Resolution of Generic Safety Issues: Issue 142: Leakage Through Electrical Isolators in Instrumentation Circuits (Rev. 4) ( NUREG-0933, Main Report with Supplements 1–34 )
Electronic isolators are used to maintain electrical separation between safety and non-safety-related electrical systems in nuclear power plants, preventing malfunctions in the non-safety systems from degrading performance of safetyrelated circuits. Isolators are primarily used where signals from Class 1E safety-related systems are transmitted to non-Class 1E control or display equipment.
There are a number of devices which may qualify as electrical isolators in a nuclear power plant, including fiber optic and photo-electric couplers, transformer-modulated isolators, current transformers, amplifiers, circuit breakers, and relays. These isolators are designed and tested to prevent the maximum credible fault applied in the transverse mode on the non-Class 1E side of the isolator from degrading the performance of the safety-related circuit (Class 1E side) below an acceptable level.
This issue was identifiedl270 by the staff in June 1987 and arose from observations made during SPDS evaluation tests that, for electrical transients below the maximum credible level, a relatively high level of noise could pass through certain types of isolation devices and be transmitted to safety-related circuitry.1269 In some cases, the amount of energy that can pass through the isolator may be sufficient to damage or seriously degrade the performance of Class 1E components while, in other cases, electrically-generated noise on the circuit may cause the isolation device to give a false output.
Observations had shown instances in which isolation devices subjected to failure voltages and/or currents less than maximum credible fault levels passed significant levels of voltage or current, but the same devices performed acceptably at maximum credible levels. The safety system on the Class 1E side of the isolation device may be affected by the passage of small levels of electrical energy, depending upon the design and function of the safety system.
In the event that safety systems are affected by less than maximum credible faults on the non-Class 1E side of isolators, the effects can range from degradation to failure of single or multiple trains of safety systems resulting in failure on demand or inadvertent operation. In one recorded incident, a voltage transient induced by a power line fault caused a false indication that the turbine-generator output breaker had tripped, resulting in a reactor scram.
The assumed solution to this issue would require the staff to determine the extent to which potentially susceptible isolators are used in nuclear power plants and to identify the systems in which they are used. An NRC bulletin to all licensees to provide input on these questions would be necessary. Assuming that the staff determines from the licensee responses to the proposed bulletin that a potential problem exists, a research program consisting of two major objectives would have to be initiated to develop the solution to the issue. The first objective would be to develop test procedures and acceptance criteria for isolators that licensees could use to determine the adequacy of installed isolators. The second objective would involve development of appropriate hardware fixes that could resolve the issue.
Electrical hardware exists either to reduce the amount of energy that may leak through electrical barriers provided by various types of isolation devices, or to minimize the consequences of any unwanted signals that may leak through the isolator. Some of these devices are described below.
Surge arresters, also called lightning arresters, provide an effective means of eliminating high voltage transients from a circuit. These devices are simply connected from the conductor directly to ground, preferably as close as possible to the device to be protected. The arresters function by simply shunting to ground any voltage spikes above a certain level.
Filter chokes and capacitors can greatly attenuate high frequency electrical noise. These components create an impedance to the passage of electrical energy proportionate to the frequency of the signal and are especially effective against radio frequency noise. Filter chokes (or reactors) also function as current limiters in AC circuits and thus offer additional protection from overload currents.
At power frequencies, power conditioners can be employed to eliminate all unwanted signals. Power line conditioners function by rectifying an AC signal into DC and then reconverting power through an invertor into a clean, noise-free AC signal. These devices prevent notches, spikes, radio frequency, brownouts, and overload power at the input terminals from degrading the quality of power at the protected output.
The final step in the solution to this issue would be the issuance of a generic letter to licensees with the following guidelines for: (1) inspection and testing of all electrical isolation devices between Class 1E and non-Class 1E systems; (2) repair/replacement of isolators that fail the tests, including description of acceptable hardware fixes to the isolators; and (3) implementation of an annual program to inspect and test all electronic isolators between Class 1E and non-Class 1E systems.
It was assumed that a total of 90 PWRs and 44 BWRs with average remaining lives of 28.8 and 27.4 years, respectively, were potentially affected by the issue.
There were several sources of uncertainty associated with this issue, the most important of which were: (1) the extent to which potentially susceptible isolators were used at nuclear power plants; (2) the amount of electrical energy leakage through isolation devices that could compromise the function of Class 1E system components; and (3) the number of components in which such compromises would be critical. While a recent studyl269 indicated that a safety problem may exist due to energy leakage through electronic devices, no definitive research had been conducted at the time of this evaluation to indicate the character and magnitude of the associated safety concerns. As a result, a sensitivity analysis was performed to bound the potential public risk reduction associated with the issue. Estimates of the upper and lower bounds were developed as well as a third case that represented the "best estimate" based on the available information.
The Oconee-3 and Grand Gulf-1 PRA studies were used as representative of PWRs and BWRs, respectively.64 The parameters affected by the issue were those involving control circuitry failures and functional failure of ESF actuation systems. These components may be directly affected by energy leakage through isolation devices that are intended to protect them from signals originating in connected non-Class 1E systems. It is also possible that sensors in the Class 1E safety systems may be affected by the electrical energy leakage from the non-Class 1E system. These sensors may include valve position, temperature, and pressure sensors that alert plant operators to take a particular action. In this case, plant operators may be misled into not taking appropriate actions when required. For this reason, operator error terms are also included as potentially affected parameters. The affected parameters in the Oconee-3 and Grand Gulf-1 PRAs were identified and modified to model the three sensitivity cases.
Best Estimate: All of the affected control circuitry failure, ESF actuation functional failure, and operator error terms were multiplied by a factor of two (assumed) to account for the potential additional failures associated with electrical isolators. The factor of two was based on engineering judgment and the findings of previous prioritization analyses.
Upper Bound: All of the affected control circuitry failure, ESF actuation functional failure, and operator error terms were multiplied by a factor of ten (assumed) to account for the potential additional failures associated with electrical isolators. The factor of 10 was likewise based on judgment and previous analytical experience.
Lower Bound: The control circuitry and ESF actuation functional failures were multiplied by a factor of 1.4. This was based on an assumed factor of two increase in only the probability of fuse failures which are included in the control circuitry unavailability values. No effect on the operator error terms were assumed in this case.
Varying all the control circuitry, ESF function failure, and operator error terms was a conservative approach. Logic dictated that not all the terms would be affected at the same time and that a plant-specific detailed evaluation would probably result in a reduced sensitivity. After the failure terms were modified, they were combined with the remaining unaffected portions of the parameter unavailabilities to calculate the revised unavailabilities. The affected cut-set elements and their base case and adjusted case unavailability values are shown in Table 3.142-1.
In performing the risk analysis, it was assumed that the isolator failures were not considered as potential causes of failure in the original Oconee-3 and Grand Gulf-1 PRAs. (This assumption may also introduce additional conservatism.)
Since the base case was intended to represent the situation in which isolator failures are considered as possible causes of safety system failures and the adjusted case represented the
|Base Case and Adjusted Case Values of Affected Parameters|
|Parameter||Adjusted Casea||Base Case 1b||Base Case 2c||Base Case 3d|
|SAC, SBC, SCC||0.00123||0.00223||0.00163||0.0102|
a - Original Oconee-3 and Grand Gulf-1 PRA values
b - Best estimate
c - Lower bound case
d - Upper bound case
In performing risk analysis , it was assumed that the isolator failures were not considered as potential causes of failure in the original Oconee and Grand Gulf PRAs. (This assumption may also introduce additional conservatism.)
Since the base case was intended to represent the situation in which isolator failures are considered as possible causes of safety system failures and the adjusted case represented the situation after the resolution is implemented, the modified parameter values were used in the base case and the adjusted case represented the original Oconee-3 and Grand Gulf-1 parameter values. The base case and adjusted case values of the affected parameters were then incorporated in the Oconee-3 and Grand Gulf-1 PRAs to derive the estimated core-melt frequency and the associated public risk reduction. Based on the data in Table 3.142-1, the following core-melt frequency reduction was estimated for the representative PWR and BWR.
|Core-Melt Frequency Reduction|
|Best Estimate||2.59 x 10-5/RY||7.98 x 10-6/RY|
|Lower Bound||5.37 x 10-6/RY||2.07 x 10-6/RY|
|Upper Bound||4.35 x 10-4/RY||1.17 x 10-4/RY|
Utilizing generic release categories and containment failure modes, the public risk reduction was estimated64 to be as follows:
|Public Risk Reduction (man-rem/RY)|
Based on the public risk reduction estimates presented before for the representative PWR and BWR and the three sensitivity cases, the following public risk reduction was estimated (weighted average over all affected PWRs and BWRs and their remaining lives):
|Best Estimate||=1,580 man-rem/plant|
|Lower Bound||=378 man-rem/plant|
|Upper Bound||=26,752 man-rem/plant|
Industry Cost: It was assumed that the proposed generic letter would contain the following guidelines applicable to all affected plants: (1) inspection and testing of all electrical isolation devices between Class 1E and non-Class 1E systems; (2) replacement of failed or unacceptable isolators, including descriptions of acceptable hardware fixes to the isolators; and (3) implementation of an annual program to inspect and test all electronic isolators between Class 1E and non-Class 1E systems.
The initial testing and inspection program at each plant was estimated to require approximately 4 man-weeks for planning and 8 man-weeks for review and evaluation of the data, preparation of the final response to the generic letter, and preparation of a safety analysis. The cost to conduct the initial test program was highly uncertain because there were unknown numbers of affected systems and susceptible isolators at each plant. For this analysis, the number of potentially affected isolators was estimated using the number of safety system components in the Oconee-3 and Grand Gulf-1 PRAs with functional and/or control circuitry failure terms. Accordingly, 46 isolators for BWRs and 78 isolators for PWRs were estimated. Assuming a two-man team can test 10 isolators per day, labor requirements for the initial test/inspection required by the generic letter were estimated at 10 man-days/plant for PWRs and 16 man-days/plant for BWRs.
Furthermore, isolators that fail the initial tests must be replaced or repaired. It was conservatively assumed that 25% of the tested isolators would fail the tests; this would result in 12 failures at PWRs and 20 failures at BWRs. The cost to purchase, install, test, and perform adequate QC of acceptable replacement isolators was estimated at $10,000/isolator and included approximately 2 man-days/isolator for replacement. Thus, the total isolator replacement costs were estimated to be $120,000/plant and $200,000/plant for PWRs and BWRs, respectively. Assuming a cost of $2,270/man-week, the total implementation cost (including hardware) was estimated to be $156,000/plant and $239,00/plant for PWRs and BWRs, respectively.
The generic letter was assumed to include a requirement for annual testing and inspection of all electronic isolators. The industry labor requirements for this activity were estimated to be 1 man-week/RY for test planning (this was significantly lower than the 4 man-weeks for planning the initial test program), plus 10 man-days/RY to conduct the tests at PWRs and 16 man-days/RY to conduct the tests at BWRs. An additional 1 man-week/RY at all plants to review the test results and prepare a report for the NRC was also included. This resulted in estimated labor requirements of 4 man-weeks/RY and 5.2 man-weeks/RY for PWRs and BWRs, respectively.
Furthermore, the annual testing program was likely to determine that there were additional failed or suspect isolators that required replacement. It was assumed that all the remaining isolators (i.e., other than those that were replaced as a result of the initial test program) will eventually be replaced with acceptable components. The number of remaining isolators to be replaced at PWRs was estimated to be 38 (i.e., 46 - 12) over a 28.8 year period or 1.2/RY. At BWRs, the annual replacement rate was 58 (i.e., 78 - 20) over a 27.4 year period, or 2.1/RY. The annual replacement costs at each plant were thus estimated to be $12,000/RY and $21,000/RY for PWRs and BWRs, respectively.
At $2,270/man-week, the total cost of maintenance and operation (including hardware) of the possible solution at each plant was estimated to be $21,000/RY and $33,000/RY for PWRs and BWRs, respectively. Using a 5% discount rate, the present worth cost associated with plant maintenance and operation for PWRs and BWRs was estimated to be $11,600/RY and $18,300/RY, respectively.
NRC Cost: It was assumed that the first activity would involve issuance of a bulletin to determine the extent to which potentially susceptible isolators were used in nuclear power plants and to identify the systems in which they were used. It was estimated that 2 man-weeks ($4,000) would be required to prepare the bulletin. To perform the review and analysis of licensee responses to the bulletin, it was estimated that 6 man-months ($50,000) of technical support would be needed at a cost of $54,000.
Assuming that, after analyzing licensee responses, the staff concluded that the issue warranted further attention, the second activity would involve a research program that would develop the details of the final resolution to the issue. This program would involve two major objectives. First, test procedures and acceptance criteria for isolators would be developed for licensee use in determining the adequacy of their installed isolators. It was estimated that a $50,000 contract plus $10,000 for NRC contract support would be needed to accomplish this objective. Second, appropriate hardware fixes would be developed that could resolve the issue. Safety and cost analyses to determine the cost-effectiveness of the proposed hardware fixes would also be necessary. An estimated $150,000 contract plus $20,000 for NRC contract support would be needed to accomplish this activity. Thus, the total cost of this activity was estimated to be $230,000.
The next step was to prepare and issue a generic letter to all licensees. Approximately 4 man-weeks ($10,000) were estimated to prepare and issue the letter. It was estimated that 6 man-months of staff time would be required to review and evaluate each licensee response. (This was equivalent to a $55,000 contract and $10,000 for NRC contract support.) Thus, the total estimated cost for this effort was $75,000.
Based on the above estimates, the total NRC cost for development of the possible solution was $355,000. Averaging this cost over the 134 affected plants resulted in a cost of $2,650/plant for development.
It was assumed that the staff would review the implementation of the requirements in the generic letter, review the test procedures, review plant-specific implementation plans, and prepare a safety evaluation. The cost for this review was estimated to be 4 man-weeks/plant. At $2,270/man-week, this cost was $9,080/ plant.
An additional 0.5 man-week/RY of NRC effort would be required for an annual review of the operation and maintenance of the solution. Summing this cost over the remaining lives of the affected plants at $2,270/man-week resulted in a cost of $32,200/plant. Using a 5% discount rate, the present worth of this review was $17,900/plant.
Therefore, the total NRC cost for the development and implementation of the possible solution was estimated to be approximately $30,000/plant.
Total Cost: The total industry and NRC cost for implementation of the proposed solution was estimated to be $0.6M/plant.
Based on the above estimates, the following value/impact scores were calculated for the three cases considered.
(1) Implementation of the possible solution was assumed to include repair, replacement, and testing of potentially susceptible isolators. This resulted in labor estimates of 34 man-days/plant for PWRs and 56 man-days/plant for BWRs in radiation zones. Radiation fields of 25 millirem/hr were assumed to exist inside containment where most of the isolators were located. Utilizing a 75% efficiency factor for labor in radiation zones, the occupational dose increase for implementation of the possible solution was estimated to be 9.1 man-rem/plant and 14.9 man-rem/plant for PWRs and BWRs, respectively.
(2) Licensee labor requirements in radiation zones for operation and maintenance of the possible solution included:
|Annual Test Program||10||16|
|Replacement of Isolators||2.4||4.2|
Again, utilizing a 75% efficiency factor for labor in radiation zones and radiation fields of 25 millirem/hr resulted in an estimated increase in ORE of 3.3 man-rem/RY and 5.4 man-rem/RY for PWRs and BWRs, respectively. Summing these values over the remaining lives of the affected plants (28.8 years for PWRs and 27.4 years for BWRs) resulted in an increase in ORE of approximately 95 man-rem/plant and 148 man-rem/plant for PWRs and BWRs, respectively.
The best estimate of public risk reduction associated with preventing leakage through electrical isolators was significant and indicated a high priority ranking. However, the calculation of risk reduction included a number of conservative assumptions. Generally, use of conservative assumptions where real data does not exist will always result in overprediction of potential risk reduction. In acknowledgement of the conservatism in the analysis, a medium priority ranking was assigned to the issue (See Appendix C). This ranking was consistent with the qualitative judgments of the staff and was further supported by NRR's stated intention to process a research request to initiate an electrical isolator testing program to improve the current state of knowledge concerning isolator characteristics at less than maximum credible fault levels. The resolution of the issue was expected to address the safety concern of Issue 156.4.1.
In resolving the issue, the staff determined from operating experience that isolation devices perform satisfactorily in the operating environment and have not been exposed to failure mechanisms that resulted in signal leakage. This determination was based in part on plants that predominantly use electromechanical controls and may not be applicable to control systems with digital or electronic components. Therefore, RES recommended1511 the development of an SRP11 Section to provide review guidance for future plants that use digital systems, and for OLs that convert safety-related systems from analog to digital. This recommendation was referred to the appropriate NRR Division for consideration.947 The regulatory analysis was published in NUREG-14531593 and the issue was resolved with no new requirements.1511 In an RES evaluation,1564 it was concluded that consideration of a 20-year license renewal period did not affect the resolution.