Resolution of Generic Safety Issues: Issue 117: Allowable Time for Diverse Simultaneous Equipment Outages ( NUREG-0933, Main Report with Supplements 1–35 )

DESCRIPTION

Historical Background

This issue was identified in 1985 when a concern was raised that, due to non-obvious interactions between diverse equipment, TS may permit a plant to be in a dangerous configuration by the simultaneous outage of equipment resulting from concurrent test and/or maintenance operations.¹²²¹

Safety Significance

Of the several thousand safety-related components that make up a nuclear power plant, it is conceivable that there may be several components out of service for test or maintenance at the same time. Of concern are the potential combinations of diverse components which may appear in the same accident sequence (cut sets). Such combinations, even though involving redundant divisions of the same system, can give rise to possible high risks which warrant immediate shutdown. The TS principally address simultaneous outages of redundant components in the same system or redundant systems performing the same or similar functions. Operators are frequently called upon to pass judgment on the acceptability of taking components out of service for maintenance or surveillance as well as tracking compliance with TS. It is believed that operators need more help than current documentation or training provide for identifying dangerous configurations that are often a function of valve alignments and switch settings as well as components declared inoperable. This issue is applicable to all operating and future plants.

Possible Solution

A proposed resolution involves the development of mini-computer-based software for use by control room operators in tracking and evaluating prevailing plant conditions. This software would include plant-specific event trees and detailed fault trees. Operators would manually enter the prevailing plant configurations such as valve alignments, switch settings, and equipment out of service at the time. The mini-computer would calculate the core-melt accident minimum cut sets and a core-melt frequency estimate based upon the prevailing configuration. The core-melt frequency estimate would be an instantaneous value and not a time-averaged value. A comparable system has been developed by the British for use in their advanced gas reactor plants.

After the instantaneous core-melt frequency has been calculated, the results are compared with a set of critical values to assist the operators in making their decisions regarding subsequent actions. The British have elected not to display the calculated core-melt frequency, but use the computer to compare the calculated frequency to two previously established thresholds. Above a critical

value, a fast shutdown is warranted, provided that the risk in the shutdown state is not greater than the risk which results from keeping the system in the operating mode. Below a lower threshold frequency, the plant can remain in the configuration indefinitely. In between, there is a finite allowable time during which the plant can remain in the configuration. In addition to providing input regarding plant shutdowns, the software can also be used to establish priorities for repairing components and to aid in decisions on maintenance or surveillance priorities.

PRIORITY DETERMINATION

Frequency Estimate

To determine the core-melt frequency reduction, the cut sets for Oconee 3 and Grand Gulf were reviewed to identify where dual elements with maintenance or test outages existed.⁶⁴ Two cut set elements A and B were defined as follows:

A = A_f + A_m and B = B_f + B_m

where A_f and B_f are those unavailabilities of A and B due to component failure and A_m and B_m are the unavailabilities of A and B due to test and/or maintenanceoutage. The likelihood that A and B would be simultaneously out of service is:

A x B	= (Af + Am)(Bf + Bm)
	= AfBf + AfBm + AmBf + AmBm

Three of the terms include either the unavailability of A due to failure, the unavailability of B due to failure, or the unavailability of both A and B simultaneously due to failure. The fourth or last term is the unavailability of both A and B simultaneously due either to test or maintenance. Removal of this latter product from the expansion of (A x B) approximates the effect of the possible resolution to this issue.

Three cut sets in the Oconee 3 analysis and eight cut sets in the Grand Gulf analysis were found to contain double maintenance or test terms. Removing the double test or maintenance contributions reduced each cut set by the following amounts:

(1) Oconee 3:	Cut Set	Reduction (Core-Melt/RY)
(2) Grand Gulf:	Cut Set	Reduction (Core-Melt/RY)
	S2D	4 x 10-8
	S3D	9 x 10-8
	T2MQD	1 x 10-7
	T1PQI	5.3 x 10-7
	T23PQI	7.0 x 10-8
	T1PQE	4.7 x 10-8
	T23PQE	2.0 x 10-8
	SI	8.0 x 10-8
	T1QW	1.7 x 10-7
	T23QW	3.0 x 10-7
	T1QUV	1.6 x 10-7

Consequence Estimate

The consequences of these accident sequences were obtained by using the CRAC Code⁶⁴ for PWR and BWR release categories given in WASH-1400.¹⁶ The release doses are based on the fission product inventory of a 1120 MWe PWR, meteorology typical of the Byron site, and a surrounding uniform population density of 340 persons per square mile over a 50-mile radius from the plant site, with an exclusion radius of one-half mile from the plant.

Based on the above, for the frequency reductions of the cut sets described, a dose reduction of 0.55 man-rem/RY for PWRs and 9.1 man-rem/RY for BWRs can be achieved by the resolution of this issue. For the 90 PWRs with an average life of 28.8 years, this reduction amounts to a decrease of 1,400 man-rem. For the 44 BWRs with an average life of 27.4 years, this reduction amounts to a decrease of 11,000 man-rem. Thus, the total estimated risk reduction associated with this issue is 12,400 man-rem.

Cost Estimate

It was assumed that the resolution of this issue will entail the development and implementation of a mini-computer-based PRA at each plant for performing analyses of the "instantaneous" core-melt frequency dependent upon the plant configuration. It was also assumed that the NRC will demonstrate the capability of this resolution on a selected plant, develop a rule and implement the requirement, and review and evaluate licensee responses. It was assumed that each licensee will develop the computer software for its plant, verify and validate the software package, train a group of licensed reactor operators to sufficiently understand the fundamentals of PRA and use the software, perform a plant-specific PRA (assumed to occur to fulfill the requirements of the IPE resulting in no cost for the PRA),¹²²² purchase the necessary computer equipment to run the program, and maintain and update the software to reflect changes in plant equipment.

Industry Cost: It was estimated that 2 man-years for software development and 0.8 man-years for verification and validation of the plant software would be required. The hardware costs were estimated to be approximately $5,250 for the computer and associated hardware, i.e., printer and color display. Over the life of the plant, it was further estimated that the computer equipment will be updated (replaced) one time for a total equipment cost of $10,500/plant. Training will be provided for two one-week courses for seven operators for a total of 14 man-weeks with an instructor at a cost of $5,000 per course. At a cost of $125,000/year for labor, the industry costs were estimated to be $40,000/plant. For 134 affected plants, the total estimated industry cost was $53.6M.

NRC Cost: It was estimated that it would require 2 man-years for validation and verification of the resolution and 0.5 man-year for the development and implementation of the rule. In addition, one man-week will be required to evaluate and approve submitted licensee changes. The total NRC cost was estimated to be $0.65M.

Value/Impact Assessment

Based upon a total public dose reduction of 12,400 man-rem and a total cost of $54.25M, the value/impact score is given by:

Other Considerations

The above score was based on the assumption that the PRA performed to satisfy the IPE would be adequate to develop the computer software. However, if it is assumed that 2 man-years/plant would be required to develop the PRA to a depth of detail necessary to develop the software, the value/impact score would then be 106 man-rem/$M.

CONCLUSION

Based upon the total estimated risk reduction and the value/impact score, this issue would have been given a medium priority ranking. Given the further consideration that ongoing studies indicated that generic maintenance outage times used in PRAs may be low by as much as a factor of 5, the priority ranking could have ben raised to high.¹²²³ However, it was determined that this issue was being addressed in a much broader investigation in the Technical Specification Improvement Program (TSIP).¹²²⁴ Any significant findings resulting from the staff's studies will be factored into the TS for future plants through the TSIP.

Therefore, this issue was DROPPED as a separate issue.

REFERENCES

0016. WASH-1400 (NUREG-75/014), "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," U.S. Atomic Energy Commission, October 1975. 0064. NUREG/CR-2800, "Guidelines for Nuclear Power Plant Safety Issue Prioritization Information Development," U.S. Nuclear Regulatory Commission, February 1983, (Supplement 1) May 1983, (Supplement 2) December 1983, (Supplement 3) September 1985, (Supplement 4) July 1986, (Supplement 5) July 1996. 1221. Memorandum for W. Minners from F. Rowsome, "Candidate Generic Safety Issue: Allowable Outage Times for Diverse, Simultaneous Equipment Outages," May 9, 1985. [8506030097] 1222. Letter to All Licensees Holding Operating Licenses and Construction Permits for Nuclear Power Reactor Facilities from U.S. Nuclear Regulatory Commission, "Individual Plant Examination for Severe Accident Vulnerabilities—10 CFR § 50.54(f), (Generic Letter No. 88-20)," November 23, 1988 [ML031150465], (Supplement 1) August 29, 1989 [8908300001], (Supplement 2) April 4, 1990 [ML031200551], (Supplement 3) July 6, 1990 [ML031210418], (Supplement 4) June 28, 1991 [ML031150485], (Supplement 5) September 8, 1995. 1223. Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment, PSA '89, p.48, "Potential Underestimation of Test and Maintenance Unavailabilities in Probabilistic Risk Assessments," American Nuclear Society, April 2–7, 1989. 1224. Memorandum for B. Morris from F. Gillespie, "Prioritization of GI-117, `Allowable Outage Times for Diverse Simultaneous Equipment Outages,'" August 4, 1989. [9704100058]