Resolution of Generic Safety Issues: Issue 171: ESF Failure from LOOP Subsequent to a LOCA (Rev. 1) (NUREG-0933, Main Report with Supplements 1–34)
This issue was identified [1585] by NRR following the issuance of NRC Information Notice (IN) 93-17 [1586], which was based in part on a deficiency in the Surry Power Station emergency diesel generator (DG) loading. This deficiency could have resulted in overloading the DGs if a LOCA occurred and was followed by a LOOP prior to reset of the safety injection signal. The staff subsequently learned from the NSSS Owners' Groups that other plants also were not necessarily designed to respond properly to a LOCA followed by a delayed LOOP if reset of the SIS had not occurred. The NRC did not request any specific action by (or information from) licensees in IN 93-17 [1586].
Nevertheless, on April 29, 1993, the Nuclear Utility Backfitting and Reform Group (NUBARG) objected to IN 93-17 [1586] on the grounds that it "reflects new staff positions and presents the potential for plant-specific backfits." NUBARG requested that CRGR review IN 93-17 [1586] because "the generic position stated in IN 93-17 [1586] could be used to seek additional licensee analysis and costly plant modifications." NUBARG based its contention that IN 93-17 [1586] was a backfit solely on the resolution of Issue 17, "Loss of Offsite Power Subsequent to a LOCA." The resolution of Issue 17 was based on the assumption that a LOOP would be an independent event following a LOCA and would not be precipitated by a LOCA.
Pursuant to NUBARG's request, CRGR reviewed IN 93-17 [1586]. In its response to NUBARG, CRGR first noted that the concern identified in Issue 17 was not the same scenario as that described in IN 93-17 [1586], but did agree with NUBARG that the wording of the IN "implies the existence of an approved generic position," despite the fact, conceded by NUBARG, that the IN did not "include a request for specific action by licensees." The only change to the IN required by CRGR was to "clarify NRC intent with regard to any backfit concerns raised by the initial wording and to place emphasis on the potential safety concern being addressed." The letter finally noted that "the staff is considering the need for further generic action to determine if all power reactor licensees should be required to demonstrate the capability to withstand the LOCA/delayed LOOP sequence of concern" and that any "new proposed NRC generic position or requirement in this area would, of course, be subject to review under the backfit rule in accordance with existing NRC backfit procedures."
When a LOCA occurs at a PWR, the ESFAS will be actuated by one of four automatic signals, or by manual operator action if the plant operators detect the LOCA before the automatic signals respond. These four automatic signals are:
(1) Low Pressurizer Pressure
(2) High Containment Pressure
(3) High Steam Line Flow Rate Coincident with either Low Steam Line Pressure or Low-Low Tavg
(4) Steam Line High Differential Pressure.
The ESFAS will cause the following system responses:
(A) Reactor trip initiated
(B) Safety Injection Sequence initiated (ECCS pumps started and aligned for core cooling)
(C) Phase "A" containment isolation
(D) Auxiliary feedwater initiated
(E) Main feedwater isolated
(F) Emergency DG Startup
(G) Auxiliary Cooling System Line-up (pumps started in essential service water and Component Cooling Water systems)
(H) Control Room and Containment Ventilation Isolation.
The DGs might be unable to handle the simultaneous starting of all of the pumps and motors actuated by the ESFAS and for most plants it is necessary to sequence the startup of all ESFAS-actuated systems to prevent overloading of the DGs. There are similar system responses for LOCAs at BWRs.
This issue concerns the ability of the ESFAS sequencing to respond to a LOOP which might occur during the sequencing. Issue 17 addressed only one aspect of this issue: the probability of a randomly occurring LOOP after a LOCA. Issue 171 was primarily concerned with a LOOP caused by the LOCA event and ESFAS sequencing. Thus, the LOCA and subsequent LOOP would not be independent events. The loss of a large amount of electric power generation, as might be precipitated by the trip of the unit with the LOCA, can cause transmission system grid instability resulting in a total LOOP. The loss of generation from the LOCA unit can also result in degraded voltage at the unit switchyard, resulting in actuation of degraded voltage protection and subsequent total LOOP. Plants that have no TS upper setpoint limit on degraded voltage sensing and have little margin between the setpoint and minimum operating grid voltage may be susceptible to this problem.
Besides transmission system grid problems, a LOOP may also occur because of plant electrical distribution system problems. In many plants, the main generator normally feeds the plant loads through a unit auxiliary transformer. When the reactor trips, the main generator often remains connected to the plant electrical systems and high voltage switchyard until protective relaying transfers the power source from the main generator to an offsite power source. If the transfer fails during the ESFAS sequencing, the buses which provide power to ESF systems would become isolated from offsite power sources and the DGs would be required to provide power in that event.
It is possible that the DGs could be damaged with no immediate possibility of recovery during this scenario if they attempt to re-energize the entire portion of the previously sequenced load without resequencing. Two utility reports identify another failure mechanism in which circuit breaker protective devices lock out the circuit breaker to protect it from potential damage resulting from repeated opening and closing (referred to as "pumping"). The operator actions required to reset the circuit breakers may be quite complicated and could result in a high probability of failure to recover. A third failure mechanism involves the lockup of timers in the accident load sequencing logic which could result in the loss of all automatic accident loading capability.
In addition to the electrical power system and control system concerns, the coolant systems may also be vulnerable to damage resulting from plant transients during ESF sequencing. Drain-back in coolant systems during power supply transients and switchovers, even assuming that the power is eventually restored, can result in the formation of voids in outlet piping that can lead to water hammer. Water hammer can damage pipes and pipe supports. Restarting a pump which has open outlet valves can require significantly more power than the pump motor was designed to draw during startup, which can exacerbate the electrical power system problems.
These concerns can be modeled for prioritization purposes as a failure of ECCS in the event of LOCA with no possibility of recovery. Other accident sequences are not affected, because the failure scenario in this issue only occurs when a LOOP occurs during or shortly following ESFAS sequencing.
Any solution should address the potential for failure of ESF systems resulting from a LOOP subsequent to the initiation of ESF sequencing. The potential for a loss of power or other interruption of the ESF during sequencing may have been considered in the initial design of the ESF systems, despite the absence of prescriptive NRC requirements or a documented staff position requiring such analysis. If this analysis had been done, it is possible that many licensees will not need to make modifications to their existing designs. The following elements are presented as possible solutions for plants that may require some action.
(1) Analyze and reset protective relaying and control circuitry to respond properly to a LOOP during ESF sequencing.
(2) Analyze coolant systems to verify that a loss and restoration of power will not result in water hammer, cavitation, or other potentially damaging conditions.
(3) Analyze power transmission system and plant electrical distribution system capability under ESF sequencing conditions to demonstrate sufficient system capability.
The worst case response to a LOOP during ESF sequencing initiated by a LOCA would be non-recoverable damage to the DGs and ECCS pump motors. This damage could occur if the DGs were switched to ESF buses without phase-synchronizing relays or other protective devices to prevent out-of-phase connection. The transient currents created by out-of-phase connection between a motor and a generator would be limited only by conductor resistances and machine sub-transient reactances, and could be of sufficient magnitude to severely damage the motor or generator windings and phase leads. Such damage would require several days to repair at a minimum. For the purposes of this analysis, it was assumed under the above stated scenario that all ECCS will fail without possible recovery in the event of a LOOP after a LOCA. There are other scenarios, such as DG overloading, that could potentially damage the DGs with no immediate possibility of recovery, but the out-of-phase connection was used as a representative worst case.
The probability of ECCS failure following an out-of-phase connection would not be 100%, because some degree of phase angle difference between the DGs and the ECCS motors could probably be tolerated without causing damage to the motor or generator windings, or actuation of overcurrent protection. An exact determination of the tolerance for out-of-phase switching would require a system- and component-specific analysis, but it was conservatively assumed that damage will occur if the DGs and the load are greater than 90 electrical degrees out of phase. This situation will occur on a random basis 50% of the time.
The probability of a LOOP subsequent to a LOCA was previously addressed in Issue 17 where the only source of LOOP considered was a random occurrence. The events which resulted in the identification of Issue 171 involved the loss of offsite power to the ESF buses that would be dependent on the initiating event, ESF actuation, which causes a reactor trip and sequential loading of the ESF buses. In addition, there was also a concern that the transmission system might lose stability or not be able to maintain sufficient voltage following the loss of generation from a nuclear power plant at a probability greater than 10^-3, which was the probability used in WASH-1400 [16] and Issue 17. For comparison, the probability used in NUREG-1150 [1081] and NUREG/CR-4550 [1318] was 2 x 10^-4.
In AEOD/E93-02, a review of LOOP events indicated that 37% of all plant-centered LOOP events (15 out of 41 events) that occurred during power operation resulted in a total LOOP. This statistic indicates that offsite power source independence is relatively poor in that, if a single offsite power source is lost, there is significant probability that all offsite power sources will be lost. The results of the AEOD study are used in the analysis of this issue as the upper limit for the probability of a loss of offsite power in the event of a LOCA.
The size of nuclear power plants has increased significantly since the mid-1970s when WASH-1400 [16] was published and power companies have relied increasingly on dispersed non-utility generation. These changes in the transmission system as well as additional load growth may have resulted in a greater probability of transmission system instability in general, and degradation or loss of offsite power at a large nuclear power plant subsequent to rapid load shedding in particular. In order to accurately determine the probability of a LOOP subsequent to a LOCA, it would be necessary to perform plant-specific analyses of their transmission systems and plant distribution systems. For the purposes of this analysis, a range of probabilities from 30% to 0.1% was considered.
The increase in CDF resulting from the non-recoverable failure of ECCS after a LOOP during ESF sequencing was estimated for three plants: Surry, Grand Gulf, and Zion. These three plants were initially analyzed under the assumption that a LOOP subsequent to a LOCA would not cause non-recoverable ECCS failure. The failure of the ECCS was modeled as the product of the probability of LOOP (ranging from 0.3 to 0.001), the probability of out-of-phase synchronization in the absence of phase-sequencing relays (0.5), and the LOCA-initiating event frequency. Therefore, the base case CDF was the initiating event frequency for the LOCA events times the probability of a LOOP and DG/ECCS failure, minus any recovery actions which do not require ECCS or DGs.
For example, Surry has four LOCA events: large LOCA, medium LOCA, small LOCA, and very small LOCA. These events are described below. A similar analysis was used for Grand Gulf and Zion.
(1) Large LOCA - the large LOCA sequence requires the following systems for mitigation: accumulators, low pressure injection, containment cooling systems, and low pressure recirculation. Core damage is avoided in the base case only if all systems operate successfully, although if containment cooling fails, one sequence results in containment failure but no core damage. The initiating event frequency for a large LOCA is 5 x 10^-4/RY.
(2) Medium LOCA - the medium LOCA sequence is similar to the large LOCA sequence, except that high pressure injection is also required for success. The initiating event frequency for a medium LOCA is 10^-3/RY.
(3) Small LOCA - the small LOCA sequence is similar to the medium LOCA sequence, except that the reactor protection system, the auxiliary feedwater system, the pressure release valves, operator depressurization, and high pressure recirculation may be used for recovery. All recovery actions require low pressure recirculation and high pressure recirculation, so ECCS/DG failure is non-recoverable. The initiating event frequency for a small LOCA is 10^-3/RY.
(4) Very small LOCA - the very small LOCA sequence is similar to the small LOCA sequence, except that the main feedwater system and the residual heat removal system may be used for recovery. All recovery actions require low pressure recirculation and high pressure recirculation, so ECCS/DG failure is non-recoverable. The initiating event frequency for a very small LOCA is 1.3 x 10^-2/RY.
The sum of the above four LOCA-initiating event frequencies is 1.6 x 10^-2/RY. The base case CDF was defined as follows:
$\mathrm{CDF} = P_{loop} \times P_{sync} \times P_{init}$
where,
$P_{loop}$ = probability of LOOP following LOCA
$P_{sync}$ = probability of out-of-phase synchronization
$P_{init}$ = initiating event frequency
The CDF for Surry, Grand Gulf, and Zion were summarized as follows:
|Dependent LOOP Probability|Surry CDF (/RY)|Grand Gulf CDF (/RY)|Zion CDF (/RY)|
|0.300|2.4 x 10^-3|5.0 x 10^-3|5.5 x 10^-3|
|0.100|8.0 x 10^-4|1.7 x 10^-3|1.8 x 10^-3|
|0.030|2.4 x 10^-4|5.0 x 10^-4|5.5 x 10^-4|
|0.010|8.0 x 10^-5|1.7 x 10^-4|1.8 x 10^-4|
|0.003|2.4 x 10^-5|5.0 x 10^-5|5.5 x 10^-5|
|0.001|8.0 x 10^-6|1.7 x 10^-5|1.8 x 10^-5|
The event was not originally modeled in any of the three PRA models under consideration. The calculated CDF for this accident scenario is therefore the total increase in CDF over the existing total CDF for each plant.
Resolution of this issue would result in no additional contribution to previously calculated CDFs from this accident sequence. Based on the estimated number of plants (73 PWRs, 35 BWRs) and remaining life (PWRs - 23 years, BWRs - 21 years), there were approximately 2,414 RY of operation affected by this issue (PWRs - 1679, BWRs - 735). Using the average of CDFs calculated for Surry and Zion for PWRs and the CDFs calculated for Grand Gulf for BWRs yielded the following estimated total reduction in CDF from resolution of this issue over the remaining life of these plants. It was assumed that all operating plants were in the worst-case condition. The actual number of plants in the worst-case condition is unknown, but is probably no more than 10% to 20%.
|Dependent LOOP Probability|PWR Events|BWR Events|
A radiation dose of 4.5 x 10^6 man-rem/event was given in Gore, et al., (1988) for PWRs and BWRs. This figure was used for simplicity because the accident sequences for large, medium, small, and very small LOCAs result in different energy levels of release.
Industry Cost: Implementing the possible solutions listed above would have variable costs. For plants already designed to recover from a LOOP during ESF sequencing, the only costs would be those associated with verification and responding to the NRC (Category A). For plants not designed to be capable of recovering from a LOOP during ESF sequencing, the amount of work required would depend on the magnitude of the design deficiency. If the ESF control logic were the only hardware/software requiring modifications, costs would be relatively modest (Category B). If the coolant system were not properly designed to allow timely recovery in the event that ESF sequencing is interrupted, then it is possible that check valves or other similar equipment may be required (Category C). These changes might require substantial capital. It should be noted that the plants that would incur the greatest costs would be those that are at the greatest risk of core damage from a LOOP during ESF sequencing.
The following ranges were estimated as the implementation costs that might be incurred for the possible solution:
Category A $1M or less
Category B $2M to $8M
Category C $5M to $20M
NRC Cost: Development of the possible solution was estimated to be $200,000 based on 24 man-months of labor to further evaluate the issue, develop a resolution, and perform a regulatory analysis. NRC support for implementation of the solution was estimated to require 1 man-week/plant for an additional cost of $210,000. Review of operation and maintenance associated with the solution was estimated to take 1 man-day/RY for an additional cost of $1M. Therefore, the total NRC cost was estimated to be $1.4M.
Because of the uncertainty of the number of plants in each of the three categories and the probability that the plants posing the greatest risk would be those requiring the most work to correct design deficiencies, a plant-specific impact/value assessment was calculated.
The maximum probability of a LOOP during ESF sequencing for plants in Categories A, B, and C was assumed to be 0.003, 0.1, and 0.3, respectively. Plants in Category A were those with properly designed coolant systems and ESF sequencing logic, but these plants may still be at a greater risk from a LOOP because of transmission system instability or other plant-specific features than were assumed in the analysis for Issue 17. Plants in Category B have inadequate ESF control logic which contributes to the probability of equipment damage, but nevertheless have adequately designed coolant systems that will be able to function as designed if offsite power is restored. Plants in Category C have both inadequate ESF control logic and coolant system design and are at risk of damaging equipment and not being able to recover.
The following table provides the impact/value scores for the ranges of values and impacts described above. The estimated NRC costs were less than the expected accuracy of the industry cost estimates. The estimated CDF was the average of the three plants considered in this evaluation (Surry, Grand Gulf, and Zion). Risk estimates were the product of the CDF, the average remaining life of 22.3 years, and the consequence estimate of 4.5 x 10^6 man-rem.
|Category|Estimated CDF (/RY)|Risk (man-rem)|Cost ($M)|Impact/Value Score|
|A|4.3 x 10^-5|4,300|1|231|
|B|1.4 x 10^-3|140,000|2 to 8|14 to 57|
|C|4.3 x 10^-3|430,000|5 to 20|12 to 47|
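The screening arithmetic, from the base case CDF formula through the impact/value table, can be reproduced from the figures on this page. The following Python is an added example, not part of NUREG-0933; the function names, the two-significant-figure rounding, and the reading of the score as industry cost divided by risk ($/man-rem) are assumptions.

```python
from math import floor, log10

# All figures below are taken from the page; the names are this example's own.
SURRY_LOCA_FREQ = {"large": 5e-4, "medium": 1e-3, "small": 1e-3, "very small": 1.3e-2}  # /RY
P_INIT_SURRY = 1.6e-2   # sum of the four frequencies as rounded on the page (/RY)
P_SYNC = 0.5            # chance the DG and load are > 90 electrical degrees apart
REMAINING_LIFE_YR = 22.3
DOSE_PER_EVENT = 4.5e6  # man-rem per core-damage event

# CDF table from the page: P_loop -> (Surry, Grand Gulf, Zion), all /RY.
CDF_TABLE = {
    0.300: (2.4e-3, 5.0e-3, 5.5e-3),
    0.100: (8.0e-4, 1.7e-3, 1.8e-3),
    0.030: (2.4e-4, 5.0e-4, 5.5e-4),
    0.010: (8.0e-5, 1.7e-4, 1.8e-4),
    0.003: (2.4e-5, 5.0e-5, 5.5e-5),
    0.001: (8.0e-6, 1.7e-5, 1.8e-5),
}
# Category -> (maximum P_loop assumed, industry cost range in $M).
CATEGORIES = {"A": (0.003, (1, 1)), "B": (0.1, (2, 8)), "C": (0.3, (5, 20))}


def round_sig(x, sig=2):
    """Round to `sig` significant figures (assumed to match the page's tables)."""
    return round(x, sig - 1 - floor(log10(abs(x))))


def base_case_cdf(p_loop, p_init, p_sync=P_SYNC):
    """CDF = P_loop * P_sync * P_init, in events per reactor-year."""
    return p_loop * p_sync * p_init


def surry_column():
    """Recompute the Surry column of the CDF table from the formula."""
    return {p: round_sig(base_case_cdf(p, P_INIT_SURRY)) for p in CDF_TABLE}


def category_row(cat):
    """Average CDF, risk (man-rem) and score range (assumed $/man-rem)."""
    p_loop, (cost_lo, cost_hi) = CATEGORIES[cat]
    avg_cdf = round_sig(sum(CDF_TABLE[p_loop]) / 3)           # mean of three plants
    risk = round_sig(avg_cdf * REMAINING_LIFE_YR * DOSE_PER_EVENT)
    score = tuple(round(c * 1e6 / risk) for c in (cost_lo, cost_hi))
    return avg_cdf, risk, score


if __name__ == "__main__":
    print("sum of Surry LOCA frequencies:", sum(SURRY_LOCA_FREQ.values()))
    for p, cdf in surry_column().items():
        print(f"P_loop={p:<6} Surry CDF={cdf:.1e}  table={CDF_TABLE[p][0]:.1e}")
    for cat in CATEGORIES:
        print(cat, category_row(cat))
```

Categories B and C reproduce the table exactly. Category A computes to 233 from the rounded risk of 4,300 man-rem against the table's 231; the unrounded risk of about 4,315 man-rem gives 231.7, so the gap is intermediate rounding.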
Occupational Dose Increase: Occupational dose increase would result from implementation and operation and maintenance of the solution.
Dose increase due to implementation would depend on the plant category. For plants in Categories A and B, it was estimated that utility labor in radiation zones would be required for resetting or re-wiring of existing equipment. A total of 1 man-week/plant was estimated and a 75% utilization factor was assumed for labor in radiation zones. It was further assumed that the radiation dose rate in the radiation zones was 100 millirem/hour. Assuming that 108 plants are affected, this yielded a total of 320 man-rem.
For plants in Category C, a total of 30 man-weeks/plant was estimated and a 75% utilization factor was assumed for labor in radiation zones. It was further assumed that the dose rate in the radiation zones was 100 millirem/hour. Assuming that 108 plants are affected, this yielded a total of 9,700 man-rem.
No increase in dose due to operation and maintenance would be required for Categories A and B plants. For Category C plants, it was assumed that one additional man-week of utility labor in radiation zones would be required for examination of equipment installed or exchanged as a result of the solution. Assuming a 75% utilization factor, the incremental labor in radiation zones for operation and maintenance was estimated to be 30 man-hours/RY. Using the estimated 2,414 RY of operation remaining, the total increase was estimated to be 7,200 man-rem. For 108 plants, this yielded a total occupational dose increase ranging from 320 to 17,000 man-rem.
Occupational Dose Reduction Due To Accident Avoidance: The occupational dose reduction due to accident avoidance was calculated from the reduction in CDF multiplied by the assumed accident dose of 19,900 man-rem [64]. Using 108 plants and 2,414 RY of operation remaining, the total estimated dose reduction due to accident avoidance was calculated to range from 2,200 to 210,000 man-rem.
Cost Savings Due To Accident Avoidance: The total accident avoidance cost savings were estimated to be the reduction in CDF (from 4.3 x 10^-5 event/RY for Category A to 4.3 x 10^-3 event/RY for Category C) multiplied by the estimated cost of a core-melt accident ($1.65 Billion) and the estimated remaining operating years (2,414). This resulted in a total cost savings range of $170M to $17 Billion.
Based on the risk reduction potential and the impact/value ratio, this issue was given a high priority ranking in June 1995 (see Appendix C). The impact of a license renewal period of 20 years was to be considered in the resolution of the issue. However, studies conducted during resolution of the issue showed that the contribution to CDF from the sequence of events was far less than originally anticipated; these studies were documented in NUREG/CR-6538 [1726]. Thus, the issue was RESOLVED with no new requirements [1727].