Resolution of Generic Safety Issues: Issue 154: Adequacy of Emergency and Essential Lighting (Rev. 2) (NUREG-0933, Main Report with Supplements 1–34)
This issue arose as the result of an event at the Palo Verde Nuclear Generating Station (PVNGS) Unit 3 in which inadequate lighting conditions exacerbated an unrelated reactor trip [1468]. During this event, half of the steam bypass control system malfunctioned, the ADVs failed to operate from both the control room and the remote shutdown panel, and both the normal and the emergency lighting failed in the main steam support structure, where the ADVs are located.
One of the principal functions of backup lighting systems at nuclear power plants is the provision of sufficient illumination at the instruments and controls needed by the operators to bring the reactor to a safe (usually shutdown) condition following a plant transient or accident, if normal lighting systems should fail. Due to the necessity of reading posted instructions (and locating and operating controls) while relying only on hand-held flashlights for illumination, initiation of plant depressurization and cooldown through use of the ADVs was delayed at PVNGS-3 [1468].
During the interval the operators were attempting to open the ADVs, the plant was in a stable, steady-state condition with feedwater supplied to the steam generators by the AFW pumps and steam removed from the steam generators to the atmosphere through the secondary system safety valves. The plant could have been sustained in that stable condition for as long as water could be supplied to the AFW pumps. That safe time period would have been a minimum of several hours but more likely would have been several days, considering the small amounts of water needed (in comparison to that needed during power operation) and the multiple backup sources of water that were available. Thus, the plant was in no imminent danger and could have been maintained in the described stable condition for an indefinite period barring additional equipment failures or operator errors. However, during that time period, the risk from such potential additional failures was greater since the plant was not under full control by the operators; they wanted to (but could not) cool it below the saturation temperature corresponding to the pressure setpoint of the secondary system safety valves.
The corrective action considered involved NRC development of guidance on appropriate areas to be provided with emergency lighting, adequate illumination levels, and preventive maintenance criteria. Licensees could be required to install additional emergency lighting and upgrade existing lighting systems in compliance with any new requirements that might be developed.
It was assumed that 90 PWRs and 44 BWRs with average remaining lives of 28.8 and 27.4 years, respectively, were affected by this issue. Since emergency and essential lighting failures and their effects were not explicitly addressed in existing PRAs, the method described below was used [64].
In the Oconee 3 PRA, seven sequences resulted in core damage and involved operator recovery action outside the control room. These seven sequences together accounted for a CDF of 2.54 × 10^-5/RY. It was assumed [64] that the relatively high Human Error Probability (HEP) of 0.1/demand for an operator failing to recover a failed component, used in the Oconee 3 PRA [889], was appropriate for plants with emergency and essential lighting systems as they existed before any improvements associated with the possible solution. The HEP for the adjusted case following resolution of the issue was assigned a value of 0.003, based on the HEP for selecting an incorrect valve from the control console that is clearly and unambiguously marked [889]. These HEP values were used by PNL [64] to calculate a failure probability for the recovery action, P(NR): the probability of an operator either failing to diagnose the appropriate action, P(ND), or failing to perform the recovery action successfully, P(NA).
P(NR) = P(ND) + P(NA) - P(ND) × P(NA)
The probability P(ND) was estimated [64] to be 0.039, assuming 15 minutes are allowed. Since the possible solution does not affect the control room operator's ability to diagnose the need for the recovery action, this parameter is common to both cases, i.e., before and after implementation of the possible solution. The probability P(NA) was derived by constructing a Human Reliability Analysis (HRA) event tree using the techniques described in NUREG/CR-1278 [339] that considers the probability that the technician sent into the plant will fail to perform the desired action, and that the control room operator will fail to monitor the feedback on his instrumentation (i.e., the control room operator will fail to detect that the technician has failed to perform the action). The resulting expression is:
P(NA) = X1 + (A × B) + (C × D) + (E × F)
where:
X1 = mechanical, physical failure prevents control room operator from getting message to technician (Negligible)
A = error in message from control room operator to technician (0.001)
B = control room operator fails to monitor feedback (0.003)
C = technician fails to understand message from control room operator (0.001)
D = control room operator fails to monitor feedback (0.003)
E = technician fails to perform action [this is the previously-discussed HEP] (0.1)
F = control room operator fails to monitor feedback (0.003)
It was assumed that all the above values remained the same after implementation of the possible solution, except E = 0.003. Thus, the base case and adjusted case values of P(NR) were calculated as follows:
Base Case: P(NR) = 0.039 + (3.06 × 10^-4) - (0.039)(3.06 × 10^-4) = 3.92940 × 10^-2
Adjusted Case: P(NR) = 0.039 + (1.5 × 10^-5) - (0.039)(1.5 × 10^-5) = 3.90144 × 10^-2
The ratio of the P(NR) values for the base and adjusted cases was assumed to be approximately equal to the ratio of the CDF values before and after resolution of the issue, i.e., values for the affected sequences involving credit for operator recovery actions outside the control room. Thus, the following ratio was used: (3.92940 × 10^-2)/(3.90144 × 10^-2) = 1.0071666. Therefore, the change in the affected core-melt frequency was (1.0071666 - 1)(2.54 × 10^-5)/RY or 1.82 × 10^-7/RY.
For PWRs, the consequence estimate of 207 man-rem/RY associated with the core-melt frequency of 8.2 × 10^-5/RY obtained from the Oconee 3 PRA analysis was used to calculate the potential public risk reduction [1469]. Thus, the public risk reduction was estimated to be [(207 man-rem/RY)/(8.2 × 10^-5/RY)][1.82 × 10^-7/RY] or 0.459 man-rem/RY. For BWRs, the scaling relationship developed by PNL [64] showed the public risk reduction to be greater than that for PWRs by a factor of 1.2. Thus, for all 134 affected plants, the total risk reduction associated with the solution to this issue was (0.459)[(90)(28.8) + (1.2)(44)(27.4)] man-rem or 1,854 man-rem.
Industry Cost: The cost estimate took into account the implementation of new guidance and/or requirements regarding appropriate areas to be provided with emergency lighting, adequate illumination levels, preventive maintenance criteria, any required installation of additional emergency lighting, and/or upgrading of existing lighting systems to comply with new requirements, if necessary. These activities were estimated [64] to cost $13.37M.
NRC Cost: Development of a solution, support for its implementation, and review of associated operation and maintenance was estimated [64] to cost $5.38M.
Total Cost: The total industry and NRC cost associated with this issue was estimated to be $(13.37 + 5.38)M or $18.75M.
Based on a potential public risk reduction of 1,854 man-rem and a cost of $18.75M, the value/impact score was given by:
(1) All seven events considered in this analysis represented recovery actions performed in the Standby Shutdown Facility (SSF); recovery actions in the remainder of the plant should have some significance. The event [1468] at PVNGS-3 involved just such a recovery action (outside the SSF).
(2) Nuclear plants have multiple redundant safety systems and PRA analyses reflect the very small residual risk from all of them failing at the same time. For example, in the PVNGS-3 event, even given the problems with emergency lighting, the core was not damaged because, while the operators were attempting to open the ADVs without benefit of emergency lighting, the plant was in a stable, steady-state condition with feedwater supplied to the steam generators by the AFW pumps and steam removed from the steam generators to the atmosphere through the secondary system safety valves. The AFW system and steam generator safety valves both have redundancy and their total failure is extremely unlikely. This qualitative argument was quantitatively verified for the PVNGS-3 event by an analysis in NUREG/CR-4674 [1470], Volume 12 (pp. B-420 to B-461). Given occurrence of all of the failures in the PVNGS-3 event, because of the multiple redundancy of the systems that remained operational and would have had to fail in order for core damage to occur, the analysis in NUREG/CR-4674 [1470] showed the conditional core damage probability (CCDP) for the event was 4.9 × 10^-5. This compared to a CCDP for a normal reactor trip, with no failures, of approximately 5 × 10^-6. Thus, the PVNGS-3 event was shown by this type of analysis to be no more risky than approximately 10 normal reactor SCRAMs.
(3) This evaluation did not address the risk that might result from possible errors of commission by the auxiliary operators who were sent into the plant with instructions to open the ADVs, i.e., to change the status of the plant. When they arrived in the ADVs area incidentally equipped with a 24" pipe wrench, they found themselves in total darkness, without adequate instructions, confused by their unfamiliarity with the operation they were to carry out, and unable to easily find the posted instructions (and the equipment they were to operate) in the darkness. Their level of stress was not reduced by a nearby safety valve that was periodically opening to relieve pressure in the steam generator; such openings create an unexpected and terrifying loud noise.
Much of the problem at PVNGS-3 could have been avoided by better compliance with existing criteria and guidance regarding emergency lighting: 10 CFR 50 Appendix R, Section III.J, "Emergency Lighting"; 10 CFR 50 Appendix E, "Emergency Planning and Preparedness for Production and Utilization Facilities"; SRP [11] Sections 9.5.1, "Fire Protection Program," and 9.5.3, "Lighting Systems"; and Information Notice 90-69 [1471]. Therefore, there was no need to pursue new requirements. Based on the potential public risk reduction, this issue was given a low priority ranking (see Appendix C) in January 1992. Consideration of a 20-year license renewal period did not change the priority of the issue [1564]. Further prioritization, using the conversion factor of $2,000/man-rem approved [1689] by the Commission in September 1995, resulted in an impact/value ratio of $10,101/man-rem which placed the issue in the DROP category.