Resolution of Generic Safety Issues: Issue 99: RCS/RHR Suction Line Valve Interlock on PWRs (Rev. 3) (NUREG-0933, Main Report with Supplements 1–34)
On April 17, 1984, a DSI memorandum [796] on the subject of RHR interlocks for W plants described staff concerns that the design basis for RHR interlocks had been misunderstood and that these concerns had not been adequately pursued in recent reviews. As a result, DST was requested to prioritize this concern as a generic safety issue [797].
Interlocks are provided to assure that there is a double barrier (two closed valves) between the RCS and RHR systems when a plant is at normal operating conditions, i.e., pressurized and not in the RHR cooling mode. A related issue (Issue 96) addresses the concern of assuring that both series RHR isolation valves are closed during normal power operation. Issue 99 is concerned with the inadvertent closing of these valves when the RHR system is in use.
Two basic features are incorporated in the interlock design: (1) an automatic closure signal on high RCS pressure (typically 600 psig), and (2) a block of the manual open signal at a lower RCS pressure (typically 425 psig). The autoclosure setpoint is generally set higher than the design pressure of the RHR system. However, overpressure protection of the RHR system during RHR cooling is provided by relief valves and not by the slow-acting RHR suction valves. The block setpoint is lower than the RHR system design pressure to preclude opening of either RHR suction valve when the RCS is at a higher pressure.
In the W design, 2 interlock channels are provided such that 1 channel is used to interlock the operation of one RHR suction valve and the other channel is used for the other valve. The same interlock configuration is used in W plants for designs that have 1 or 2 RHR drop lines from the RCS. When either channel is in a tripped state, its associated suction valve will automatically close if it is open. Since the relays used for this interlock are deenergized to initiate valve closure, a loss of the instrument bus used for either channel will result in a loss of RHR cooling due to inadvertent closure of one of the suction valves.
The loss of one instrument bus or disablement of one logic channel will result in the automatic closure of one of the RHR suction line isolation valves. In the RHR cooling mode, such closure gives rise to the potential for RHR pump damage and loss of decay heat removal by the RHR system. This safety concern applies to all W reactors.
The proposed resolution to this issue that was assumed for cost estimation purposes consists of the following parts:
(1) Review and document the design basis for the RHR suction valve interlock.
(2) Develop interim operating procedures until changes to the logic and control for the RHR system can be implemented.
(3) Change the logic configuration that controls the valves from a one-of-one configuration to a two-of-two configuration. Improvements in detecting and alarming of the loss of RHR coolant flow would be made.
(4) Changes to the plants' TS.
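The difference between the existing one-of-one interlock and the proposed two-of-two configuration can be shown with a small model; this is an added example, not taken from NUREG-0933. The `Channel` class, the `stuck_low` fault, the scenarios, and the reading of "two-of-two" as "both channels must trip before either valve closes" are assumptions made for illustration.

```python
from dataclasses import dataclass

AUTOCLOSE_PSIG = 600.0  # typical autoclosure setpoint quoted in the text


@dataclass
class Channel:
    """One pressure channel feeding a de-energize-to-trip relay (modelled)."""
    bus_powered: bool = True
    stuck_low: bool = False  # constructed fault: transmitter reads 0 psig

    def tripped(self, rcs_psig: float) -> bool:
        if not self.bus_powered:
            return True  # relay drops out when its instrument bus is lost
        sensed = 0.0 if self.stuck_low else rcs_psig
        return sensed >= AUTOCLOSE_PSIG


def one_of_one(own: Channel, other: Channel, psig: float) -> bool:
    """Existing design: a valve closes on its own channel alone."""
    return own.tripped(psig)


def two_of_two(own: Channel, other: Channel, psig: float) -> bool:
    """Assumed revised design: a valve closes only if both channels trip."""
    return own.tripped(psig) and other.tripped(psig)


def valves_closed(logic, ch_a: Channel, ch_b: Channel, psig: float):
    """Return (valve A closes, valve B closes) for the two series valves."""
    return logic(ch_a, ch_b, psig), logic(ch_b, ch_a, psig)


# Constructed scenarios: (description, channel A, channel B, RCS pressure in psig)
SCENARIOS = [
    ("one instrument bus lost during RHR cooling", Channel(bus_powered=False), Channel(), 300.0),
    ("both instrument buses lost (common cause)", Channel(bus_powered=False), Channel(bus_powered=False), 300.0),
    ("real pressure rise, both channels healthy", Channel(), Channel(), 650.0),
    ("real pressure rise, channel A stuck low", Channel(stuck_low=True), Channel(), 650.0),
]

if __name__ == "__main__":
    for name, a, b, psig in SCENARIOS:
        for logic in (one_of_one, two_of_two):
            closed = valves_closed(logic, a, b, psig)
            # The valves are in series, so either closure cuts RHR suction.
            print(f"{name:45} {logic.__name__:10} closed={closed} suction_lost={any(closed)}")
```

The single-bus case no longer isolates RHR suction under two-of-two, the common-cause case still does, and the stuck-low case shows the price: a real pressure rise with one failed channel closes neither valve.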
NSAC-52 [798] lists 27 events through 1981 that involved loss of RHR flow due to suction valve closure. Two of these events occurred as the result of a pressure rise in the primary system. The other 25 events resulted from causes other than an actual pressure rise and occurred during 206 RY of operating experience at PWRs. This experience results in a frequency of 0.12 unplanned RHR suction valve closures per plant-year. Of these 25 closures, 22 events involved the closure of only 1 valve and 3 events resulted in the closure of both valves. Thus, 88% of the reported events were independent channel failure events and 12% can be potentially classified as common-cause related.
When in the refueling mode and the water level is 23 feet above the core, only one RHR train must be operable. Closing the suction valve could cause cavitation and damage to the pump and leave no RHR train operable. However, it would take many hours for the level to boil down and uncover the core. RHR cooling could be restored in a few hours. In addition, the fuel pool cooling system could be used. Therefore, this case would have a small associated risk.
In all other modes, two RHR trains are required to be operable while only one is usually operating. If the RHR valves close causing cavitation and damage to the operating RHR pump, the other RHR train would still be operable. The NSAC data [798] show that the operator successfully reopened the inadvertently closed valves immediately in all but one event. In this event at Davis-Besse, it took 2.5 hours to restore RHR cooling because of the need to refill and vent the system. Yet, in this lengthy delay, no sustained damage occurred to the system components. However, due to the long time interval involved before restoring RHR cooling, this event was counted as an RHR system failure. Thus, an unavailability of 0.04 is assumed but believed to be overly conservative. If the valve cannot be reopened, either the steam generators or the charging pumps could be used as alternate means of cooling.
Based upon engineering judgment, the unavailability of the main and/or auxiliary feedwater during RHR operation is estimated to be 0.1 and the unavailability of the charging pumps is estimated to be 0.01. These may be overly optimistic since there is no TS requirement for the availability of these systems in the cold shutdown modes. Further, maintenance and testing is often performed on these systems during the RHR cooling modes. Thus, the unavailability of core cooling is estimated to be the product of (0.12 event/RY)(0.04)(0.1)(0.01) or 4.8 x 10^-6/RY which, assuming no further actions are taken, becomes the expected core-melt frequency resulting from an inadvertent closure of one or both RHR suction valves.
Changing the logic system from a one-of-one system to a two-of-two system will reduce the independent failure frequency contribution of one valve closure from 0.12/RY to 0.003/RY. With the common mode contribution remaining the same (0.015/RY), the revised frequency of incorrect valve closures reduces to 0.018/RY by the revised logic configuration. Improved procedures and alarms are assumed to reduce the human error of failing to reopen the RHR isolation valves from 0.04 to 0.02 per event. The changes in failure rates reduce the expected core-melt frequency from an RHR valve being closed to (0.018)(0.02)(1)(0.01)/RY or approximately 3.6 x 10^-7/RY. This represents a core-melt frequency reduction of 4.4 x 10^-6/RY.
The expected radiological consequences from this issue are expressed in whole body man-rem dose based upon the radioactive release categories described in WASH-1400 [16]. The computer program CRAC2 [64] applied to a typical midwest site meteorology (Braidwood) was used for the dose calculation. An average population density of 340 persons per square mile was used over an area which extended from an exclusion zone of one-half mile about the reactor out to a 50-mile radius about the reactor.
A core-melt resulting from the loss of the RHR system would result in an accident similar to the T1MLU sequence described in the Oconee RSSMAP analysis [54]. The release, given a core-melt, occurs in the following categories with the respective probability and dose:
| Release Category | Probability | Dose (man-rem) |
|---|---|---|
| 3 | 0.5 | 5.4 x 10^6 |
| 5 | 0.0073 | 1.0 x 10^6 |
| 7 | 0.5 | 2.3 x 10^3 |
A core-melt frequency reduction of 4.4 x 10^-6/RY results in a dose reduction of 12 man-rem/RY. For the 30 existing reactors with an average remaining life of 27.7 years and 28 new plants with an expected life of 30 years, the total risk reduction for this issue amounts to 20,000 man-rem.
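The chain of estimates above, from closure frequency to total man-rem, carried through as an added example that is not part of NUREG-0933. All figures are the ones quoted in the text; the function names are illustrative, and the 0.1 feedwater unavailability is applied to both the baseline and the revised case, which is what reproduces the stated 3.6 x 10^-7/RY.

```python
# Release categories from the text: category -> (probability given core melt, man-rem)
RELEASE_CATEGORIES = {3: (0.5, 5.4e6), 5: (0.0073, 1.0e6), 7: (0.5, 2.3e3)}
# Fleet from the text: (number of plants, remaining life in years)
FLEET = [(30, 27.7), (28, 30.0)]


def core_melt_frequency(closures_per_ry, p_not_reopened, p_no_feedwater, p_no_charging):
    """Closure frequency times the unavailability of each recovery path, per RY."""
    return closures_per_ry * p_not_reopened * p_no_feedwater * p_no_charging


def dose_per_core_melt(categories=RELEASE_CATEGORIES):
    """Probability-weighted whole-body man-rem for one core melt."""
    return sum(prob * dose for prob, dose in categories.values())


def assess(p_no_feedwater=0.1, p_no_charging=0.01):
    """Carry the text's estimate through; the arguments allow a sensitivity run."""
    observed = 25 / 206                # spurious closures per RY in the NSAC-52 data
    baseline = core_melt_frequency(0.12, 0.04, p_no_feedwater, p_no_charging)
    revised_closures = 0.003 + 0.015   # independent + common-mode under two-of-two
    revised = core_melt_frequency(revised_closures, 0.02, p_no_feedwater, p_no_charging)
    reduction = baseline - revised
    dose_rate = reduction * dose_per_core_melt()   # man-rem/RY
    reactor_years = sum(n * life for n, life in FLEET)
    return {
        "observed_closures_per_ry": observed,
        "baseline_cmf": baseline,
        "revised_cmf": revised,
        "cmf_reduction": reduction,
        "dose_reduction_per_ry": dose_rate,
        "reactor_years": reactor_years,
        "total_man_rem": dose_rate * reactor_years,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key:26} {value:.3g}")
```

Calling `assess(p_no_feedwater=1.0)` shows how strongly the result depends on the feedwater availability assumption that the text flags as possibly optimistic.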
Industry Cost: The cost estimate addresses the four actions proposed as the resolution of this issue. The review and documentation of the design basis of the RHR suction valve interlocks is expected to require 4 man-weeks which, at a rate of $2,270/man-week, results in a cost of $9,080/plant. The development of interim operating procedures and operator training is estimated to total 5 man-weeks/plant or $11,350/plant. Hardware costs to modify the logic system and install the RHR flow alarms are estimated to be $4,000. An additional 6 man-weeks ($13,620) will be required for engineering and installation costs. The total hardware modification cost is estimated to be $17,600. TS changes are estimated to take 4 man-weeks or $9,080. Thus, the costs for issue resolution are estimated to be $47,200/plant. Plants not having an operating license are expected to have a lesser cost but, due to the advanced stages of construction, the reduction is not expected to be significant. Modifications to plant hardware are expected to be performed during a refueling outage and would obviate the need to include replacement fuel costs. No significant additional maintenance costs over the currently existing configuration are envisioned. Thus, for all 58 plants, the total industry cost is estimated to be $2.7M.
NRC Cost: It was estimated that NRC costs associated with the resolution could be accommodated in a total of 8 man-weeks or $38,000.
Total Cost: The total cost associated with the resolution of this issue was estimated to be approximately $2.74M.
Based on an estimated public risk reduction of 20,000 man-rem, the value/impact score is given by:
(1) The analysis did not consider the possible increase in the chance of an interfacing systems LOCA which might result because the logic changes reduced the reliability of the interlock function. It was assumed that the reliability of a one-out-of-one logic was the same as a two-out-of-two logic.
(2) The ORE was estimated to be 2.25 man-rem/plant for work involved with hardware modifications inside the containment. This would result in a total worker dose of 176 man-rem. The accident avoidance occupational dose reduction was estimated to be 146 man-rem.
(3) Consideration also should be given to those cost savings which result from the prevention of incidents producing long interval RHR inoperability, but do not result in damage to the core. Such incidents may result in plant shutdown longer than anticipated to investigate the causes of the inoperability and to assure the adequate corrective actions have been taken. Assuming that the outage extension lasts 2 weeks, the replacement power costs (estimated at $500,000/day) would be $7M. At the current frequency of long interval outage events, the savings per plant resulting from incident avoidance would be $90,000.
Based on the potential public risk reduction and the value/impact score, this issue was given a high priority ranking. The staff believed that the public risk may be underestimated if the feedwater and injection alternatives were not as available as predicted. Additional recommendations made in AEOD/C503 [909] following this evaluation were to be addressed in the resolution of the issue [910, 911].
The scope of Issue 99, initially directed solely at the autoclosure interlock (ACI)-related mode of RHR failure, was broadened in June 1986 to include the less frequent but higher risk mode of failure associated with mid-loop operations. The risk aspects of cold shutdown loss of cooling were studied by BNL and the results, published in NUREG/CR-5015 [1144] in May 1988, were applied in the preparation of the regulatory impact analysis for this issue. In a related development following the Diablo Canyon 2 loss-of-RHR event of April 1987, NRR undertook to define the needs for licensee short- and long-term regulatory actions in regard to the perceived deficiencies in the conduct of PWR mid-loop operations. The regulatory requirements for improved licensee operations recommended by NRR were in overall substantive agreement with those proposed by RES in the regulatory analysis for Issue 99. NRR's issuance of Generic Letter 88-17 [1145] on October 17, 1988, requesting PWR licensees and applicants to implement plant improvements pertinent to the concerns of Issue 99 provided the resolution of this issue.
The staff concluded that the proposed requirements for improved instrumentation, procedures, and administrative controls were highly cost-beneficial in reducing the estimated baseline core damage frequency (CDF) by a factor of ten. The value/impact results also supported the proposed requirement for closure of the containment during mid-loop operations, at least pending the appropriate implementation of the CDF-reduction recommendations. Finally, the cost/benefit evaluation of a proposal to remove the ACI to obtain an additional minor reduction in CDF suggested that removal of the ACI be recommended, but not required, for plant implementation. Thus, this issue was RESOLVED and requirements were established [1146].