Resolution of Generic Safety Issues: Issue 55: Failure of Class 1E Safety-Related Switchgear Circuit Breakers to Close on Demand (Rev. 2) (NUREG-0933, Main Report with Supplements 1–34)
In August 1982, AEOD reviewed a number of LERs related to Class 1E safety-related switchgear circuit breakers and found a high incidence of their failure to close on demand. A preliminary report was written and transmitted to NRR with recommendations for improvements [281]. NRR reviewed the AEOD report and did not agree with the AEOD conclusion [282]. The preliminary AEOD report was later finalized, issued as a reactor case study (AEOD/C301) [864], and transmitted to NRR [661]. A further NRR review of AEOD/C301 [864] showed that NRR agreed with only one of the four AEOD recommendations. However, because of the AEOD concerns, NRR agreed to prioritize the issue [662].
The majority of safety systems contain large electrical components such as motors for pumps. Electrical circuit breakers must be closed to feed the power to these components. In addition, for cases of loss of offsite power, the diesel-generators must be connected (via breaker) to power all the plant electrical equipment. All of these breakers are normally closed by remote automatic electrical signals; however, they can be closed manually by an operator at the switchgear, provided the circuit breaker closing circuit, control power, and breaker operating mechanism are free of defects. Failure to close the required breakers could lead to core-melt. This issue applies to the design and operation of all nuclear power plants.
(1) Provide for monitoring the status of the closing circuit of Class 1E safety-related switchgear circuit breakers and, for appropriately selected breakers such as diesel-generator output breakers, make the status indication available to the control room operator. Further, other selected breakers which are normally open and through which emergency equipment is powered should be reviewed to determine if such monitoring may also be warranted.
(2) In the short-term, licensees of operating reactors should establish regular local surveillance of Class 1E switchgear circuit breakers to monitor the readiness status of the spring-charging motor of each unit.
(3) In addition to the above, measures that tend to preclude dirty or corroded contacts, poor electrical connections, blown control circuit fuses, and improper return of breakers to operable status should be incorporated into the maintenance procedures and used in actual maintenance practice.
(4) Shift operating personnel should receive periodic training in the logic and operation of circuit breakers equipped with anti-pumping controls.
In an evaluation of the issue by PNL [64], implementation of AEOD Recommendations 2 and 3 was assumed. Only the diesel-generator breakers were considered in the analysis because it was felt that they were the most significant contributors, based on their ability to simultaneously affect a large number of safety systems. The analysis was performed using ANO-1 as the representative plant.
For ANO-1, only one dominant accident sequence corresponds to loss of emergency power: T(LOP)LD1YC [366]. Of its dominant minimal cut sets, only the following involve diesel-generator-related failures:
T(LOP) • LF-AC-DG1 • LF-AC-DG2 • LF-EFS-E11 • [0.36]
T(LOP) • LF-AC-DG1 • LF-AC-DG2 • LF-EFC-D1D2CM • [0.05],
where the numbers in brackets [ ] represent the probabilities of nonrecovery within the estimated one-hour duration prior to onset of a core-melt.
The terms related to diesel-generator failure (LF-AC-DG1 and LF-AC-DG2) are redefined as follows to include a circuit breaker failure CBF:
LF-AC-DG1 = (LF-AC-DG1)_o + CBF1
LF-AC-DG2 = (LF-AC-DG2)_o + CBF2,
The terms with the subscript "o" represent the original terms and the designators "1" and "2" on CBF correspond to diesel generators "1" and "2", respectively. These term redefinitions result in the generation of two "new" minimal cut sets, representing the affected minimal cut sets for this issue:
T(LOP) • CBF1 • CBF2 • LF-EFS-E11 • [0.36]
T(LOP) • CBF1 • CBF2 • LF-EFC-D1D2CM • [0.05]
The terms CBF1 and CBF2 were then calculated using the following approach. A fault tree for failure to energize Class 1E safety-related electrical loads was constructed. This is caused by either diesel-generator failure or failure of the circuit breaker in its open position. The circuit breaker is failed open as a result of a failure in the breaker closing circuit and failure of the operator to order that the breaker be activated locally.
The latter is dominated by human error events. Failure to close the circuit breaker normally results from either an incorrect operator response or failure of the operator to respond to breaker position indicator lights. An incorrect operator response may occur if the operator responds to the wrong indicator light or his order to manually operate the breaker is misunderstood by another workman and the wrong breaker is closed. Failure of the operator to respond could be caused by improper indication of the breaker position or the operator failing to respond to correct light indications. Table 3.55-1 below lists the probabilities per demand for the basic events of this fault tree.
| Basic event | Probability per demand | Source |
|---|---|---|
| (1) Operator responds to wrong light | P(1) = 5 x 10^-3 | NUREG/CR-1278 [339] |
| (2) Workman throws wrong breaker | P(2) = 5 x 10^-3 | NUREG/CR-1278 [339] |
| (3) Improper light indication | P(3) = negligible (a) | WASH-1400 [16] |
| (4) Operator fails to respond | P(4) = 2.5 x 10^-1 (b) | NUREG/CR-1278 [339] |
(a) Improper light indication requires two simultaneous demand-type failures of indicator lights, i.e., green-light failure due to burn out and red-light indication due to spurious current. Probabilities for such failures are on the order of 1 x 10^-6 and negligible compared to those for human error.
(b) From data for failure to respond to one of M lights on panel; value used corresponds to M > 40.
Failure of the operator to effect on demand a manual bypass of the failed closing circuit is then equivalent to an unavailability given by:
ABF = P(1) + P(2) + P(3) + P(4) = 2.6 x 10^-1
The unavailability of the diesel-generator breaker closing circuit was estimated from the incidents reported in the AEOD preliminary report [281].
Number of failure-to-close events = 94
Number of reactors affected = 42
Period considered = 5.25 years
Analysis of these data shows that the number of incidents varied from 0 to 3 per reactor-year and 1 to 8 per 5.25-year period for individual reactors. As these data were derived from required LERs, it is assumed that no such failures of the Class 1E circuit breakers were reported from any other operating reactor.
Assuming periodic inspection every W weeks and a 1-day repair time if a breaker closing circuit is found defective, Average down-time (T) = (W/2 + 1/7) weeks.
where NF = number of failures
341 = the sum of reactor-years in reporting period
52 = the number of weeks/year
Unavailability of breaker closing circuit (BCC) is given by:
BCC = T
Unavailability of breaker to close on demand (CBF) is given by:
CBF = BCC • BF = 0.26 BCC
The unavailability of the breakers to close on demand is critical in the case that transfer of safety-related electrical loads to diesel-generator power is required. The AEOD report [864] noted that approximately 25% of the incidents reported involved a diesel-generator output breaker. The failure frequency calculation therefore assumed NF = (94)(0.25) = 23.5. Therefore,
The following table summarizes BCC and CBF for three inspection frequencies:
Breaker Unavailability as a Function of Inspection Frequency

| Inspection interval | BCC | CBF |
|---|---|---|
| 4 weeks | 2.9 x 10^-3 | 8.0 x 10^-4 |
| 2 weeks | 1.5 x 10^-3 | 4.0 x 10^-3 |
| 1 week | 8.6 x 10^-4 | 2.3 x 10^-4 |
NRC has no regulatory requirement for monthly inspections. However, assuming licensees' current inspection procedures require monthly inspections of the circuit breakers, the base case frequencies of the affected cut sets become 3 x 10^-10/RY and 4.8 x 10^-11/RY, respectively. Original values from the ANO-1 study are used for all terms except CBF1 and CBF2 (which are taken as 8.0 x 10^-4 as shown before). Thus the base case affected core-melt frequency is 3.5 x 10^-10/RY for PWRs. Scaling this value for BWRs resulted in a base case affected core-melt frequency of 2.6 x 10^-10/RY.
Increasing the inspection frequency to once per week results in an adjusted case core-melt frequency of 2.8 x 10^-11/RY (based on an adjusted case value of 2.3 x 10^-4 for CBF1 and CBF2). Therefore, the reduction in core-melt frequency for PWRs and BWRs is 3.2 x 10^-10/RY and 2.4 x 10^-10/RY, respectively.
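The arithmetic behind the unavailability table and the adjusted-case figure, as an added Python example that is not part of NUREG-0933. It assumes the failure rate is NF/(341 x 52) per week and that BCC is that rate times T, since the page's own rate expression is missing; the function names are illustrative.

```python
# Added example (not from NUREG-0933): re-derives the breaker unavailability figures.
NF = 94 * 0.25            # failure-to-close events involving a DG output breaker
REACTOR_YEARS = 341       # sum of reactor-years in the reporting period
WEEKS_PER_YEAR = 52

# Human-error probabilities per demand from Table 3.55-1; P(3) is negligible.
P = {1: 5e-3, 2: 5e-3, 3: 0.0, 4: 2.5e-1}

def bypass_failure():
    """Operator fails on demand to bypass the failed closing circuit (0.26)."""
    return sum(P.values())

def failure_rate_per_week():
    # Assumption: rate = NF / (reactor-years x weeks/year). The page lists these
    # three quantities but its rate expression is missing.
    return NF / (REACTOR_YEARS * WEEKS_PER_YEAR)

def average_downtime(w_weeks):
    """T = W/2 + 1/7 weeks: half the inspection interval plus a 1-day repair."""
    return w_weeks / 2 + 1 / 7

def bcc(w_weeks):
    """Unavailability of the breaker closing circuit (assumed rate x T)."""
    return failure_rate_per_week() * average_downtime(w_weeks)

def cbf(w_weeks):
    """Unavailability of the breaker to close on demand: 0.26 x BCC."""
    return bcc(w_weeks) * bypass_failure()

def scaled_core_melt(base_freq, cbf_base, cbf_adjusted):
    """Each affected cut set contains CBF1 x CBF2, so it scales with CBF squared."""
    return base_freq * (cbf_adjusted / cbf_base) ** 2

if __name__ == "__main__":
    for w in (4, 2, 1):
        print(f"W = {w} weeks: BCC = {bcc(w):.1e}, CBF = {cbf(w):.1e}")
    # Page values: base case 3.5e-10/RY with CBF = 8.0e-4; adjusted CBF = 2.3e-4.
    adjusted = scaled_core_melt(3.5e-10, 8.0e-4, 2.3e-4)
    print(f"adjusted core-melt frequency = {adjusted:.1e}/RY")
```

With these assumptions the BCC values and the 4-week and 1-week CBF values land within about 10% of the table, and the 2-week CBF computes to about 3.9 x 10^-4. Because both breakers appear in each affected cut set, the weekly-inspection core-melt frequency follows from the squared ratio of the CBF values.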
There are 90 PWRs and 44 BWRs with average remaining lives of 28.8 years and 27.4 years, respectively. Based on the reductions in core-melt frequency calculated above, PNL determined that the total public risk reduction associated with this issue is 2 man-rem.
Industry Cost: The costs to implement the recommendations were estimated by PNL [64]. Assuming 5.5 man-weeks/plant would be required to implement the recommendations in the plant procedures for operating plants, the total implementation cost was estimated to be $1.17M. Future plants are not affected since the above plans can be incorporated in their initial procedures.
Based on an increase in labor of 2.5 man-weeks/RY for weekly inspections and/or maintenance of Class 1E diesel-generator circuit breakers, the total operation and maintenance cost is $21.5M. This estimate includes training time. Thus, the total industry cost is approximately $23M.
NRC Cost: The cost for development of the solution was calculated to be $120,000, based on an estimate of 1.2 man-yrs. It was assumed that NRC review and approval of industry plans for implementing the solution would involve 1 man-week/plant for a total cost of $160,000 for all plants. NRC labor to check utility compliance with the solution through inspection/verification was assumed to be 1 man-hr/RY. Thus, total operation and maintenance costs were estimated to be $215,000. Therefore, the total NRC cost associated with the solution to this issue is approximately $0.5M.
Based on an estimated public risk reduction of 2 man-rem, the value/impact score is given by:
(1) The low cost recommendations, i.e., revising procedures, could be cost-beneficial on those plants that have experienced a relatively larger number of failures.
(2) The area of diesel-generator output breakers has also received attention during the staff's investigation of Issue A-44, "Station Blackout." In NUREG/CR-2989 [665], it was concluded that the output breakers (in combination with load sequencers) were responsible for about 10% of all emergency AC power system failures. The Regulatory Guide to be issued with the resolution of Issue A-44 will address the area of diesel-generator output breakers as part of reliability improvements of onsite sources.
(3) The NRR responses [662] to AEOD concluded that the overall issue could be effectively addressed by improvements in maintenance procedures and periodic testing. IE Information Notice No. 83-50 [663] was later issued by OIE.
(4) Implementation of the solution will not increase occupational dose because it involves the specification and authorization of inspection procedures. However, occupational dose from operation and maintenance of the solution was estimated to increase by 750 man-rem.
In AEOD/C301 [864], a number of failures of circuit breakers were tabulated and then evaluated to determine recommendations to remedy the problems found. This report did not provide any evaluation of the potential safety significance of the failures and did not address the following question: Are such failures an indication of an unacceptable failure rate? Based on the above risk analysis, we have concluded that the potential safety significance does not appear to indicate a need for issuing generic requirements. Furthermore, the issue was adequately addressed by IE Information Notice No. 83-50 [663]. Based on the value/impact score calculated above, this issue was DROPPED from further consideration.