Text

-

o MAR 9 1993 MEMORANDUM FOR:

James M. Taylor Executive Director for Operations FROM:

Eric S. Beckjord, Director Office of Nuclear Regulatory Research

SUBJECT:

RESOLUTION OF GI-142, " LEAKAGE THROUGH ELECTRICAL ISOLATORS" Generic Issue (GI) 142, " Leakage through Electrical Isolators," was initiated to address the concern that isolation devices in licensed nuclear power plants might allow levels of signal leakage when challenged which would cause the protected system to misoperate or fail, thus creating a mechanism for common mode failure.

In addition, GI-142 addressed the concern that isolation devices might not have been installed before being required by 10 CFR 50.55a(h).

Based upon operating experience, the staff has determined that isolation devices perform satisfactorily in the operating environment, and have not been exposed to failure mechanisms which have resulted in signal leakage which causes protected systems or components to misoperate or become damaged.

In addition, the staff has reviewed proprietary design documents and FSARs for early plants, and has determined that the system designers were aware of the need for isolation devices and installed them as required. The enclosed draft Regulatory Analysis for GI-142 reports the staff's analysis and recommendations in greater detail. The ACRS supported the staff's proposed resolution and close-out in a memorandum dated February 19, 1993.

This determination is based in part on operating experience for plants which predominantly use electromechanical controls, and may not be applicable to control systems using digital or electronic components. Therefore, we recommended to NRR that guidance be developed for use in reviewing future plants, or current plants where the existing analog safety-related system is being replaced with a digital system. We suggested that this guidance be included in a revision to the Standard Review Plan, and provided proposed test criteria to be used in developing such guidance.

In a February 18, 1993 memorandum, NRR requested that RES delay resolution of Generic Issue 142 until the results of a separate RES test program on isolation device qualification testing is completed. We do not believe that it is necessary to wait for the completion of this program. As shown in the regulatory analysis, even some adverse information on isolators from this program is highly unlikely to justify new requirements under the constraints of the Backfit Rule.

Initial indications from tests performed so far show isolators performing adequately as expected.

Furthermore, the close-out of 9312220214 931529

'~

PDR NUREO 0933 C PDR

7-

_g

,1 g& h l

James M. Taylor-MAR S 1993 this issue has already been postponed about 6 months and we do not feel' that i

any further delay is justified.

If unexpected new information is discovered, the need for additional requirements could always be reconsidered.

If any further information is needed, please contact Chris Rourk at 492-3938.

i CRIG1:iAL SIGEED 3%

Eric S. Beckjord, Director Office of Nuclear Regulatory Research 1

Enclosures:

As stated

{

6 DISTRIBUTION:

RES Circ /Chron

~

DSIR c/f EIB.r/f T. Murley i

E. Beckjord C. Heltemes l

W.Minners?

J.' Murphy

• l' R. Baer P. Kadambi C. Rourk

~ pccf ';,

PDR i

1 i

I i

?

hk y

• SEE PREVIOUS CONCURRENCE 5

-)

~

0FFC: DSIR/EIB : DSIR/EIB : DSIR/EIB : DSIR/DD :

1 -

NAME: CRourk:jf : PKadambi

RBaer

-: JMuhby : W(ifnehi

.i

.DATE: 03/01/93* : 03/01/93* : Q3/02/93* :

/ /h : 4/v/93 j

M%l 0FFC:\\RES/DD': RES/DD NAME: CHeltemes : EBeckjord :

DATE: 4,/-? 193 : Y h 193 :

~

"0FFICIAL RECORD COPY"

'I 1

.y

_9.,

=

b DRAFT OF NUREG-1453 REGULATORY ANALYSIS FOR GENERIC ISSUE 142, LEAKAGE THROUGH ELECTRICAL ISOLATORS IN INSTRUMENTATION CIRCUITS i

4 0

)

N, i

EXECUTIVE

SUMMARY

j i

1 This generic issue was raised during staff review of test results for electrical isolators, which are used to create a barrier between Class IE electrical instrumentation and controls (I.& C) systems and any non-Class IE I

& C systems which interface with the safety systems. These tests, conducted j

by the licensees and Idaho National Engineering Laboratory (INEL), indicated t

that there is a possibility of signal leakage from the non-Class IE output of the isolation device to the Class.1E input.

Although a leakage signal could possibly affect a protected Class IE system,:

there is no evidence to suggest that this event has ever occurred, based in part upon over 700 failure records of_ isolation devices, as reported _ in -the Nuclear Plant Reliability Data System (NPRDS). Furthermore, the probability.

of a multiple channel challenge is very small, and.the decrease in core damage l

..; ency (CDF) which could be' achieved by backfitting questionable isolation i

w t does not meet the backfit rule criterion of providing a substantial increase in public health and safety. Furthermore, the safety benefit would not be great enough to justify the cost of backfit.

1 The backfit analysis is based upon the low probability of an isolation device challenge, as determined from the historic failure data. The existing plants j

have ! & C systems which are based largely upon electromechanical relays, y

which may be more resistant to misoperation or damage from electrical

_i transients than digital components. The staff has concluded that isolation j

devices do not currently appear to present a significant concern to. plant safety. A greater potential exists for isolation device challenge to result i

in'misoperation or damage to Class IE equipment if digital devices are used to j

a greater extent in future plants than they are currently used in_ existing 4

plants.

In order to prevent this concern fra cecurring in the future, guidance should be issued which outlines acceptable test criteria for_ isolation devices: which will be used-in new plants. This guidance could be in the form of a Branch' Technical Position to be included in the Standard Review Plan, or in the form l

of a regulatory guide, as appropriate. This guidance should contain recommended test procedures and acceptance criteria, which will be based in l

1 part upon the specific design of any future plants.

i l

i

)

i NUREG-1453 1

a

v 1 STATEMENT OF THE PROBLEM In 1971, the Institute of Electrical and Electronics Engineers (IEEE) issued a revision of Standard 279, " Criteria for Protection Systems for Nuclear Power Plants," which defined the requirements for electrical isolation devices (ids) with respect to nuclear power plant control systems. The revi3ed standard required that any interface between a safety-related (Class-1E) and non-safety-related (non-Class IE) system have an ID, in addition to any interface between two redundant channels of a protection system, and at any interface between two redundant trains of a protection system. These devices were required to be designed such that "no credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases" (Ref. 1). Work on this standard had been in progress for several years before it was issued, and the requirement for the use of ids in instrumentation and control (I&C) systems for nuclear power plants had been anticipated by the industry before IEEE 279 was revised in 1971.

In 1971, the U.S. Nuclear Regulatory Commission (NRC) incorporated the standard into a regulation in Section 50.55a(h) of Title 10 of the [opg_af o

Federal Reaulations (10 CFR). However, the NRC did not issue any additional regulatory guidance at that time to clarify ambiguous terminology in the standard.

For example, ids are required to be used at the interface between Class-lE and non-Class IE I&C systems and to prevent the' application of the maximum credible at or de potential (the so-called maximum credible fault (MCF)) on the non-Class IE ID output from interfering with the operation of the Class-lE system.

Because licensees had not received any information regarding acceptable qualification test procedures, credible fault voltage levels, or acceptable levels of signal leakage, they were not able to uniformly verify implementation of this requirement by the ::/ stem designers to standards endorsed by the staff.

In addit Wn, before nuclear safety systems were developed, ids were used in a control or instrumentation system to prevent low-power, high-frequency noise from passing the barrier and entering the system. Therefore, some ids might r

not have been explicitly designed to meet 10 CFR 50.55a(h), but for less demanding service conditions.

1 In February 1977 the NRC initiated the Systematic Evaluation Program (SEP)in order to review the designs of older operating plants to determine their compliance with then-current safety requirements. The final SEP reports provided ir. formation on the use of ids in 10 of the earlier plants.

The final reports indicated that 7 of the 10 plants were not required to implement any modifications or perform additional qualification tests for ids on the basis of an analysis of the possible impact of common-mode challenges to the ids (Refs. 2-11). However,' the only system analyzed with regard to ID failure was the reactor protection system (RPS). The assumed failure mode for the SEP j

analyses was that after the RPS channels received a severe challenge, they j

would fail to operate. The conclusions of these final reports were typically i

btsed on a comparison with the calculated probability of core damage from failure of the RPS to operate as a result of mechanical failure of control rods to insert into the core.

For most licensees, this probability was an NUREG-1453

~..

f O

order of magnitude greater than the probability of core damage if the RPS were inoperable. Since the actual probability of RPS failure is very low, the staff concluded that no action was needed.

However, ' ids are used in many systems other than the RPS.. It is 'also possible that ID challenge could lead-to small signal leakage from the output-to the-l input causing spurious operation of associated. valves, pumps, or similar

-)

equipment. A possible scenario might be failure of the high-pressure core cooling system in conjunction with actuation without indication'of the i

pressurizer power operated relief valves (PORV). Because the control loops.

ll that are connected to ids are also connected to bistables for actuating other q

equipment, the possible consequences of ID challenge could be significantly -

~~

worse than simply losing-the associated system. Therefore,'even though the i

findings in the SEP. final reports did not indicate a problem with ID usage in l

older plants, the analysis was not as rigorous as later work suggested migh be necessary.

The number of ids in nuclear power plants increased significantly after the.

i requirement for the safety parameter display system (SPDS) was implemented in 1980 (see Table 1) (Refs.12 and 13). These ids typically receive an-input from the existing Class-lE I&C system signal loop, which ultimately connects to a process sensor, such as a pressure transmitter. The output from the 10 is connected to the non-Class IE SPDS panel, recorder, or computer.

1 The SPDS modifications had two significant affects on licensees.

The first 1

was that ID electrical characteristics were scrutinized by the staff, which resulted in requirements for some licensees to obtain qualification test results before installing the ids (Refs.14-16). The qualification testing was primarily required to certify that the ids met the MCF requirement. The results of some of these qualification tests raised concerns among the staff regarding the allowable leakage energy that could pass through the 10 before failure.

In most cases, licensees were required to-justify the leakage signal measured by providing allowable error levels within the electrical control l

signal loops. These issues were addressed by Idaho National Engineering Laboratory (INEL) in some preliminary work on ID qualification (Refs.17-21).

l The second effect was that many licensees were required to significantly increase the number of ids in order.to provide the required inputs for the

-r SPDS without violating safety guidelines. These inputs would be taken from Class-IE systems, such as the neutron flux monitoring system or the steam generator level monitor, in which it would be difficult or prohibitively expensive to install a new, independent sensor.~ Therefore, a typical resolution of this problem was to place-ids into an existing Class-lE~ circuit.

j The output conductors from the ids are classified as non-Class IE by almost every licensee and are typically gathered into one panel, plotter,- or display.

t This configuration creates a condition in which a common-mode challenge of the safety-related systems could occur. Although the SPDS requirement resulted in increased scrutiny of ID qualification, it also may have resulted in increased.

probability of a common-mode challenge to ids, with the possibility of failure or misoperation'of the associated' safety-related system.

5 NUREG-1453 4

In 1987, the staff identified Generic Issue 142 (GI 142), " Leakage Through Electrical Isolators in Instrumentation Circuits," to address the unresolved concerns that exist regarding early application of ids and the application of ids which resulted from the SPDS requirement. The objectives of GI 142 were to (1) quantitatively define the extent of ID use in nuclear power plants that had received a construction permit (CP) before IEEE-279 was issued on January 1,1971, and determine if the electrical separation between Class-lE and non-Class 1E systems was adequate for these plants (2) research ID failure modes, and determine if common-mode failures are h

possible (3) determine the possible effects of common-mode failure on the Class IE equipment in the control circuit (4) determine if existing probabilistic risk assessment (PRA) models could be modified to include the effects of ID failure 2 OBJECTIVES OF THE PROPOSED RESOLUTION The proposed resolution for GI 142 is to develop and issue guidance that identifies the criteria for determining MCF levels and acceptable leakage signal levels. On the basis of the backfit analysis presented in this report, the benefit to be obtained by testing and replacing existing ids in licensed facilities is not significant enough to justify the expected cost of repl acement. However, specification of these criteria for plants that are not yet designed will result in a negligible increase in the cost of these facilities. These additional criteria constitute the minimal requirements by which to ensure that ids will function as required by 10 CFR 50.55a(h).

The objective of the proposed resolution is to ensure that future plants comply with the NRC interpretation of the MCF as used in IEEE 279-1971. The contemplated regulatory guide will specify the qualification tests and acceptance criteria that should be used to verify the operating characteristics of ids for a specific plant. Although it is not necessary for an ID to provide a perfect barrier to a MCF challenge, licensees must demonstrate that the ID will limit fault signal leakage to a level that will not interfere with the operation of the protected Class-lE system.

The specified qualification tests and acceptance criteria do not exceed the cegulatory requirements of 10 CFR 50.55a(h). These tests are based on IEEE standards that are currently used to specify requirements for other electrical control system equipment used in nuclear power plants.

Existing standards for component and system design guidelines should be applied uniformly because failure to do so could create a more severe environment for a specific nonconforming component. These standards were written after IEEE 279-1971 was issued and include IEEE 472-1974, " Guide for Surge Withstand Capability (SWC)

Tests" (Ref. 22) and IEEE 587-1980, "IEEE Guide for Surge Voltages in Low-Voltage AC Power Circuits" (Ref. 23).

The conditions identified in these new standards fall within the category of a maximum credible fault as specified in IEEE 279-1971.

NUREG-1453 5

I o

I Specifying MCF test criteria and'ID qualification procedures will ensure that

)

manufacturers and system designers provide equipment that adequately anticipa.tes licensees' needs, and will help licensees specify or design their-equipment to staff-approved criteria with minimal NRC involvement. GI-142-originated because of concern about the adequacy of ids in 1.ight of' j

insufficient specification of ID requirements and unclear results frem ID qualification tests. Although the findings in this report indicate that ids

l used by licensees are adequate, this information was. established only after l'

lengthy analysis by the NRC. This analysis was required because of the lack of qualification tests and acceptance criteria.

Issuing guidance will prevent the concerns that resulted in this generic issue from arising in the future.-

J

+

3 EVALUATION OF ALTERNATIVES

{

On the basis of previous work regarding the qualification requirements. for j

ids, there does not appear to be any unresolved issue regarding what technical requirements need to be verified for an unqualified ID design. As a result,

~!

there are only three alternatives for the resolution of this generic issue.

The rejected alternatives are: (1) the new guidance should~ also apply to l

existing plants and (2) there should be no change in the regulatory -

requirements. The proposed resolution is that guidance should be issued for J'

application only at future plants.

.l 3.1 Re.iected Alternatives i

3.1.1 Guidance Applies to Existing Plants 1

The tests performed by INEL on ids indicate that ids are susceptible to damage from signals that are within the limits specified in -IEEE 472 and IEEE 587 a

(Refs. 17-21). This ~ damage includes both leakage across the isolation boundary and physical destruction of the components.

Either of these could a

~

result in degradation of the protected system, because the ID units are.

usually installed in panels with other safety-related components.

However, failure records from the Nuclear Plant Reliability Data System (NPRDS) and the Nuclear Power Experience (NPE) databases do not indicate that i

a significant ID challenge has ever occurred at a licensed facility.. With regard to the NPRDS database, ID challenge was not a factor-in 735 reported

-4 failures for 11,986 monitored components. This may be due to the-design of existing systems, or the rare occurance of the levels tested in the standards in actual plant operation.

A backfit analysis was also performed and is.given in Section 4_ of this report. The risk reduction associated with testing existing ids, analyzing existing systems, and replacing unacceptable ids is not substantial.

Further, the costs are not justified by the decrease ~in risk that would be achieved.

These results are due to the low probability of a multiple channel.ID.

challenge.

i y

On the basis of the historical data on ID failure and the results of the '

l backfit analysis, no modifications are required for existing plants.

NUREG-1453 6

q

)

q i

l

't a.-

3.1.2 No Regulatory Action Both the staff and-licensees have expended a considerable amount of effort as a result of the vague wording in IEEE 279-1971. The overriding concern is to ensure that placing ids in Class IE control circuits will prevent common-mode failures in safety-related systems resulting from the propogation of-electrical faults.

If guidance is not developed and issued, this concern might not be addressed by licensees during design of the control circuit when proscriptive measures can be easily taken.

Furthermore, compliance with 10 CFR 50.55a(h) will be addressed on an individual basis and could lead to qualification criteria that are not uniform.

It is also likely that new plants will rely on solid-state and microelectronic signal processing to a greater extent than plants designed.before or during the 1970's. Even though a potential problem has not been found with ids used in existing plants, this could be a result of the electromechanical nature of older control systems, which are inherently more resistant to high-frequency transients than solid-state components.

It is desirable to clearly identify i

the requirements for ids before new plants are approved for construction and to uniformly apply these requirements to avoid uncertainty.

3.2 Proposed Resolution - Guidance Applies OnlY to Future Plants Historical data on 10 failure do not indicate that the existing use of ids present a serious concern regarding ID challenge and signal leakage.

HowcVer, the tests performed by INEL indicate that the potential exists for ids to te seriously damaged and to allow significant signal leakage, either of which could result in a common-mode failure of Class IE equipment and possibile core damage.

The requirements of IEEE 472 and IEEE 587 currently apply to all other control system components to which ids may be connected, such as relays and bistables, and should be applied uniformly to provide a high degree of assurance that components will not fail under conditions that the system may be designed to withstand. The additional industry costs associated with developing ids that meet the recommendations of the proposed guidance would.be small (see Section 4.11).

ID manufacturers can design and test their equipment to ensure that it meets the guidelines.

System designers will be able to request this design information and compensate for any signal leakage.

Without guidance, manufacturers are more likely to provide ids that will not withstand an MCF and system designers will have limited access to ID failure characteristics. Therefore, the recommended resolution of GI 142 is to issue guidance which explicitly states requirements for MCF levels and requires compliance with IEEE 472,and IEEE 587, that will apply only to future plants.

L I

e NUREG-1453 7

3

e'

L 4 COST / BENEFIT ANALYSIS 4.1 Specific Ob.iectives'of Proposed Barkfit I

The resolution of G; 142 is based on (1)

&n apparent absence of any significant events caused by ID challenge, (2) the results of tests performed on ids by INEL and licensees, which indicate that most meet the MCF_ requirements of IEEE 279-1971, (3) a review of available control system design information, which indicates that the circuitry is not in a configuration which would be damaged by previously measured values of energy leakage, and i

(4) the low probability that a MCF or other postulated event could challenge the ids.

None of these reasons, taken alone, are sufficient to establish that the probability of an ID challenge leading to core damage is insignificant. The combination of all four is enough to reasonably suggest that the proposed requirements for ids are not needed for existing plants.

If these requirements were made retroactive, it would be necessary for the licensee to test every model of ID that is used, to determine the level of signal leakage under challenge, and to then analyze every plant system to determine the maximum acceptable signal leakage in the event of ID challenge. Any

';racceptable ids would need to be replaced.

4.2 Backfit Reauirements The 10 testing performed by INEL in the 1980s suggests that ids do not create a perfect barrier to the potential challenges that could occur at the ID output or power leads. However, a perfect barrier is not required, if the protected Class IE system could continue to function as designed after the IP challenge occurred. Therefore, backfit requirements-should be sufficient to verify that all ids used at the interface between safety and non-safety systems will prevent a signal from leaking through that could cause the safety system to fail to perform as designed. To completely eliminate this concern, it would be necessary to:

(1) expand the requirements for ids to include IEEE 472 and IEEE 587 tests (2) require licensees to evaluate all control circuitry to determine what level of noise leakage through ids is acceptable (3) require licensees to perform tests on existing ids to determine if they are acceptable (4) require licensees to perform tests on any replacement ids, if the existing ones are unacceptable (5) replace any deficient ids, which would include drawing changes and possibly new cabling and panel modifications for future plants, these steps will be unnecessary.

ID manufacturers will be able to perform the required tests based on regulatory guidance when developing new components.

Licensees and system designers will be able to request these test reports for design qualification and will be able to design-the system to. withstand any leakage that occurs. Therefore, any additional costs would be included in the cost of each new device as a one-time development cost.

NUREG-1453 8

l 4.3 Increase / Decrease in Public Risk From Backfit;-

The most probable initiating event for ID challenge appears to be wiring error events in panels (e.g. inadvertent short circuits while using jumpers) on the basis of the past frequency of possible initiating events (none of these events have ever resulted in ID challenge, but may have resulted in thallenge of another component or may have been a potential challenge). A search of the NRC nuclear documents system (NUDOCS) database and the NPE database indicates that at least 30 of these wiring error events occurred between 1975 and 1991 which resulted in the generation of a licensee event report (LER). Of these 30 events, 15 occurred while the plant was at power, and 15 occurred during refueling, cold shutdown, or power ascension. This is approximately 1.0E-2 event / reactor year. An additional factor of 0.001 is used to quantify the probability that the panel will have terminations from the output of multiple ids (probability - 1.0E-2) and that contact will occur at a -itical point in the panel, based upon the typical size of panels and the lai. e number of noncritical terminations in a panel (probability - 1.0E-1).

Therefore, the high estimate of the probability of an initiating event is believed to be 1.0E-5 event / reactor-year. The best estimate and low estimate are not used in this analysis, but are expected to be significantly less than 1.0E-5 event / reactor-year.

Because an ID challenge is a random event with a low probability of occurence, the increase in core damage frequency (CDF) resulting from simultaneous, independent occurrence of an unrelated event (e.g. station blackout) and the loss or misactivation of Class-lE equipment due to isolator challenge would be too small to require regulatory action (i.e. resulting in an increase _ in CDF less than 1.0E-5) (Ref. 25). However, a concern which is potentially more significant is whether the ID challenge itself could precipitate core damage.

An example of one such event is activation of the PORV, subsequent loss of coolant, and concurrent damaging of the PORV status indication. The possibility of such events occurring can only be determined by reviewing the design of each plant.

This type of design information would be difficult or impossible to obtain as a practical matter for individual plants, even with access to all plant records, drawings, and equipment.

Instead, the approach taken was to review the PRA of a typical plant and assume that ids were placed in any system that either was known to have them or possibly had them. The assumption was then made that an ID challenge would result in activation of associated equipment.

Sandia National Laboratory (SNL) performed an analysis of the Surry plant because of the existence of PRA data, the relatively large number of installed ids (189), and the availability of a limited number of design drawings.

SNL concluded there were four areas where ID challenge could have a significant impact on plant safety:

(1) the effect of an ID challenge causing the alignment of a low-pressure system to a high-pressure system resulting in an interfacing-systems loss-of-coolant accident (ISLOCA)

(2) the effect of an ID challenge inadvertently resulting in operation of a PORV (3) the effect of an inadvertent pump start resulting from an ID challenge HUREG-1453 9

,m

)

i

'(4) the effect of an ID challenge on the RPS.

This analysis showed that the Surry PRA documented in NUREG-1150 (Ref. 28) contained many of the possible events, such as inadvertent pump actuation and RPS failure.

In some cases, the product of the frequency of failure on demand

.l and the frequency of demand was greater than the postulated annual frequency l

-for the MCF event. Other events would require multiple, random failures which l

results in a negligible probability of occurrence.

For example, the ISLOCA j

sequence would require the random failure of check valves in combination with a

the random occurrence of ID challenge, which results in'a negligible

-l probability product.

j For Surry, the combined risk reduction for elimination of all events that were similar to postulated ID challenges was approximately 3.lE-6/ reactor-year.

This was taken as a conservative estimate of the CDF, because the actual frequency of ID challenge events is much lower than the frequency of these-events.

It is note' that ID challenge is assumed to result in a signal that i

simulates the initiating event, even though other possible scenarios exist that have less significant effects (signal causes pump failure or no effect).

Therefore, the upper-bound reduction in CDF for the cost / benefit analysis was assumed to be 3.1E-6/ reactor year.

l The best estimate of the reduction in CDF which could be obtained by improved I

testing of ids was obtained by disregarding the effect of the loss-of-main feedwater event. This estimate is based on the mean frequency for the loss-of-main-feedwater event, which is 9.4E-1/yr compared with 'an expected ID challenge frequency of 1.0E-5/yr. The loss-of-main-feedwater event contributes 1.7E-6/yr to the CDF in the upper-bound estimate.and is assumed i

not to contribute to the CDF for a best estimate, because of the significant difference between the initiating event frequencies. Therefore, the contribution to the upper-bound CDF from the loss-of-main-feedwater event was subtracted to yield the best estimate of the reduction in CDF, which is 1.4E-6/ reactor-year.

The Surry PRA was also used to obtain a low estimate of the reduction in CDF l'

that would be achieved by the proposed action. The loss of the RPS is the only event that has an initiating frequency about equal to the expected initiating frequency of events resulting from ID challenges. The reduction in CDF for increasing the reliability of the RPS to 1.0 is approximately 1.3E-6 and was chosen as the low estimate for increasing the reliability of system isolation. However, even this low estimate is likely to be greater than the risk reduction that could actually be assumed, since the components that are protected by ids (relays, pumps, valves, etc.) have a~ probability of spurious activation that is likely to. be greater than the probability of _ multiple ID challenges and subsequent signal-leakage on the basis of operating data.

Therefore, it is likely that the probability of an ID challenge leading to spurious operation or failure of equipment is less than the probability that~

the actuators for that equipment will spuriously operate on their own..

' The same values for reducing CDF were used for boiling-water reactors (BWRs),

even though they have fewer ids on the' average than pressurized-water reactors (PWRs). SWRs tend to be less dependant on ids, by design, to ensure sys_ tem i

NUREG-1453 10 f

i independence than are PWRs.

4.4 Increase / Decrease in Plant Employee Risk From Backfit Evaluation and replacement of ids could possibly result in some additional exposure to employees, depending on the location of 10s in the plant and the amount of additional cable that would have to be installed to replace existing ids. There would be some additional benefit from the backfit, that would be a function of the decrease in CDF and the type of radiation release which would be expected from an ID-initiated failure.

For the purposes of this evaluation, both of these figures are assumed to be negligible and subject to too much uncertainty to be of any benefit.

4.5 Installation and Continuina Cost of Backfit Costs for the backfit are.more readily calculated on a per-ID or per-model basis than on a per-licensee basis and can be broken down into five categories:

(1) evaluation (2) testing of existing ids (by model and licensee)

(3) testing of replacement ids (by model and licensee)

(4) drawing changes for replacement ids (5) physical changes for replacement ids Approximately 12,000 ids are currently reported in NPRDS (see Table 2), and the average licensee has 4 different models of 10. Testing might not be feasible if a model were no longer being manufactured, and it might be necessary to change panel configuration and add circuits and raceways to accommodate new ids. Each device would require approximately 1 person-week of effort to evaluate. This evaluation would consist of finding all affected ids and all associated wiring diagrams and component 'rawings and evaluating the range and effects of signal leakage resulting from ID challenge. This estimate is probably low, but would compensate for ids with similar design and

~

application features. The average cost per person-week is assumed to be 53.5E+3 or a total review cost of $4.2E+7.

Each licensee will be responsible for individual test results.

It is possible that licensees with similar ids will pool resources, but they have not done this when performing qualification tests for the SPDS.

Each licensee will also have different test requirements, depending on the design of-the plant systems.

For the purpose of this analysis, it is assumed that each utility will conduct independent tests for each model of ID that it uses. Testing costs are assumed to be $100,000 per device, including the cost of the tested devices. The total number of models estimated from NPRDS data under these 3

assumptions was approximately 380 models for the entire industry or approximately 4 different models per licensee. This yields a total cost of 53.8E+7.

The number of ids that will need to be replaced.is difficult to determine, since it will depend on each licensees acceptance criteria and design. On the basis of the results of INEL tests, it is assumed that 25 percent of the ID models will need to be replaced, and each replacement model will also need to HUREG-1453 11 1

1

be tested at~a cost of $100,000 per model tested, including the cost of the tested devices. On.the basis of an initial ' number of 380 models 95 models.

will need to be replaced for the entire industry or approximately 1 per

. licensee. This yields a total cost of $9.5E+6.

Drawing changes will be required for all ids that are replaced.. For-the purpose of this analysis, it is assumed that 25 percent of the total. number of ids will need to be replaced, which would result in the replacement of 3000 ids for the entire industry or approximately.30. ids per licensee.

This results in a total cost of $6.3E+7, assuming an average of three affected drawings per device and 2 person-weeks for drafting, engineering review, and' issuance, plus an additional $3.0E+7 for' replacement. ids, assuming $5.0E+3 for -

each and for one spare.

The ids that are ' acceptable will not uniformly fit existing panels or circuitry, which will subsequently require some modifications.

For'the purpose of this analysis, it is assumed that 50 percent of the devices that-will need to be replaced (or 12.5 percent of the total number, approximately 1500_ ids) will require panel and/or circuitry modifications.

Estimated cost i

is 2 person-months of labor per device. Two drawing changes are. estimated to be required for panel. modifications or cable installation, at 2 person-weeks per drawing for drafting, engineering review, and issuance. This: yields a-total cost of $6.3E+7.

QlLt Percent of Total Evaluation

$4.2E+07 17.1 Test existing ids

$3.8E+07 15.5-Test replacement ids-

$9.5E+06 3.8 Drawing; changes

. $6.3E407.

25.7 Replacement ids

$3.0E+07 12.2-Panel / circuitry changes

$6.3E+07 25.7 Total

$2.5E+08

' Operating and maintenance costs are assumed to be equal for new and replaced ids.

NUREG-1453 12

h' a-All PWRs and'BWRs are assumed to be affected: 90 PWRs plus 44 BWRs or a total'-

of 134. plants. The average remaining lives of affected plants 26.4 years for-.

i PWRs and 25.0 years for BWRs, or 25.9 years for ~all plants.

l Industry Costs o

Per Plant Industry Cost Savinas Due to Accident Avoidance-f

^

P' WR:

l Upper Bound - ($1.65E+9)(3.lE-6/RY) - $5.lE+3/RY Best Estimate - ($1.65E+9)(1.4E-6/RY) - $2.3E+3/RY lower Bound - ($1.65E+9)(1.3E-6/RY) -'$2.lE+3/RY BWR:

a L

Upper-Bound - ($1.65E+9)(3.1E-6/RY) - $5.1E+3/RY-Best Estimate - ($1.65E+9)(1.4E-6/RY) - $2.3E+3/RY l

Lower Bound - ($1.65E+9)(1.3E-6/RY) - $2.lE+3/RY o

Total Industry Cost Savinas Due to Accident Avoidance I

Sensitivity case-Total

t Upper Bound

$1.9E+7 Best Estimate

$8.6E+6 Lower Bound

$7.9E+6 o

Total Industry Resources for Safety Issue Resolution Implementation i

The industry resource requirements for testing ids, buying replacement ids, f

installing the replacement ids, and documenting the changes are summarized below. Because costs are estimated on a per-ID basis for a population of 12,000 ids, total industry costs are reported.

Testina. Analysis. and Documentation (total for 12.000 IDsl Total from above

$1.5E+8 l

1 Hardware and Installation Total from above

$9.3E+7 o

Total Industry Cost for SIR Implementation (nil NI -~$2.3E+8

]

o Total Industry Cost Total industry cost for SIR: implementation minus-upper bound estimate of industry cost savings due to accident avoidance is $2.2E+8 j

NUREG-1453 13 i

1

i

-l

)

4.' 6 Impact on Plant Operations of the Proposed Backfit Replacing ids would have no significant impact on the plant other than cost for testing and replacement.

ids are currently used at the locations throughout the plant where replacement ids would be installed. Replacement of l

these ids with more durable ids should not significantly affect the plant, unless modifications to panels or control wiring are incorrectly performed.

4.7 Estimated Cost to the NRC l

NRC costs for support of SIR implementation were estimated in (Ref. 27) to be about $2.0E+5 per plant for NRC reviews of plant modifications, for a total of-

$2.7E+07 for 134 plants.

4.8 Impact of Differences in the Facility on the Proposed Backfit Traditionally, PWRs have incorporated more ids in the plant control systems than have BWRs. However, some BWRs have up to 300 ids. Therefore, no plants would be exempt from the backfit requirement.

4.9 Status of Proposed Backfit This backfit would be a final backfit.

4.10 Cost in $/ Person-Rem Averted Cost ($/ Person-Rem)

Upper Bound 1.1E+4 Best Estimate 2.4E+4 Lower Bound 2.6E+4 A value of 2E+6 person-rem per core melt is assumed for this analysis. Total costs are total industry cost plus estimated costs to the NRC, which are an additional cost to industry (total cost - 52.5E+8) 4.11 Forward-Fit Cost Estimate Even though there is an average of four ID models per plant as discussed in Section 4.5, 60 percent of the ids used were manufactured by a single manufacturer (Westinghouse), and several plants use only a single model of ID.

Therefore, it can be assumed that a new plant could use a single type of ID.

With development costs of $5.0E45, the cost of SIR implementation would depend on the number of future plants built. Assuming that the safety benefit will remain the same or increase for future plants, the cost for SIR implementation for future plants would be:

Number of Future Plants Cost ($/oerson-reml 1

2.0E+3 2

1.0E+3' 3

5.0E+2 NUREG-1453 14

t Some of the ids tested as documented in Reference 21 would require very little modification to-meet the new criteria. Therefore, development costs of l

55.0E+5 are probably much greater than actual costs would be.

Even with this likely overestimate of cost, the above cost / benefit ratios indicate that a forward-fit of the recomendations of the proposed regulatory guide would meet the current agency criterion of $1000/ person-rem if there were two or more future plants.

5 Decision Rationale 5.1 Enaineerino Evaluation To analyze the effect of ID challenge on plant safety, it was first necessary l

to determine the scope of the analysis.

It would not be possible to review l

the design of each plant to determine the extent of ID use. This information would only be available on design drawings, since ids are individual components within complex systems. The only available database that could be used to provide information on the extent of ID use is the nuclear plant reliability data system (NPRDS) database, which is managed by the Institute of Nuclear Power Operations (INPO).

Information from NPRDS was used to evaluate l

the extent of ID use in the industry.

On the basis of the data in NPRDS, the decision was made to review the Surry Unit 1 plant. This plant has a significant number of ids (189) and a complete l

probabilistic risk assessment (PRA) model. The intent was to determine if it would be possible to include the ids in the Surry PRA and to determine analytically what effect ID challenge would have on plant safety.

However, it was not possible to obtain enough information on the plant to determine the location of the ids or the design of the systeus in which they were located, l

unless a significant amount of effort was to be spent reviewing design

' j i

documents.

i The Surry PRA was reviewed to determine what effect ID challenge could have, l

assuming ids were located at the most critical locations and the challenge would result in the worst possible signal leakage (i.e. equipment damage, spurious operation, etc.). Although this hypothetical analysis overestimates j

the general effect of ID challenge on an average plant the CDF used in the ~

cost / benefit analysis was determined through this analysis.

As shown above, even with this overestimate of safety benefit, the requirements of the backfit rule are not satisfied. That is, for current plants, the proposed resolution does not provide a substantial increase in the i

overall protection of the public health and safety. nor would the costs of implementation be justified in view of the incre ad protection obtained. On the other hand, the front-fit analysis provided above shows that the implementation of proposed guidance is justified for future plants.

]

The results of the INEL and licensee tests are reviewed in section 5:1.2 in light of this analysis.

Even though the test results indicate that it is possible for signals to backfeed through some ids, the operating data indicate either this backfeed has not occurred in service, or that if it has occurred, NUREG-1453 15 u

..~

1 i

i that it did not result in degraded operation of the protected system.

The.

more significant finding'is'that some ids can physically destruct when exposed to IEEE standard tests.

l 5.1.1 Operating History of ids i

The NPRDS database, which was developed by the Edison Electric Institute, has been managed by INP0 since January 1, 1984. Before that it was managed by joint committees of the American National Standards Institute '(ANSI).

While i

the database was managed by ANSI, the quality of the' data was considered poor,-

due in part to poor utility participation. The move by INP0 to manage NPRDS-'

pre-empted a decision by the NRC to issue a rule for the reporting of operational data.

The NRC has been monitoring INP0's progress since 1984.

i INP0 performs a technical review of all data that are input into the database 1

for accuracy and consistency. Licensees have also been instructed to track ID application and failure in NPRDS.

For these reasons, the NPRDS database is a i

reliable and valuable source of information on ID use and failure modes. The latest NRC review of NPRDS (Ref. 24) indicates that'some concerns remain with the thoroughness of utility reporting. However, for the purpose of this

- i analysis, the data in NPRDS are sufficient'to determine the probability of ID challenge and subsequent effects. All NPRDS data referenced in this report l

are current as of September 1991.

Of the approximately 12,000 ids tracked in NPRDS,.approximately 800 failures

4' have been reported. Three of these failures resulted in'a' plant trip; one of.

the trips resulted because another channel was out; of service for' maintenance, and the second trip resulted because of failure to detect the failed ID as a result of a wiring error. None of the ID failures were the result of an MCF event or any identifiable surge event. 'Furthermore, nonelof the ID failures-1 resulted in damage to?the associated equipment or spurious operation of-j emergency core cooling system (ECCS). The majority of failures were due to random failure of electronic components, at the rate of approximately 10-*

i failures per-hour. This is consistent with the failure rate'of individual

l components in other electronic devices.

j Other sources of information were also searched to find evidence of ID failure (Ref. 26). This additional research did not identify any ID failures resulting from MCF or other electrical challenge, inadvertent operation of 1

ECCS, or damage to associated equipment.

In fact, the absence of any reported incidents is notable, in light of the severity of the results in the. test reports.

5.1.2 Test Results In 1985, INEL reported the results' of tests conducted on 19 different.models 1

of' ids (Ref. 11). The_ tests consisted of' challenging the ids using.a method-consistent with industry standards, such as IEEE:279 (MCF tests) (Ref.1),

~

IEEE 472 -(relay surge-. tests) (Ref. - 22),- and IEEE 587 (power line. surge tests)

. (Ref. 23). These. tests are standard'for electrical control system components j

such 'as relays, which are' used with ids in Class IE control systems.

The test NUREG-1453 16 t

signals were applied to the ID power leads or the output leads, and the response on the input leads was recorded.

The MCF tests did not reveal any significant concerns with signal leakage. Of the 19 ids, 4 (21 percent) allowed energy in the form of a short duration, low-voltage pulse to pass through the barrier.

The pulses lasted less than 130 msec and had absolute magnitudes of less than' 4 V.

Since the ids are typically connected to a control circuit that uses de voltage and 4-20 mA of current, these pulses would create a minor fluctuation in the signal.

In addition, the control circuitry in most licensed-facilities is electromechanical as opposed to solid-state, and has a respose time constant which may exceed the duration of these transients. The greatest concern raised by these tests was the physical destruction of some of the ids. Of 19 ids, approximately 7 (37 percent) burned or emitted sparks or missiles when tested. This behavior in service could cause panel fires in multiple channels of safety equipment in the event of an ID challenge.

These tests were performed with the ID input open-circuited, which creates the maximum possible voltage on the input leada.

In service, the ID input will be connected to an impedance.

For one model of a Westinghouse-design ID, this impedance is approximately 0.25 percent of the input impedance, which would attenuate the voltage to an insignificant level. Westinghouse ids account for 62.9 percent of all ids.

It is also expected that most ids would be used in a manner similar to that used by Westinghouse (i.e. with a control circuit current loop, using an input resistance to derive a voltage signal from the current signal).

Several licensee-sponsored 10 tests are on record. The results of these tests are consistent with the INEL tests. Two of the tests (Refs. 4 and 6) were conducted at engineering laboratories, and were relatively thorough. Although some ids allowed energy backfeed, the magnitude and duration of the signal were such that the NRC staff determined that the ids were acceptable for use at the plant.

The third set of tests (Ref. 5) was conducted by the licensee themselves and was less thorough. These tests indicated that a condition not as severe as the MCF (a current limited condition) could result in more energy being backfed through the 10 than from an MCF. However, the test procedure was not described, the type and sensitivity of the current and voltage metering equipment were not provided, and there was no burden (resistance) on the ID input. The NRC staff reviewed the results of these tests and found that the ids were acceptable for use at the plant.

In summary, no tests performed on ids have provided compelling evidence that an MCF applied to the ID output will severely affect the ID input for one the following reasons:

The small percentage of ids that allowed energy to pass through the o

barrier only allowed a low-power, low-voltage pulse of short duration.

o The test conditions did not simulate operating conditions.

NUREG-1453 17

t t

o Information known about the test equipment or conditions is insufficient to allow the results to be repeated.

It is not likely that the energy leakage seen for ids could result in damage or inadvertent operation of associated equipment. All other aspects of the tests, such as the IEEE 472 and IEEE 587 tests, and destructive failore of some ids created a greater concern. However, requiring licensees to verify that installed ids can pass these tests would constitute a new requirement, which is considered in the backfit analysis in this report.

There are several possible reasons why these tests are not representative of failure modes of ids in service. First, the test criteria might be too severe l

and not representative of transients experienced in nuclear power plant control systems. Second, there may be a greater amount of long cable runs in nuclear plants, which would create a high innpedance for the high-frequency impulses specified in IEEE 472 and IEEE 587.

Third, most nuclear plant control systems are fed from uninterruptible power supplies, which can provide very clean power with less noise than is typically present on power lines.

Finally, because of the short duration of most transients not enough energy may be transferred or the transients may not last long enough to cause the predominantly electromechanical controls in older plants to respond.

In light of the reported failure data, there does not appear to be any need to backfit existing ids.

5.1.3 Application of ids in Older Plants Task 2 in the task action plan (Ref. 29) was to determine whether ids were used in plants that received a CP before January 1,1971, when IEEE 279-1971 became a requirement.

If these early plants did not use ids, it is important to determine if it is because they were designed not to need them, or if there is some possible safety significance. Several sources suggest that ids were used in early plants to the same extent as in later plants. NPRDS data are shown in Table 2.

For PWRs, there are exactly the *ame average number of ids in the 36 plants that received a CP after January 1,1971 (post-IEEE 279) as there are in the 37 plants that received a CP before January 1, 1971 (pre-IEEE 279). The statistics for BWRs are not as straightforward, with an average of 58 ids for post-IEEE 279 plants, and an average of 11 ids for pre-IEEE 279 plants. However, if three plants are excluded from the post-IEEE 279 figures (Clinton I with 310 ids, Nine Mile Point 2 with 210 ids, and Hope Creek I with 81 ids), the average for the post-IEEE 279 plants drops to 11.

Other sources of data on ID use in older plants are the final safety analysis reports (FSARs) for pre-IEEE 279 plants, 19 of which are reviewed in Reference

26. All of these units used ids to some extent, although some were reported using relays as ids, which cannot transfer analog data. However, 14 of theso 1

19, or 73.7 percent, were using isolation amplificrs when the FSARs were issued.

Third sources of information are the Systematic Evaluation Program (SEP) final reports (Refs. 12-21). These reports contain information on ID use in 10 of the oldest plants. Many of the plants reported that ids were not used between some data channels and the process recorders.

Limited PRA analyses indicated

@ EG-1453 18

1 that this lack was not significant because of a low increase in core damage frequency resulting from'a total absence of the RPS. However, as discussed, these analyses did not consider the effect of spurious equipment operation or misleading information on plant safety.

5.2 Probability of an ID Challence The worst-case ID challenge is defined in this study as small signal leakage through the ID barrier, resulting in inadvertent operation of the equipment to which the ID is attached, with a subsequent loss-of-coolant accident or equipment damage, but no' impact on the functioning of the control system. A less severe scenario of damage to the actuation system without inadvertent actuation might result from a more severe ID failure.

In any case, a mechanism is required to simultaneously challenge multiple channels.

The predominant concerns are cable or raceway fires or faults, and panel fires or faults. A review of cable shorting events shows that the most likely source of shorting is through panel wiring errors, such as when a technician drops a cable in a panel or inadvertently touches a termination. The probability that this scenario could lead to an ID challenge was assessed to be 1.0E-5/ reactor-year.

It appears that all initiating events for multiple channel challenges to ID output would occur at this frequency or less.

The transients modeled by the IEEE 472 and IEEE 587 tests are lightning surges, power line transients, and noise created by intense, high-frequency electromagnetic activity such as arc welding.

Even though these events occur frequently in power plants, and the response of the ids to the above tests was less acceptable than the response of the ids to the MCF tests, there are no reported incidents of ID challenge or failure resulting from these events.

5.3 Conclusion

+

Isolation devices are used extensively in operating nuclear power plants. The NPRDS database, which contains detailed reports of over 12,000 ids and 800 ID failures, indicates that there are no cases of ID challenge similar to the conditions tested for in the INEL tests.

In addition, the test results in the INEL reports do not indicate that the amount of energy leakage is significant in the event of barrier failure. Considered in light of the calculated low increase in CDF from ID challenge, there is no basis for requiring backfit of ids in existing plants. However, because I&C design for future plants may be more susceptible to failure from such challenges, existing IEEE test and acceptance criteria should be consistently applied for these plants.

6 IMPLEMENTATION The NRC should develop guidance containing recommended levels of testing and leakage criteria, and requiring compliance with the criteria in IEEE 472 and s

IEEE 587.

NUREG-1453 19

.o e

Table 1 Isolation Device (ID) Installation Trends GE Westinahouse B&W CE Year ids Total Ols' ids Total Ols' ids Total Ols' ids Total Ols"

- 1 1963 1964 1

1967 1

1968 15 15 1969 15 -

2 1970 210 225 2 3

3 1971 6

6 1

128 353 4

7 1

1972 6

12 3

227 580 2 7

2 1973 12 3

593 1173 6 26 26 2 1974 20 32-8 324 1497 4 131 157 4 7

1 1975 7

39 175 1672 1 4

161 -

86 93 1

161 -

107 200 2

1976 39 2

1000 2672 4 39 817 3489 2 106 267 2 52 252 1977 1978 39 1

246 3735 1 267 -

2 254 1

4 3739 -

267 -

- 254 1979 5

44 46 3785 2 267 -

72 326 1980 44 1981 44 1

986 4771 4 267 -

3 329 1982 16 60 2

139 4910 1 20 287

- 329 1

200 529 2

1983 8

68 19 4929 1 2

289 1984 27 95 4

918 5847 3 75 364 83 612 250 862 2

1985 43 138 3

799 6646 4 11 375 1986 340 478 4

532 7178 2 1

376 -

164 1026 1

478 2

857 8035 5 4

380 7 1033 1

1987 1988 31 509 392 8427 2 48 428 83 1116 1989 19 528 2

506 8933 3 428 11 1127 1990 16 544 293 9226 -

428 2 1129 1991 275 819 279 9505 -

45 473 60 1189

' Operating licenses issued that year 4

i e

]

NUREG-1453 20 l

1

A-Table 2 Isolation' Device Statistical Data' Data BWRs PWRs Total Number 819 11167 Reporting Plants 23 74 ids / Plant 36 151 Reported failures 15

- 720

% Failure-1.8 6.4 Pre-IEEE 279 Plants 11 37 Post-IEEE'279 Plants 12(9)"

-36 l

ids / Plant, Pre-IEEE 279 11 153 ids / Plant, Post-!EEE 279 58(11)"

153

• NPRDS data are current as of September 1991.

" Numbers in paranthesis exclude major outliers.

i i

h' NLLREG-liS3 21 1

7 REFERENCES 1.

Institute of Electrical and Electronics Engineers, 279-1971, " Criteria for Protection Systems for Nuclear Power Plants."

2.

U.S. Nuclear Regulatory Comission, NUREG-0820, " Integrated Plant Safety Assessment, Systematic Evaluation Program for Palisades Plant," Draft Report, April 1982.

3.

U.S. Nuclear Regulatory Commission, NUREG-0821, " Integrated Plant Safety Assessment, Systematic Evaluation Program, R.E. Ginna Nuclear Power Plant," Final Report, December 1982.

4.

U.S. Nuclear Regulatory Commission, NUREG-0822, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Oyster Creek Nuclear Generating Station," Final Report, January 1983.

5.

U.S. Nuclear Regulatory Comission, NUREG-0823, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Dresden Nuclear Power Station Unit 2," Final Report, February 1983.

6.

U.S. Nuclear Regulatory Commission, NUREG-0824, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Millstone Nuclear Power Station Unit 1," Final Report, February 1983.

7.

U.S. Nuclear Regulatory Comission, NUREG-0825, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Yankee Nuclear Power Station," Final Report, June 1983.

8.

U.S. Nuclear Regulatory Comission, NUREG-0826, "Integr..ed Plant Safety Assessment, Systematic Evaluation Program, Haddam Neck Plant," Final Report, June 1983.

9.

U.S. Nuclear Regulatory Commission, NUREG-0827, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Lacrosse Boiling Water Reactor," Final Report, June 1983.

10.

U.S. Nuclear Regulatory Commission, NUREG-0828, " Integrated Plant Safety

~

Assessment, Systematic Evaluation Program, Big Rock Point Plant," Final Report, May 1984.

11.

U.S. Nuclear Regulatory Comission, NUREG-0829, " Integrated Plant Safety Assessment, Systematic Evaluation Program, San Onofre Nuclear Generating -

Station Unit 1," Final Report, December 1986.

12.

U.S. Nuclear Regulatory Commission, NUREG-0737, " Clarification of TMI Action Plan Requirements," November,1980.

13.

Generic Letter 82-33, " Supplement to NUREG-0737."

NUREG-1453 22

x B

14.

Letter, from H.W. Keiser, Pennsylvania Power & light, to Dr. W.R.

Butler, NRC, "Susquehanna Isolation Device Qualification Testing," April 15, 1991.

15.

Letter, from M.J. Davis, NRC, to distribution,

" Summary of Meetings to Discuss SPDS Testing Program Results, " December 12, 1986.

16.

Letter, from G.C. Andognini, Sacremento Municipal Utility District, to F.J. Miraglia, NRC, " Request for Information on SPDS Isolation Devices,"

July 24, 1987.

17.

J.R. Nielsen et. al., " Preliminary Electrical Signal Isolation Device Evaluation Plan," EGG-EE-6220, EG&G Idaho, Inc. April 1983.

18.

J.R. Nielsen, " Surge and Fault Test Procedures for Class IE Isolation Devices," EGG-EE-6583,.EG&G Idaho, Inc. June 1984.

19.

J.R. Nielsen, " Isolation Device Test Program Design Basis Event Criteria," EGG-EE-6621, EG&G Idaho, Inc. September 1984.

20.

J.R. Nielsen, "Isclation Device Evaluation Criteria," EGG-EE-6892, EG&G Idaho, Inc. November 1985.

21.

U.S. Nuclear Regulatory Commission, NUREG/CR-3453, J.R. Nielsen,

" Electronic Isolators used in Safety Systems of U.S. Nuclear Power Plants," EG&G Idaho, Inc. March 1986.

22.

Institute of Electrical and Electronics Engineers, 472-1974, "" Guide for Surge Withstand Capability Tests."

23.

Institute of Electrical d Electronics Engineers, 587-1980, "IEEE Guide for Surge Voltages in Le* Voltage AC Power Circuits."

24.

U.S. Nuclear Regulatory Commission, SECY-91-244 " Nuclear Plant Reliability Data System (HPRDS)," August 7, 1991.

25.

U.S. Nuclear Regulatory Commission, SECY-91-270 " Interim Guidance on-Staff Implementation of the Commission's Safety Goal Policy," August 27, 1991.

26.

U.S. Nuclear Regulatory Commission, NUREG/CR-5863, W. R. Cramond et al.,

" Risk Assessment of Isolation Devices in Safety Systems," Sandia National Laboratories, July 1992.

27.

U.S. Nuclear Regulatory Commission, NUREG-0933, "A Prioritization of Generic Safety Issues,"

1983.

28.

U.S. Nuclear Regulatory Commission, NUREG-1150, " Severe Accident Risks:

An Assessment for Five U.S. Nuclear Power Plants," December 1990.

i lLUREG-1453 23

(:

i; 29.

Memorandum, from W. Minners to Eric Beckjord, Office of Research, " Task Action' Plan (TAP) for Generic Issue (GI) 142, ' Leakage through Electrical Isolators _in Instrumentation Circuits,'" December 31 1990.

.y l

7

?

- k s

I l

s i

NUREG-1453 24 i