Resolution of Generic Safety Issues: Issue 110: Equipment Protective Devices on Engineered Safety Features (Rev. 1) (NUREG-0933, Main Report with Supplements 1–34)
This issue was identified in a DST/NRR memorandum [Ref. 1335] which addressed a condition in which some protective devices intended to trip active engineered safety features (ESF) components, under indication of equipment problems, are overridden by ESF actuation (ESFA) signals. This issue addressed two main concerns: (a) ESF protective trip bypass; and (b) ESF reset capabilities after being tripped.
ESF Protective Trip Bypass: Most ESF equipment is provided with protective devices designed to trip such equipment when an indication of a fault is detected. Following an emergency ESFA, only a few essential protective devices are retained in an active mode. The remaining, non-essential, protective devices are automatically bypassed. The bypassed non-essential protective devices do not cause an ESF trip but, on detection of a fault condition, will alarm in the control room. The intent of this design aspect is to ensure continued operation of an ESF during a genuine demand, without spurious or unnecessary trips from protective devices.
This issue addressed the concern that, during an ESFA, a component could self-destruct if a real fault existed with the protective trip bypassed, thus causing the ESF to become unavailable for event mitigation. The current philosophy of bypassing these ESF trips does not take advantage of the adequate time that may be available to correct the cause of the trip and restart the ESF in time to perform its safety function.
The question being raised by this issue is: Is it better for safety to allow all ESF protective trips to be active (i.e., no trip bypass) during emergency conditions and depend on the operator for restoration? The advantage of an all-trips-active condition is more assurance of ESF integrity which, in turn, ensures reactor safety. The disadvantages include: (a) increased ESF trips from conditions that do not truly threaten operability; and (b) an increase in the number of spurious ESF trips which may complicate operators' actions to recover from accident conditions, without adding much protection to the ESF equipment.
ESF Reset Capabilities: A related concern addressed the reset capabilities of protective devices. Protective devices for some ESFs must be reset after a trip and before the ESF can be restarted. Most reset capabilities are designed primarily for normal plant operation and test and maintenance activities. In some instances, an ESF reset capability (which must be exercised if the equipment trips) may be at a location that is inaccessible or hazardous during accident conditions. The issue considered was whether the ESF reset capabilities were appropriately located.
Bypassing ESF equipment protective trips during emergency conditions may cause some of this ESF equipment to self-destruct, if a genuine ESF trip condition existed and the operators failed to take the appropriate corrective actions. This may complicate the event and lead to higher risk.
Similarly, an ESF reset capability that is inaccessible during emergency conditions will render the ESF inoperable, if the latter is tripped and cannot be reset and restarted. This may complicate the event and lead to higher risk.
A possible solution for the ESF protective trip bypass concern was to enable all ESF protective trips during emergencies as well as during regular surveillance and normal operation. A possible solution for the ESF reset capability concern was to require licensees to survey and relocate, as necessary, any ESF reset capabilities that may be needed during emergencies but found to be inaccessible.
ESF Protective Trip Bypass: The ESFs that are the subject of this issue are the Emergency Diesel Generators (EDG), safety-related pumps and pump motors, and safety-related valve motor operators. The following is a discussion of: (1) essential and non-essential protective trips; (2) trip alarms; (3) operating philosophy pertinent to ESF protective trips; and (4) operational statistics.
(1) Essential and Non-essential Protective Trips: The function of an essential trip is to prevent true threats to the integrity and the operability of the ESF components. On the other hand, most of the non-essential trips are intended to restrict ESF operation to a narrow, optimum operation band. In the current ESF design philosophy, less than optimum operating conditions are acceptable in cases of emergency. Draft Regulatory Guide 1.9, Rev. 3, which was the proposed resolution for Issue B-56, "Diesel Reliability," contains the staff position on protective trips for EDGs. Also, Regulatory Guide 1.106 [Ref. 1215] provides guidance to the industry that, because MOVs are operated intermittently, their thermal overload protection may be bypassed in cases of emergency.
The EDGs are equipped with various protective trips, but typically only a few essential trips remain active for EDG protection when an ESF signal is present. Essential EDG trips include: (1) Low Lube Oil Pressure, which protects against the seizure of the EDG's internals; (2) Generator Overspeed, which protects against the destruction of the generator in case of loss of load; and (3) Generator Differential Overcurrent, which protects against major damage in the internal generator windings. Other, non-essential trips (e.g., high jacket water temperature) are bypassed during emergency operation.
Similarly, safety-related pump and valve motors are protected during emergency operation by a few essential trips, for example: (1) Ground Fault and Overload Protection, which protects against losing the electric bus or the pump motor; (2) Pump Overspeed, which protects against pump damage; and (3) Torque and Limit Switches for Valves, which protect against damage of the valve internals. Non-essential trips (e.g., thermal overload protection for MOVs) may be bypassed. As many as nine non-essential trips are bypassed on an EDG in case of an emergency actuation. Similarly, a few trips are bypassed on other ESF equipment.
(2) Trip Alarms: For a bypassed non-essential protective device the automatic trip action is blocked but a trip alarm is activated in the control room if a trip condition is reached. Also, as a condition for bypassing non-essential trips, licensing guidance requires that there must be sufficient time for an operator to react to the trip alarm and take the appropriate corrective actions (see Regulatory Guide 1.9).
(3) Operating Philosophy: Current operator training and EOPs require an operator, in cases of emergency, to first take some immediate actions that are committed to memory, then take some follow-up actions. The immediate actions include ensuring that all the needed ESFs have properly started and continue to operate. The follow-up actions include:
(a) taking the necessary remedial actions if a trip or a trip alarm (either essential or non-essential) is activated. The remedial actions depend on the type of accident and the stage at which the trip or the trip alarm occurs (e.g., reactor conditions changing rapidly, or core cooling has stabilized, preferred power supplies are restored, etc.);
(b) determination of whether any of the operating ESF equipment is only needed in a standby capacity, or not needed and may be turned off. This is done to conserve energy and cooling water which may be necessary for long-term recovery following an accident.
Considering the above operating philosophy and operator actions, activating the non-essential trips during emergencies does not provide much additional protection to the ESF equipment.
(4) Operational Statistics: Operational statistics compiled by AEOD and industry (EPRI NP-5924, July 1988) indicate that a large percentage of ESF trips are spurious and unnecessary. This means that activating additional trips during emergency conditions is likely to increase the number of spurious trips. Therefore, if the non-essential trips are retained (not bypassed), the actuation of these additional trips (valid or spurious) is likely to divert the operators' attention from the important task of controlling the accident while not adding much protection as outlined above.
ESF Reset Capabilities: The licensing guidance for ESF equipment [10CFR50.55a(h), "Protection Systems," (which endorses IEEE-279) and Regulatory Guide 1.153 (which endorses IEEE-603)] requires that safety system reset capabilities by an operator must be readily achievable. Typically, for systems required during emergency conditions, the reset capability is located in the control room.
Most reset capabilities are designed for equipment testing, maintenance, and normal plant operation. These reset capabilities are not affected by this issue. However, some ESF equipment must be reset prior to restart. These reset capabilities are either accessible during emergencies (as discussed earlier) or are designed to automatically reset and restart after trip when there is an emergency signal present. For instance, a high pressure injection pump, after tripping on undervoltage, will automatically reset and restart when the diesel generator is loaded.
A quantitative evaluation of the effect on risk of the possible solution was conducted by constructing event trees [Ref. 1383]. The solution called for enabling all protective ESF trips during emergency conditions as well as during normal test and surveillance operation. This solution would increase reliance on the operator to diagnose the reason for ESF trips and quickly restore the tripped equipment.
Best estimates (mean value) of the conditional probability of core damage given an ESF actuation were calculated for the base case and two additional cases, Case 1 and Case 2. Below is a discussion of the assumptions made for the analyses:
(1) The event tree analyses considered a simplified composite plant with an ESF that has: (a) two trains of safety injection pumps; (b) two EDGs; and (c) an Emergency Feedwater System (EFWS) that has two electric- and one turbine-driven pumps. Although BWRs do not have EFWS, they have electric- and turbine-driven pumps. This makes the simplified composite plant equally representative of BWRs and PWRs for the purpose of this evaluation. The event tree analyses provided an estimate of the conditional probabilities of core damage for the composite plant given an ESF actuation.
(2) It was assumed that 80% of the ESF trips occur in the first few minutes of ESF actuation. Of all ESF trips, the non-essential trips were assumed to be of a less serious nature than the essential trips and, therefore, were assumed to be recoverable within a few minutes. The number of trips that require moderate to long periods of time for recovery was assumed to remain unchanged despite the additional trips. Therefore, the percentage of the ESF trips recoverable in a few minutes was increased, while the percentage of those requiring longer recovery times was decreased.
In reality, some non-essential trips may require long recovery times. The effect of neglecting this possible increase in trips requiring long recovery times was a decrease in the CDF estimate. For Case 1, the percentage of trips that are recoverable in a few minutes was increased from 80% for the base case to 90%. The percentage of trips that fall in the moderate and long recovery times was decreased from 15% and 5%, to 7.5% and 2.5% respectively. For Case 2, the percentages were 96%, 3%, and 1%, respectively.
(3) The probability of operator failure to recover the tripped ESF was assumed to remain the same as the number of spurious and non-essential trips increased. However, the anticipated increase in trips is likely to heighten the stress level of operators and consequently increase the probability of their failure to recover the tripped ESF equipment.
(4) The base case modeled the existing number of essential ESF trips. Case 1 assumed that, if all ESF trips are enabled, the rate of ESF failure to continue to run will be doubled. Case 2 assumed that the rate of ESF failure to continue to run was increased by a factor of 5. The increase in the failure rate by factors of 2 and 5 was not intended to be proportional to the effect of the additional trips, but intended to show the trend of plant risk as a result of increasing the number of non-essential trips. The actual increase in risk due to activating non-essential trips during emergencies was believed to be much smaller. The results of the analysis are shown below.
|Case|Mean Conditional CDF, Given An ESFA|
|---|---|
|Base Case|1.4 x 10^-4/RY|
|Case 1|1.9 x 10^-4/RY|
|Case 2|3.4 x 10^-4/RY|
As indicated above, the event tree analyses showed an increase in risk if the suggested solution were adopted. The conditional CDF estimate for the base case was 1.4 x 10^-4/ESFA, while the conditional CDF for Cases 1 and 2 were estimated at 1.9 x 10^-4/ESFA and 3.4 x 10^-4/ESFA, respectively. Although the difference between the base case CDF and the two CDF estimates for Cases 1 and 2 was not substantial, it indicated a trend toward increasing risk.
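The trend produced by the assumptions above (a higher failure-to-run rate that is only partly offset by a larger share of quickly recoverable trips) can be worked through with a small model. This is an added illustration, not the event-tree analysis of Ref. 1383: the per-category operator non-recovery probabilities, the base failure-to-run probability per demand and the "all independent trains unavailable" core-damage criterion are assumptions, so the absolute numbers it produces are not the page's, only the ordering of the cases.

```python
from dataclasses import dataclass

# Assumed (constructed) probability that the operator fails to restore a
# tripped train, by recovery-time category. The page gives the category
# fractions but no per-category non-recovery probabilities.
P_NONRECOVERY = {"short": 0.10, "moderate": 0.50, "long": 1.00}

# Assumed base probability that a train trips (fails to continue to run)
# during one ESFA demand; illustrative, not NRC data.
BASE_FAIL_TO_RUN = 1.0e-2


@dataclass(frozen=True)
class TripCase:
    name: str
    fail_to_run_factor: float   # multiplier on the failure-to-run rate
    recovery_fractions: dict    # share of trips per recovery-time category


# Recovery-time splits and rate multipliers as stated on the page.
CASES = [
    TripCase("Base", 1.0, {"short": 0.80, "moderate": 0.15, "long": 0.05}),
    TripCase("Case 1", 2.0, {"short": 0.90, "moderate": 0.075, "long": 0.025}),
    TripCase("Case 2", 5.0, {"short": 0.96, "moderate": 0.03, "long": 0.01}),
]


def unrecovered_fraction(case: TripCase) -> float:
    """Weighted probability that a trip is not restored in time."""
    assert abs(sum(case.recovery_fractions.values()) - 1.0) < 1e-9
    return sum(frac * P_NONRECOVERY[cat]
               for cat, frac in case.recovery_fractions.items())


def train_unavailability(case: TripCase, base_rate: float = BASE_FAIL_TO_RUN) -> float:
    """Probability a single train trips and stays unavailable."""
    return base_rate * case.fail_to_run_factor * unrecovered_fraction(case)


def conditional_cd_probability(case: TripCase, trains: int = 2) -> float:
    """Core damage given ESFA: all independent trains unavailable (assumed)."""
    return train_unavailability(case) ** trains


def risk_by_case() -> dict:
    return {c.name: conditional_cd_probability(c) for c in CASES}


if __name__ == "__main__":
    for name, p in risk_by_case().items():
        print(f"{name}: {p:.3e}")
```

The unrecovered fraction falls from Base to Case 2 (more trips are quickly recoverable), yet the doubled and quintupled failure-to-run rates dominate, so the per-train unavailability and the conditional core-damage probability still rise in the order Base < Case 1 < Case 2.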
Although not explicitly included in the analysis, the additional trips may provide some protection against long-term system faults. Therefore, by causing some early trips with short recovery times, the additional trips may avoid later system faults requiring longer recovery times. This effect tends to limit the increase in overall CDF (i.e., trade some early ESF trips for later system faults).
The following comparison delineates the competing risks resulting from not bypassing non-essential trips. In the base case as well as the solution cases, the essential trips and all trip alarms are active and will actuate if their setpoints are reached. The only difference between the base case and solution cases is that, in the latter cases, non-essential trips will actuate automatically. Therefore, in a solution case, the only possible non-essential trips are: (i) spurious non-essential trips that interrupt ESF function and distract operators, clearly increasing the likelihood of core damage; (ii) valid non-essential trips that help long-term system operation by permitting early equipment repair to avoid later system faults, thus reducing the overall probability of ESF failure to continue to operate and therefore decreasing the likelihood of core damage; or (iii) valid non-essential trips that do not help long-term system operation and act like (i) above (spurious trips).
Data show that spurious trips are more frequent than valid trips. Therefore, even if every valid non-essential trip is assumed to help long-term system operation, there would be a net increase in CDF if it is assumed that trips of categories (i), (ii), and (iii) are of equal importance. However, the importance of any trip depends on the accident scenario, timing of the trip, available equipment, and operator actions. It is likely that an ESF trip causing an ESF interruption of a short duration in the early stages of an accident (when the reactor core conditions are still rapidly changing) is more serious than a later interruption of ESF equipment of a longer duration (when the accident may have been stabilized or terminated, other equipment became available, more support staff is brought on site for added help, or when requirements for decay heat removal may have diminished).
As shown above, enabling the non-essential ESF trips (i.e., not bypassing them) during emergency conditions causes an increase in ESF spurious trips and is predicted to increase plant risk. By interrupting the ESF functions unnecessarily, these spurious trips divert the operators' attention from the more important tasks of controlling an evolving accident. This increases the likelihood of core damage. Therefore, it was concluded that changes to the current ESF protective trip philosophy would not improve safety. Thus, this issue was DROPPED from further pursuit. In an RES evaluation [Ref. 1564], it was concluded that consideration of a 20-year license renewal period did not change the priority of the issue.