Resolution of Generic Safety Issues: Issue 76: Instrumentation and Control Power Interactions (Rev. 3) ( NUREG-0933, Main Report with Supplements 1–34 )
This issue was identified524 when a number of concerns regarding DC power systems were raised during the review of the proposed resolution of Issue A-30, "Adequacy of Safety-Related DC Power Supplies." The main concerns were:
(1) An instrumentation and control (I&C) power supply fault can cause a critical challenge to standby ESFs, i.e., cases including reactor trips, loss of main feedwater, loss of offsite power, and/or small LOCA through a failed-open PORV.
(2) The same I&C power supply fault could defeat some of the ESFs called upon to mitigate the initiating event, both core cooling systems and containment cooling systems.
(3) The same I&C power supply fault could blind or partially blind the operators to the status of the plant.
I&C electric power systems include AC and DC systems which provide control and motive power to several vital and non-vital components. These components include instrumentation and controls, emergency diesel generator controls, solenoid valves, and breaker controls. Many of these components are required to operate under abnormal and accident conditions. Large-capacity batteries are a typical electric power system component which provide electric power to the DC components. Battery chargers are provided to ensure that an adequate charge is maintained. Inverters are used to convert the DC to AC in order to provide continuous power to vital equipment during offsite AC power interruptions.
Operating experience1428 indicated that failures in I&C systems have occurred at a significant frequency and a number of these failures have had potential safety implications. Potentially significant events included loss of DC power supplies for one hour, partial and total losses of normal and emergency AC power, loss of control room annunciators, control system malfunctions, reduction or loss of feedwater, and a variety of inadvertent valve actuations. The impact of these failures has ranged from minimal effects on plant operation to reactor trips with complications. Most notable was the event at Nine Mile Point in August 1991.1429 The simultaneous loss of five uninterruptible power sources was unexpected and presented unique challenges to both equipment and personnel. Fixes that have been implemented to prevent recurrence of these events include modifications to operating procedures, TS changes, and repair or replacement of failed components. The evaluation of this issue included consideration of Issue 46, "Loss of 125 Volt DC Bus."
The operating events that have occurred were typically recoverable in a short period of time. However, the effects of the power failures may result in transients involving a series of multiple, propagating interactions that may lead to adverse conditions that are not readily reversible or correctable. This issue affected all operating and future plants.
Resolving this issue could require actions to increase the reliability of power systems. One method would be to require additional sources and divisions of electric power which would involve a major hardware modification for some plants. For example, some plants were already equipped with four divisions of vital AC and DC power. Other possible solutions could include new testing, increase existing test frequencies, improve preventive maintenance and/or better operating procedures.
This issue affected 90 PWRs and 44 BWRs with average remaining lives of 28.8 and 27.4 years, respectively. This analysis was performed for Grand Gulf 1 (BWR) and scaled to Oconee 3 (PWR) using the scaling relationships given in NUREG/CR-2800.64 The primary focus of the analysis was on DC power systems. Two situations involving DC power losses were analyzed separately and the results combined; one involved DC power failures as initiating events and the other involved DC power failures as contributing events.
The Grand Gulf 1 PRA includes DC power system failure as a contributing event. The analysis of this issue required added assumptions about DC power system failures as initiating events.
It was assumed that undervoltage and undercurrent events can have the same consequences as a sudden loss of power. This assumption was supported by LER data reviewed from the 1984 to 1990 time period which involved DC system failure. For example, an undervoltage can result in a main feedwater trip. The transient and resultant reactor trip are similar to a sudden loss of main feedwater. In analyzing the LER data, the undervoltage and undercurrent events were assumed to be failures of the affected equipment.
It was assumed that overvoltage and overcurrent events are recoverable because of the protective devices on the equipment. Unless the protective devices fail, the equipment will not be damaged and can be returned to service (if lost); the LER data from 1984 to 1990 supported this assumption.
The frequency of DC power system failures, using the above assumptions and the data from the LERs, was the basis for improving the adjusted case. The possible solution was assumed to increase the reliability of DC power systems, based on battery failure rate distributions given in the Nuclear Computerized Library for Assessing Reactor Reliability (NUCLARR).1327 The error factors given in NUCLARR for 7 battery failure rate data points ranged from 2 to about 8. The average of these data points was 4.76. The solution was conservatively estimated to reduce the frequency of battery failures by a factor of 3.1327
Using a station blackout analysis, an event tree was constructed with the loss of DC power as the initiating event. The loss of AC power was assumed to be independent of a loss of the DC power system. The emergency AC power reliability was assumed to be representative of a single, failed diesel in a two-diesel generator system; the probability of recovery of AC power within one hour was estimated to be 0.55.890
If AC power is available, it was assumed that RCP seal cooling is available and an RCP seal LOCA is not likely to occur. However, the subsequent transient is likely to result in an increase in primary coolant system pressure and temperature. The potential exists for a LOCA to be caused by a stuck-open safety relief valve. The AC power recovery time to prevent core damage from a stuck-open relief valve is 1 to 2 hours. If AC power is not available, there is a significant probability that a RCP seal LOCA will occur. The AC power recovery time to prevent core damage from a RCP seal LOCA depends on the size of the LOCA. If RCP seal leakage is large (more than 100 gpm/pump), the core could be uncovered within a few hours. Smaller leak rates (a few gpm/pump) are not a limiting factor.890 Issue 23, "Reactor Coolant Pump Seal Failures," showed a probability of leak rates of 480 gpm/pump, which would reduce the recovery time significantly.
DC Power Failure - Initiating Events: To estimate the reduction in core-melt frequency, a search of LERs from 1984 through 1990 was made using the key words "DC power" and "station battery." Only those LERs that had safety significance were considered. From this LER data, the base case value for the frequency of DC power failures and subsequent reactor trip as an initiating event was estimated to be 0.06/RY. Based on the Grand Gulf 1 PRA, the frequency of this initiating event leading to core-melt was calculated to be 6 x 10-7/RY. The adjusted case was then calculated based on a factor of 3 reduction in initiating event frequency, resulting in a core-melt frequency of 2 x 10-7/RY.
DC Power Failure - Contributing Events: DC power system failures as contributing events are represented in the Grand Gulf 1 PRA by events BATA and BATB. The base case failure probabilities for both these events are 0.001. The base case CDF for Grand Gulf was 4.9 x 10-7/RY and the adjusted case was calculated to be 1.6 x 10-7 /RY, based on a factor of 3 improvement in the unreliability of the batteries and DC system. Combining these 2 sets of events resulted in a base case core-melt frequency of 1.1 x 10-6/RY and an adjusted case core-melt frequency of 3.6 x 10-7 /RY. Subtracting the adjusted case from the base case yielded a reduction in core-melt frequency of 7.4 x 10-7/RY for BWRs.
The PWR values of core-melt frequency were arrived at by scaling the BWR values; this resulted in an estimated base case core-melt frequency of 2.4 x 10-6/RY and an adjusted core-melt frequency of 8 x 10-7/RY. The reduction in core-melt frequency then is 1.6 x 10-6/RY for the PWR.
For BWRs, the core-melt frequency reduction of 7.4 x 10-7/RY translated to a public risk reduction of 2.1 man-rem/RY. For 44 BWRs with an average remaining life of 27.4 years, the estimated public risk reduction was 2,532 man-rem. For PWRs, the core-melt frequency reduction of 1.6 x 10-6/RY translated to a public risk reduction of 1.7 man-rem/RY. For 90 PWRs with an average remaining life of 28.8 years, the estimated public risk reduction was 4,406 man-rem. Thus, the total potential public risk reduction associated with this issue was approximately 7,000 man-rem.
Industry Cost: All plants would need to prepare a FMEA of their power systems and would have to: (1) revise TS; (2) rewrite operating procedures; and (3) train operators. At a cost of $99,000/plant, the cost for these changes were estimated to be $13.3M. In addition, it was estimated that 27 plants with particularly unreliable DC power systems would require hardware modifications. These plant modifications were estimated to cost $275,000/plant for a total of $7.4M.
The TS changes were assumed to increase the power inspection/tests. The annual cost necessary for operating and maintaining the proposed solution was assumed to include approximately 48 man-hours/RY. This estimate included periodic retraining as well as additional time required to perform more surveillance tests on the batteries. This estimated annual cost was $2,724/RY. For all 134 plants with an average remaining life of 28.3 years, the cost was $10.3M.
NRC Cost: One man-year of contractor effort was estimated for reviewing and updating existing data, determining the feasibility of the possible solution, and developing a technical findings document. NRC technical oversight was estimated at 0.1 man-year. A value/impact and backfit analysis was estimated at $75,000. At a cost of $100,000/man-year, the total development costs were estimated at $0.185M.
NRC review of the FMEA and TS revisions was estimated at 0.5 man-week/plant. At a cost of $2,270/man-week, the total estimated cost was $0.15M for all 134 plants. Reviewing the hardware modifications was estimated to require 2 man-weeks/plant. Since hardware modifications would be required only on the 27 plants with unreliable DC power systems, at a cost of $2,270/man-week, these reviews would cost $0.123M. The total NRC cost to support implementation was estimated to be $0.273M.
The NRC support cost for operation and maintenance for plants requiring hardware modifications was estimated at 0.5 man-week/RY. Since the 27 plants had an estimated remaining life of 28.3 years, the total NRC operation and maintenance support cost was estimated to be $0.867M.
Total Cost: The total industry and NRC cost associated with the possible solution to this issue was $32.3M.
Based on an estimated public risk reduction of 7,000 man-rem and a resolution cost of $32.2M, the value/impact score was given by:
Additional Public Risk Attributed to Vital AC Power Losses: The reduction in core-melt frequency and resultant risk was estimated while focusing on the DC portion of the issue. Inclusion of the vital AC portion would tend to raise the risk reduction and therefore the issue priority.
Other Related Actions: Issue 128, "Electrical Power Reliability," combined a number of electrical power issues and considered a number of related issues and actions. Three specific issues were A-30, "Adequacy of Safety-Related DC Power Supplies"; 48, "LCOs for Class 1E Vital Instrument Buses"; and 49, "Interlocks and LCOs for Class 1E Tie Breakers." With the resolution of Issue 128 and other issues, a number of actions were taken that could have a significant impact (i.e., lower the assumed safety benefit) on the possible resolution of Issue 76 and, therefore, lower its priority.
IPE: One preliminary result1430 from a plant IPE indicated that certain power system faults/failures can be a large contributor to a core-melt. In this instance, the unbalanced nature of the loads contributed to the significance of the postulated events. This would tend to increase the priority of the issue.
Life Extension: The remaining life of the affected plants was based on the assumption that the total operating life of nuclear power plants was limited to 40 years. If it was assumed that 75% of the plants had their licenses extended for 20 years, the value/impact score would have increased to about 260 man-rem/$M.
The preliminary results1430 from an IPE indicated that certain power system faults/failures can be a large contributor to core-melt probability. Although the potential risk reduction calculated above would have placed this issue in the medium priority category (See Appendix C), it was concluded that the safety concern would be addressed more directly on a plant-specific basis in the IPE program. Therefore, this issue was DROPPED from further pursuit as a new and separate issue. Consideration of a 20-year license renewal period did not change this priority.1564