Resolution of Generic Safety Issues: Issue 169: BWR MSIV Common Mode Failure Due to Loss of Accumulator Pressure (Rev. 1) (NUREG-0933, Main Report with Supplements 1–34)
This issue was identified [1684] by NRR following a request from Region I to review GE SIL 477 which identified the possibility of early containment bypass in a BWR, if any one of the MSIVs inside containment should fail to close, or fail to stay closed, during events that require main steam isolation. This failure could result from one or both of the following common causes: (1) valve operator spring pressure alone may not be adequate to close the MSIV; or (2) pneumatic accumulator pressure may not be adequately monitored and alarmed. Following a preliminary review of the safety concern, RES determined [1685] that the installation of a pressure alarm switch that would monitor nitrogen pressure at the MSIVs inside containment had the potential to be a cost-beneficial safety enhancement.
Each steam line penetrating the containment of a BWR is fitted with two MSIVs, one inside containment (inboard) and one outside containment (outboard), which are designed to perform the following safety functions:
(1) Prevent damage to the fuel barrier by limiting the loss of reactor coolant water in the event of a major leak from steam piping located outside the primary containment;
(2) Limit the release of radioactive materials by closing the nuclear system process barrier in the event of a gross release of radioactive materials from the reactor fuel to the reactor coolant water and steam;
(3) Limit the release of radioactive materials by closing the primary containment barrier in the event of a major leak from the nuclear system inside the primary containment.
Each MSIV is operated by a combination air and spring actuation system. Helical springs surrounding the spring guide shafts close the valve if air pressure is not available. Each inboard MSIV is supplied with air from the containment drywell pneumatic or nitrogen system. These air supplies are supplied through check valves into accumulator tanks which provide a pneumatic reserve for the closing of each valve.
In BWRs, reactor steam is delivered directly to the turbine and other equipment located outside the containment. Radioactive materials in the steam can be released to the environment via process openings in the main steam system or via accidental openings. A major rupture in the steam system could drain water from the reactor core more quickly than it can be replaced by feedwater. This issue is applicable to all BWRs.
A possible solution to the issue was assumed to be additional instrumentation and alarms to provide improved monitoring of the pressure in the air accumulators to help ensure the availability of adequate air supplies to the MSIVs. Alarms in the control room would annunciate if the accumulator pressure on an MSIV were to fall below a pre-set level. This action would subsequently be expected to reduce the common cause failure probability that MSIVs would fail to close on demand.
It was assumed that all 37 operating BWRs do not have a monitoring and alarm system and would be affected by the issue. The average remaining life of these plants was assumed to be 22 years.
There are two types of conditions at a BWR in which the failure of an inboard MSIV to close or remain closed could lead to core damage with containment bypass: (1) the associated outboard MSIV closes, but the short length of piping connecting the two valves ruptures outside of containment; (2) the associated outboard MSIV fails to close or remain closed following the rupture of downstream main steam piping.
In an evaluation [1686] of this issue by Science and Engineering Associates (SEA), the base case CDF ($F$) was estimated as follows:
$$F = F_1 P_{1a} P_{1b} + F_2 P_{2a} P_{2b}$$
where
$F_1$ = frequency of a break between the containment wall and the outboard MSIV
$P_{1a}$ = probability of a failure on demand of the spring on the adjacent inboard MSIV
$P_{1b}$ = probability that design pressure is not available in the inboard accumulator
$F_2$ = frequency of a main steam line LOCA outside containment
$P_{2a}$ = probability of failure on demand of the springs in both the inboard and outboard MSIVs on the broken steam line
$P_{2b}$ = probability of unavailability of design pressure in both accumulators on the broken steam line
From PRAs in NUREG-4550, a main steam line break outside of containment is equivalent to a large LOCA. As an internal event, the frequency of a large LOCA was estimated to be $10^{-4}$/RY. With the inclusion of external events in the PRA, the additional LOCA frequency from seismic events was estimated to be $1.9 \times 10^{-5}$/RY. Thus, the frequency of a main steam line LOCA outside containment, $F_2$, is $(10^{-4} + 1.9 \times 10^{-5})$/RY or approximately $1.2 \times 10^{-4}$/RY. Based on the approximate ratio of welds, 1:60, the frequency of a break between the containment wall and an outboard MSIV, $F_1$, was estimated to be $(1/60)(1.2 \times 10^{-4}$/RY$)$ or $(2 \times 10^{-6})$/RY.
The probability of a failure on demand of the spring on the adjacent inboard MSIV, $P_{1a}$, was the same as the probability of failure on demand of the springs in both the inboard and outboard MSIVs on the broken steam line, $P_{2a}$. Based on sparse data, spring failure probability was estimated to be 0.1. Thus, $P_{1a} = P_{2a} = 0.1$.
An LER search conducted by SEA uncovered 16 events related to MSIV accumulators between 1978 and 1995, a 17-year period; all events were reported at PWRs. During this period, approximately 60 PWRs were in operation, each with 2, 3, or 4 MSIVs. This amounted to about 20 million MSIV operable hours. With at least 2 time-related common cause failures during this period, the common cause failure rate ($F_{ACC}$) was estimated to be $10^{-7}$/hour.
To derive an estimate for independent failures, it was assumed that a PWR licensee will postpone corrective action until the next cold shutdown, an average of about 6,000 hours. For time-related failures, the probability that a component is unavailable is the product of the failure rate and the average downtime. Therefore, the rate of occurrence of an accumulator failure while the redundant accumulator is still down is $(2 \times 6{,}000)(F_A)^2$/hour, where $F_A$ is the rate of independent failures and the factor of 2 accounts for the fact that either accumulator may be the first to fail. To provide at least one such occurrence in 20 million MSIV hours, the estimate for the failure rate is given by $F_A = 2 \times 10^{-6}$/hour.
Should the pressure of an accumulator on one MSIV fall below the design pressure, the BWR licensee may wait until the next cold shutdown to make repairs. This will average about 6,000 hours of downtime, regardless of whether the pressure is checked continuously or quarterly. Thus, the probability that design pressure would not be available in the inboard accumulator after installation of a monitoring/alarm system ($P_{1c}$) would be approximately the same as before, i.e., $P_{1b} = P_{1c} = (6{,}000)(F_A + F_{ACC}) = (6{,}000)[10^{-7} + (2 \times 10^{-6})] = 0.012$.
Upon detection of simultaneous failure of both accumulators on one main steam line (both inboard and outboard MSIVs), licensees would go to cold shutdown to make repairs. For quarterly surveillance, the average downtime is about 1,000 hours. Therefore, the probability of unavailability of design pressure in both accumulators on the broken steam line, $P_{2b}$, is given by:
$$
\begin{aligned}
P_{2b} &= 1{,}000\,[F_{ACC} + (2 \times 6{,}000)(F_A)^2] \\
&= 1{,}000\,[10^{-7} + (12{,}000)(2 \times 10^{-6})^2] \\
&= 1{,}000\,[10^{-7} + (0.48 \times 10^{-7})] \\
&= 1.48 \times 10^{-4}
\end{aligned}
$$
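Substituting the values stated above, the base case CDF is given by:
$$
\begin{aligned}
F &= (2 \times 10^{-6}/\text{RY})(0.1)(0.012) + (1.2 \times 10^{-4}/\text{RY})(0.1)(1.48 \times 10^{-4}) \\
&= (2.4 \times 10^{-9}/\text{RY}) + (1.8 \times 10^{-9}/\text{RY}) \\
&= 4.2 \times 10^{-9}/\text{RY}
\end{aligned}
$$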
Upon detection of simultaneous failure of both accumulators on one main steam line (both inboard and outboard MSIVs), licensees would go to cold shutdown to make repairs. For quarterly surveillance, the average downtime would be reduced to 8 hours by the possible solution.
The probability of unavailability of design pressure in both accumulators on the broken steam line after installation of a monitoring/alarm system, $P_{2c}$, was given by:
$$
\begin{aligned}
P_{2c} &= 8\,[F_{ACC} + (2 \times 6{,}000)(F_A)^2] \\
&= 8\,[10^{-7} + (12{,}000)(2 \times 10^{-6})^2] \\
&= 8\,[10^{-7} + (0.48 \times 10^{-7})] \\
&= 1.18 \times 10^{-6}
\end{aligned}
$$
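Thus, following implementation of the possible solution, the adjusted case CDF ($F^*$) is defined by:
$$
\begin{aligned}
F^* &= F_1 P_{1a} P_{1c} + F_2 P_{2a} P_{2c} \\
&= (2 \times 10^{-6}/\text{RY})(0.1)(0.012) + (1.2 \times 10^{-4}/\text{RY})(0.1)(1.18 \times 10^{-6}) \\
&= (2.4 \times 10^{-9}/\text{RY}) + (1.4 \times 10^{-11}/\text{RY}) \\
&= 2.414 \times 10^{-9}/\text{RY}
\end{aligned}
$$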
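Therefore, the reduction in CDF is given by:
$$
\begin{aligned}
\Delta\text{CDF} &= F - F^* \\
&= (4.2 \times 10^{-9}/\text{RY}) - (2.414 \times 10^{-9}/\text{RY}) \\
&= 1.78 \times 10^{-9}/\text{RY}
\end{aligned}
$$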
Based on the assumptions that MSIV failure will result in consequences similar to those for a BWR-2 Release Category and that there will be a 2-hour delay prior to the initiation of fission product release from the core, the average consequence for an unisolated main steam line break was estimated [1686] to be approximately $5 \times 10^{8}$ man-rem. For the 37 affected plants with an average remaining operating life of 22 years, the total potential risk reduction ($W$) associated with this issue is given by:
$$
\begin{aligned}
W &= (1.78 \times 10^{-9}/\text{RY})(37)(22)(5 \times 10^{8}\ \text{man-rem}) \\
&= 724\ \text{man-rem}
\end{aligned}
$$
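The derivation above carried through in Python, as an added example that is not part of NUREG-0933; the constant and function names are assumptions, and the parameter values are the ones quoted in the text. It keeps intermediate values unrounded, so it returns about 717 man-rem where the text's rounded figures give 724, and it shows that the alarm changes only the second term of the CDF.

```python
# Added example: names are illustrative; values are those quoted in the text.
HOURS_TO_COLD_SHUTDOWN = 6_000   # average downtime of a single failed accumulator
F_ACC = 1e-7                     # common cause accumulator failure rate, per hour
F_A = 2e-6                       # independent accumulator failure rate, per hour
F1, F2 = 2e-6, 1.2e-4            # break frequencies, per reactor-year (RY)
P_SPRING = 0.1                   # P1a = P2a, spring failure on demand
PLANTS, YEARS, CONSEQUENCE = 37, 22, 5e8   # consequence in man-rem per event


def p_single_unavailable():
    """P1b = P1c: design pressure missing in the inboard accumulator."""
    return HOURS_TO_COLD_SHUTDOWN * (F_A + F_ACC)


def p_both_unavailable(downtime_hours):
    """P2b (1,000 h) or P2c (8 h): both accumulators on one line are down."""
    # Common cause rate plus the rate of a second independent failure
    # occurring while the first accumulator is still awaiting repair.
    double_failure_rate = F_ACC + 2 * HOURS_TO_COLD_SHUTDOWN * F_A ** 2
    return downtime_hours * double_failure_rate


def cdf(downtime_hours):
    """Return the two terms of F = F1*P1a*P1b + F2*P2a*P2b, per RY."""
    term1 = F1 * P_SPRING * p_single_unavailable()
    term2 = F2 * P_SPRING * p_both_unavailable(downtime_hours)
    return term1, term2


def risk_reduction(base_hours=1_000, alarm_hours=8):
    """Return (CDF reduction per RY, W in man-rem) for the alarm modification."""
    delta = sum(cdf(base_hours)) - sum(cdf(alarm_hours))
    return delta, delta * PLANTS * YEARS * CONSEQUENCE


if __name__ == "__main__":
    base, adjusted = cdf(1_000), cdf(8)
    print(f"base case F      = {sum(base):.3e}/RY  terms {base}")
    print(f"adjusted case F* = {sum(adjusted):.3e}/RY  terms {adjusted}")
    delta, w = risk_reduction()
    print(f"CDF reduction    = {delta:.3e}/RY, W = {w:.0f} man-rem")
    # Upper bound: an alarm that cut the double-failure downtime to zero.
    print(f"W at 0 h downtime = {risk_reduction(alarm_hours=0)[1]:.0f} man-rem")
```

Because the single-accumulator term is the same in both cases, the risk reduction is capped by the base-case second term, which `risk_reduction(alarm_hours=0)` evaluates.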
Industry Cost: It was assumed that plant modifications could be made during operation or scheduled outages. For MSIVs inside containment, it was assumed that instrumentation cables could be run through existing spare containment penetrations. The configuration assumed for each MSIV included one sensor circuit to generate an alarm to notify operators of accumulator air pressure loss; control cable and conduit will be required to be run from each transmitter to the control room.
The cost/plant for the modifications of 8 MSIVs was estimated [1686] to be $206,500 including hardware ($67,000), installation labor ($67,000), engineering ($24,000), and health physics ($80,500). Plant simulator modifications were estimated to cost an additional $50,000. Engineering analysis is expected to cost $22,600 for an FMEA along with a cost/benefit analysis for alternative solutions. Staff training and revisions to plant operating procedures were estimated to cost $40,100. Periodic inspection, surveillance, test and maintenance of additional hardware were estimated to cost an additional $147,300. For the 37 affected plants, the total industry cost was estimated to be (37)($466,500) or $17.3M.
NRC Cost: It was estimated that 4 man-weeks, or $9,080, would be required to issue a generic letter to licensees for the new alarms. Review and approval of licensee design changes and inspection of modifications were estimated to cost $21,700/plant or $802,900 for all 37 affected plants.
Total Cost: The total industry and NRC cost associated with the possible solution was estimated to be $(17.3 + 0.8)M or approximately $18.1M.
Based on a potential public risk reduction of 724 man-rem and an estimated cost of $18.1M for a possible solution, the impact/value ratio was given by:
Affected Plants: It was conservatively estimated that no plant has alarms in place to monitor MSIV accumulator pressure. The total risk could be lower if some plants have already installed alarms.
License Renewal: Consideration of a license renewal period of 20 years would increase the public risk reduction to 1,383 man-rem. Additional maintenance costs for this renewal period would be ($30,000)(37) or $1.1M. Consideration of these two factors would reduce the impact/value score to approximately $13,900/man-rem.
Based on the impact/value ratio and the total risk reduction potential, this issue was placed in the DROP category [1736]. Consideration of a license renewal period of 20 years did not alter this conclusion.