ML16300A296

Safety Evaluation Report for the Power Reactor Inherently Safe Module (Prism) Design
Person / Time
Issue date: 11/22/1988
From: Remick F
Advisory Committee on Reactor Safeguards
To: Zech L
NRC/Chairman
References
D881122


Text

D881122

The Honorable Lando W. Zech, Jr.
Chairman
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Chairman Zech:

SUBJECT: SAFETY EVALUATION REPORT FOR THE "POWER REACTOR INHERENTLY SAFE MODULE" (PRISM) DESIGN

During the 343rd meeting of the Advisory Committee on Reactor Safeguards, November 17-18, 1988, we reviewed a draft of the subject safety evaluation report (SER). The ACRS and its Subcommittee on Advanced Reactor Designs have reviewed these matters in previous meetings.

During these meetings we had the benefit of discussions with representatives of the NRC staff and its consultants, and with representatives of the Department of Energy (DOE) and its contractors, including representatives of the General Electric Company, the lead design contractor. We also had the benefit of the documents referenced.

The PRISM conceptual design is a product of a DOE program to develop designs for possible future power reactor systems that would have enhanced safety characteristics. Other design projects in the program are the Modular High Temperature Gas-Cooled Reactor (MHTGR) and the Sodium Advanced Fast Reactor (SAFR). The NRC staff is reviewing these designs in accordance with the Commission policy on Advanced Nuclear Power Plants. These preapplication reviews are intended to provide NRC guidance on licensing issues at a relatively early stage of design development. The ACRS has previously commented to you on NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," in June 1987, on key licensing issues associated with the entire program in July 1988, and on the SER for the MHTGR in October 1988.

We understand that issuance of the SER will not constitute approval of the PRISM design. Further engineering development and documentation will be required to support a future application for design certification.

The PRISM design incorporates several small, modular reactors cooled by liquid sodium. The standard PRISM plant would consist of nine reactor modules, each generating 425 MWt, providing a total plant output of 1245 MWe. Each reactor, along with its intermediate heat exchangers and pumps, is immersed in a pool of sodium. A steel vessel containing this pool is located within a secondary steel container. The steel containers share a common head. Each such unit is installed within an underground concrete silo. Secondary sodium coolant flows to steam generators which are also located below grade, but are outside the silo along with the remainder of the "balance of plant" (BOP) equipment.

The PRISM design provides several features for enhancing safety of a nuclear power plant:

- a passive system for emergency removal of decay heat
- inherent mechanisms for negative feedback of reactivity
- large thermal inertia in the pool of sodium coolant
- metal fuel, offering greater opportunity for on-site fuel reprocessing
- small component sizes, providing opportunities for factory fabrication
- opportunity for prototype testing of a single module
- separation of safety-related functions from BOP systems

On the basis of its review, the NRC staff has concluded that the PRISM design has the potential for a level of safety at least equivalent to current light water reactor (LWR) plants, provided that a number of specific issues are resolved. Our general recommendation is that, from the perspective of safety and licensing, design development of PRISM should continue, taking into account the points made by the staff.

A number of safety issues remain to be completely addressed, a program of continuing research and development is necessary to support further design, and plans for extensive prototype testing should be developed.

In the following paragraphs we comment on a number of specific safety issues which we believe should be considered by the staff in its final SER, and by DOE in its continuing development and design activities.

Containment

Although a secondary vessel is provided to contain leakage of sodium coolant, the PRISM design does not include a conventional containment capable of resisting high temperatures and pressures. It is contended that the potential for core disruptive accidents, for which such a containment might provide mitigation, is so low that a conventional containment is not needed. Both deterministic and probabilistic arguments are made in support of this contention. Although these arguments have technical merit, we are not yet convinced. Our position is as stated in our report to you of July 20, 1988 on the key licensing issues associated with DOE sponsored reactor designs and our report to you of October 13, 1988 on the preapplication safety evaluation report for the modular high temperature gas-cooled reactor.

However, there is a problem. One reason for providing a strong physical containment is to protect the public against unforeseen accidents. But, precisely because they are not foreseen, the design requirements for a containment are not obvious. Therefore, engineering and policy judgments must be made about the need for, and nature of, containment that might be used with PRISM. We believe that further study is appropriate before final judgments are made.

Absence of a Backup Shutdown System

The PRISM design provides a control rod system consisting of six control rods, a safety grade means of scramming these rods by gravity, and a safety grade electrical system to drive the rods into the core. However, the design provides no backup to this control rod system other than the inherent characteristics of the core. We question whether these inherent characteristics are adequate as a backup system, for two reasons. First, they may not act fast enough to compensate for certain fast transients without scram. Second, they are not capable of making the reactor subcritical and taking it to cold shutdown conditions.

Therefore, we believe the need for a backup system or suitable demonstration of scram reliability deserves further study.

Need for Local Flow and Temperature Monitoring

The PRISM safety analysis indicates that blockage of flow through one fuel assembly may possibly damage that assembly, but will not damage adjacent assemblies. Early work with oxide fuel has demonstrated that propagation is unlikely, but experiments and analysis with metal fuel have not been as extensive. Especially because the design does not provide for monitoring flow and effluent temperature from individual assemblies, we believe this requires further study.

Individual Rod Worth

Each of the six control rods is sufficient, individually, to shut down the reactor and maintain it in cold shutdown. Therefore each rod has a very large reactivity worth, about two dollars. There is thus potential for serious consequences from a rod ejection accident. This potential is ameliorated in two ways. First, for startup, rod operations are interlocked so that the rods can be withdrawn only in a carefully orchestrated sequence. This rod sequencing system will have to be very carefully designed, operated, and maintained. Second, for power operation, the expected reactivity change of a core through its lifetime is expected to be so flat that only very small rod insertion will be necessary at the beginning of core life, thus reducing the effect of a rod ejection accident. These features will be effective only with accompanying administrative controls on core design and rod operation over the lifetime of PRISM plant operations. This should be acknowledged in the SER.

Role of the Operator

We believe that insufficient attention has been given to the role of the operator. Claims that a PRISM plant would have such inherently stable and safe characteristics that the operator will have essentially no safety function are unproven. Operation of nine reactors, possibly in several different operational states at any given time, may be a daunting challenge for the small operations crew envisioned. Opportunities for cognitive error, which might defeat favorable safety characteristics of the reactor, might be more abundant than is now recognized. Further study appears to be desirable.

We believe insufficient attention has been given to the physical security of the plant's operating and technical support staff. It is claimed that the control room, with all of its contents, including operating personnel, can be destroyed and that the plant can be safely shut down from remote control stations that are within the physical security controlled areas of the plant. Therefore, the control room and technical support areas are now proposed to be located outside the physical security boundary. We believe, given an external threat, such as an attack by terrorists, that it is essential to preserve the operating and technical expertise on-site, and recommend that the control room and appropriate technical support personnel be located within the physical security boundary.

Other Operational Considerations

In addition, certain features that have been found to be desirable in LWR plants are not provided in the PRISM design. No technical support center is provided. Although remote shutdown capability is provided, it appears to lack some of the attributes of such systems in current LWR plants. Also, the design does not include Class 1E AC electric power systems, but relies entirely on 1E DC power from batteries. It is not clear that adequate consideration has been given to the potentially large power needs of essential auxiliary functions such as space cooling and emergency lighting.

Protection Against Sabotage

With regard to the need for designing protection against sabotage, the following statement from our report of July 20, 1988 should be given early consideration as the design of this plant progresses:

"It is often stated that significant protection against sabotage can be inexpensively incorporated into a plant if it is done early in the design process. Unfortunately, this has not been done consistently because the NRC has developed no guidance or requirements specific for plant design features, and there seems to have been no systematic attempt by the industry to fill the resulting vacuum. We believe the NRC can and should develop some guidance for designers of advanced reactors. It is probably unwise and counterproductive to specify highly detailed requirements, as those for present physical security systems, but an attempt should be made to develop some general guidance."

Sodium Fires

Further study of the potential for and suppression of sodium fires and consideration of their possible consequences is needed. Such studies should include the possibility of fires resulting from earthquake effects.

Sincerely,

Forrest J. Remick
Acting Chairman

References:

1. Office of Nuclear Regulatory Research, "Safety Evaluation Report for the Power Reactor Inherently Safe Module (PRISM)/Liquid Metal Reactor Conceptual Design," dated September 10, 1988 (Predecisional Draft)
2. General Electric/Nuclear Systems Technology Operation (DOE Contract), GEFR-00793, "PRISM Preliminary Safety Information Document," Volumes I through V, 1986