Resolution of Generic Safety Issues: Issue 160: Spurious Actuations of Instrumentation upon Restoration of Power (Rev. 1) ( NUREG-0933, Main Report with Supplements 1–34 )
This issue was raised1481 by NRR following a review of events at 3 operating BWR plants that involved inadvertent ESF actuations upon loss and subsequent restoration of power to Rosemount analog transmitter trip units (ATTUs). NRC Information Notice No. 90-221528 was issued to alert OLs and CPs of this concern.
Equipment response to loss and restoration of power would normally be a design consideration for equipment and control system designers. As such, there was no specific NRC guidance for re-energizing instrumentation that may be inadvertently de-energized. Except for the Information Notice,1528 there had been no communication from the NRC, between licensees and vendors, or among utilities regarding this potential problem and its possible corrective actions. This issue addressed inadvertent actuation of any equipment upon restoration of power and was not limited to equipment actuated by Rosemount ATTUs. Thus, the scope of this issue was broader than that addressed in the Information Notice.1528
The concern of this issue was the effects of restoration of power to safety-related equipment that is normally energized but which inadvertently loses power. The effect of restoration of power might not be as thoroughly analyzed as the effect of a loss of power. In many plants, safety-related instrumentation is powered from interruptible buses because of the "fail safe" response of the instrument upon the loss of power. However, the response of these instruments to a restoration of power may be undesirable or could lead to risk significant events.
The main concern raised by NRR was that these events had the potential for initiating an ISLOCA and/or low temperature overpressurization (a Ltop event) by improper actuation of MOVs. NRR believed1481 that there was a need to evaluate the effects of re-energizing of instruments on a broader scale than was done for the operating events experienced. For instance, although all of the events occurred in BWRs that have analog trip units manufactured by Rosemount, a potentially significant risk exists if single channel interlocks are used in valve circuits, or single channel permissives are used regardless of the type of reactor involved. Similarly, a potentially significant risk exists if multiple channels are subjected to a loss of power at the same time (e.g., loss of offsite power) and subsequently re-energized with power available to the actuated equipment before the control logic is reset.
Any resolution to this issue should address the potential for inadvertent ESF actuations upon loss and restoration of power. In particular, the inadvertent opening of PIVs and the corresponding increased risk of ISLOCA and Ltop accident sequences should be considered. The following were possible solutions:
(1) Improve ATTU power supply reliability.
(2) Improve operator training and procedures to respond to ISLOCA and Ltop events.
(3) Improve the design of power supplies and ESF actuation circuitry so that spurious actuation of valves or pumps does not occur upon restoration of power.
(4) Implement auctioneering circuit from two ATTU voltage converters, one converter taking input from a 120V AC instrument bus and the other converter taking input from a 125V DC source.
(5) Use a diverse interlock for PIV opening, e.g., use a contact from the RHR pump motor breaker to signal that the RHR pump is running.
The concern stated by NRR involved the potential effects from misoperation of equipment upon restoration of power and was not limited to cases involving the Rosemount ATTUs identified in Information Notice No. 90-22.1528 Two accident sequences were identified by NRR that could result from spurious actuation of equipment due to loss and restoration of power. These were ISLOCA and Ltop resulting from spurious actuation of MOVs, both of which had been studied previously by the NRC.
The regulatory analysis1501 for the resolution of Issue 105 presented the results of a cost benefit analysis for proposed actions to resolve the concern regarding ISLOCA. The resolution of Issue 105 fell within the scope of that proposed for Issue 160, thus permitting use of relevant information from NUREG-1463.1501 Based upon the results of this cost benefit analysis, the recommended resolution for Issue 105 was to perform plant-specific reviews for ISLOCA vulnerabilities in conjunction with the IPE program.
One of the recommended actions in NUREG-14631501 for decreasing the risk of ISLOCA was to perform a leak test of the pressure isolation check valves between the LPCI system and the high pressure RCS by cycling open any normally-closed MOVs upstream from these valves at least once per year, because latent failure of these check valves could result in ISLOCA upon opening of the normally-closed MOV. This action would reduce the initiating event frequency for ISLOCA to 2.5 x 10(7)/RY for any plant that utilizes a valve configuration with a normally-closed MOV upstream from two check valves. Based upon the events reported in Information Notice No. 90-221528 and a review of LERs, the frequency of spurious actuation of these MOVs due to an inadvertent SI signal resulting from the loss and restoration of power was approximately 5 x 10(3) event/RY. This value was about 10% of the assumed frequency of inadvertent SI (6.4 x 10(2) /RY) reported in NUREG/CR-5102,1500 the source of the analysis in NUREG-1463.1501 Therefore, the decrease in initiating event frequency that could be realized by preventing spurious actuation of these MOVs upon loss and restoration of power would be approximately 2.5 x 10(8)/RY, which was not a significant decrease.
Some plants cycle the MOVs between the LPCI system and the RCS as frequently as once per month during full power operation; Calvert Cliffs 1 is one such example.1500 These plants would gain little benefit from preventing an additional spurious actuation with a frequency of 5 x 10(3)/RY. In addition, MOVs at the interface between the LPCI system and the RCS for many PWRs are normally open such that a spurious LPCI actuation signal would not inadvertently open these valves. Based upon the results of Issue 105, it was concluded that there was no significant potential for spurious actuation of MOVs to cause an ISLOCA.
Using relevant information from NUREG-13261291 (the regulatory analysis for Issue 94), the solutions to Issues 94 and 160 are consistent with each other. Implementation of the resolution of Issue 94 (see Generic Letter 90-06) would reduce the mean CDF for Ltop events from 3.24 x 10(6) to 3.5 x 10(7) event/RY. It was assumed in this analysis that elimination of all spurious actuations upon restoration of power would result in the elimination of the remaining risk from Ltop events. This was a conservative assumption because BWRs are not at risk from Ltop.
In order to determine if any other events that involved the misoperation of equipment upon restoration of power had occurred, a search of the Sequence Coding and Search System (SCSS) database was conducted. This ORNL database contained data from over 35,000 LERs reported after 1980. The search identified 198 events that involved the spurious actuation of pumps or valves upon loss and restoration of power. It was assumed that any significant events that occurred since 1980 would be identified by the SCSS search; however, it was noted that the results of the SCSS search did not include the 3 events reported in Information Notice No. 90-22.1528 The most likely explanation for this fact was that the 3 events did not involve a loss and restoration of power, but instead were caused by an increase in voltage above the trip setpoint of the trip units. The SCSS search was still quite relevant, because the concern stated by NRR involved the effects of loss and restoration of power to all equipment, whereas the problem identified in the Notice1528 resulted from the unique characteristics of the Rosemount ATTUs.
The review of these events did not reveal any additional concerns. Eight of the 198 LERs involved spurious actuation of equipment upon restoration of power; these are listed in Table 3.160-1. Six of these eight events involved systems operating as designed and were resolved by specifying correct test or maintenance procedures. The seventh event involved the concurrent failure of an electronic controls component with restoration of power. This component likely failed prior to loss and restoration of power as a second replacement component was also failed prior to installation. The eighth event involved a pressure signal spike because of a dead bus transfer and was resolved by rewriting procedures to avoid dead bus transfers. These events involved failure to consider available design and performance criteria of equipment during the systems design and in the specification of maintenance or test procedures. In addition, none of these events resulted in system responses that were significant accident sequence precursors.
None of the spurious actuations involved the ISLOCA sequence initiating event described earlier (opening of normally-closed MOV upstream from pressure isolation check valves). Based upon the 3 events reported in Information Notice No. 90-221528 that occurred during the 6-year period from 1984 to 1990 and involved de-energization of Rosemount ATTUs due to overvoltage, the ISLOCA initiating event frequency resulting from this concern was approximately 5 x 10(3) event/RY (3 events in approximately 600 RY).
Spurious Actuation of Equipment Upon Restoration of Power
|Event||Number of Occurrences|
|Decay Heat Cooler TS Violation||1|
|RHR Suction Valve closure||1|
|Partial SI Actuation||1|
|Accumulator Valve Opened During Shutdown||1|
Because this review did not reveal any additional areas of concern, this analysis was limited to the ISLOCA and Ltop events identified.1481 Although it was possible that other events had occurred that were not identified in this SCSS search, such events were either not clearly caused by the loss and restoration of power or did not involve an event precursor of significant frequency or severity. Hence, a review of operational history showed that, not only were inappropriate responses to power restoration rare, but such responses did not appear to cause significant problems.
It was assumed that 74 PWRs and 37 BWRs with average remaining lives of 24.7 years and 23.3 years, respectively, would be affected by the resolution of this issue. The cost estimates for this issue were taken mainly from NUREG/CR-4627961 and NUREG/CR-2800.4
As discussed above, the base case included the implementation of all recommendations from the resolution of Issue 94. Although there was some risk remaining from ISLOCA after implementation of the recommendations in Issue 105, this risk would not be significantly mitigated by reduction of the frequency of spurious actuation of equipment due to loss and restoration of power. No other significant event precursors were identified from the review of the 198 LERs identified by the SCSS relating to inadvertent equipment actuation.
The estimated decrease in CDF that could result from resolution of this issue was the CDF remaining after implementation of the recommended actions for Issue 94. The remaining risk for Ltop events after implementation of the recommended resolution of Issue 94 was assumed to be the potential safety benefit from the resolution of this issue.
The remaining CDF after implementation of the resolution of Issue 94 was 3.5 x 10(7) event/RY. It was assumed that resolving this issue would result in a decrease in CDF of 3.5 x 10(7) event/RY. This estimate included safety benefits that would not be realized by the resolution of the issue, such as CDF reduction in BWRs which are not susceptible to the Ltop event. Thus, for the 111 affected plants, it was estimated that the total CDF reduction from resolution of the issue would be 3.89 x 10(5) event/year.
A dose of 4.5 x 106 man-rem/event was given in NUREG/CR-51861527 for PWRs and BWRs. Based on an average remaining operating life of 24.2 RY for the affected plants, the estimated total public risk reduction was (3.89 x 10(-5))(24.2)(4.5 x 10(6)) man-rem or 4,230 man-rem.
Industry Cost: Implementing the possible solution consisted of two parts. The first part was the cost of labor for training and installation of new equipment/components due to modification and was estimated to be 2 man-years/plant. Assuming all the modification and installation could be done during a scheduled plant outage, no replacement power costs were included. The second part was the equipment/component costs estimated to be $200,000/plant. Labor requirements to perform the enhanced training and inspection program were assumed to be integrated with or to replace existing programs. Therefore, no additional labor was assumed for operation and maintenance of the solution. Using the labor rate of $100,000/man-year from NUREG/CR-2800,4 the total industry cost for implementation of the possible solution at 111 plants was estimated to be $45M.
NRC Cost: Development of the proposed solution was estimated to require 24 man-months to further evaluate the issue, develop a resolution, and perform a regulatory analysis. Using the referenced(4) labor rate, the cost for development of the resolution was estimated to be $200,000. The cost to support its implementation was estimated to be 1 man-week/plant, for an additional cost of $210,000. The labor for review of operation and maintenance of the possible solution was estimated to be 1 man-day/RY, for an additional cost of $1M. Thus, the total NRC cost was estimated to be $1.4M.
Total Cost: The total industry and NRC cost associated with the possible solution was estimated to be $(45 + 1.4)M or $46.4M.
Based on a total potential public risk reduction of 4,230 man-rem and a cost of $46.4M, the impact/value ratio was given by:
(1) It was estimated that utility labor in radiation zones would be required for installation of new equipment. A total of 3 man-weeks/plant were estimated and a 75% utilization factor was assumed for labor in radiation zones. It was further assumed that the dose rate in the radiation zones was 100 millirem/hour. With 111 plants, this ORE increase was 1,000 man-rem.
(2) It was assumed that one additional man-week of utility labor in radiation zones would be required for examination of equipment installed or exchanged as a result of the resolution. Assuming a 75% utilization factor, the incremental labor in radiation zones for operation and maintenance was estimated to be 30 man-hours/RY. Using the estimated 2,690 remaining operating years, the total increase was 6,100 man-rem. Thus, the total ORE associated with the possible solution was 7,100 man-rem.
Based on the overall consideration of the backfit solution for operating plants, this issue was placed in the DROP category. In an RES evaluation,1564 it was concluded that consideration of a 20-year license renewal period would only move the issue to a low priority ranking.