Resolution of Generic Safety Issues: Issue 49: Interlocks and LCOs for Class 1E Tie-Breakers (Rev. 3) (NUREG-0933, Main Report with Supplements 1–34)
In an AEOD memorandum [638] to NRR, it was concluded that the design of the Point Beach Nuclear Plant, Units 1 and 2, under certain conditions, allowed manual interconnection of redundant electrical load groups, thereby paralleling their power sources. AEOD noted that it took the plant operators approximately five weeks to discover that the electrical distribution system line-up was not in the proper configuration. This suggested a generic concern regarding the adequacy of procedural and administrative controls. In this instance, the lack of procedures to include the monitoring of the status of the plant electrical distribution system during plant operation, through several shift changes, prevented the detection of the human error committed.
The incident referred to in the AEOD memorandum [638] was discovered (and corrected) at Point Beach Unit 2 on June 9, 1980 [639]. It involved operation at 100% power with one of the 4160V Class 1E redundant buses being supplied by the offsite power source via the other 4160V redundant bus and its tie-breaker.
In responding to AEOD, NRR identified [507] an additional complementary concern: interlocks are not provided to prevent the tie-breaker from being closed when both normal feed breakers to the Class 1E buses are closed. Interlocks are not provided between the emergency diesel-generator output breakers and the tie-breaker. Such interlocks should also be provided to prevent out-of-synchronization interconnection of the diesel-generator and the offsite power source.
GDC-17 requires that the onsite source and distribution systems have sufficient independence and redundancy to perform their safety function assuming a single failure. Operating the plant in the reported Point Beach configuration violates the independence requirement of being able to accommodate a single failure.
With features of breaker operation such as those at Point Beach, the following problems potentially impair plant safety: (a) a failure of the tie-breaker to open on loss of voltage would prevent both emergency diesel-generators from automatically supplying power to their respective buses (single failure); (b) the tie-breaker is capable of being closed when the offsite source breaker is closed on one bus and the respective diesel-generator breaker is closed on the other bus (paralleling two divisions, one with offsite and the other with emergency sources); and (c) the tie-breaker is capable of being closed when both 4160V Class 1E buses are being supplied by their respective diesel generators (paralleling redundant emergency sources). This is contrary to the requirement of Regulatory Guide 1.6 [66], which states "If means exist for manually connecting redundant load groups together, at least one interlock should be provided to prevent an operator error that would parallel their standby power sources."
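The breaker conditions described above can be written as a small line-up checker. This is an added illustration, not code from NUREG-0933 or from any plant; the two-bus model, the "at most one source closed" permissive, and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Lineup:
    """Breaker positions for two redundant Class 1E buses (True = closed)."""
    feed_a: bool      # normal (offsite) feed breaker, bus A
    feed_b: bool      # normal (offsite) feed breaker, bus B
    dg_a: bool        # diesel-generator output breaker, bus A
    dg_b: bool        # diesel-generator output breaker, bus B
    tie: bool = False

def tie_close_permitted(lu: Lineup) -> bool:
    """Assumed interlock: allow closing the tie only if at most one source
    breaker is closed, so closure can never parallel two sources."""
    return sum((lu.feed_a, lu.feed_b, lu.dg_a, lu.dg_b)) <= 1

def findings(lu: Lineup, at_power: bool) -> list[str]:
    """Name the conditions from the text that a given line-up meets."""
    out: list[str] = []
    if not lu.tie:
        return out
    if at_power:
        out.append("LCO: tie-breaker closed during operation")
    if lu.feed_a and lu.feed_b:
        out.append("interlock: both normal feeds closed with tie closed")
    if (lu.feed_a and lu.dg_b) or (lu.feed_b and lu.dg_a):
        out.append("(b): offsite source paralleled with the other division's diesel")
    if lu.dg_a and lu.dg_b:
        out.append("(c): redundant diesel-generators paralleled")
    return out

def blocked_source_states() -> int:
    """Count the 16 source-breaker combinations in which the interlock blocks closure."""
    states = product((False, True), repeat=4)
    return sum(not tie_close_permitted(Lineup(*s)) for s in states)

# Constructed line-up matching the reported event: bus B fed from bus A via the tie.
POINT_BEACH = Lineup(feed_a=True, feed_b=False, dg_a=False, dg_b=False, tie=True)

if __name__ == "__main__":
    print(tie_close_permitted(POINT_BEACH), findings(POINT_BEACH, at_power=True))
    print(blocked_source_states(), "of 16 source states block tie closure")
```

In this model the reported line-up passes the interlock permissive, because only one source breaker is closed, and is flagged only by the at-power check on tie-breaker position.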
A possible solution to this issue was the issuance of an IE circular to OLs requesting review of the design and operational features of all Class 1E bus tie-breakers. If only one tie-breaker existed between redundant Class 1E buses, then licensees should promptly take, as a minimum, the following actions, via procedural requirements (taken as the possible solution for affected plants): (a) use a bus tie-breaker only during shutdown when it is absolutely necessary; (b) physically disengage each tie-breaker and rack out (withdraw) following each usage; (c) "red tag" the tie-breaker enclosure for the breaker to be kept open; and (d) incorporate QA procedures to reconfirm that all tie-breakers are racked out and "red tagged" prior to each plant startup.
The existing licensing practice as stated in SRP [11] Section 8.3.1, III.2.B, required physically separated tie-breakers in series between redundant Class 1E buses. In addition, the STS for new plants require tie-breakers between redundant buses to be open as a condition of operability of the redundant Class 1E electrical distribution system. Therefore, this issue only affected operating plants. A cursory review of AC one-line diagrams for 22 plants indicated that ten had single tie-breakers between redundant buses [64]. Therefore, it was assumed that this issue affected 10/22 or 45% of all backfit LWRs, i.e., 11 backfit BWRs and 21 backfit PWRs.
At the time of this evaluation, there had been one documented tie-breaker failure [64]. Based on this experience (in some 1,000 RY of operation at that time), a tie-breaker failure frequency of about $1 \times 10^{-3}$/RY was estimated.
The probability of an emergency diesel-generator failing on demand to supply power to Class 1E buses is conditional on the tie-breaker between these buses being in a failed position during a loss of offsite power. Failure of emergency diesel power must persist for some time, typically 4 hours (based on NUREG-1032) [890], to lead to a station-blackout/core-damage sequence.
The frequency of loss of offsite power (LOOP) of 4 hours or longer duration was taken as $9 \times 10^{-3}$/RY, based on historic experience documented in NUREG/CR-3992 [10].
With a mean time to discovery and repair of 5 weeks (i.e., 0.1 yr.) for the failed circuit breaker (based on the Point Beach history), the indicated frequency of station blackout with core damage becomes $(9 \times 10^{-3})(0.1)(1 \times 10^{-3}) = 9 \times 10^{-7}$/RY. If there is a 0.1 probability that the incorrect tie-breaker position is not discovered and corrected within 4 hours after onset of LOOP, the adjusted core damage frequency becomes $(0.1)(9 \times 10^{-7})$/RY or $9 \times 10^{-8}$/RY.
In view of the low estimated severe core damage frequency, no consequence estimate was made; however, it would not have exceeded about $6 \times 10^{6}$ man-rem (about $5 \times 10^{6}$ man-rem for a PWR, based on a PWR-1 release and $7 \times 10^{6}$ man-rem for a BWR, based on a BWR-2 release). Thus, for the 32 affected plants with an average remaining life of 30 years, the public risk reduction was estimated to be $(30)(9 \times 10^{-8})(6 \times 10^{6})$ man-rem/reactor or 16 man-rem/reactor.
PNL estimated [64] $330,000 for industry costs and $32,000 for NRC costs as the total for all plants. This was based on 42 man-hours of industry labor for each of 32 operating plants performing design review and taking corrective action and 6 man-hours/plant doing design review but not required to take corrective action. The combined industry and NRC cost for plants involving corrective action was approximately $10,000/plant. This estimate was doubled to $20,000/plant to allow for the added costs of review and approval of analyses, designs, and reports and QA measures for corrective actions.
Based on an estimated public risk reduction of 16 man-rem/reactor and a cost of $20,000/plant, the value/impact score is given by:
(1) The bounding consequence estimates may well be an order of magnitude too high. Depending on containment features and accident particulars, containment failure may be delayed or not take place at all.
(2) The accident frequency may have been underestimated to the extent that there may have been unreported closed tie-breaker events; not all plants are required to report Point Beach-type incidents. (A number of older plants do not.) Thus, the one reported closed tie-breaker incident may not have represented all actual similar incidents.
(3) The risk analysis was based on the assumption that, if the incorrect tie-breaker position is discovered and corrected, then the plant is safe from core damage. However, some plants may have no interlocks to prevent closure of the diesel-generator breakers upon LOOP with the tie-breaker closed. In such designs, the diesel-generators can suffer damage such that they could not be restarted after opening the tie-breaker. For such plants, core damage becomes an order of magnitude more likely (since the estimated 0.1 probability of failure to achieve effective correction before core damage would not apply).
The low estimate for potential risk reduction and the associated value/impact score indicated that this issue should have a low priority. However, a medium priority was assigned because of the possible existence of plants having features that exacerbate the risk from this issue by causing potential serious damage to the diesel-generators. In November 1986, this issue was integrated into the resolution of Issue 128 [1001].