volume 2, and perform a design and operations verification of instrument air systems. In addition, all licensees/ applicants were requested to provide a discussion of their program for maintaining proper instrument air quality. Thus, this issue was RESOLVED and requirements were established.