ML20206U687
| ML20206U687 | |
| Person / Time | |
|---|---|
| Issue date: | 03/30/1993 |
| From: | Saltos N NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML20206U672 | List: |
| References | |
| FOIA-99-82 NUDOCS 9902170272 | |
| Download: ML20206U687 (25) | |
Text
_ _ . _ . _ _ . . .. . _ . . . . . . .
ggm eg _ ^ t&9
, j
~
,LY :
" PRE DEC OHAL INFORM ONiOFFICI AL USE - ;
c f,;?. :i 1
4 j
. t
~
- .m _ --
.. .. y M .. . -
- f :
hyph
%3Nhhh}{fhkb;fifill;&Qn 4 S . 4,
. ., d ; ..
'4 g' .J' a i
RISK IMPACT OF ENYlRONMENTAL QUALIFICATION ! REQUIREMENTS FOR ELECTRICAL EQUIPMENT ! AT OPERATING NUCLEAR POWER PLANTS .
'l I
Q ? ;,a 9:.
.j.2,l
., .c , -
. \
l 3 Nlchclas T. Saltos Probabilistic Safety Assessment Branch , Office of Nuclear. Reactor Regulation -l l l March 30,1993 l l
~l
- pe , . , y .; .,
l 1 h 3
.., n -
7 w 9902170272 990211 [ Sh2 PDR. ,, ; e igl*-DO~l 9
P t PRE D ISIONAL INFO ATION O CIAL USE ONLY TABLE OF CONTENTS 1 Page ; i j t r
; ABSTRACT ....................................... 11 ,
( J 1.0 INTR OD U CT10N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I
, 1.1 Background .................................... I ! 1.2 Scope and objectives .............................. I 1.3 Li mi ta tions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.4 Methodology and approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1
2.0 INSIGriTS FROM LITERATURE REVIEW ..................... o 2.1 Electrical equipment components supporting risk important operations in harsh environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2 Qualitative failure data base of electrical equipment components ; 1 hnsh environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.3 Issues assaiated with *old' EQ requirements . . . . . . . . . . . . . . . 12 . 2.4 Risk.important electrical components with potentially reduced ' 4 reliabilities in harsh environments due to issues associated with *old" EQ requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.0 PLANT SPECIFIC RISK ASSESSMENT . . . . . . . . . . . . . . . . . . . . . . . 14 , l 3.1 PWR plant specific risk assessment ..................... 14 l 3.2 BWR plant specific risk assessment ..................... 18 ! \
4.0 CONCLUSION
S AND RECOMMENDATIONS FOR FtJTURE WORK . . . . 20 l
\
REFERENCES ....................................... 21 it 1 } i i I v
)
I _ __Y_
[ ! PRE- ISIONAL RMATION - L'.AL USE Y-l ABSTRACT ! Historically, plants licensed at different times were subject to different guidance and i i requirements for electrical equipment environmental qualification (EQ). Newer plants follow j NUREG 0588 Category I requirements (the EQ rule acceptable standard). A group of older ! I plants follows NUREG 0588, Category H requirements, while the oldest plar.ts follow DOR ll 4 Guidelines. De latter two groups involve relamation in EQ requirements such as ; j qualification by testing, application of margins and consideration of aging and synergistic ;
- effects. These differences in EQ requirements, in conjunction with experience data and !
preliminary test results of cables (e.g., Okonite), indicate the existence of uncertainties l 3 associated with qualification methodologies and the reliability of equipment that must !
- function in accident induced harsh environments. Dese uncertainties may be risk l 3 significant. .
The objective of this preliminary risk analysis is to use probabilistic risk assessment (PRA) j i techniques to quantify the risk impact of electrical equipment qualified under the "old" EQ : requirements (i.e., DOR guidelines or NUREG-0588 Category H requirements). However, Inmitations in current PRA models and data precluded an accurate quantitahe risk j assessment. Instead, a screening evaluation of the potential risk impact of electricas i , equipment that were qualified according to *old" EQ requirements was performed. His was i achiesed by parametrically reducing the reliabilities of equipment that are supported by
- electrical power and are required to operate in accident-induced harsh environments. These equipment include electrical components (cables, connectors, and solenoids) that must
~
function in accident. induced harsh environments and which could be major contributors to core damage.
- The scope of this preliminary analysis was limited to core damage prevention (considering .
internal esents only) and to in containment electrical equipment, with emphasis on cables. This was primarily due to time limitations and to the assumption that in-containment i electrical equipment c..rtponents are the most likely to be exposed to harsh environmena.
- Although not included in this preliminary analysis, harsh environment reduced reliabilities of
' components which support accident mitigation equipment (e.g., containment fans and sprays), , could be important to overall plant risk. In this evaluation, the emphasis is on cables since they are not routinely replaced, and they receive minimal maintenance.
I
- The first step was to identify potentially important accident sequences, for both PWR and
} BWR plants, involving harsh environments in the containment. This was followed by the identification of equipment operations that must be performed during each of these sequences 4 (e g ,2 of 2 PORVs must open for feed and bleed). Next, generic insights from PRAs and related studies were utilized to select several accident sequences for more detailed evaluation , and esentual inclusion in a parametric (sensitivity) risk study. The results of this scoping study were used, in conjunction with qualitative assessments of aging of in-containment 4 elecincal components to assess the potential risk impact of *old* EQ requirements. I l ii i b H 1
PRE- ISIONAL INFORMA ON - OFFI US Y Three plants wer: selected for quantitative risk analysis. These include two PWRs (Sequoyah and Surry) and one BWR (Peach Bottom). Resulting plant core damage frequency increases were found to be between 1 x 108 and 7 x 108 per reactor year for Sequoyah, between 8 x 108 and 5 x 10d per reactor year for Surry, and between 1 x 10' and I x 10d per reactor year for Peach Bottom. Such increases are of comparable magnitude to the core damage frequencies for these plants reported in the NUREG-1150 PRAs. More details are presented in Tables I,2 and 3 in chapter 3. Major conclusions of this preliminary risk analysis are: 1) the risk impact of 'old' EQ requirements could be significant if electrical component reliabilities are reduced in the presence of a harsh environment; 2) the magnitude of core damage frequency impact is plant specific; and 3) due to lack of reliability data bases and limitations in current PRA models, an accurate assessment of the risk associated with harsh environments is not possible at this time. Recommendations for future and more accurate evaluation of this issue are also included . i e f P b i iii w i4
' +
,i,,y, a4 , , .,
P -DECISIONA ORMAT10N o CIAL US i l
1.0 INTRODUCTION
1.1 Background _ Nuclear power plant electrica] equipment used to perform a safety func00n must be capable , of operating reliably under all service conditions, i.e., norma] operation as well as accidents , postulated to occur during the equipment's installed life. 'Ihis must be demonstrated by ;
- environmental qualiGration" (EQ) of the equipment. Since safety systems rely on redundant
-l equipment, EQ aims at demonstrating that a common-cause failure will not occur during 3) design basis events. Specific requirements pertaining to EQ of certain electrical equipment j important to safety are contained in 10CFR50.49.
EQ has evolved gradually over the years in terms of design criteria, technical sophistication, and licensing requirements. Plants of various vintages are committed to differing NRC EQ 5 requirements [1]. The EQ rule implies that meeting the provisions of NUREG-0588 ,l Category I (IEEE 3231974 and Regulatory Guide 1.89, Revision 1) constitutes compliance -> _ with the ru!c. It requires that all new and replacement equipment in existing plants be quahned to its requirements unless there are sound reasons to the contrary. However, it does not mandate that any equipment previously requiring quali6 cation to lower standards (i c., NUREG 0588 Category II or DOR Guidelines) be requaliSed to the rule. This is termed as the rule's "grandfathering" provision. Grandfathering maintained important differences in EQ requirements for different groups of plants. Newer plants follow NUREG- i 0588 Category I requirements (the EQ rule acceptable standard). A second group of older
- p. ants follows r4UREG-0588 Category D requirements, while a third group (the oldest) follows DOR Guidelines. The latter two groups involve relaxation in EQ requirements such ;
as qualification by testing, application of margins and consideration of aging and synergistic effects as well as a reduction in the quali5ed limits for certain equipment. 1 1 There are approximately 84 operating reactors with "old* EQ requirements (i.e., NUREG- l 0588 Category !! and DOR Guidelines). These differences in EQ requirements, in . -l conjunction with preliminary test results of cables (e.g., Okonite and other pre aged cable testing at Sandia National Laboratories), indicate the existence of uncertainties associated
'l
with quahfication methodologies and the re!3bility of equipment that must function in harsh environments. These uncertainties may be risk significant, in particular for plants qualified under the DOR guidelines or NUREG-0588 Category !! requirements. Therefore, quanti 6 cation of the risk impact of electrical equipment quali0ed using *old" EQ requirements (i.e., DOR guidelines or NUREG 0588 Category 11 requirements) is needed. His would provide an overall risk perspective of issues related to *old" EQ requirements. 1 _= 1.2 Scope and Objectives j A complete analysis of the risk impact of the environmental qualification (EQ) of electrical equipment should consider equipment in all locations, both in containment and outside l _i _ l e!
,,m
l ! P DECISIONAL RMAT10N OFF USEJ)NLY I . containment, where a harsh environment can occur during certain accidents. For each of l these locadons, the effect of the harsh environment on the reliabilities of electrical
- =
components, which support equipment that serve either a core damage prevention or an . accident minganon function, should be assessed. i The scope of the present analysis uns limited to core damage prewntion (considering Imernal , ennis only) and to in-containment electrical equipment, with enphasis on cables. This was ' j primarily due to time limitations and to the assurnpdon that in<:ontainment c!cctrical , j equipment components are the most likely to be exposed to harsh environments (e.g., during LOCAs and in-containment main steam line breaks). It should be noted, however, that reduced reliabilities of some electrical equipment located outside the containment, due to the j
- presence of a harsh environment (e.g., high energy pipe breaks and interfacing system i LOCAs), could also have significant risk impact at some plants. Moreover, reduced =-
- reliabilities of electrical components which support equipment used for accident mingadon =
i (e.g., containment fans and sprays), during the presence of a harsh environment, could be - l l important to overall plant risk. The emphasis was on cables because they are not routinely j replaced and receive only minimal maintenance. It is recommended that $e scope of the g-present analysis be extended in the future to include c!cctrical components outside the K l containment as wels a those supporting equipment performing an accident mingadon j function. I 1 l The major objectives of this preliminary risk ana.tysis are listed below. i
- Identify electrical equipment components, such as cables, connectors, and L solenoids, that must function in accident induced harsh environments and 1 l which could be major contributors to core damage. l
- Use probabilistic risk assessment (PRA) techniques to conduct a screening
, esaluafx of the potential risk impact of electrical equipment that were
- qualified according to *old" (i.e., DOR or NUREG-0588 Category II) EQ j
, requirements. I l It is recommended that the present analysis be extended in the future to include the following j objectives. f Obtain a more accurate assessment of the risk associated with EQ issues and ,
- use it to compare the risk impacts of the several EQ requirement standards (i.e., NUREG-0588 Category I, Category f1 and DOR guidelines).
j e identify areas where additional analyses and/or testing may be necessary to { reduce EQ.related uncertainties. i j 2 m
/ .
P ECISIONAL INFP JdATION O IAL USE Y
- Um PRA technique to identify and dernonstrate the effecti.cness of measures for reducing risk (e.g., uw of reliability assurance and maintenance rule requirements).
1.3 Llrnitations As operating plants become older, their safety related electrical equipment and components should maintain their ability to perform reliably in a harsh environment. Studies have shown that aging related degradations, of both active components (e.g., valves and pumps) and passive components (e.g., cables), could cause significant risk increases if aging is not effectively managed. Ideally, PRA provides a method to assess the importance of harsh environment equipment reliabilities on risk. Models were developed to quantify the risk due to an increase in active standby component unavailability, passive component failure probability, and accident initiating event frequency. "Ihis increase is estimated as a function of equipment age, equipment aging rate and the quality and effectiveness of Ae plant maintenance program. In reality, there are limitations in current PRA models and data that preclude an accurate quantitative assessment of the risk significance of issues associated with the environmental qualification of safety related equipment. The most important of these . limitations are summarized below. ; i e Lack of reliability data basesfor equipment in harsh environments. PRAs assume the same reliabilities in hush environments as for normal operation. This implies that ensironmental qualification assures that equipment reliabilities stay at their normal . operation levels when esposed to harsh environments during accidents. This PRA assumption, howeser, has not been validated by caperimental evidence. In fact, in i some cases, there is evidence to the contrary. : e lack ofmodels to twiuate the impact of EQ requirements on equipment reliability. In particular, there are no models to evaluate the impact of the lower qualification -[ standards associated with "old* EQ requirements on ciectrical equipment reliability in harsh environments. ' e Lack of aging related degradation data. There are no adequate data for aging related l degradation of electrical components in their normal operation environments. This is particularly true for passive components, such as cables. e back of correlations betsten aging-related degradation of equipment and their ability to perform under accident induced harsh ensironments. This includes modeling the
~
potential for common cause failure of redundant equipment or componente, in a harsh ; environment, following their aging related degradation. I 3 - l
4 l P ECISIONAL INFO TION - OFFI USE Y :
- Lack of the detailed system descrfprions required to assess .the risk signficance of EQ lssucJ. For example, current PRA models do not contain the level of detail that is necessary to investigate the operability of the steam generator level transmitters or the operability of a motor-operated valve control cable.
e Lack ofplant status instrwnentarlon models. Instrumentation indications are used by i the operator during an accident to diagnose the status of the plant, make informed ; emergency response decisions, and develop appropriate accident mitigat ion strategies. For example, containment pressure indications will automatically actuate chemical ;
) sprays. However, in the event that automatic initiation fails, the operator can i manually initi:te spray operation if other indications are available. Current PRAs lack models that relate risk, via the operator interface, to containment pressure indi.e. *.
e insuficient PM analysesforpipe breaks outside ofcontainment.
- Limited models ofpost core melt accid,'nt management strategies.
? Due to the above mentioned limitations, a parametric (scoping) risk analysis was performed. De reliabilities of equipment that are supported by electrical power and are required to operate in a harsh environment, were reduced parametrically to simulate the effect of potential common cause failures. 1.4 h!cthodology and Approach j ne first step was to identify potentia!!y important accident sequences, for both PWR and 1 BWR plants, involving harsh environments in the containment. This was followed by the identincation of equipment operations that must be performed during each of these sequences ! (e.g.,2 of 2 PORVs must open for feed and bleed). Next, generic insights from PRAs and' related studies were utilized to select several accident sequences for more detailed evaluation and esentual inclusion in a parametric (sensitivity) risk study. The judgement for this l selection was based on a combination of the following considerations. e ne presence of in containment electrical components (e.g., cables, instrumentation and solenoid operators) which support safety equipment operations needed to prevent or mitigate accidents. i e Accident sequences during which these safety equipment operations take place, including timing and potential for recovery.
- De presence of electrical components for which there are reasons to believe that their i reliability may be reduced during operation in harsh environments. ,
.)
l 4
I 5 I i P DECISIONAL T10N - OFFIC L USE Y l FinaDy, the selected acciderat sequences were used to perform a scoping risk study by l parametrically reducing equipment rdiabilities to simulate the effect of potential common- ! cause failures in a harsh environment. The results of this scoping study were used, in conjunction with qualitative assessments of aging ofin-containment electrical components and l the limited experience information avannble, to assess the potential risk impact of 'old' EQ , j requirements. i ) 1 i ! l i '
+
i
+
I
! t 1
) I i , l, i - i. 4 5 l 1 i 1 J J
; 5
ECISIONAL INF 'I1ON - OFFIC SE ONLY
. l 4
2.0 INSIGHTS FROM LTTERATURE REVIEW ' A literature review was conducted to identify information that could be used to assess the risk impact of EQ requirements for electrical equipment at operating nuclear power plants. " An early conclusion was that none of the published PRAs have explicitly considered aging and that no adequate data and models were available to perform a detailed quantitative risk i assessment in the short term. For this reason, it was decided to perform a preliminary risk ; scoping study to assess the potential risk impact of 'old* EQ requireme-ts. Equipment : i reliabilities were reduced parametri: ally to simulate the effect of potential common <ause failures in a harsh environment. Only if this preliminary risk analysis indicates that the risk ; impact of "old" EQ requirements is potentially high, will a more detailed analysis be tiecessary. The literature review provided several insights that guided this preliminary risk scoping study and could form the framework for a more detailed risk analysis in the future. These insights i were used to achieve the following: focus the analysis on electrical equipment components supporting risk important
, operations which take place in accident induced harsh environments (Section 2.1) e develop a qualitative data base including information related to failures of electrical j f equipment components in harsh environments such as failure modes, failure ;
j mechanisms, NRC information notices and industry research test results (Section 2.2) l
- identify EQ issues, i.e.,
- deficiencies" associated with the lower standards of the '
*old" EQ requirements such as not considering aging and synergistic effects (Section 2.3) '
i e identify risk irrportant electrical equipment components which may have, as a result of the lower standards of the "old" EQ requirements, reduced reliabilities when exposed to a harsh environment (Section 2.4) 2.1 Electrical equipment components supporting risk Important operatforts In harsh ensIronments In containment electrical equipment components whose failure (random or common-cause) can affect risk important operations were identified (2]. 'They are summarized below. PWRs Cable systems (e.g., cable, connectors, penetrations, splices) t
- PORV solenoid operators 4
6
P -DECISIONAL INFO TION - OFFI USE ONLY o PORY block valve motor operators o Instrumentation (pressurizer pressure and level, SG level detectors, containment pressure, primary RTDs, hydrogen detectors, and high range radiation monitors) j o Electrical components providing support to containment isolation valves, containment j fans and spray system (accident mitigation only) BWRs ! o Cable systems (e.g., cable, connectors, penetrations, splices) ) o Safety relief valve (SRV) and Main Steam Isolation Valve (MSIV) solenoid operators i ! o MSIV bypass valve motor operators o low pressure and vessel level sensors, and reference leg detector piping i j o High range radiatian monitor (provic s information to the operator nor accident management, e.g., offsite evacuation) i I Failure of these components can affect safety system operation, as well as operator a:tions, l in one or more of the following ways: l o Failure to provide motive and control power to components inside containment (e.g., { to start and run pumps and fans and open or close motor-operated and solenoid-l operated valves). o Failure to generate and convey electrical signals from in-containment instrumentation for automatic actuation and operation of ESF systems as well as for control room displays (e.g., SG level, BWR vessel water level, and containment pressure). o Likelihood that a failure of an in containment electrical component (e.g., cable) is spread to components outside containment (e.g., due to failure of protective devices, miscoordination among circuit breakers of different sizes, and erroneous signal). An important factor that affects the reliability of the above mentioned electrical components in a harsh environment is the time of exposure to such an environment. Equipment operations that are required to take place at the beginning of an accident that causes a harsh 7
)
l PRE- ECISIONALINFO TION - OF IAL USE ONLY
/
environment have better chances of success than equipment operations required several hours i into the accident. \ 2.2 Qualitative failure data base of electrical equipment components in hcrsh environments Stressors Service conditions include normal (environmental and operational) as well as harsh environment conditions. Certain elements or " stressors' of service conditions can affect equipment condition and performance. Harsh environment stressors, in general more v.- e than normal (environmental and/or operational) stressors, may cause immediate failures m age degraded compor.a.'s because of the high intensity or unusual nature of the stressor. This could defeat system redundancy by incapacitating the two or more paths or trains available for providing essential safety functions (common cause failures). EQ programs aim to prevent such common cause failures resultir.g from harsh environmental stressors contributing to aging of electrical components. Examples of normal environmental stressors are temperature, radiation, moisture, dust and distortion pressure. Examples of normal operational stressors contributing to aging of electrical components are thermal cycling, maintenance disturbances (e.g., flexing of cables) and current or voltage surges. Examples of harsh environment stressors, which can lead to common-cause failures of electrical components aged by normal stressors, are steam condensation, high temperature Icvels and
, gradients, radiation and chemical sprays.
- I l Degradation Sites Normal aging of c!cct.:ct! components could lead to degradations of concem and jeopardire the required safety performance under either normal or harsh environmental conoitions. De latter condition is more critical because of the potential for high risk common-cause failures.
In order to assess the degree of depadation of the various in-containment electrical components, it is necessary to focus on locations where aging stressors are most severe. If components in those locatiom are free of degradation,'then similar components in less !j stressed locations are likel; - be in good condition. 4 Considerations that help identify potentially serious degradations sites are: a) maximum environmental severity during normal plant operation; b) physically demanding installation configuration; c) potentially susceptible designs; and d) records of experience. Exampics of degradation sites are: 1) electrical penetrations to devices; 2) maximum therrr.al/ radiation areas; and 3) wet or moist locations, ne review of aging rehted failures during normal
. operation indicates the presence of events in the following categories: corrosion, dirt, 5
defective connector, loose connector, short/ grounded, open circuit, cable insulation I i
. 8
- x. ,
. . .m .e.
PRE- ECISIONAL INFO ON - OFFICIAL ONLY breakdown, and cable embrittlement. Dese event categories can be associated with one or more type of degradation sites. Aging Afechanisms Aging mechanisms describe how stressors affect particular material properties or componenu of electrical equipment in ways that may lead to several aging induced failure modes when 1 exposed to a harsh environment. Examples of aging mechanisms for cable systems are listed below [3J. <
- Temperature / Radiation / Oxygen diffusion induced chemical reactions occur over time in polymeric compounds used as cable insulation and jacket materials. Dese 4
reactions inject or leave electrolytes, charged ions, or other molecular debris in the
. molecular structure of these compounds. De effect of this is to increase the de i
leakage currents (lower the insulation resistance), increase the ac losses and reduce the elasticity (increase brittle fracture) of the compound. When these cumulative ', chr ges in electrical and mechanical properties are followed by a rise in temperature. radiation dose rate and humidity, as during the presence of a harsh environment, the result is an immediate ed substantial increase in leakage currents and ac losses and h. j susceptibility to moisture induced shorts and grounds.
- Moisture entering cables as a result of breaks in (or diffusion through) the jackets initiates corrosion of shields. Moisture within cables and seepage through broken i
seals of connections may lead to the corrosion of connector contacts. This occurs over long periods of time leading to random failures during normal service. However, in a harsh environment, this failure mechanism is accelerated. Sudden intrusion of water into corrosion sensitive components can cause the loss of shield continuity and raise the noise level. The functional failure of the a'fected circuit
; depends on its sensitivity to noise. Such failures, when combined with connection ,
failares caused by accident related ficxing or vibration, would become common-cause l failures.
- Cable flexing or vibration can compromise the silicone rubber seals used in cables with mineral insulated connectors at cable terminals. His results in a decrease of tie insulation resistance (increases Icakage) and functional degradation.
i
.I Potential Failure hfodes .
Normal operation stressors affect electrical equipment performance by initiating aging mecha,. isms which may lead to degradation and eventual random or common-cause failure if this equipment is subsequently exposed to harsh environment stressors such as those of a LOCA. Equipment in locations where stressors are the most severe (degradation sites)is the most vulnerable. The various modes a particular equipment can fail (i.e., its ' failure I 9 l l
,- P DECISIONAL INFO , ON . OFFICIAL SE ONLY
,' modes") are coupled with the stressors, failure mechanisms and degradation sites that are associated with that particular equipment. Eaampics of potential failure modes for cable systems are listed below [3).
- 1. Increased series resistance (an open circuit being the entreme case)
- 2. Increased leakage current (decrease of insulation resistance)
- 3. Grounding of a conductor i
- 4. Short circuit between conductors
- 5. I.arge changes in ac losses or capacitance (impedance change)
- 6. Spurious signals from electrolyte or thermoelectric effects 1
I
- 7. Increased noise pick up (shielding or grounding problems) l l In general, metallic conductor as.d connector components of cable systems possess characteristics that relate to the occurrence of failure modes I and 6; characteristics of insulating components relate to modes 2 through 5; and the properties of cable jacket and shielding components relate to modes 5 and 7. It is important to note that the sensitivity of l operating electrical circuits to changes and noise in the cable system vary widely depending )
on the connected devices and the required accuracy of these devices. For this reason, the assessment of the cabic performance in harsh environments must be based upon realis*ic circuit tolerance figures. NRC Initiatives and Test Program Through 1991, NRC has issu'ed 172 information notices,41 bulletins, and 15 generic letters "related to EQ of various electrical equipment components. Several of these NRC actions involved in-containment components whose failure affects risk important operations (see
. Section 2.1 above). In addition, NRC has sponsored several research tests related to electrical equipment performance in harsh environments. Relevant information for risk-important electrical components is summarized below (2). -
MolpLQPualoin EQ related deficiencies of Limitorque valve operators (approximately 95% of motor operators used by the nuclear industry) were found. Deficiencies included the use of underrated terminal blocks, the use of terminal blocks that lack proper EQ, improper switch settings, unqualified internal wiring, problems with the similarity analyses, improper materials selection and assembly, and installation practices different from the tested , configuration. i 10 1 7 ww
PRE ECISIONAL INFORMA OFFICIAL USE NLY - 1 Solenoid Ooet112I1; Many solenoid operators are continuously energized during normal operation in order to fail safely in the event of loss of power. nis creates higher internal temperatures, and can lead to faster aging, than those experienced by non-continuously j 4 energized solenoid operators. Operating problems with solenoid operators are mentioned due to causes such as higl temperature ambient conditions, presence of hydrocarbon
; contaminants, and chloride contaminants causing open circuits in coils. NRC research testing of solenoid operators in harsh environments revealed considerable intrusion of water into the coil housing and a sensitivity to the use of air as a process medium.
Cables: In 1977 Sandia National Laboratories eaamined 55 cab!c qualification summary reports performed by Franklin Research Institute for its customers, typically cable
, manufacturers. His examination indicated that during harsh accident environments cables may fail with probabilities much hi;her than those assumed in the PRA. Recent Sandia LOCA testing of pre-aged cables showed that 18% of cables pre-aged to 20 years and subsequently exposed to a simulated LOCA environment failed. He percentage of failure increased to 23% for cables pre aged to 40 years and to 32% for cables pre aged to 60 years.
l ' Another indication of potential reduced reliability of cables in harsh environments is the recent Sandia LOCA testing and observed failures of Okonite cables. It is diff crit to draw t 'l strong conclusions based on the small sample size. These results lack unaged control samples for comparison. De testing does not approve or disapprove the adequacy of current qualification practices and requirements. However, these results should be a cause for 4 concern since all risk important operations in a hush etnironment rely on cable performance. ! ElectrisadsncirAtionn Extensive qualification and research testing has been performed on
- c!cctncal penetrations. De results indicated that, depending on the harshness of the -
i ensironment, integrity can only be insured for time periods of 3 to 24 hours. Thus, failure { probabilities in excess of those used in PRAs would be expected during the latter portions of . exposure to a harsh environment. The major concern is that in containment instrumentation l circnits might provide erroneous readings if electrical penetrations have low insulation
, resistances between circuits or to ground. LOCA testing of electrical penetration assemblies (EPAs) performed at Sandia National Laboratory indicated a low insulation resistance for i approximately 4% of the circuits early in the simulation and for approximately 85% of the
! circuits during post test cooldown. Post-examination of the electrical penetration ! feedthroughs suggestc.J that degradation was aggravated by the accelerated aging exposures l that preceded the harsh environmer.t exposure. Iermioaulleds NRC inspections found use of unqualified terminal blocks even though , ! utilities base replaced terminal blocks used in instrumentation circuits inside containment. In ; i the presence of condensing steam, terminal block leakage is high. Hence, PRA failure
- probabilities that are based on normal operation performance of terminal blocks may be j inappropriate to describe performance in harsh environments.
i [ l1 l l 2 I
- ECISIONALINF
, P ATION - OFFIC SE ONLY Trammittere Test results suggest that transmitters may function with less reliability in harsh l
environments than that assumed in PRAs. There are several NRC notices on transm operability such as installation problems affecting the differential pressure sensing lines and 1 transmitter errors caused by thermalinstability during the first hour of erposure to a harsh
!{ cnvironment.
A j 2.3 Issues associated with "old" EQ requirements Plants designed, constructed, and licensed at different times have different guidance and ]j. requirements for the pre-aging, type testing, and documentation of electrical equipment i component qualification. For example, in contrast to guidelines for later plants, guidelines for earlier plants do not require that samples for LOCA testing be pre-aged before testing. > Also different samples are permissible for demonstrating resistance to aging stresses and resistance to a LOCA. Absence of voltage breakdown during the LOCA test of cab!cs is
- j. cons: tered acceptable with no examination or post environmental test to demonstrate margin.
l Doc .n.< itanon required for the electrical equipment qualification of early plants can basically ,, state t;. the tests were done. 1
- \
important issues, associated with *old" EQ requirements whose effect on equipment reliability in harsh environments needs to be evaluated, are listed below [2,3]. Not taking into account aging (e.g., due to exposure to environmental and operational I stressors such as temperature, radiation and humidity). {
- l Not taking into account synergistic effects (e.g. simu.r.neous exposure to radiation i and steam as opposed to sequential exposure).
- Failure to demonstrate margin (to account for normal variations in commercial production of equipment and reasonable errors in denning satisfacto;f performance).
i j
- Qualification by analysis (e.g. to demonstrate functional performance requirements of
- components).
l W Functional and material similarity between installed and qualified components. fh Not taking into account installation practices during qualification (e.g., component orientation and interfaces). , i i - Not taking into account potential variations in electrical inputs during qualification { (e.g., degraded e itage).
- f i(
S M
$ 12
- p lk
,e I y, . I I
- k.
, w wl
?
P ECISIONAL INFORM ON - OFFICIAL ONLY
. 2.4 Risk In,portant electrical components with potentially reduced reliab!Ilties in barsh environments due to issues associated with "old" EQ requirements i
i i The following electrica! components support risk significant operations in harsh environments. They also may have, as a result of the lower standards of 'old' EQ ' requirements, reduced reliabilities when exposed to a harsh environment [2]. l l' ] PWRs j
- Solenoid and Motor Operators (including associated cables, connectors, penetrations, ;
j and valve position indication devices). Historically, PORV-related operators were not l l included in utility EQ rnaster lists; have been the focus of NRC information notices, ! inspection findings and research programs; and are susceptible to aging which was not
- considered in plants with "old" EQ requirements. -
- Steam Generator Level Detection Circuits. Typically consist of a differential pressure l transmitter and associated connections, splices, cables, and electrical penetrations; and :
i i have been the focus of NRC information notices, inspection findings and research programs. They are susceptible to thermal degradation of transmitter electronics and [ age degradation of O-ring seal with subsequent moisture intrusion to the transmitter ciectronics. ! BWRs , l I
- Solenoid and Motor Operators (including associated cables, connectors, penetrations
- and valve position indication devices).
i
)
l l 1 i { 13 l l 1 r nm.m w.
P ECISIONAL INFO { TION - OFFIC SE rNLY
~
, 3.0 PLANT SPECIFIC RISK ASSESSMENT nree plants were selected for quantitative risk analysis. These include two PWRs (Sequoyah and Surry) and one BWR (Peach Bottom). Among the reasons for sclecting these plants were the availability of PRAs [4), the availability of drawings showing corr'ponents inside containment, they are representative of PWR and BWR plant populations, and they follow *old' EQ requirements.
Risk important electrical components with potentially reduced reliabilities when operating in a harsh environment, common to all PWR plants, are: 1) electrical components supporting PORV and PORY block valve operations; and 2) steam gene.ator level detector circuits. Similarly, risk important electrical components with po:entially reduced reliabilities when i operating in a harsh environment, common to all BWR plants are: 1) electrical components supporting Safety Relief Valve (SRV) operations and 2) electrical components supporting Main Stearn Isolation Valve (MSIV) and MSIV bypass operations. A brief review of safety systems at several plants indicated a plant specific variauon of components, inside the containment, in addition to the common components mentioned above, which may be important risk contributors if their reliabilities are reduced when they are required to operate in a harsh environment. Examples are: Sequoyah, Surry, and Indian Point: Normally closed MOVs are required to open, at approximatch 15 hours into a large or medium LOCA, to provjde hot leg a recirculation. Indian Point 3: Two of the four pumps which are used for emergency core cooling during the recirculation phase of a LOCA, as well as their associated normally closed MOVs, are located inside containment. These pumps are required to o;.;nte in a harsh environrnent for several hours during a LOCA. l 3.1 PWR Plant Specific Risk Assessment
- Risk important core damage sequences, and related in-containment components facing harsh environments, were identified. This was achieved by combining generic information from the litera:ure review, presented in chapter 2.0, with plant specific information extracted from the Sequoyah and Surry PRAs [4). These sequences, which are the same for both plants, are listed below.
1
- 1. LargCM mcdiumJ.OCAs wilUaihge of hot leg recircultdom Hot leg recirculation )
is required at both plants at approximately 15 hours into the LOCA to prevent flow ' blockage due to concentration of boron in the reactor vessel. Affected in contJnment comr ..nents are: 14
P ECISIONAL INFO TION - OFFICIAL U ONLY : l At Sequoyah, one normally closed motor-operated valve (MOV)is required to l open, by remote manual actuation, at approximately 15 hours into the accident , to allow low pressure recirculation through the hot legs. If this valve fails to open, the operator will try to use the safety injection pumps as a back up. At Surry, one of two normally closed MOVs must open at approximately 18 hours into the LOCA, to provide hot leg recirculation.
- 2. Small and transient induced LOCAs followed by failures of AFW and " feed and i bleed' ooeration In the event of small break or transient induced LOCAs, core j cooling is maintained by either high pressure injection and auxiliary feedwater (AFW) t or by " feed and bleed" operation using high pressure injection and pilot-operated
- relief valves (PORVs). In-containment components affected by the harsh environment (for both Sequoyah and Surry) are:
- Steam generator (SG) level detectors: failure to provide correct indication to l the operator, at several hours into the LOCA, will impact AcW flow and .,
q possibly AFW operation. , i {
- PORV solenoid and block valve operators: common-cause failure would prevent PORVs and block valves to open for " feed and bleed" when demanded at several hours into the LOCA (following failure of AFW) 4 l Current PRAs use normal operation statistks to model both the reliability of the AFW l
function and the " feed and bleed" function. However, both of these functions rely on
; operation of electrical components that are located in containment and hence subjected to the ;
hanh environment caused by the small or transient induced LOCA. De above accident l l sequences and associated affected components were used to conduct a screening evaluation of ; the potential risk impact of electrical components that were qualified according to 'old" (i.e., i DOR or NUREG-0588 Category f!) EQ requirements. His was achieved by parametrically - reducing the reliaoilities of affected equipment to simulate the effect of potential common- j i cause failures in a harsh environment. It was assumed that the probability of AFW failure l j following incorrect SG level indications is 0.2. This implies that the operator can use l altemative instrumentation effectively to control AFW flow following the failure of SG Icvel detectors. l j The re:ults of the parametric risk analysis are presented in Table I for Sequoyah and Table 2 j for Surry. De. probability of failure cf a single coinponent when demanded, A, was varied .
; from 0.1 to 0.3. This reDects a subjective assessment of the qualitative information 1 presented in Chapter 2. De percentage of all failures affecting single, redundant, components which are due to common-cause, #, was taken to be either 50% or 100%. nis is consistent with the high probability assumed for single components which implies the presence of common-cause failure mechanisms. De product of Xo and S gives the common- ! cause failure probability, X,,,
i 15
~
= MNN,'FW 4 m,___
I l l
~
. PRE-D ISIONAL INFORMATIO OFFICIAL US NLY l l
Table 1. Core Dar. age Frequency (CDF) Increase Due to Common-Cause Failures of l Electrical Components in a Harsh Environment for Sequoyah (Base Case CDF: l 1E-4/yr). i l SINGLE COMPONENT AND AFFECTED AFFECTED COSB10N CAUSE CDF l SEQUENCE" COMPONENTS FAILURE PROBABILITIES INCREASE (per year) I Ao 4(%) ke ' Large and Hot log recirculation 0.1 - - 2E-6 l Medium MOV (fails to open) 0.2 - - 4E-6 LOCAs 0.3 - - 6E-6 Small LOCAs PORV solenoid 0.1 50 0.05 IE-5 operators; PORV 0.2 50 0.1 2E-5 block valve motor 0.2 100 0.2 4E 5 operators; SG level 0.3 100 0.3 6E-5 , detectors Transient- PORV solenoid 0.1 50 0.05 IE-7 I
- Induced LOCAs operators; PORV 0.2 50 0.1 2E-7 ;
- block valve motor 0.2 100 0.2 4E-7
- operators; SG level 0.3 100 0.3 6E-7 ;
detectors ! l All affected Hot leg recir- 0.1 50 0.05 IE-5 l sequences culation MOV; 0.2 50 0.1 2E-5 1 PORV solenoid 0.2 100 0.2 4E-5 operators; PORV 0.3 100 0.3 7E-5 block valve motor operators; SG level l detectors 16 l
~
. - I ,
l PRE D, S!ONAL INFORMATIO CIAL USE OyL'? Table 2. Core Damage Frequency (CDF) Increase Due to Common Cause Failures of , Electrical Components in a liarsh Environment for Surry (Base Case CDF: ; 2.5E 5/yr). l t i SLNGLE CO51PONEAT AND I a AFFECTED AFFECTED C05DION-CAUSE CDF
- SEQUENCES COh!PONENTS FAILURE PROBABILITIES rNCREASE A, #(%) Ace ,
Large and The twa hot leg 0.1 50 0.05 SE-5 Medium recirculat;on MOVs 0.2 50 0.1 IE-4 LOCAs (fail to open) 0.2 100 0.2 2E-4 03 100 0.3 3 E-4 PORV solenoid ! Small LOCAs operators; PORV 0.1 50 0.05 IE-5 block valve motor 0.2 50 0.1 2E 5 operators; SG level 0.2 100 0.2 4 E-5 detectors 0.3 100 0.3 6E 5 Transient- PORV solenoid 0.1 50 0.05 2E-5 Induced LOCAs operators; PORV 0.2 50 0.1 4E 5 block valve motor 0.2 100 0.2 8E-5 operators; SG level 0.3 100 0.3 IE-4 detectors { dll affected Hot leg recir- 0.1 50 0.05 8E-5 , sequences culation MOVs; 0.2 50 0.1 2 E-4 PORV soienoid 0.2 100 0.2 3E-4 operators; PORV 0.3 100 0.3 5E-4 l block valve motor operators; SG level detectors l 17 j
, mmy m e w ee en
PRE-y ISIONA1. INFO TION - OFFICIAL. US M.Y for redundant components (such n PORV solenoid operators and SG 1evej detectors). Resulting plant core damage frequency increases vary from 1 x 108/ year to 7 x 108/ year for Sequoyah and from 8 x 108/ year to 5 x 10d/ year for Surry. Such increases, which are comparable with NUREG-1150 estimates of base case core damage frequency for these plants, indicate that the risk impact of "old' EQ requirements can be significant if electrical component reliabilities are reduced due to the presence of a harsh environment. 3.2 BWR Plant Specific Risk Assesstnent Risk-important core damage sequences, and related in-containment components facing harsh environments, were identified. This was achieved by combining generic information from the literature review, presented in chapter 2.0, with plant specific information extracted from the Peach Bottom PRA [4]. These sequences, are listed below. .
- 1. Inlinncdiate and small LOCAs followed by random failure of high pressure coolant inigslion (HPCI) and common-cause failure of the safety relief valves (SRVs) to ooen in a harsh environment: Opening of SRVs it required to depressurize the primary system so that low pressure coolant injection (LPCI) systems can be used to cool the core. Affected in-containment components are SRV solenoid operators whose failure will prevent SRVs to open when demanded, possibly at several hours into the LOCA.
- 2. Transierit with loss of suppression pool cooling followed by common-eause failures of SRVs and MSIVs in a harsh environment (TW secuesch The MSIVs must open, in a harsh environment, to restore the power conversion system and thus avoid further heat up of the suppression pool. Failure of the MSIVs would lead to failure of the HPCl/RCIC pumps (due to seal failure) and need to use the SRVs to depressurize and continue core cooling by low pressure injection. Failure of the SRVs to open in a harsh environment leads to core damage. Affected in containment components are SRV and *.!SIV solenoid operators and MSIV bypass valve motor operators. SRV operation could be required for approximately 22 hours during the accident.
Operation of MSIVs may be demanded any time before core melt. i i The above accident sequences and associated affected components were used to conduct a
)
screening evaluation of the potential risk impact of electrical components that were qualified ! according to "old" (i.e., DOR or NUREG 0588 Category !!) EQ requirements. This was l achieved by parametrically reducing the reliabilities of affected equipment to simulate the effect of potential common-cause failures in a harsh environment. The results of the parametric risk analysis are presented in Table 3. The probability of , failure of a single component when demanded, Ao, was varied from 0.1 to 0.3. This reflects ; a subjective assessment of the qualitative information presented in Chapter 2. The percentage of failures affecting single, redundant, components that are due to common-cause, B, was taken to be either 50% or 100%. This is consistent with the high probability assumed 18 l l
~
PRE DF ' SiOrwAL INFORM ON - OFFICIAL USE Y for single compon is whi:t imphesits pusence of cormnen :ause failure mechanisms. l ne product of ( and 4 gwes the wmmorre.euse failure probability, A.,, for redundant
; components (such as SRV solenoid operators, MSfV solenoid operators, and MSIV bypass 1 valve motor operators). Resulting plant core damage frequency increase estimates vary from ; ! l x 108/ year to 1 x 10'/ year. Such increases, whi:h are comparable with the NUREG-1150 l l estimate of base case core damage frequency for Peach Bottom, indicate that the risk impact i;
{ of 'old' EQ requirements can be significant if electrical component reliabilities are reduced l due to the presence of a harsh environment. ( ! Table 3. Core Damage Frequency (CDF) Increase Due to Common-Cause Failures of j Electrical Components in a Harsh Environment for Peach Bottom (Base Case CDF: SE 6/yr). SINGLE COMPONENT AND i AFFECTED AFFECTED COMMON CAUSE CDF SEQUENCES COMPONENTS FAILURE PROBABILITIES INCREASE l A, #(%) Ace i ! Intermediate SRV solenoid 0.1 50 0.05 3E-6 l and Small operators 0.2 50 0.1 6E-6 LOCAs 0.2 100 0.2 1E-5 { ! 0.3 100 0.3 2E-5 i l Transient with SRV and MSIV 0.1 50 0.05 IE-5
- loss of solenoid operators 0.2 50 0.1 2E-5
- suppression and MSIV bypass 0.2 100 0.2 4E-5
- pool cooling valve motor 0.3 100 0.3 6E-5 (TW sequence) operators l
l All affected SRV and MSIV 0.1 50 0.05 IE-5 l sequence.s solenoid operators 0.2 50 0.1 3E-5 and MSIV bypass 0.2 100 0.2 SE-5 valve motor 0.3 100 0.3 IE-4 l operators j .
- 19
.- - \
. PR&D ISIONAL INFORMA - OFFICIA ONLY .
j
4.0 CONCLUSION
S AND RECOMMENDATIONS FOR FUTURE ' WORK The major conclusions from this preliminary risk analysis are summarized below. e Core damage frequency estimates for both PWR and BWR plants could increase significantly if electrical equipment reliabilities are reduced due to the presence of a
- harsh environment.
e Current PRA perceptions regarding important risk contributors could change if { electrical equipment reliabi:ities are reduced due to the presence of a harsh environment. 4 e The magnitude of core damage frequency impact is plant specific.
- Due to the lack of reliability data bases and the limitations in current PRA models, an accurate assessment of the risk associated with harsh environments is not possible at i
this time. ; The following future work is recommended. e Identify potential failure modes of aged in-containment e, .ical equipment required to be able to function in harsh environments. e Devise a grouping scheme for c!cctrical equipment in harsh environments to guide the selection of failure probabilities for the severtl failure modes. Such a scheme could be based on expert clicitation using available information (e.g., failure modes and + associated stressors, failure mechanisms, and degradation sites as well as other available qualita.ive information on "old" EQ requirements and specific compone ,t j vulnerabilities) and substituted for the lack of reliability data bases.
- Assess the likelihood that a failure of an in<ontainment electrical component is
- propagated to components outside containment (e.g., due to failure of protective devices, miscoordination among circuit breakers of different sizes, erroneous signals, etc.). ,
I
- Assess the need for human reliability analysis which takes into account the presence l of erroneous indications, failure of required automatic actuations as well as the l presence of undesirable actuations.
e Use the above mentioned information in accident scenarios associated with harsh environmental conditions to obtain more realistic estimates of the increases in core l damage frequency and better insights regarding the risk significance of electrical equipment EQ issues. 1 20
PRE-DECIS NAL INFORMATION CIAL USE l REFERENCES ~
- 1. NUREG4588, Rev.1, ' Interim Staff Position on Environmental Qualification of l Safety Related Electrical Equipment,' 1983.
l
- 2. NUREG/CR-5313, ' Equipment Qualification (EQ) Risk Scoping Study,1988.
1
- 3. NUREG/CR-4731, Vol. 2, ' Pressurized Water Reactor and Boiling Water Reactor Cables and Connections in Containment," 1989.
- 4. NUREG/CR-4550, Volumes 3,4, and 5, " Analysis of Core Damage Frequency From Internal Events: Surry, Sequoyah, and Peach Bottom." 1990.
l l i 21 l j 7 -- _ _ _ _ __ _g}}