Resolution of Generic Safety Issues: Issue 115: Enhancement of the Reliability of Westinghouse Solid State Protection System (Rev. 2) ( NUREG-0933, Main Report with Supplements 1–34 )
The ATWS rule [724, 725] for Westinghouse (W) plants requires the implementation of a diverse ATWS mitigation system, Auxiliary [or ATWS] Mitigating Systems Actuation Circuitry (AMSAC). The functions prescribed for AMSAC are turbine trip and the initiation of auxiliary feedwater, independent of the reactor trip system.
As a consequence of the Salem ATWS event (Issue 75), Generic Letter 83-28 [520] established the requirement for automatic actuation of the shunt trip attachment of the reactor trip breakers for W and B&W plants (this feature was included in the original design for CE plants). Although this modification provided a significant increase in the reliability of the reactor trip breakers, and hence of the reactor trip system, it had not previously been pursued as an action that would significantly reduce the potential for an ATWS event during the extensive dialogue and study of the ATWS issue. Further, it was believed that other similar actions to increase the reliability of the existing reactor trip system for W plants had also not received such consideration.
With respect to W plants with the solid state protection system (SSPS) design, failures of the undervoltage (UV) driver raised concerns with regard to the susceptibility of the design to common mode and random failures of redundant components. Enhancement of the reliability of the W SSPS was suggested by DSI/NRR as a new generic issue in April 1985. [905]
The failures of the UV driver suggested a higher probability of SSPS failure than that calculated during the ATWS rulemaking proceeding. The higher probability of SSPS failure in turn would lead to a higher probability of ATWS and, as such, would represent a higher risk to the offsite population surrounding the affected plants. At the time of the evaluation of this issue in July 1986, the affected plants were those W plants with the SSPS, i.e., 19 of the 38 operating W plants.
It was believed that incorporation of additional diversity for the UV driver function would reduce the probability of an ATWS event. In particular, it was assumed that the UV driver reliability could be improved by installing a relay driver and associated relays to duplicate the function of the UV driver, thereby providing diversity for the function.
It was assumed that the AMSAC required by the ATWS rule for W plants was in place and operational.
Reliability block diagrams for the W SSPS were used in the calculation of frequency estimates of core damage events as a result of SSPS failures. These figures were provided to the staff as part of the W Owners Group response to staff questions during the review of WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection System," (Proprietary).
Diversity exists in two basic forms. The first is from the standpoint of the measured parameters and sensors that initiate a reactor trip, and the second is the diverse trip features of the reactor trip breakers (shunt and UV trip coils). For the analog channels, the comparators are the major component common to each channel. For the logic cabinet, the input relays and the universal (logic) cards are common to each trip function, with the UV driver common to all trip functions. For the reactor trip breakers, the remaining components (primarily mechanical) are common to all trip functions.
Table 3.115-1 summarizes the estimates for common mode failures of the protection system on the basis of the listed failure rates, a Beta factor of 0.01 and a monthly test interval. A Beta factor of 0.01 was used to be consistent with that used for logic channels as noted in SECY 83-293. [904] TS required testing of breakers and logic every 62 days on a staggered test basis (one train or the other is tested every 31 days, so that the time interval for finding common mode failures would be monthly). Based on the review of WCAP-10271, the staff approved quarterly testing of analog channels. Since the majority of the trip functions consisted of 3 or 4 channels, quarterly tests on a staggered test basis for a 3-channel system resulted in one channel being tested monthly. Thus, a monthly test interval was also used for the analog channels.
The channel comparators were the major contributor to the common mode failure unavailability since they have the largest hourly failure rate. However, if the hourly failure rate for the UV driver was instead estimated from the five known failures and an estimated 90 RY of operation for W plants that had the SSPS, each with two UV drivers (i.e., 180 driver-years, giving 5/180 = 0.028 failures/yr), the common mode failure unavailability of the UV driver (see Table 3.115-2) would become the dominant contributor.
In addition to initiating reactor trip, the SSPS is used to initiate the engineered safeguards systems. While these functions of the reactor protection system use many of the same components as the reactor trip system (comparators, logic input relays, and universal logic cards), the reactor protection system differs from the reactor trip system in its final output configuration. Instead of a UV driver that turns off 48V DC to the actuated component, a relay driver is provided which supplies 48V DC to energize a master relay which, in turn, energizes slave relays that provide contacts to actuate engineered safeguards components. Thus, a relay driver and associated relays could be used to duplicate the function of the UV driver for the reactor trip function and thereby provide diversity. This would eliminate common mode failures of the UV driver as the dominant contributor to the probability of an ATWS event due to protection system failures (see Table 3.115-3).
The event trees used by the ATWS Task Force were altered to substitute the above estimates of SSPS electrical unavailability for the value previously used to estimate a base case frequency of core damage events and a CDF after supplementing the UV driver function. Values for the probability of all other events were those used by the ATWS Task Force. The specific events incorporated into the event trees were: number of transients (AT); MTC overpressure; SSPS mechanical failure; auxiliary feedwater failure; and high pressure injection (HPI) failure.
Table 3.115-1. Common Mode Failure Unavailability of SSPS Components

| Components                    | Failure Rate         | Common Mode Failure Unavailability (a) (10^-5) |
| Channel Comparators           | 2.90 x 10^-6/hr      | 1.100 |
| Logic Input Relays            | 8.70 x 10^-8/hr      | 0.032 |
| Universal Logic Cards         | 7.70 x 10^-7/hr      | 0.290 |
| Undervoltage Driver           | 1.95 x 10^-7/hr      | 0.073 |
| Breaker Mechanical Components | 1.95 x 10^-8/hr      | 0.031 |

(a) U = BT/2 (average unavailability due to common mode failure, B = Beta factor x failure rate, T = test interval)
Table 3.115-2. Common Mode Failure Probability with the UV Driver Failure Rate Estimated from Field Failures

| Undervoltage Driver Failures                   | 5 |
| Reactor-Years (Est.), SSPS Plants              | 90 |
| Failure Rate                                   | 0.028/yr (3.17 x 10^-6/hr) |
| Common Mode Failure Probability (a)            | 1.14 x 10^-5 |
| All Other Components, (1.53 - 0.073) x 10^-5   | 1.46 x 10^-5 |
| Total Failure Probability                      | 2.60 x 10^-5 |

(a) U = BT/2 (average unavailability due to common mode failure)
The base case frequency of core damage events was estimated to be 8.9 x 10^-6/RY when the five UV driver failures were considered. The frequency of core damage events was estimated to be 4.7 x 10^-6/RY when the increased reliability of the SSPS afforded by supplementing the UV driver function was considered. This resulted in a reduction in core-melt frequency of 4.2 x 10^-6/RY for the proposed modification to the SSPS.
Table 3.115-3. Total System Unavailability

| Event                | Existing System | Diverse UV Driver |
| Common Mode Failures | 2.60 x 10^-5    | 1.46 x 10^-5 |
| Random Failures      | 4.33 x 10^-6    | (b) |
| Testing              | 6.34 x 10^-6    | (b) |
| TOTAL                | 3.67 x 10^-5    | 1.46 x 10^-5 |

(b) The additional diversity decreases the random failure unavailability to less than 10^-6 and eliminates testing unavailability.
The total whole-body man-rem dose was obtained using the CRAC Code results. [64] These results assumed a uniform population density of 340 people per square mile (which was the average for U.S. domestic sites in the year 2000) within the area between ½- and 50-mile radius from the plant. Typical (Midwest plain) meteorology, no evacuation, and no ingestion pathway were also assumed. The Oconee-3 RSSMAP study had been adopted as the evaluation model for PWRs and was, therefore, assumed to adequately represent the selected group of affected plants for this issue. In the Oconee-3 RSSMAP, the only ATWS dominant risk sequence (T2KMU) was assumed to result in a Category 3 release with a probability of 0.5, a Category 5 release with a probability of 0.007, and a Category 7 release with a probability of 0.5. Thus, a weighted average of 2.7 x 10^6 man-rem/event for the consequences of ATWS events was derived using the CRAC Code results. (It should be noted that the ATWS Task Force assumed a consequence, in terms of public exposure, of 10^7 man-rem/event in arriving at its recommendations.)
The 19 W operating plants utilizing the SSPS had an average remaining life of 25.5 years. When the estimated reduction in core-melt frequency (4.2 x 10^-6/RY) was multiplied by the average consequence (2.7 x 10^6 man-rem/event), the number of affected plants (19 plants) and the average remaining life of the affected plants (25.5 years), an estimate of 5,500 man-rem was obtained.
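The arithmetic behind Tables 3.115-1 through 3.115-3 and the risk-reduction estimate above, carried through as an added worked example in Python (this is not part of NUREG-0933 or of the W Owners Group material). The numeric inputs are the page's own figures; the assumptions are that "monthly" means a 730 h test interval and that the common-mode term in U = BT/2 is B = Beta x component failure rate. Under those assumptions every row of Table 3.115-1 reproduces to within about 5% except the breaker mechanical entry (the page's 0.031 x 10^-5 is roughly four times what the formula gives for a 1.95 x 10^-8/hr rate at a monthly interval); the difference is small against the totals, but a reviewer checking the tables should be aware of it.

```python
"""Issue 115 reliability and value/impact arithmetic (added example, not NUREG-0933 code)."""

HOURS_PER_YEAR = 8760.0
MONTHLY_INTERVAL_H = 730.0   # assumption: "monthly" test interval ~ 8760/12 h
BETA = 0.01                  # Beta factor used for logic channels (SECY 83-293)

# Hourly failure rates listed in Table 3.115-1.
COMPONENT_RATES = {
    "Channel Comparators": 2.90e-6,
    "Logic Input Relays": 8.70e-8,
    "Universal Logic Cards": 7.70e-7,
    "Undervoltage Driver": 1.95e-7,
    "Breaker Mechanical Components": 1.95e-8,
}


def common_mode_unavailability(rate_per_h, beta=BETA, interval_h=MONTHLY_INTERVAL_H):
    """Average common-mode unavailability U = B*T/2 with B = beta * lambda (assumed).

    A fault common to both redundant trains arises at rate beta*lambda and sits
    undetected for, on average, half the interval T between tests.
    """
    return beta * rate_per_h * interval_h / 2.0


def rate_from_field_failures(failures, reactor_years, units_per_plant):
    """Per-unit hourly failure rate from failures observed over the fleet's unit-years."""
    return failures / (reactor_years * units_per_plant) / HOURS_PER_YEAR


def table_1(rates=COMPONENT_RATES):
    """Table 3.115-1: common-mode unavailability per component (generic rates)."""
    return {name: common_mode_unavailability(r) for name, r in rates.items()}


def table_2(failures=5, reactor_years=90, drivers_per_plant=2):
    """Table 3.115-2: swap the UV driver's generic rate for the field-derived one."""
    base = table_1()
    others = sum(u for name, u in base.items() if name != "Undervoltage Driver")
    uv_rate = rate_from_field_failures(failures, reactor_years, drivers_per_plant)
    uv_u = common_mode_unavailability(uv_rate)
    return {"uv_rate_per_h": uv_rate, "uv_common_mode": uv_u,
            "all_other_components": others, "total": uv_u + others}


def table_3(common_mode, uv_common_mode, random_failures, testing):
    """Table 3.115-3: existing system vs. a diverse relay-driver path for the trip function.

    With the diverse path the UV-driver common-mode term drops out; the page treats
    the remaining random-failure (< 1e-6) and testing unavailability as negligible.
    """
    existing = common_mode + random_failures + testing
    diverse = common_mode - uv_common_mode
    return {"existing": existing, "diverse_uv_driver": diverse}


def risk_reduction(delta_cdf_per_ry, consequence_per_event, plants, remaining_life_yr):
    """Averted exposure (or cost): delta-CDF x consequence/event x plants x remaining life."""
    return delta_cdf_per_ry * consequence_per_event * plants * remaining_life_yr


def value_impact_score(man_rem, cost_dollars):
    """Man-rem averted per million dollars spent."""
    return man_rem / (cost_dollars / 1e6)


if __name__ == "__main__":
    for name, u in table_1().items():
        print(f"{name:32s} U = {u / 1e-5:.3f} x 10^-5")
    t2 = table_2()
    print(f"UV driver field rate: {t2['uv_rate_per_h']:.2e}/hr, total: {t2['total']:.2e}")
    t3 = table_3(2.60e-5, 1.14e-5, 4.33e-6, 6.34e-6)   # page's Table 3.115-3 inputs
    print(f"Total unavailability: existing {t3['existing']:.2e}, diverse {t3['diverse_uv_driver']:.2e}")
    delta_cdf = 8.9e-6 - 4.7e-6
    averted = risk_reduction(delta_cdf, 2.7e6, 19, 25.5)
    print(f"Averted public dose: {averted:.0f} man-rem; "
          f"value/impact {value_impact_score(averted, 1.12e6):.0f} man-rem/$M")
```

The same `risk_reduction` routine, fed 19,900 man-rem/event or $1.65 billion/event instead of the public-dose consequence, yields the averted occupational exposure (about 40 man-rem) and averted accident cost (about $3.3M) quoted further down the page.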
Industry Cost: Based upon discussions with plant operators, the following licensee implementation costs were identified:
(1) Engineering analysis of the problem was estimated to take about 2 man-weeks to design and document the modifications to the SSPS. At $2,270/man-week, this was estimated to cost $4,540.
(2) Relays and other hardware were assumed to cost $3,000.
(3) Installation was assumed to require 1 man-week at an estimated cost of $2,270. Since this modification could be completed during normal outage time, no replacement power cost was included.
(4) Possible TS changes were assumed to require 4 man-weeks. At $2,270/man-week, this was estimated to cost $9,080.
In addition, it was assumed that, following completion of the modifications to the scram system of the SSPS, a functional (acceptance) test would be necessary. It was estimated that this test would take the better part of a shift to perform and would involve time from the shift supervisor, systems engineering, control room operators, and I&C technicians. The functional test was estimated to take 42 man-hours at a cost of $2,400/plant. QA efforts during the design, installation and testing of the scram system modifications and during the development of TS revisions were estimated to take an additional 66 man-hours for a cost of $3,800/plant.
The cost of the above requirements was estimated to be about $25,000/plant for a total licensee implementation cost of $475,000 for the 19 affected plants. The affected plants were assumed to not require any additional operation/maintenance beyond that normally required. Therefore, the licensees' operation and maintenance cost was zero.
NRC Cost: It was estimated that the NRC labor requirement for development of requirements was 8 man-weeks. At $2,270/man-week, this was estimated to be $18,160. The cost for a technical assistance contractor was assumed to be $20,000. Therefore, the total NRC cost for development of requirements was ($18,160 + $20,000), or about $38,000.
NRC cost tracking had shown that, on the average, about 1.7 staff-years were required to process a generic requirement from the point where it is acted on by the CRGR until its resolution in the form of a specific MPA. At approximately $135,000/staff-year, this amounted to about $230,000. In light of the relatively large societal risk and the rather small industry cost estimated for this issue, it was assumed that the NRC requirement processing cost would be less than the existing average and would be about $150,000.
Using historical cost information provided in NUREG/CR-3971, [906] the NRR implementation cost/plant was estimated for the plant-specific review of licensee design changes, the review and processing of plant-specific TS changes, and OIE review of the licensees' implementation actions. The estimated NRC implementation costs/plant were:

| NRC Design Review          | $ 6,000 |
| TS Review and Processing   | 14,000 |
| OIE Implementation Review  | 4,000 |
| Total per plant            | $24,000 |
For the 19 affected plants, the NRC implementation cost was estimated to be $456,000. Since no additional operational/maintenance costs were estimated for the licensees, no additional costs for NRC review of the licensees maintenance and testing were estimated. Thus, the total NRC cost was estimated to be $644,000.
Total Cost: The total industry and NRC cost associated with the possible solution was estimated to be $1.12M.
Based on a potential public risk reduction of 5,500 man-rem and an estimated cost of $1.12M for a possible solution, the value/impact score was given by:
Reduction in the frequency of core damage events would result in an averted occupational radiation exposure (ORE) for cleanup of the 19 affected plants. When a value of 19,900 man-rem/event for ORE following a severe core damage event was multiplied by the change in core-melt frequency, the number of affected plants and their average remaining life, an averted ORE of about 40 man-rem was estimated. Likewise, the rather large reduction in core-melt frequency would also result in an appreciable averted accident savings to the licensee. At a cost of $1.65 billion per core-melt event, the averted accident savings for this issue was calculated to be $3.3M.
Based on discussions with plant operators, the assumed modifications to the SSPS would not require labor for installation or maintenance in a radiation zone. Therefore, no ORE was estimated for these efforts.
The proposed modifications to the SSPS might result in an increase in the frequency of inadvertent or spurious trips which would represent an economic loss to the industry due to lost power production/replacement power costs. This was not considered in this analysis but should be estimated and accounted for in the resolution of this issue and the development of a regulatory analysis for any proposed new requirement(s).
Based on the potential risk reduction and the high value/impact score, the issue was given a high priority ranking (see Appendix C). In pursuing a resolution to the issue, W investigated the five UV driver card failures and determined that they were caused by poor maintenance and test-related practices. These practices involved the inadvertent shorting of the scram breakers' UV trip coil, causing a shorted failure of the output transistor in the UV card. To eliminate this safety problem, W modified the design of the UV card to provide a fuse link in the output circuit which will open the circuit when the UV coil is shorted. This will produce a UV trip signal to the scram breaker which will persist until the card is removed, repaired (by W), and replaced.
W Technical Bulletin NSID-T8-85-16, dated July 31, 1985, was issued to the W utilities, as required by the Salem ATWS Generic Letter (83-28), [520] recommending installation of the modified UV cards. The Bulletin also recommended specific maintenance and test procedures that should be followed to prevent failures of this type pending installation of the modified UV cards. It was expected that the affected W licensees would take action to modify their test and maintenance procedures and to procure and install the modified UV driver cards. The staff sought verification of the licensees' responses to the W recommendations. The W recommended solution was not viewed as providing the same degree of risk reduction as that which could be achieved by providing diversity for the UV driver scram function. Resolution of the issue was expected to take into consideration the potential risk reduction afforded by the W "fix," if it was adopted by the affected licensees, and a determination was to be made as to whether any further risk reduction offered by providing diversity for the UV driver scram function could be justified by value/impact analysis.
During the course of resolving the issue, the staff gained certain insights which were deemed to be useful in improving the reliability and overall performance of reactor protection systems. These insights were suitable for industry initiatives to improve safety and to reduce the regulatory burden on the affected licensees while extending the life of reactor trip breakers. The staff's technical findings were documented in NUREG/CR-5197 [1200] and the regulatory analysis was published in NUREG-1341. [1201] Thus, the issue was RESOLVED with no new or revised requirements. [1202]
In March 1999, a follow-up study of the reliability of risk-significant safety systems resulted in the publication of NUREG/CR-5500, Volume 2. [1752] This study provided an estimate of the reactor protection system unavailability based on actual and test demands between 1984 and 1995, and identified dominant contributors to potential system failure. Recommendations for improving risk-informed regulatory activities were made. [1753]