ML20057E692
| ML20057E692 | |
| Person / Time | |
|---|---|
| Issue date: | 09/30/1993 |
| From: | Rourk C NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To: | |
| References | |
| REF-GTECI-142, REF-GTECI-NI, TASK-142, TASK-OR NUREG-1453, NUDOCS 9310130042 | |
| Download: ML20057E692 (21) | |
Text
'
NUREG-1453 ReguLa~:ory Ana;ysis :for ile l Resolution 0:? Generic Issue 1L2: Leakage t:aroug:a E ec:rical Iso ators in Instrumenta: ion Circuits I
U..S. Nuclear Regulatory Commission OITice of Nuclear Regulatory Research C. J. Rourk e arcuq s
e' 930930 9]joiggg 1453 R PDR
I l
i l
AVAILABILITY NOTICE Availability of Reference Materials Cited in NRC Publications Most documents. cited in NRC publications will be available' from one of the following j
sources" 1.
The NRC Public Document Room 2120 L Street, NW, Lower Level, Washington, DC l
20555-0001 2.
The Superintendent of Documents, U.S. Government Printing Office, Mail Stop SSOP, l
Washington, DC 20402-9328 3.
The National Technical information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publica-j tions, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Document Roorriinclude NRC correspondence and internal NRC memoranda; NRC Office of Inspection and, Enforcement bulletins, circulars, information notices, inspection and investi-gation notices; Licensee Event Reports; vendor reports and correspondence; Commission -
papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program; formal NRC staff and contractor reports, NRC-sponsored conference proceed-ings, and NRC booklets and brochures. Also available are Regulatory Guides NRC regula-tions in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances, i
~
i Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by l
the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
l Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register i
l notices, federal and state legislation, and congressional reports can usually be obtained from these libraries, i
1 Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the l
. publication cited.
P Single copies of NRC draft reports are available froe', to the extent of supply, upon written.
i request to the Office of Information Resources Management, Distribution Section, U.S.
l Nuclear Regulatory Commission, Washington, DC 20555-0001.
[
l Copies of industry codes and standards used in a substantive manner in the NRC regulatory -
process are maintained at the NRC Ubrary, 7920 Norfolk Avenue, Bethesda, Maryland, and
[
j are available there for reference use by the public. Codes and standards are usually copy-righted and may be purchased from the originating organization or, if they are American i
National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
I h
k i
b Regu atory Ana:ysis :for t:ae t.
- Reso...u ion 0:: ueneric Issue LL2: Leaxage tarough Electrical Isolators in Instrumentation Circui:s l U.S. Nuclear Regulatory Commission Ollice of Nuclear Regulatory Researcli C. J. Rourk s,
o
- gegggg93o'3o 1453 R PDR
-.=- -
I i
j
,i AVAILABILITY NOTICE i
r Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
1.
The NRC Pubhc Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555-0001 2.
The Superintendent of Documents, U.S. Government Printing Office, Mail Stop SSOP, i
Washington, DC - 20402-9328 3.
The National Technical information Service, Springfield. VA 22161 Although the listing that follows represents the majority of documents cited in NRC publica-tions, it is not intended to be exhaustive.
l Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of j
inspection and Enforcement bulletins, circulars, information notices, inspection and investi-gation notices; Licensee Event Reports; vendor reports and correspondence; Commission I
papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceed-ings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regula-l tions in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.
l Documents available from the National Technical Information Service include NUREG series i
reports and technical reperts prepared by other federal agencies and reports prepared by j
the Atomic Energy Cornmission, forerunner agency to the Nuclear Regulatory Commission.
l l
Documents available from public and special technical libraries include all open literature stems, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained l
I from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are availab!e free, to the extent of supply, upon wotten request to the Office of information Resources Management, Distribution Section, U.S.
Nuclear Regulatory Commission. Wash ngton, DC 20555-0001.
Copies of industry codes and standards osed in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Eiethesda, Maryland, and i
are available there for reference use by the pubhc. Codes and standards are usually copy-righted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards institute, 1430 Broadway, New York, NY 10018.
L
i I
NUREG-1453 Al Regulatory Analysis for the Resolution of Generic Issue 142: Leakage through Electrical Isolators in Instrumentation Circuits i
i Mannwript Completed: August 1993 Date Published: September 1993 C. J. Rourk Division of Safety Issue Resolution OITsce of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 g%
18(
T g
o e
1 l
AllSTRACT i
I
'This report contains the llegulatory Analysis for Gencric common-mode challenge to redundant safety-related sys-Issue 1.42, "I.cakage Through lilectrical Isolators in in-tems. This llegulatory Analysis presents the staff's pro-l strumentation Circuits." This generic issue pertains to posed resolution (the basis for a cost-benefit analysis), the j
isolation devices which are used at the interface between technical basis for the resolution, and a backfit analysis.
j safety-related and non-safety-related instrumentation
'lhe backfit analysis showed insufficient safety benefit
+
and controls circuits in nuclear power plants. If these from the types of actions in the proposed resolution.
l isolation devices are electrically challenged, the potential liowever, it was concluded that the proposed iesolution j
exists for unwanted electrical energy to propagate from should be applied to future plants, because they may be i
the non-safety-related system to the safety-related sys-more susceptible to such challenges, and the costs of tem. lireakdown of isolation devices could result in a implementation will be significantly less.
j
'l i
I l
I l
I l
l l
iii NUllEG-1453 I
4 n
-. =. -
~_ -
l 2
i l
4 -
l CONTENTS Page iii AllSIRACT vii EXECUllVE SUMM AltY 1'
1 S IWiliMENT OF Tlili PitOllLEM 2
OlljECilVES OF Tile PitOPOSED RESOLUllON 3
3 3
EVALUA110N OF A1:lEltNNilVES.
1 3.1 Itejected Alternatives.....
3 i
3.1.1 Guidance Applies to Existing Plants.
3 3.1.2 No Regulatory Action.
3 4
f 3? Prh;wited Hevilnlian-Guidance Applies Only to Future Plants..
r 4
4 COSTillENEFIT ANALYSIS t
4 i
4.1 Specific Objectives of I'roposed llackfit.
4.2 llackfit itequirements 4
5 l
4.3 Incicase/ Decrease in l'oblic Risk From llackfit 1
6 4.4 Increase / Decrease in Plant Employee Risk From Backfit 4.5 Installation and Continuing Cost of llackfit.
6 7
4.6 Impact on Plant Opcations of the Proposed llackfit 8
I 4.7 Estimated Cost to the NRC.
I i
8 l
4.8 Impact of Differences in the Facility on the Proposed llackfit.
8-4.9 Status of Proposed Hackfit i
4.10 Cost in $/ Person-Rem Averted.
8 8
4.11 Forward. Fit Cost Estimate 5
DECISION RAllONALE,
8-i l
8 5.1 Engineering Evaluation.
r 9-5.1.1 Operatmg flistory of ids 1
9 5.1.2 Test Pesults.
5.1.3 Application of ids in Older Plants 10 10 -
5.2 Probability of an ID Challenge.
i Il 5.3 Conclusion.
11-6 1MPLEMEN'lWilON..
[
11
[
7 REFERENCES.
TABLES 2
1(olation Device (ID) Installation Trends 1
7 6
2 Isolation Device Statistical Data.
t i
1 Y
i
i i
d EXECUTIVE SUMM ARY This generic issue was mised during staff review of test "Ihe backfit analysis is based upon the low probability of results for electrical isolators, which are used to create a an isolation device challenge, as determined from the barrier between Class lli electrical instrumentation and historic failure data. "Ihe existing plants have 1 & C sys-controls (I & C) systems and any non-Class 1E I & C tems which are based largely upon electromechanical systems which interface with the safety systems. These relays, which may be more resistant to misoperation or i
tests, conducted by the licensecs and Idaho National En-damage from electrical transients than digital compo-gineering laboratory (INEL), indicated that there is a nents. The staff has concluded that isolation devices do-f possibility of signal leakage from the non-Class IE out-not currently appear to present a significant concern to put of the isolation device to the Class 1E input.
plant safety. A greater potential exists for isolation device challenge to result in misoperation or damage to Class 1E
[
equipment if digital devices are used to a greater extent in Although a leakage signal could possibly affect a pro-future plants than they are currently used in existing tected Class lli system, there is no evidence to suggest plants.
that this event has ever occurred, based in part upon over p
i 700 failurc records of isolation devices, as reported in the in order to prevent this concern from recurring in the Nuclear Plant Reliability Data System (NPRDS). Fur-future, guidance should be issued which outlines accept-4 thermore, the probability of a multiple channelchallenge able test criteria for isolation devices which will be used in is very small, and the decrease in core damage frequency new plants. This guidance could be in the form of a (CDF) which could be achieved by back. fitting question.
Branch Technic:d Position to be included in the Standard able isolation devices does not meet the backfit rule crite-Review Plan, or in the form of a regulatory guide, as rion of pioviding a substantial increase in public health appropriate. This guidance should contain recommended and safety. Furthermore, the safety benefit would not be test procedures and acceptance criteria, which will be
[
grcat enough to justify the cost of backfit.
based in part upon the specific design of any future plants.
i i
e I
i 4
6 i
i I
l'!
i
?
vii NURI&1453
l i
i 1 STATEMENT OF Tile PROllLEM the basis of an analysis of the possibic impact of common.
mode challenges to the ids (Refs. 2-11). Ilowever, the only system analyzed with regard to ID failure was the l
In 1971, the Institute of Electrical and Electronics Engi-reactor protection system (RPS). The assumed failure neers(IEEE) issued a revision of Standard 279," Criteria mode for the SEP analyses was that after the ItPS chan-a for Protection Systems for Nuclear Power Plants," which nels received a severe challenge, they would fail to oper-defined the requirements for electrical isolation devices ate. The conclusions of these final reports werc typically (ids) with respect to nuclear power plant control systems.
based on a comparistm with the calculated probability of
'lhe revised standard required that anyinterfacc between core damage from failurc of thc ltPS to operatc as a r esult a safety-related (Class II!) and non-safety-related (non-of rncchanical failure of control rods to insert into the Class 1 E) system have an ID, in addition to any interface core. For most licensees, this probability was an order of i
between two redundant ch;mncis of a protection system, magnitude greater than the probability of core damage if f
and at any interface between two redundant trains of a the RPS were inoperabic. Since the actual probability of protection system. These devices were required to be RPS failure is very low, the staff c(mcluded that no action designed such that "no credible failure at the output of an was needed.
isolation device shall prevent the associated protection system channel from meeting the minimum performance Ilowever, ids are used in many systems other than the requirements specified in the design bases" (Ref.1).
ItPS. It s also possible that ID challenge could lead to
}
Work on this standard had been in progress for several small signal leakage from the output to the input causing [
years befor e it was issued, and the requirement for Ihe use spurious operation of associated valves, pumps, or simila i
of ids in instrumentation and control (!&C) systems for equipment. A possible scenario rnight be failure of the nuc! car power plants had been anticipated by the industry high. pressure core cooling system in conjunction with before II EE 279 was revised in 1971.
actuation without indication of the pressurizer power op-erated relief' valves (PORV). Ilecause the control loops in 1971, the U.S. Nuc! car Regulatory Commission (NRC) that are connected to ids are also connected to bistables incorporated the standard into a regulation in Section for actuating ot her cquipment. the possible c<msequences 50.55a(h)ofTitle 10 of the CodeoffederalRegulations(10 of 1D challenge could be significantly worse than simply CFR). Ilowever, the NRC did not issue any additional losing the associated systemffhcrefore, even though the regulatory guidance at that tune to clarify ambiguous findings in the SEP final reports did not indicate a prob-terminology m the standard For example, ids are re-Icm with ID usage in older plants, the analysis was not as quired to be used at the interface between Class lE and rigorous as later work suggested might be necessary, non-Class 1 E I&C syst ems and to prevent the application of the maximum credible ac or de potential (the so-called
'lhe number of ids m. nuclear power plants increased maximum credible fault (MCF)) on the non-Class lE ID output from interfering with the operation of the Class significantly af ter the requirement for the safety parame.
1E system, llecause beensees had not receised any infor-ter display system (SPDS) was rmplemented in 1980 (sce mation regarding acceptable qualif cation test procc_
Table 1)(Refs.12 and 13)flhese ids typically receive an dures, credible fault s oltage levels, or acceptable levels of input from the existing Class 1E 1&L system signal kiop.
signal leakage, they were not able to uniformly verify which ultimately ccmnects to a process sensor, such as a
{
a implementation of Ihis requirem ent by the system design-pressure transmitter. The output from the ID rs con-ers to standards endorsed by the staf f.
nected to the non-Class IE SPDS panel, recorder, or compulcr.
In addition, before nuclear safety cystems were devel-l oped. ids were used in a control or instrumentation sys-
'lhe SPDS modifications had two significant affects on tem to prevent low power, high-frequency noise from licensecs. '!he first was that ID clectncal characteristics passing the barrier and entering the system. 'lherefore, were scrutinized by the staff, which resulted in require-some ids might not have been expbcitly designed to meet ments for some licensees to obtain qualification test re.
10 CI:R 50.55ath), but for less demanding service condi-suits before installing the ids (Refs.14-16). 'Ihc quahfi-tions.
cation testmg was prunanly required to certify that the r
ids met the MCF requirement 'the results of some of l
In li hroary 1977 the NRC initiated the Systematic these quahhcation tests raised concerns among the staff j
c livaluation Program (SEP) m order to review the designs regarding the allowable leakape energy that could pass i
of older operating plants to determine their comphance through the ID before failure. In most cases, licensecs with then-current safety requirements. 'lhe final SEP were required to justify the leakage signal measured by i
reports prov>Jed information on the u<.e of ids in 10 of providmg allowable rror levels within the electne:d con-the carher plants.'lhe hnal reports mdicated that 7 of the trol signal hops. 'lhese issues were addressed by Idaho l
10 plants were not required to unplement any mahfica-National Engmeering 1aboratory (INhl) in some pre.
l tsons or perform addrhonal quahhcation tests for ids on hminary work on ID qualification (Refs.17-21).
l 1
N t J R EG -1453
- l
I Table 1 Isolation Device (ID) Installation Trends GE Westinghouse Il&W CE
-}
j Year ids Total OLs*
ids Total OLs*
ids Total 05s*
~ ids Total OLs*
1963 1
1964 1
l 1967 1
1968 15 15 1969 2
15
[
1970 210 225 2
1971 6
6 1
128 353 3
3 1972 6
12 3
227. 580 2
4 7
.1 1973 12 3
593 1173 6
26 26 2
7 2
1974 20 32 8
324 1497 4
131 157 4
7 1
1975 7
39 175 1672 1
4 161 86 93 -
1 1976 39 2
1000 2672 4
161 107 200 2
s 1977 39 817 3489 2
106 267 2
52 252 1978 39 1
246 3735 1
267 2
254 1-l 1979 5
44 4 3739 267 254 1980 44 46 3785 2
267 72 326 1981 44 1
986 4771 4
267 3
329 j
1982 16 60 2
139 4910 1
20 287 329 1
1983 8
68 19 4929 1
2 289 200 529 2
1984 27 95 4
918 5847 3
75 364 83 612 1985 43 138 3
799 6646 4
11 375 250 862 2
t 1986 340 478 4
532 7178 2
1 376 164 1026 1
1987
- 478 2-857 8035 5
4 380 7 1033 1
1988 31 509 392 8427 2
48-428 83 1116 1989 19 528 2
506 8933 3
428 11 1127 i
1990 16 544 293 9226 428 2 1129 1991 275 819
- 279 9505 45 473 60 1189 l
- Operating licenses issued that year The second effect was that many licensees were required tion Circuits," to address the unresolved concerns that to significantly increase the number of ids in order to exist regarding early application of ids and the applica-provide the required inputs for the SPDS without violat.
tion of ids which resulted from the SPDS requirement.
l ing safety guidelines. These inputs would be taken from The objectives of GI-142 were to i
Class IE systems, such as the neutron flux monitoring I
system or the steam generator level monitor, in which it (1) quantitatively define the extent of ID use in would be difficult or prohibitively expensive to mstall a nuclear power plants that had received a construc-new, mdependent sensor.'Dicrcfore, a typical resolution tion permit (CP) before IEEE 279 was issued on of thg,s problem was to place ids into an existing Class II:
- January 1,1971, and determine if the electrical.
'I
- ciremt.The output conductors from the ids are classified separation between Class 1E and non-Class 1E l
-as non-Class 1 E by almost every licensee and are typically systems was adequate for these plants gathered into one panel, plotter, or display. This configu-ration creates a condition in which a common-mode chal-t lenge of the safety-related systems could occur. Although (2) research ID failure modes, and detcrmine if
[
the SPDS requirement resulted in increased scrutiny of common-mode failures are possible j
ID qualification, it also may have res.ilted in increased j
probability of a common-mode challenge to ids, with the (3) determine the possible elfects of common-mode -
possibility of failure or misoperation of the associated failure on the Class 1E equipment in the control safety-related system-circuit i
i (4) determine if existing probabilistic risk assessment in 1987. the staff identified Generic Issue 142 (GI-142).
(PR A) models could be modified to include the
l cakage Through Electrical isolators in Instrumenta-cffects of ID failure i
- N UREG-1453 2
j
t I
r 2 011JIsCTIVIG 017 TIII?
the NRC. This analysis was required because of the lack "I " ""' 'i " S '" "d "'"P'""" "I'"i ' '5S"i"8 8"id -
4 PROPOSICD RESOLUTION ance will prevent the concerns that resulted m this ge-neric issue f rom arising in the future.
'Ihe proposed resolution for GI-142 is to develop and 3 ICVALUATION OF issue guidance that identif es the criteria for determining ALTERNATIVES i
MCF levels and acceptable leakage signal levels. On the I
basis of the backfit analysis presented in this report, the On the basis of previous war k regarding the qualification henefit to be obtained by testing and replacing existing ids in licensed facihties is not significant enough tajustify requirements for ids, there does not appear to be any unresolved issue regardmg what techmcal requirements the expected cost of replacement. However, specification need to be verified for an unqualified ID design. As a of these criteria for plants that are not yet designed will result, there are only three alternatives for the resolution result in a negligibic increase in ihe cost of these facilities.
These additional criteria constitute the minimal require _
of thisgenericissueflhe rejectedalternativesare: (1)the new guidance should also apply to existing plants and (2) ments by which to ensure that ids will function as re-there should be no change in the regulatory require.
quired by 10 CIH 50.55a(h).
ments. The proposed resolution is that guidance should be issued for application only at future plants.
lhe objective of the proposed resolution is to ensure that future plants comph with the NRC interpretation of the 3.1 Rejected Alternatives MCF as used in IEEE 279-1971.The contemplated guid-ance will specify the qualificatiori tests and acceptance 3.1.1 Gilidance Applies to Existing Plartts cnteria that should be used to verify the operating charac-teristics of ids for a specific plant. Although it is not 1hc tests performed byINEl on ids indicate that IDsar e necessary for an ID to provide a perfect barrier to a MCF susceptible to damage from signals that are within the
{
challenge, applicants must demonstrate that the ID will hmits specified in IEEE 472 and IEEE 587 (Refs.17-21).
limit fault signalleakage to a level that will not interfere This damage includes both leakage across the isolation with the operation of the protected Class IE system.
boundary and physical destruction of the components.
Either of these could result in degradation of the pro-1he specified quahfication tests and acceptance criteria 3ected system, because the ID units are usually installed in panels with other safety-related components.
do not exceed the regulatory requirements of 10 CH(
50.55a(h).1hese tests are based on IEEE standards that However, failure records from the Nuclear Plant Reli-are currently used t(i specify requirements for other elec-ability Data System (NPRDS) and the Nuclear Power trical control sptem equipment used in nuclear power Experience (NPE) databases do not indicate that a signifi-i plants. Existing standards for component and system de-cant ID challenge has ever occurred at a licensed facility.
I sign guidelines should be applied uniformly because fail-With regard to the NPRDS database, ID challenge was ure to do so could create a more severe emironment for a not a factor in approximately 800 reported failures for i
specific nonconforming component. These standards 12,000 monitored components. This may be due to the were written after 1EliE 291-1971 was issued and include design of existmgsystems, or the rare occurrence in actual IEEE 472-1974. " Guide for Surge Withstand Capability plant operatior of the levels specified in the test stan-(SWC) Tests" (Ref. 22) and IEEli 587-1980, "IEEE dards.
Guide for Surge Voltages in Inw-Voltage AC Power i
Circuits" (Ref. 23). The conditions identificd in these new A backfit analysis was also performed and is given in standards fall within the category of a maximum credible Section 4 of this report.The risk reduction associated with j
fault as specified in IEEE 279-1971.
testing existing ids, analyzing existing systems, and re-placing unacceptable ids is not substantial. Funher, the.
Specifying MCF test criteria and ID quahfication proce_
costs are not justified by the decrease in risk that would be achieved.1hese results are due to the low probability of a dures will ensure that manufacturers and system design _
ers provide egmprnent that adequately anticipates appli-nmitipic channel ID challenge.
c:mts' needs, and will help applic;mts specify or design On the basis of the historical data on ID failure and the their equipment to staff-approved entena with mimmal results of the backfit analysis, no modifications are re-NR C mvolvement. GI-142 originated because ofconcern quired for existing plants.
alont the adequacy of ids in light ofinsufficient specifica-tion of ID requirements and unclear results from ID 3M No %Wm Mim qualifimiion tests Although the fmdings in this report indicate that ids used by licensees are adequate, this lloth the staff and hcensees have expended a ccmsider-l information was established only af ter lengthy analysis by able amount of effort as a result of the vague wording in j
i 3
l l
I l
IEEE 279-1971Jlhe overriding concern is to ensure that 4 COST / BENEFIT ANALYSIS i
placing ids in Class 1E control circuits will prevent com-i mon-mode failure. If guidance is not developed and is-sued, this concern might not be addressed by applicants 4.1 Specific Objectives of Proposed during design of the control circuit when proscriptive BackIlt measures can be casily taken. Furthermore, compliance with 10 CFR 50.55a(h) will be addressed on an individual
'1he resolution of GI-142 is based on j
basis and could lead to qualification critena that are not i
uniform.
(1) an apparent absence of any significant events caused by ID challenge, It is also likely that new plants will rely on solid-state and (2) the results of tests performed on ids by INEL i
microelectronic signal processing to a greater extent than and bcensecs, which mdicate that most meet the plants designed before or during the 1970's. Even though MCl requirements of IEEE 279-1971, a potential problem has not been found with ids used in (3) a review of available c<mtrol system design infor-cxistmg plants, thts could be a result of the electrome-mation, which indicates that the circuitry is not in chamcal nature of older control systems, which are inher-a configuration which would be damaged by ently more reststant to high-frequency transients than previousiv measured values of energy leakage, and solid-state components. It is destrable to clearly identify the requirements for ids before new plants are approved (4) the low probability that a MCF or other postu-for construction and to umformly apply these require-lated event could challenge the ids.
ments to avoid uncertainty.
None of these reasons, taken alone, are sufficient to es-tablish that the probability of an ID challenge leading to 3.2 Proposed Resolution-Guidance core damage is insignificant.The combination of all four Applies Only to Future Plants is enough to reasonably suggest that.the proposed re-quirements for ids are not needed for existing plants. If these requirements were made retroactive, it would be Historical data on ID failure do not indicate that the necessary for the licensee to test every modci of ID that is cxisting use of ids presents a serious concern regardmg used, to determine the Icvel of signal leakage under chal-ID challenge and signal leakage. However, the tests per-lenge, and to then analyze every plant system to deter-formed by INEl. indicate that the potential exists for ids mine the maximum acceptable signal leakage in the event to be seriously damaged and to allow significant signal of ID challenge. Any unacceptable ids would need to be leakage, either of which could result in a common-mode replaced.
l failute of Class 1E equipment and possible core damage.
4.2 Backfit Requirements i
'lhe requirements of IEEE 472 and IEEE 5S7 currently
'lhe ID testing performed by INEL in the 1980s suggests apply to all other control system components to which ids that ids do not create a perfect barrier to the potential may be connected, such as relays and bistables, and challenges that could occur at the ID output or power should be applied uniformly to provide a high degree of leads. However, a perfect barrier is not required, if the assurance that components will not fail under conditions protected Class IE system could continue to function as that the system is designed to withstand. The additional designed after the ID challenge occurred. 'therefore, industry costs associated with developing ids that meet backfit requirements should be sufficient to verify that all the recommendations of the proposed guidance would bc ids used at the interface between safety and non-safety small (see Section 4.ll). lD manufacturers can design and systems will prevent a signal from leaking through that test their equipment to ensure that it meets the guide-could cause the safety system to fail to perform as de-lines. System designers will be able to request this design signed.To completely climinate this concern,it would be information and compensate for any signal leakage, necessary to (1) expand the requirements for ids to in-clude IEEE 472 and IEEE 587 tests (2) require licensees to evaluatc all controi circuitry to determine what level of Without guidance, manufacturers are more likely to pro-noise leakage through ids is acceptab!c (3) requir e licen-vide ids that will not withstand an MCF and system sees to perform tests on existing ids to determine if they designers will have hmited access to ID failure character-
.are acceptable (4) require licensees to perform tests on l
istics.'therefore, the recommended resolution of G1-142 any replacement ids. if the existing ones are unaccept-is to issue guidance which explicitly states requirements able (5) replace any deficient ids. which would include lor MCF iciels and requires compliance with IEEE 472 drawing changes and possibly new cabling and panel and IEEE 572, that will apply only to future plants, mothfications
[
4 NUIWG-1453 4
g vv.,..
a For future plants, these steps will be unnecessary. ID approach taken was to review the PRA of a typical plant manufacturers will be able to perform the required tests and assume that ids were placed in any system that either based on regulatory guidance when developing new com-was known to have them.or possibly had them. The as-ponents. Applicants and system designers will be able to sumption was then made that an ID challenge would r equest these test reports for design qualification and will result in activation of associated equipment.
be abic to design the system to withstand any leakage that occurs /!herefore, any additional costs would be included Sandia National laboratory (SNL) performed an analysis f
in the cost of cach new device as a one-time development of the Surry plant because of the existence of PRA data, cost.
the relatively large number ofinstalled ids (189), and the availability of a limited number of design drawings. SNL C""'I"d d th *'# "C'* I "' "'" S "h I" 'h II'"8' 4.3 Increase / Decrease in Public Risk could have a significant impact on plant safety:
I<, rom Ilackfit (1) the effect of an ID challenge causing the align-I
'lhe most probable initiating event for ID challenge ap-ment of a low-pressure system to a high-pressurc pears to be wiring error events in panels (e.g. inadvertent system resulting in an interfacing-systems loss-of-short circuits while usingjumpers)on the basis of the past coolant accident (ISLOCA) frequency of possible initiating events (none of these events have ever resulted in ID challenge, but may have (2) the effect of an ID challenge inadvertently result-resulted in challenge of another component or may have ing in operation of a PORV been a potential challenge). A scarch of the NRC nuclear documents system (NUDOCS) database and the NPli (3) the effect of an inadvertent pump start resulting database indicates that at ! cast 30 of these wiring crror from an ID challenge
[
events occurred between 1975 and 1991 which resulted in the generation of a licensec event report (1.liR). Of these (4) the effect of an ID challenge on the RPS.
j 30 crents,15 occurred while the plant was at power, and This analysis showed that the Surry PR A documented in f
15 occurred durmg refuchng, cold shuidown, or power NUREG-ll50 (Ref. 28) contained many of the possible i
. ascension. Ihis is approximately 1.Oli-2 crent/rcactor events, such as inadvertent pump actuation and RPS fail-year. An additional factor of 0.001 is used to quantify the ure (Ref. 26). In some cases, the product of the probabil-i probability that the panel will have terminations from the ity of failure on demand and the frequency of demand was output of multiple ids (probability - 1.011-2) and that greater than the postulated annual frequency for the contact will occur at a critical point in the panel, based MCI event (1.0E-5). Other events would reqmre multi-l upon the typical size of pancis and the large number of plc, random failures which result m a negligible probabil-noncritical 1crminations in a panc! (probability ity of occurrence.1 or example, the ISLOCA sequence
=
1.0E-1). Therefore, the high estimate of the probability w uld require the random f ailure of check valves in com-of an initiating event is believed to be about 1.0E-5 cvent/
bination with the random occurrence of ID challenge, reactor-year. The best estimate and low estimate are not which results in a negligible probability product.
used in this an dysis, but arc expected to be significantly less than 1.0E-5 cvent/ reactor-year.
For Surry, the combined risk reduction for climination of all events that were similar to postulated ID challenges llecause an ID challenge is a random event with a low was a pproximat ely 3.11M/rcact or-year /Ihis was taken as probability of occurrence, the increase in core damage a conservative estimate of the CDF, because the actual frequency (CDF) r esul ting fr om simultan eous, independ-frequency of ID challenge events is much lower'than the ent occurrence of an unrelated event (e.g. station black-frequency of these events. It was also assumed that ID out)and the loss or misactivation of Class-1E equipment challenge will result in a signal that causes pump actua-i due o isolator challenge would be too small to reqmre tion or RPS failure, even though other possible scenarios a
regulatory action (i.e. result mg in an increase in CDF less exist that have less significant effects (pump failure, RPS l
than LOli-5) (Ref. 25). Ilowever, a concern which is po-actuation, no effect). 'Iherefore, the upper-bound reduc-tentially more sigmfic:mt is whether the ID challenge lion in CDF for the cost / benefit analysis was assumed to itself could precipitate core damage. An example of one he 3.11M/ reactor year.
j such event is activation of the PORV, subsequent loss of coolant, and concurrent damaging of the PORV status
'Ihe best estimate of the reduction in CDF that could be i
indication. The powibihty of such events can only be obtained by improved testing of IDS was obtained by determined b) reviewing the design of each plant.
disregarding the effect of the loss-of.rnain-feedwater event. 'lhas estimate is based on the mean frequency for
'lhis type of design mformation is difficult and tirne con-the loss-of mam-feedwater event, which is 9.4E-1/yr sum mg to obtain for individual plants. even with access to compared with an expected ID challenge frequency of all plant records, drawings, and equ pment. Instead, the 1.0E-5/yr.The loss-of-main feedwater event contributes 5
NUREG -1453
i 1.7E-6/yr to the CDFin the upper. bound estimate and is (2) testing of existing ids (by model and licensee) l assumed not to contribute to the CDF for a best estimate, because of the significant difference between the initiat-(3) testing of replacement ids (by model and ing event frequencies.Therefore, the contribution to the licensec) i upper-tmund CDF from the loss-of-main.feedwater event was subtracted to yield the best estimate of the (4) drawing changes for replacement ids reduction in CDF, which is 1.4E-6/ reactor-year.
(5) physical changes for replacement ids l
1he Surry PRA was also used to obtain a low estimate of the reduction in CDF that would be achieved by the Approximately 12,000 ids are currently reported in proposed action.The loss of the RPS is thc only event that NPRDS (see Table 2), and the average licensee has 4
[
has an initiating frequency about equal to the expened different models of ID. Testing might not be feasible if a r
initiating frequency of events resulting from ID cha!.
model were no longer being manufactured, and it might lenges.The reduction in CDF for increasing the rcliability be necessary to change panel configuration and add cir-of the RPS to 1.0 is approximately 1.3E-6 and was chosen cuitsand raceways to accommodate new ids. Each device as the low estimate for increasing the reliability of system would require approximately 1 person-week of effort to i
isolation. However, even this low estimate is likely to be evaluate.This evaluation would consist of finding all af-greater than the risk reduction that could actually be fccted ids and all associated wiring diagrams and compo-l assumed, since the components that are protected by ids nent drawings and evaluating the range and effects of (relays, pumps, valves, etc.) have a probability of spurious signal leakage resulting from ID challenge. This estimate activation that is likely to be greater than the probability is probably low, but would cornpensate for ids with simi-of multipic ID challenges and subsequent signalleakage lar design and application features.The average cost per 1
on the basis of operating data. Therefore, it is likely that person-week is assumed to be $3.5E + 3 or a total review the probability of an ID challenge leading to spurious cost of $4.2E+ 7.
j operation or failure of equipment is less than the prob-ability that the actuators for that equipment will Table 2 Isolation Device Statistical Data
- spuriously operate on their own.
Data BWRs PWRs 1he same values for reducing CDF were used for boiling-Total Number S19 1116' water reactors (BWRs), even though they have fewer ids on the average than pressurized-water reactors (PWRs).
Reporting Plants 23 74 i
ids / Plant 36 151 BWRs tend to be less dependant on ids, by design, to ensure system independence than are PWRs.
Reported Failures 15 720
% Failure 1.8 6.4 4.4 Increase / Decrease in Plant Pre-lEEE 279 Plants 11 37 Eniployee Risk From Backfit Post-IEEE 279 Plants 12(9)"
36 i
Evaluation and replacement of ids could possibly result ids / Plant, Pre-IEEE 279 11 153 l
in some additional exposure to employees, depending on ids / Plant, Post-IEEE 279 58(11)"
153 i
the location of ids in the plant and the amount of addi-tional cable that would have to be installed to replace
.NPRDS data are current as of September 1991, cxisting ids. There would be some additional benefit
" Numbers in paranthesis exclude major outliers.
i from the backfit, that would be a function of the decrease in CDF and the type of radiation release which would be Each licensee will be responsible for individual test re-expected from an 1D-tmtrated fait ure. For the purposes of sults. It is possible that licensecs with similar ids will pool this evaluation, both of these figures are assumed to be resources, but they have not done this when performing negligible and subject to too much uncertainty to be of qualification tests for the SPDS. Each licensee will also any benefit.
have different test requirements, depending on the de-
{
sign of the plant systems. For the purpose of this analysis, 1
4.b_
IHSlallal.lon and COnl.inuing Cost it is assumed that each utility will conduct independent OfIlaCkfit tests for each model of ID that it uses. Testing costs are assumed to be $100.000 per device, including the cost of Costs for the backfit are more readily calculated on a the tested devices.The total number of models estimated per-ID or per-model basis than on a per-licensee basis from NPRDS data under these assumptions was approxi-and c:m be broken down into five categories:
mately 380 models for the entire industry or approxi-matcly 4 different models per licensee This yields a total (1) evaluation cost of $3SE + 7.
NUR EG-1453 6
l The number of II)s that will need to be replaced is diffi-PWR:
cult to determine, since it will depend on each licensees Upper Bound =
acceptance entena and design. On the basis of the results
($1.65E + 9)(3.1E-6HtY) - $5.1 E + 3ntY of INEl. tests, it is msumed ' hat 25 percent of the ID liest Estimate -
t models wdl need to be replaced, and each replacement
($1.65E + 9)(1.4E-6/RY) = $2.3E + 3dtY model will also need to be tested at a cost of $100,000 per lower Hound =
model tested, including the cost of the tested devices. On
($1.65E + 9)(1.311-6$1Y) = $2.1E + 3/RY the basis of an initial number of 380 models,95 models will need to be replaced for the entire industry or approxi-g.p, mately 1 per licensec. 'Ihisyields a total cost of 59.5E 4 6.
Upper llound =
($1.65E + 9)(3.111-6/RY) ~ $5.1E + 3/RY Drawing changes will be required for all ids that are Hest listimate -
replaced. For the purpose of this analysis, it is assumed
($ 1.65E + 9)(L4E-6dtY) = $2.3E + 3/RY that 25 percent of the total number of ids will need to be wer Hound -
replaced, which would result in the replacement of 3000
($165!i + 9)(1.3E-6/R Y) - $2.1 E + 3/RY ids for the entire industry or approximately 30 ids pt.r t
licensee. This results in a total cost of $6.3E 4 7, assuming TotalIndustry Cost Savings Due to Accident Asold.
e an average of three affected drawings per device and 2 persen.wceks for drafting, engmeering review, and issu-ance, plus an additional $3.0E +7 for replacement ids' Sensitivity Case Total assuming $5.011+ 3 for each and for one spare.
Upper Hound
$1.8E + 7 r
The ids that are acceptable will not uniformly fit existing fjf*und U
l j
3 panels or circt.itry, which wdl subsequently require some modifications. I or the purpose of this analysis, it is os-Total Industry Resources for Safety issur Resolu.
sumed that 50 percent of the devices that wdl need to be
'.* " I"* I' * * "'"I ". "
replaced (or 12.5 percent of the total number, approxi-mately 1500 lbs) wdl require panel and/or circuitry modi.
.Ihe industry resource requirements for testing ids, buy-fications. Estimated cost is 2 person. months of labor per ing replacement ids, installing the replacement ids, and device. I wo drawing changes are estimated to be required documenting the changes are summanzed below. He-for panel modif cations or cable installation, at 2 person-cause costs are estimated on a per-1D basis for a popula-weeks per drawing for draf ting. engineering review, and tion of 12,000 ids, total industry costs ar e re;mrted.
csuance. lhis yields a total cost of $6.311+ 7.
Testing, Analysis, and Documentation
(
' F
"}
CoM Petunt of Total Total from above
$1.5E + 8 Evahiation
$4.2E 4 07 17.1 t
11ardware and Installatm.n Test existing ids
$3.8E + 07 15.5 Test replacement 1Ds
$9.51i4 06 3.8 Total from above 59.3E + 7 1)rawmg changes
$6.3E 4 07 25.7 tIDs
$3.0E + 07 12.2 h
Total Industry Cost for SIR Implementation (NI) changes
$6.3E4 07 25.7 NI - $2.5E4 8 l
Total
$2.5E4 08 Operating and rnaintenance costs are assumed to be equal for new and replaced ids.
Total industry cost for SIR implementation mmus-upper bound estimate of industry cost savings due to accident All PWRs and HWRs are assumed to be affected: 90 avoidance is $2.3E 4 8 PWRs plus 44 HWRs or a total of 134 plantsflhe average i
remaining lives of affected plants 26.4 years for PWRs 4.6 Irnpact on Plant Operations of the and 25.0 years for llWRs, or 25.9 years for all plants
- Proposed liacklit lindustry Costs Replacing ids would have no significant impact on the plant other than cost for testing and replacement.1Ds are Per Plant Industry Cost Savings Due to Accident currently used at the locations throughout the plant e
As oidance where replacement ids would be installed. Replacement 7
F ei
i I
of these ids with more durable ids should not signifi-criteria. 'Iherefore, development costs of $5.0E+5 are cantly affect the plant, unless modifications to panels or probably much greater than actual costs would be. Even control wiring are incorrectly performed.
with this likely overestimate of cost, the above cost / bene-i fit ratios indicate that a forward-fit of the proposed guid-l 4.7 Estimated Cost to the NRC ance would meet the current agency criterion of 51000/ person-rem if there were two or more future NRC costs for support of SIR implementation were esti-plants.
mated in (Ref. 27) to be about $2.0E+ 5 per plant for j
NRC reviews of plant modifications, for a total of 5 DECISION RATIONALE
$2.7E + 07 for 134 plants.
4.8 Impact of Differences in the 5.1 Engineering Evaluation Facility on the Proposed Backfit To analyze the effect of ID challenge on plant safety, it Traditionally, PWRs have incorporated more ids in the was first necessary to determine the scope of the analysis.
plant control systems than have BWRs. However, some It would not be possible to review the design of each plant l
HWRs have up to 300 ids.Therefore, no plants would be to determine the extent ofID use.This information would
(
exempt from the backfit requirement.
only be available on design drawings, since ids are indi-
~
vidual components within complex systems. The only 4.9 Status of Proposed Backfit available database that could be used to provide informa-tion on the extent ofID use is the nuclear plant reliability This backfit would be a final backfit.
data system (NPRDS) database, which is managed by the l
Institute of Nuclear Power Operations (INPO) Informa-4.10 Cost in $/ Person-Rem Averted tion from NPRDS was used to evaluate the extent of ID use in the industry.
l Cost ($/ Person. Rem)
On t h e basis of the data in NPRDS, the decision was made i
Upper Bound 1.l E + 4 Best Estimate 2.7E + 4 to review the Surty Unit 1 plant. T1us plant has a signifi-lower Bound 2.9E + 4 cant number oflDs (189)and a compiete probabilistic risk assessment (PRA) model. 'Ihe intent was to determine if A value of 2E + 6 person-rem per core melt is assumed for it would be possible to include the ids in the Surry PRA this analysis. Total costs are totr' "iustry cost plus esti-and to determine analytically what effect ID challenge mated costs to the NRL, which au sm additional cost to would have on plant safety. However, it was not possible industry (total cost = $2.5E + 8) to obtain enough information on the plant to determine j
the location of the ids or the design of the systems in 4.11 Fonvard-Fit Cost Estimate which they were located, unless a significant amount of I
effort was to be spent reviewing design documents.
Even though there is an average of four ID models per plant as discussed in Section 4.5,60 percent of the ids The Surry PRA was reviewed to determine what effect ID J
used were manufactured by a single manufacturer (Wes-challenge could have, assuming ids were located at the tinghouse), and several plants use only a single model of rnost critical locations and the challenge would result in ID. 'Iherefore, it can be assumed that a new plant could the worst possible signal leakage (i.e. equipment dawmn I
use a single type of ID. With development costs of spurious operation, etc.). Although this hypoth l
=
$5.0E + 5, the cost of SIR implementation would depend analysis overestimates the general effect of ID cualenge on the number of future plants built. Assuming that the on an average plant the CDF used in the cost / benefit safety benefit will remain the same or increase for future analysis was determined through this analysis.
t plants, the cost for SIR implementation for future plants 4
would be:
As shown above, even with this overestimate of safety benefit, the requirements of the backfit rule are not satis-Number of Cost fied. 'lhat is, for current plants, the proposed resolt tion l
Future Plants
($/ person rem) does not provide a substantial increase in &c overall 1
2.0E + 3 protection of the public health and safety, nor would the 2
1.0E + 3 costs of implementation be justified in view of the in-3 5.0E + 2 creased protection obtained. On the other hand, the 4
front-fit analysis provided atrve shows that the imple-Some of the ids tested as documented in Reference 21 mentation of proposed guidance is justified for future would require very little mothfication to meet the new plants.
NURI G-1453 8
)
i
-l i
The results of the INELand licensee tests are reviewed in absence of any reported incidents is notable, in light of j
section 5.1.2 in light of this analysis. Es en though the test the severity of the results in the test reports.
results indicate that it is possible for signals to backfeed through some ids, the operating data indicate either this 5.1.2 Test Results backfeed has not occurred in service, or that if it has occurred, that it did not result in degraded operation of in 1985,INEL reported the results of tests conducted on J
the protected systemflhe more significant finding is that 19 different models of ids (Ref.11). The tests consisted some ids can physically destruct when exposed to IEEE of challenging the ids using a method consistent with
+
standard tests. '
industry standards, such as IEEE 279 (MCF tests)(Ref.
}
1), IEEE 472 (relry surge tests) (Ref. 22), and IEEE 587
[
(power line surge tests) (Ref. 23). These tests are stan-5.1.1 Operating IIistory ofIDs dard for electrical control system components such as relays, which are used with ids in Class IE control sys-The NPRDS database, which was developed by the tems. 'lhe test signals were applied to the ID power leads Edison Electric Institute, has been managed b' INPO or the output ! cads, and the response on the input leads P
I since January 1,1984. Ilefore that it was manage 6 by joint was recorded.
committeesof the American NationalStandards Institute (ANSI). While the database was managed by ANSI, the The MCF tests did not reveal any significant concerns 1
quality of the data was considered poor, oue in pcrt to with signal leakage. Of the 19 ids,4 (21 perma) allowed poor utility participation. The move by INPO to marnge energy in the form of a short duration, low-voltage pulse l
NPRDS preempted a decision by the NRC to issue a t ule to pass through the barrier. The pulses lasted less than i
for the reporting of operational data.The NRC Ns been 130 msec and had absolute magnitudes of less than 4 V.
f monitoring INPO's progress since 19M Since the ids are typically connected to a control circuit that uses de voltage and 4-20 m A of current, these pulses INPO performs a iechnical reaew of all data that are would create a minor fluctuation in the signal. In addition, t
input into the database for accuracy and consistency. Li-the control circuitry in most licensed facilities is electro-censees have also betn instructed to track ID application mechanical as opposed to solid-state, and has a response
[
and failure in NPRDS. For these reasons, the NPRDS time constant which may exceed the duration of these database is a reliable and valuable source of information transients. The greatest concern raised by these tests was on ID use and failure modes.The latest NRC review of the physical destruction of some of the ids. Of 19 ids, i
NPRDS (Ref. 24) indicates that some concerns remain appeared to have 7 (37 percent) burned or emitted sparks mth the thoroughn& of utility reporting. However, for or missiles when tested. 'lhis behavior in service could the purpose of this analysis, the data in NPRDS are suffi-cause panel fires in multiple channels of safety equip-l cient to determme the probability of ID challenge and ment in the event of an ID challenge.
i' subsequent effects. All NPRDS data referenced in this report are current as of September 1991.
'Ihese tests were performed with the ID input open-cir-cuited..,nich creates the maximum possible voltage on j
t he bput leads. In service, the ID input will be connected Of the approximately 12,000 ids tracked in NPRDS, ap-to an impedance. For one model of a Westinghouse-de-proximately 800 failures have been reported. Three of these failures resulted in a plant trip; one of the trips sign ID,1(us impedance is approximately 0.25 percent of the mput impedance, wmch would attenuate the voltage resulted because another channel was out of service for to an insignificant level, Westinghouse ids account for maintenance, and the wcond trip resuhed because of 62.9 percent of all ids. It is also expected that most ids j
fai:ure to detect the failed ID as a result of a wiring error.
would be used m a manner simdar to that used by Westm-j None of the ID failures were the result of an MCF event or any identifiable surge event. Furthermore, none of the phouse (i.e. with a control circuit current k>op, using an j
mput resistance to derive a voltage signal from the cur-j ID failures tesuhed in damage to the associated equip, rent signa 4 ment or spurious operation of emergeng core cooling system (liCCS). 'lhe majority of failures were due to Several licensee-sponsored ID tests are on record.The random failure of electronic components, at the rate of resuhs of these tests are consistent with the INEL tests.
j approximately 10-6 failures per hour. Ihis is consistent Two of the tests (Refs. 4 and 6) were conducted at engi-l with the failure rate of individual components in other neering laboratories, and were relatively thorough. Al-ciectromc devices.
thougli some ids allowed energy backfced, the magni-tude and duration of the signal were such that the NRC I
Other sources of information were also searched to find staff determined that the ids were neceptable for use at cvidence of ID failure (Ref. 26). This additional research the plant.
did not identify any ID failures resultmg from MCF or other electncal challenge, inadvertent operation of
~1hc third set of tests (Ref. 5)was conducted by the licen-ICCS. or damage to associated equipment. In fact, the see themselves and was less thorough. These tests j
i 9
NU Rl!G-1453 i
k l
t
')
indicated that a condition not as severe as the MCF (a requirement. If these early plants did not use ids, it is current liraited condition) could result in more energy important to determinc if it is because t hey were designed being backfed through the ID than from an MCF. How-not to need them, or if there is some possible safety ever, the test procedure was not described, the type and signific mce. Several sources suggest that ids were used i
sensitivity of the current and voltage metering equipment in early plants to the same extent as in later plants.
were not provided, and there was no burden (resistance)
NPRDS data are shown in Table 2. For PWRs, there are on the ID input.'Ihe NRC staff reviewed the results of exactly the same average number of ids in the 36 plants these tests and found that the ids were acceptable for use that received a CP after January 1,1971 (post-1EEE 279) j at the plant.
as there arc in the 37 plants that received a CP before January 1,1971 (pre-IEEE 279). The statistics for HWRs i
in summary, no tests performed on ids have provided are not as straightforward, with an average of 58 ids for i
conpelling evidence that an MCF applied to the ID out-post lEEE 279 plants, and an average of 11 ids for pre-i put will severely affect the ID input for one the following IEEE 279 plants. liowever, if three plants are excluded reasons:
from the post-lEEE 279 figures (Clinton 1 with 310 ids, Nine Mile Point 2 with 210 ids, and 11 ope Creek I with 81 l
The small percentage of ids that allowed energy to ids), the average for the post-lEEE 279 plants drops to pass through the barrier only allowed a low-power, 11.
low-voltage pulse of short duration.
Other sources of data on ID use in older plants are the e
'lhe test conditbas did not adequately simulate op.
final safety analysis reports (FSARs) for pre-lEEE 279 erating conditions.
plants,19 of which are reviewed in Reference 26. All of j
these units used ids to some extent, although some were i
Information known abcut the test equipment or con-reported using relays as ids, which cannot transfer analog e
ditions is insufficient to allow the results to be re-data. Ilowever,14 of thesc 19, or 73.7 percent, were using i'
pcated.
isolation amplifiers when the FSARs were issued.
It is not likely that the energy leakage seen for H)s could A third source of information is the Systematic Evalu-l result in damage or inadvertent operation of associated ation Program (SEP) final reports (Refs.12-21). These equipment. All other aspects of the tests, such as the reports contain information on ID use in 10 of the oldest l
4 IEEE 472 and lEEE 587 tests, and destructive failurc of plants. Many of the plants reported that ids were not some ids created a greater concern. liowever, requiring used between some data channels and the process record-i licensees to verify that installed ids can pass these tests ers. Limited PRA analyses indicated that this lack was not would constitute a new requirement, which is considered significant because of a low increase in core damage fre-in the backfit analysis in this report, quency resulting from a total absence of the RPS.110w-ever, as discussed, these analyses did not consider the There are several possible reasons why these tests are not effect of spurious equipment operation or misleading representative of failure modes of ids in service. First, information on plant safety.
the test criteria might be too severe and not representa-tive of transients experienced in nuclear power plant con-5.2 Probability of,an ID Challenge j
trol systems. Second, there may be a greater amount of The worst-case ID challenge is defined in this study as long cable nms in nuclear plants, which would create a small signal leakage through the ID barrier, resulting in high impedance for the high-frequency,mpulses speci-inadvertent operation of Ihe equipment to which the ID is i
fiedinlEEE472andlEEE 587. Third most nuclear plant attached, with a subsequert loss-of-coolant accident or control systems are fed from uninterruptible power sup-equipment damage, but no impact on the functioning of phes, which can provide very clean power with less noise the control system. A less severe scenario of damage to than is typically present on power lines.1 mally, because the actuation system without inadvertent actuation might l
of the short duratmn of most transients not enough en-result from a more severe ID failure. In my case, a
[
crgy rnay be transferred or the transients may not last hyng mechanism is r equir ed to simultaneously challenge rnulti-enough to cause the predommantly electromechamcal ple channels.
controls m older plants to respond. In light of the re-i ported failure data, there does not appear to be any need The predominant concerns are cable or raceway fires or
~
to backfit existing ids.
faults, and panel fir es or faults. A review of cable' shorting events shows that the most likely source of shorting is 5.L3 Application ofIDs in Older Plants through panel wiring errors, such as when a technician
{
i drops a cabic in a panel er inadvertently 1 ouches a 1crmi-l Task 2 in the task action plan (Ref. 29) was to determine nation.The probability that this scenano could lead to an i.
whether ids were used in plants that received a CP be-ID challenge was assessed to be 1.0E-5/ reactor-year. It fore January 1,1971, when IEEE 279-1971 became a appears that all initiating events for multiple channel I
. NUREG-1453 10
i l
4 i
i challenges to 1.D output would occur at this Ircquency or 3.
U.S. Nuclear Regulatory Commission, NUREG-less. For example, a fire in a cable tray or conduit (0.001 0821, " Integrated Plant Safety Assessment, Sys-events per reacic7 ear) would create a challenge only if tematic Evaluation Program, R.E. Ginna Nuclear output cables froin multiple ids were in the same race-Power Plant," Final Report, December 1982.
t way, lost insulation on only I conductor, and simultane-ously shortened to a potential source before protective 4.
U.S. Nuclear Regulatory Commission, NUREG-p relays or fuses operated. 'lhe probal2ity of this sequence 0822, " Integrated Plant Safety Assessment Sys-t of events is considered to be less than 1.0E-5/ reactor-tematic livaluatior. Program, Oyster Creek j
year.
Nuclear Generating Station," Final Report, Janu-i ary 1983.
l The transients modeled by the IEEE 472 and IEEE 587 5.
U.S. Nuclear Regulatory Commission, NUREG-tests are lightning surges, power line transients, and noise 0823 " Integrated Plant Safety Assessment, Sys-created by intense, high frequency electromagnetic activ-tematic Evaluation Program, Dresden Nuclear ity such as arc weldmg. Even though these events occur Power Station Unit 2," Final Report, February frequently in power plants, and the response of the ids to y933'
?
the above tests was less acceptable than the response of the ids to the MCF tests, there are no reported incidents 6.
(J.S. Nuclear Regulatory Commission, NUREG-of ID challenge or failure resulting from these events.
5824, " Integrated Plant Safety Assessment, Sys-tematic Evaluation Program, Millstone Nuclear i
i 5.3 Conclusiott Power Station Unit 1," Final Report, February 1983.
Isolation devices are used extensively in operating nu.
7.
U.S. Nuclear Regulatory Commission, NUREG-clear power plants.'lhe NPRDS database, which contains detailed reports of over 12,000 ids and 800 ID failures, 0825, " Integrated Plant Safety Assessment, Sys-i tematic Evaluation Program, Yankee Nuclear indicates that there are no cases of ID challenge similar to the conditions tested for in the INEL tests. In addition, Power Station," Final Report, June 1983.
t the test results in the INEL reports do not indicate that 8.
U.S. NucIcar Regulatory Commission, NUREG-the amount of energy leakage is significant in the event of barrier failure. Considered in light of the calculated low 0826, " Integrated Plant Safety Assessment, Sys-tematic Evaluation Program, liaddam Neck increase in CDF from ID challenge, there is no basis for requiring backfit of ids in existing plants. Ilowever, be-Plant," Fm, al Report, June 1983.
9.
U.S. Nuclear Regulatory Commission, NUREG-I cause I&C design for future plants may be more suscepti-ble to failure ft om such challenges, existing IEEE test and OSE " Integrated Plant Safety Assessment, Sys-
~
acceptance criteria should be consistently applied for tematic Evaluation Program, lacrosse Boiling i
these plants.
Water Reactor," Final Report, June 1983.
6 IMPLEMENTATION 10.
U.S. Nuclear Regulatory Commission, NUREG-
{
0828, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Big Rock Point j
'lhe NRC should develop new guidance containing rec-Plant," Final Report, May 1984.
l ommended levels of testing and leakage criteria, and re-11.
U.S. Nuclear Regulatory Commission, NUREG-1 quiring compliance with the criteria in IEEE 472 and 0829, " Integrated Plant Safety Assessment,.Sys-I IEEE 587 for implementation on future plants' tematic Evaluation Program, San Onofre Nuclear Generating Station Unit 1," Final Report, Decem-l 7 REFEllENCES ber 19s6.
l 1
12.
U.S. Nuclear Regulatory Commission, NUREG-0737," Clarification of TMI Action Plan Require-1.
Institute of Electrical and Electronics Engineers, ments, November, M 279-1971," Criteria for Protection Systems for Nu-13.
Generic Letter 82-33, " Supplement to NUREG-j clear Power Plants."
0737."
l 2.
U.S. Nuclear Regulatory Commission. NUREG-t 0820 " Integrated Plant Safety Assessment, Sys-14.
Letter. Irom II.W. Keiser, PP&l, to Dr. W.R. Ilut-i tematic Evaluation Program for Palisades Plant,"
ler, NRC, "Susquehanna isolation Device Oualifi-i Draft Report. April 1982.
cationTesting" April 15,1991.
'l
.i 11 NUREG-1453 i
_ _=.
i
?
I 15.
letter, from MJ. Davis. NRC, to distnbution, 23.
Institute of Electrical _and Electronics Engineers,
" Summary of Meetings to Discuss SPDS Testing 587-1980, "IEEE Guide for Surge Voltages in
' Program Results, " December 12,1986.
l.ow-Voltage AC Power Circuits."
i 16.
Ietter, from G.C. Andognini, SMUD, to F.J.
24.
U.S. Nuclear Regulatory Commission, SECY-Miraglia, NRC " Request forInformation on SPDS91-244 " Nuclear Plant Reliability Data System lsolation Devices." July 24,1987.
(NPRDS)," August 7,1991.
25.
U.S. Nuclear Regulatory Commission, SECY--
17.
J.R. Nielsen ct. al., " Preliminary Electrical Signal l.
Isolation Device Evaluation Plan,"
EGG _
91-270 " Interim Guidance on Staff Implementa-EE4220 EG&G Idaho, Inc. April 1983.
tion of the Commission's Safety Goal Policy,"'
August 27,1991.
-l 18.
J.R. Nielsen," Surge and Fault Test Procedures for Class IE Isolation Devices." EGG-EE-6583, U.S. Nuclear. Regulatory Commission, NURhG/
26.
CR-5863, W. R. Cramond, D. B. Mitchell, S. P.
-j EG&G Idaho, Inc. June 1984.
Miller, J. L. Yakle, " Risk Assessment of Isolation Devices in Safety Systems," Sandia National 12bo-19.
J.R. Nicisen, " Isolation Device fest Progmm De-ratories January 1993.
sign Basis Event Criteria," FGG-EE4621. EG & G Idaho, Inc. September 1984.
27.
U.S. Nuclear Regulatory Commission, NUREG-0933, "A Prioritization of Generic Safety Issues,"
5 20.
J.R. Nielsen, " Isolation Device Evaluation Crite-1983.
I ria," EGG-EE4892, EG&G Idaho, Inc. Novem-l ber 1985.
28.
U.S. Nuclear llegulatory Commission, NUREG- -
l 1150," Severe Accident Risks: An Assessment for 21.
U.S. Nuclear Regulatory Commission, NUREG/
Five U.S. Nuclear Power Plants," Final Report, CR-3453, J.R. Nicisen, " Electronic Isolators used December 1990.-
l in Safety Systems of U.S Nuclear Power Plants"
[
EG&G Idaho, Inc. March 1986.
29.
Memorandum, from W. Minners, NRC, to E.S.
j lleckjord, NRC,rask Action Plan (RAP) for Ge-22.
Institute of Electrical and Electronics Engineers, neric issue (GI) 142, 'Irakage Through Electrical-472-1974,"" Guide for Surge Withstand Capability Isolators in Instrumentation Circuits,'" December Tests."
31,1990.
e i
l l
l l
i i
i 1
i i
NURiiG-1453 12
.~
NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION
- 1. REPORT NUMBER I
(2D
( Assigned t>y NRC, Add Vol.,
NRCM 1102-Supp., Rev., and Addendum Num-3M 32 2 BIBLIOGRAPHIC DATA SHEET t" * - " ="v )
l f
(See instruct 40ris on the reverse)
- 2. TITLL AND SubilILL
- 3. DATL RL POf tT PUBLISHLD Regulatory Analysis for the Resolution of Generic Issue 142: Leakage uoy7g ve,n Through Electrical isolators in Instrumentaiton Circuits September 1993
- b. Au l t+0N di
- 6. T YPE OF HEPORT C. J. Rourk Regulatory
- 7. PERIOD COVERED (inclusive Dates) 8 Pf FR ORMING OHGAN:2 ATIOf 4 - NAME AND ADDRESS 111 NHC, provide Dey!sion, OfSce er Reegion. U S. Nocear Hegulatory Commission, and maibrq address; sf contractor, provide name and mail ng address. )
Division of Safety Issue Resolution Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 9.
SPONSORING ORGANIZ ATION - NAME AND ADDRESS (If NRC, type "Same as above"; sf contractor, provsde NHC Devisson Office or Region.
U S. Nuclear Revplatory Commission, and maihng address. )
Same as 8. above
- 10. SUPPLE ME Ni ANY NOTLS 1
11, ABSTRACT (200 worets or less)
Generic Issue (GI) 142 deals with staff concerns about the design of isolation devices used to ensure separation be-tween Class 1E and non-Class 1E electrical control and instrumentation circuits. This issue was initiated in June 1987. Staff reviews of the implementation of the Safety Ibrameter Display System (SPDS) requirement indicated that some isolation devices used to provide an interface between the non-Class IE SPDS and the Class IE safety systems would allow signal leakage if electrically challenged. It was unknown if the amount of leakage posed a haz-ard to safe operation of the Class 1E system. A review of failure records does not reveal any incidents of system damage caused by isolation device challenge. Furthermore, a review of existing PRA data indicates that the safety significance of ID challenge is low, at the expected challenge event frequency. However, based upon the potential i
design variations in future control systems resulting from application of computer technology, additional design and I
quahfication test requirements for future plants are recommended.
P 12 KEY WORDS!DE SCRIDTORS (List worcs cv pnrases that witt assest researctwrs in locating the report. I
- 13. AVAILADILITY STATEME.NT Unlimited
- 14. SECURITY CLASSIFICATION Generic issue 142 m.is i am Isolation Device Unclassified IEEE 279 Interface
( * "P*")
Unclassified lb. NUMblR OF PAGES
. PR,C<
NRC FORM 335 (2-89) 1
i i
l i
1 4
Printed
- on recycled paper Federal Recycling Program
-+my
'- er
, [i i!
I h
I t
i i
- i e
w w
=
'3 tA D
9 9
LP 1 ~
AS 6
I 7
y R
ME E
E G
B SF v.
S DRO M
A N NN E
L S T T
C A UI E - M P
TS G R
E RA E
S DT P
S Or'
+
w ST
- U e
r 2C u
4 R
,c 1
I e
EC U N e
S O S
I I
T i.
C A I
R T E N g
E N
g i
EM S
g GU C
g R
V 2
F T S
OS NN I
S g
s I
O A
N g
N 1
O w
I TI N
I c
US A
T
=
LR 1
A OO C
ST 1
I EA RL L
E O R
I S UG I I 1
DE T L 3M A
RA 5DRU g OC 9A N g F I 3CA -
7 R
ST 1 - !R G
IS C 5 COD 7
e N E.
5o.FP3g I l 5N
- g AE 0
V C n,g Ni 7 SIC l
A G 1UDTey w
YU R O OR Tl e
i AT c
L O
1 IS0 S0 0
I 0
0
. M-3 e
5 t
M 5 SO5 S S E
e EC0 S U T
2 E
A Y NET R.
IS T
A S O C.
U v Bi TD R
DA L
P EL,
A N
t R
TU C
I O
1 O
NG T FFF UE G O Y R
T N
L 3
RI A
5 A H N
4 S
E E
P 1
LA G
CW E
U R
N UN 1
NUREG-1453 REGULATORY ANALYSIS FOR Tile RESOLUTION OF GENERIC ISSUE 142:
' SEPTDtBER 1993 LEAKAGE TIIROUGli ELECTRICAL ISOLATORS IN INSTRUMENTATION CIRCUITS UNITED STATES riasi CLASS Mall NUCLEAR REGULATORY COMMISSION
. POSTAGE AND FEES PAID WASHINGTON, D.C. 20555-0001 usnac.
1 U{ P C-Ot.0M0555139531 13q137 PERWT, NO. G-67 p f pg, p LICAIION$ 5VCS OFFICIAL BUSINESS PENAt TY FOR PRIVATE USE, $300 r-pi7 WASHINGTCtJ DC 20555
..m2 m
s.+-.-e w.wo,-m*es
%e+
- =.,--e.-v
..,.-*v,-
a-,w+r-e-v,.
--e
- --.meer--*..r+ee
--+w ew w
-e---.ew-+--~~<w-4 e4me-<w w ne r. %,e v
.w.,-w+-vw-o---
e
.eww---
mm,-we +
w..-ter,..--e
-