Resolution of Generic Safety Issues: Issue 98: CRD Accumulator Check Valve Leakage (NUREG-0933, Main Report with Supplements 1–34)
During the review of LaSalle, ASB identified a potential problem which could be generic to all BWRs [381, 705]. The problem relates to the ability of the CRD accumulators to retain pressure for a sufficient period of time after the failure of a CRD hydraulic pump.
The CRDs are safety-related as are the accumulators and their associated check valves. For rapid reactor shutdown, the stored hydraulic pressure in the accumulator, in conjunction with the reactor system pressure, rapidly inserts all the control rods. At reactor pressures below 500 psig the accumulators provide all the motive force to insert the control rods. Each control rod is provided with its own accumulator. With the reactor pressure above 500 psig the accumulators provide the initial acceleration force for the control rods with the majority of the work provided by the reactor pressure.
The technical specifications [706] for BWRs have a CRD accumulator check valve leakage surveillance statement which is ambiguous and does not have an action statement for failure to pass the surveillance requirement.
The concern of this issue is the potential for the loss of a CRD hydraulic system pump at a low reactor vessel pressure with leakage of multiple check valves, followed by an accident situation that would require a reactor shutdown. During such an event, it is possible that there would be a failure to scram the reactor and the SLCS would be required to achieve cold shutdown.
Two possible solutions to this issue have been identified. First, the CRD pumps, associated valves, and instrumentation could be made safety-related with the redundant pump automatically starting upon failure of the running pump. The second possible solution would require both CRD pumps to be running with the reactor pressure less than 500 psig and with more than one control rod withdrawn. For those plants requiring manual action to open a stop check valve for the redundant pump to perform its function, an operator must be stationed by the valve, monitor the header pressure, and operate the valve when the header pressure drops to a predetermined value.
For this issue, it is assumed that operation below 500 psig will occur only during ascent to power and controlled descent from power operation. Further, it will be assumed that, to achieve 500 psig operation during controlled descent from power operation, the CRDs will be inserted by the time reactor pressure will have been reduced to 500 psig. During ascent to power, the time interval between going critical and reactor pressure reaching 500 psig is estimated to be usually one hour. It will also be assumed that a power ascent will occur monthly, on an average, for purposes of this calculation. The assumption of monthly power ascents will result in conservative calculations since the average number of plant trips is about eight per year, not all of which result in reactor pressure falling below 500 psig.
It will be assumed that check valve leakage will reduce the accumulator pressure below the pressure required to insert the control rod in ten minutes.
It is assumed that the accident requiring a scram is one that results in the loss of primary system pressure. With system pressure at or below 500 psig the negative reactivity feedback will, with decreasing temperature as a result of decreasing pressure, increase reactivity without control rod insertion. Thus, only those accident situations in which system pressure is lost and primary coolant temperature decreases require the insertion of the control rods to limit the core reaction, which would be the LOCA events.
Major PRA studies have assumed that a minimum of three adjacent control rods in a BWR must remain withdrawn for the reactor to remain critical. For this analysis, the same assumption will be considered valid.
The undesired event (U), that of being unable to shut down the reactor with the reactor protection system in an accident situation due to the loss of CRD accumulator pressure, can be defined as the product of the following probabilities:
A, the probability that an accident event requiring reactor trip occurs during any one year (1.4 x 10^-3). This quantity is based upon the total LOCA initiating event frequency as given in WASH-1400 [16].
B, the probability that the reactor vessel pressure is less than 500 psig with the reactor critical (1.7 x 10^-3). This probability is based upon the assumption that 12 ascents to power occur annually; that one hour elapses from attaining criticality until the reactor vessel pressure is greater than 500 psig; and that the average operating time per year is 7,000 hours.
C, the probability that the operators fail to scram the reactor within 10 minutes following the failure of the CRD hydraulic pump (0.1). This value is based upon the NUREG/CR-1278 [339] nominal model for operator error.
D, the frequency that the on-line CRD hydraulic pump fails during a one year interval (0.7). The WASH-1400 [16] failure rate for pumps was between 3 x 10^-6/hr and 3 x 10^-4/hr with a median of 3 x 10^-5/hr. Since the CRD hydraulic pump is not a safety-related classified component but is believed to have a quality level above standard off-the-shelf hardware, a failure rate of 10^-4/hr was assigned. As previously stated, an annual operating time of 7,000 hours was assumed.
E, the probability that the operators will fail to start the standby CRD hydraulic pump within 10 minutes after the failure of the on-line pump (0.1). This value is also based on the NUREG/CR-1278 [339] nominal model for operator error. Pump failure to start is negligibly small in comparison.
F, the probability that three adjacent accumulator check valves leak (0.1). This probability value was chosen with the belief that it conservatively covers common failure causes as well as the multitude of 3 adjacent control rod combinations involving independent failures. Even with an ambiguous action statement, it is unlikely that a large number of check valves will leak.
G, the probability that the operator failed to follow procedures by pulling a control rod adjacent to two other rods which are already pulled (0.1).
H, the probability that the reactor protection system failed to detect the pulling of the out-of-sequence rod and then failed to initiate a scram signal (0.01).
Z, the probability that the loss of CRD hydraulic pressure occurs before the accident event (0.5).
Hence, U = A•B•C•D•E•F•G•H•Z
= (1.4 x 10^-3)(1.7 x 10^-3)(0.1)(0.7)(0.1)(0.1)(0.1)(0.01)(0.5)/RY
= 8.4 x 10^-13/RY
Subcriticality following a LOCA cannot usually be maintained by the SLCS, but may be maintained for a time in some LOCAs. The ECCS could control some LOCAs even if some of the control rods are not inserted. As a conservative assumption, no credit will be taken for the SLCS and it will be assumed that the accident-initiating event and the failure of the reactor protection system will result in a core-melt accident.
As defined in NUREG/CR-1659 [54], accident sequences involving LOCAs and the reactor protection system were dominated by the Category 2 releases. The whole body man-rem dose is obtained by using the CRAC Code [64], assuming an average population density of 340 persons per square mile (which is the mean for U.S. domestic sites) from an exclusion area of a one-half mile radius about the reactor out to a 50-mile radius about the reactor. A typical midwest meteorology is also assumed. Based upon these assumptions, the public dose resulting from a BWR Category 2 release is 7.1 x 10^6 man-rem. Based on an average life of 25 years for each BWR, the public risk is 1.5 x 10^-4 man-rem/reactor. For 44 BWRs, the risk is 6.6 x 10^-3 man-rem.
The least expensive resolution to this issue involves turning on the standby CRD hydraulic pump and assigning a dedicated operator at the stop check valve control to monitor pressure and to transfer to the standby system if the hydraulic pressure drops. While the number of plants having this configuration is not exactly known, for purposes of the calculation it will be assumed that 25% are so configured. Each reactor requiring the dedicated operator, assuming 12 power ascents and descents per year at one hour per change, will utilize 24 operator-hours per year. Based upon 1984 dollars and assuming a cost of $52 per operator-hour for 11 reactors, the lifetime cost for all BWRs will be $0.3M.
Upgrading the CRD hydraulic system to a safety-related quality level system will be much more expensive. If 0.5 person-years of technical experience were required for evaluation of the existing system and no hardware changes were required, the cost would be $50,000/reactor or $2.2M for the 44 reactors involved.
Based on a risk reduction of 6.6 x 10^-3 man-rem and a cost of $0.3M, the value/impact score is given by:
In general, accident frequencies on the order of 10^-13/yr, even for a very specific sequence, must be used with caution. Errors of incompleteness, and overlooked dependencies, as well as other modeling errors, will generally be very large compared to such frequency estimates. In this case, a conscientious effort has been made to identify other sequences and dependencies. Even with a large error, this issue poses a very small risk. Therefore, the issue should be placed in the DROP category.
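The frequency, risk and cost arithmetic above, recomputed step by step as an added example (not part of NUREG-0933). All inputs are the page's stated values except the error multipliers in `sensitivity`, which are constructed for illustration; the function and constant names are this example's own.

```python
"""Added example: recompute the Issue 98 screening estimate from the page's inputs."""
from math import prod

HOURS_PER_YEAR = 7000.0    # average operating time per year
ASCENTS_PER_YEAR = 12      # assumed monthly power ascents
HOURS_PER_ASCENT = 1.0     # criticality until vessel pressure exceeds 500 psig
PUMP_FAILURE_RATE = 1e-4   # assigned CRD pump failure rate, per hour
DOSE_MAN_REM = 7.1e6       # public dose, BWR Category 2 release
PLANT_LIFE_YEARS = 25
BWR_COUNT = 44

def factors():
    """The nine factors of U; B and D are derived rather than typed in."""
    return {
        "A": 1.4e-3,   # accident requiring reactor trip, per year
        "B": ASCENTS_PER_YEAR * HOURS_PER_ASCENT / HOURS_PER_YEAR,  # critical below 500 psig
        "C": 0.1,      # operators fail to scram within 10 minutes
        "D": PUMP_FAILURE_RATE * HOURS_PER_YEAR,  # on-line pump fails within the year
        "E": 0.1,      # standby pump not started within 10 minutes
        "F": 0.1,      # three adjacent check valves leak
        "G": 0.1,      # out-of-sequence rod pulled
        "H": 0.01,     # protection system misses the out-of-sequence rod
        "Z": 0.5,      # pressure loss precedes the accident
    }

def undesired_event_frequency():
    """U per reactor-year: the product of all nine factors."""
    return prod(factors().values())

def public_risk(u, reactors=1):
    """Man-rem over plant life for the given number of reactors."""
    return u * DOSE_MAN_REM * PLANT_LIFE_YEARS * reactors

def operator_cost(reactors=11, hours_per_year=24, dollars_per_hour=52):
    """Lifetime cost of the dedicated-operator option, 1984 dollars."""
    return reactors * hours_per_year * dollars_per_hour * PLANT_LIFE_YEARS

def sensitivity(multipliers=(1, 10, 1000)):
    """Fleet risk if U were low by each multiplier (constructed values, not from the page)."""
    u = undesired_event_frequency()
    return {m: public_risk(u * m, BWR_COUNT) for m in multipliers}

if __name__ == "__main__":
    print(f"U = {undesired_event_frequency():.2e}/RY")
    print(f"fleet risk = {public_risk(undesired_event_frequency(), BWR_COUNT):.2e} man-rem")
    print(f"operator cost = ${operator_cost():,}")
    print(sensitivity())
```

Carrying B as 12/7000 rather than the rounded 1.7 x 10^-3 is what reproduces the page's 8.4 x 10^-13/RY; the rounded factors multiply to about 8.3 x 10^-13.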