Resolution of Generic Safety Issues: Issue 120: On-Line Testability of Protection Systems (Rev. 2) ( NUREG-0933, Main Report with Supplements 1–34 )
This issue was raised1271 by the staff in 1985 during the review of several plant TS when it was found that the protection system designs of some older plants did not provide as complete a degree of on-line protection system surveillance testing capability as other plants undergoing staff review and evaluation at that time.
The requirements for at-power testability of components are included in GDC 21 of Appendix A to 10 CFR 50. Supplementary guidance is provided in Regulatory Guides 1.221591 and 1.1181592 and IEEE Standard 338 to ensure that protection systems (including logic, actuation devices, and associated actuated equipment) will be designed to permit testing while the plant is operating without adversely affecting the plant's operation. These requirements apply to both the RPS and the ESFAS. Existing STS indicate that it is desirable to test all protection systems through their sub-group relays every 6 months.
This issue centered around the risk posed by those plants with lesser degrees of on-line testing capability and the value/impact effects of requiring modifications of the protection systems to allow for a greater degree of on-line testing. On-line testing increases the ability to detect existing failures of the protection system and could therefore result in improved reliability of the system; hence, a reduction in plant risk. In some older plants, a larger portion of the protection system hardware can only be tested through the sub-group relays during outages (i.e., shutdowns) which typically have an 18-month frequency. Therefore, modification of the protection system to allow for semiannual testing through the sub-group relays could result in risk reduction at those plants.
The following two options were identified as potential solutions:
(1) Recognize that there are cases where there are no practical system design modifications that will permit at-power operation of the actuated equipment without adversely affecting the safety or operability of a plant. Exceptions could be taken that include not testing the automatic initiating logic and associated actuating devices. Actions could include: (1) submittal of information by licensees to describe and justify any deviations from regulatory requirements and to describe the revision of the plant TS stating the testing required; and (2) testing of those systems that can be tested without defeating the ESFAS train or RPS.
(2) Design and implement modifications to allow compliance with the requirements for on-line testing of all systems without defeating the ESFAS train or RPS. Each channel of the reactor trip module (RTM) needs to be provided with two key-operated bypass switches, a channel bypass switch, and a shutdown bypass switch. The 2/4 system would then operate in the 2/3 mode during the testing.
It was believed that changing the testing frequency of the protection system components to 6-month intervals, instead of the existing 18-month intervals, would increase the reliability of these components and result in an overall enhancement of plant safety.
It was assumed that modifications would be made to allow for an increase in test frequency to 6 months (from 18 months) for 20% of the relays in the RPS. Changes in the test frequency for ESFAS relays were not considered because they could not be as readily incorporated into the representative plant PRAs.
The Oconee 3 and Grand Gulf 1 PRAs were used as the representative PWR and BWR, respectively, to estimate the change in the reliability of RPS components due to revised testing frequency (from the current 18-month testing interval to 6-month interval) and the resultant change in the core-melt frequency.64 Thus, the changes in core-melt frequency were estimated based on reductions in failure rates for relays in the RPS that would result from licensee implementation of potential solutions. It was assumed that the values in the Oconee 3 and Grand Gulf 1 PRAs were based on the 6-month test interval for all relays in the RPS and that these plants are in full compliance with on-line testing requirements. These values were then considered to be adjusted case values for the purposes of this analysis. Therefore, the base case represents the situation in which only a fraction of the relays can be tested during refueling outages or other extended shutdowns (an 18-month test interval for these relays is assumed).
The affected parameter in the Oconee 3 PRA was considered to be K, failure of RPS due primarily to test and maintenance faults (frequency = 2.6 x 10-5/demand). The affected parameter for Grand Gulf 1 was considered to be C, failure to render the reactor subcritical (frequency = 7.7 x 10-7/demand). These K and C estimates were then assumed to represent the adjusted case values. To calculate the base case values for a change in test frequency from 6 to 18 months, relay unavailability data from ANO-2 for the two testing frequencies were used. In addition, it was also assumed that the testing of all 100 relays, instead of the approximately 80 relays that are currently being tested, will increase the unavailability of 1 of 4 RTMs by 25%. The ANO-2 relay unavailability data for the 6-month and 18-month testing intervals were 7.2 x 10-4/demand and 2.2 x 10-3/demand, respectively.1272 By using these values in the RPS fault tree given in NUREG/CR-2800,64 base case values of 2.96 x 10-5/demand and 9.2 x 10-7/demand for K and C, respectively, were calculated. Note that these were the values relating to the 18-month testing intervals. Substituting these values for the affected parameters in the Oconee 3 and Grand Gulf 1 PRAs resulted in core-melt frequency reductions of 1.2 x 10-6 /RY and 10-6/RY for a PWR and BWR, respectively. The generic release categories and containment failure modes associated with this issue were as follows:64
|Release Category||Containment Failure Mode Probability||Whole Body Dose (Man-Rem)|
|PWR-3||0.5||5.4 x 106|
|PWR-5||0.0073||1.0 x 106|
|PWR-7||0.5||2.3 x 103|
|BWR-2||1.0||7.1 x 106|
Accordingly, the associated public risk reduction was estimated to be 3.3 man-rem/RY and 4.8 man-rem/RY for PWRs and BWRs, respectively.
A total of 42 operating plants were affected by this issue: 8 PWRs with an average remaining life of 27.7 years and 34 BWRs with an average remaining life of 25.2 years. For the 8 affected PWRs, the estimated risk reduction was [(8)(27.7)(3.3)] man-rem or 731 man-rem. For the 34 affected BWRs, the estimated risk reduction was [(34)(25.2)(7.1)] man-rem or 6,083 man-rem. Thus, the average risk reduction was approximately 162 man-rem/reactor.
The plants affected by this issue were divided into two groups: Group 1, consisting of plants where no design modifications that would permit testing of the RPS at full power were possible; and Group 2, consisting of plants that could possibly implement design modifications that would permit this testing. It was assumed that the affected plants were divided equally into these two groups (21 plants each) and had an average remaining life of 26.9 years.
Industry Cost: The implementation of the possible solution for Group 1 plants would require 16 man-weeks/plant broken down as follows:
|Inspection/review of current plant configuration||= 1 man-week|
|Researching possible design modifications||= 3 man-weeks|
|Analyze/justify deviations from regulatory requirements||= 4 man-weeks|
|TS changes and associated technical/legal/administrative support||= 8 man-weeks|
At approximately $2,270/man-week, the cost of implementation for Group 1 plants was estimated to be (16 man-weeks/plant)($2,270/man-week) or $36,000/plant. The implementation cost for Group 2 plants was estimated to consist of about $50,000/ plant hardware costs and about 21 man-weeks/plant of labor itemized as follows:
|Inspection/review of current plant configuration||= 1 man-week|
|Design modifications||= 3 man-weeks|
|Install and test design modifications||= 16 man-weeks|
|Revise testing procedures||= 2 man-weeks|
Similarly, at $2,270/man-week, the labor cost was estimated to be (21 man-weeks/ plant)($2,270/man-week) or $48,000/plant. Therefore, the total implementation cost/plant for Group 2 plants was ($48,000 + $50,000) or approximately $100,000. Thus, the average implementation cost for the 42 affected reactors was $68,000/plant.
It was assumed that Group 1 plants would require additional inspection activities during outages associated with assuring the operability of the relays in the RPS. It was estimated that an additional 4 man-hours/relay (i.e., those 20 relays that cannot be tested at power) would be required every 6 months for Group 1 plants for a total of 160 man-hours/RY. For Group 2 plants, it was estimated that an additional 2 man-hours/relay would be required every 6 months for a total of 80 man-hours/RY. Since most of the work would be in radiation zones, a 75% utilization factor for labor (210 man-hours/RY for Group 1 plants and 110 man-hours/RY for Group 2 plants) was assumed. At $2,270/man-week, maintenance and operation costs for Group 1 and Group 2 plants were estimated to be $12,000/RY and $6,200/RY, respectively. Using a 5% discount rate, the present worth of the recurring costs associated with plant maintenance and operation for Group 1 and 2 plants were $6,700/RY and $3,400/RY, respectively. Thus, the estimated operations and maintenance costs were $180,000/plant and $91,000/plant for Group 1 and Group 2 plants, respectively, and the average cost for all affected plants was $136,000/plant.
NRC Cost: NRC resource requirements consisted of preparation of a generic letter to the affected plants to inform them of the potential problems and requiring licensee inspection/review of the RPS testing capabilities, as well as the technical analyses and/or design modifications needed to implement the proposed resolutions. This effort was estimated to require 6 man-weeks of NRC labor or $14,000. For the 42 affected plants, this cost averaged $330/plant.
In addition, it was estimated that approximately 12 man-weeks (or $27,000/plant) of NRC labor were required for each Group 1 plant to review and approve licensee evaluations and TS changes. For each Group 2 plant, it was estimated that 10 man-weeks (or $23,000/plant) would be required for the review and approval of licensee evaluation, proposed design modifications, and TS changes. Thus, the average NRC cost for this effort was $25,000/plant for the 42 affected plants.
Inspection-related costs for each plant would be about $4,600/year for the remaining life of the affected plants. At a 5% discount rate, this translated to a present worth of $2,600/RY. This cost was $70,000/plant based on the average remaining life of the affected plants.
Total Cost: Based on the above estimates, the average cost for implementing the possible solutions was $[68,000 + 136,000 + 330 + 25,000 + 70,000]/plant or approximately $0.3M/plant.
Based on a potential public risk reduction of 162 man-rem/reactor and an average cost of $0.3M/reactor, the value/impact score was given by:
(1) It was estimated that, for Group 1 plants, 1 man-week of utility labor in a radiation zone will be required to inspect the non-testable relays and review the system design. Group 2 plants would be subjected to this review and would also require an additional 10 man-weeks to install the design modifications and 4 man-weeks to test the modified system. It was assumed that testing would be performed outside containment where the dose rate is 2.5 millirem/hr. It was further assumed that the work involved a 75% utilization factor. The implementation dose was, therefore, estimated to be about 1 man-rem/plant.
(2) It was estimated that, for Group 1 plants, operation and maintenance would require additional inspection activities during plant outages associated with assuring the operability of the relays in the RPS. It was estimated that a total of 160 man-hours/RY would be required for Group 1 plants. For Group 2 plants, it was estimated that the labor requirements were 110 manhours/RY in a radiation zone. Assuming a 75% utilization factor, the total operation and maintenance dose was estimated to be about 12 man-rem/plant.
The estimated potential public risk reduction resulting from improvement in the on-line testability for the RPS at some older plants was significant and the value/impact score indicated a medium priority. Neglecting the ESFAS relays could result in an underprediction of the total potential risk reduction. Experience showed that testing of protection systems at power can have the potential for subtle interactions with other safety systems and/or plant operation that might result in negative effects on plant risk (i.e., an increase in plant risk). In addition, the negative aspects of increased testing (human error and reduced redundancy) could also produce a competing impact on plant risk. Based on these considerations and the value/impact score, this issue was given a medium priority ranking (See Appendix C) and RESOLVED with no new requirements.1508 In an RES evaluation,1564 it was concluded that consideration of a 20-year license renewal period did not affect the resolution.