ML16341C389
| ML16341C389 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon |
| Issue date: | 05/28/1980 |
| From: | Basdekas D NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To: | Udall M HOUSE OF REP., INTERIOR & INSULAR AFFAIRS |
| Shared Package | |
| ML16340B451 | List: |
| References | |
| NUDOCS 8102260700 | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

May 28, 1980

The Honorable Morris K. Udall
Chairman, Subcommittee on the Energy and the Environment
Committee on Interior and Insular Affairs
United States House of Representatives
Washington, DC 20515
Dear Mr. Chairman:
In response to your letter of February 7, 1980, regarding reactor control system failures, which could lead to accident sequences not previously anticipated in Commission regulations, the Commission transmitted to you its position on this matter on May 14, 1980.
The purpose of this letter is to briefly comment on the Commission's response, clarify my bases for differing with the Commission's official position on this important matter, and reiterate on the record my long-standing concerns, the reasons for them, and a proposed interim solution that I believe is prudent, practical, and long overdue.
I agree with Commissioners Gilinsky and Bradford that the Commission's response of May 14, 1980, downplays a serious problem.
I also agree with them that a better discussion of the safety implications of control systems is provided in the October 22, 1979 memorandum from Mr. Denton.
However, although Mr. Denton's discussion is better than that given by the Commission, the position he has taken with respect to the need for Failure Modes and Effects Analysis (FMEA), and the interim derating of all operating nuclear power plants is not correct.
The Commission's response is in essence that given to the ACRS and the Congress in 1976-77, reflecting a standard position that "We are aware of the problem, we have no fundamental disagreement on the need to learn more about it, we are working on it, and no regulatory action is necessary."
It is largely premised on the faulty assumption that "safety systems will mitigate control system failures at any power."
This illusion appeared to have dissipated quickly in the aftermath of the TMI accident and several near accident events (Rancho Seco, Oconee, and Crystal River).
Surprisingly enough, however, it is surfacing again as an official Commission position despite the overwhelming technical evidence that it is wrong. It is very much like someone advancing the argument that "You should not be overly concerned about the functional integrity of the steering mechanism of your automobile because even if it fails, at any speed, you have a seat belt to protect you."
Does the Commission's statement on the safety implications of control systems imply that Class 9 accident initiator sequences are to be brushed aside again, or be given a cosmetic, prolonged lip service?
The Kemeny Commission Technical Staff Analysis Report on the Failure of the Pilot-Operated Relief Valve (PORV), a non-safety grade control system component, concluded that:
"The TMI-2 accident would probably not have progressed beyond a severe feedwater transient, had the PORV been recognized and treated as a safety-related component."
Furthermore, on page 35 of the same report it is stated that:
"This PORV failure is a clear indication of the need for better configuration control and interface coordination.
It provides a good opportunity for a failure mode and effects analysis (FMEA)."
The Commission's response cites examples of control system failures in Crystal River, and the dismissed potential of "control system failures leading to unacceptable consequences" in all plants caused by high energy line breaks.
These are just two more examples of the "band-aid," reactive approach to safety, that has been rather characteristic of the regulatory process. Even in the traditional "band-aid" approach, the Commission has failed to address, for instance, the effects of control system failures in operating plants due to an earthquake.
Control systems are not seismically qualified, and an earthquake could cause massive failures driving the plant to extremely unsafe conditions.
Isn't the Commission and its staff concerned about that? The hard reality remains that the most likely way to find out what is wrong with the design, configuration and qualification of control systems is for something wrong to happen.
Certainly this is not the correct approach to safety.
It appears that there is a growing tendency within the industry and the NRC to not only forget or downplay the deficiencies brought out by the TMI accident, but to view this accident as a confirmation that "The system worked; nobody was killed." It is true that nobody was killed, but it is clear that the system did not work; unless one of its unwritten design bases was to bring us within 30 minutes of disaster, cause damages and losses exceeding the cost of the plant, and substantially disrupt life in nearby communities.
No, the system did not work except in the sense of, hopefully, driving the point home that we must recognize and correct the deficiencies in nuclear power plants before it is too late.
The matter of poorly designed and installed control systems, and their arbitrary classification as "non-safety" systems are not the only things that require prompt and resolute attention.
The following is a summary of points I have made in the past, and would serve to illustrate the extent and compounding of the problem of deteriorating safety, its reasons, and an interim solution to it.
The safety of operating nuclear power plants has been deteriorating since the Three Mile Island accident.
The reasons for this irony relate directly to the "corrective actions" taken by the Commission prompted by the TMI accident.
Their net contribution to safety, at an already unacceptable level before the TMI accident, has been negative because of:
1. Fragmented and haphazard changes in design and procedures without proper, if any, consideration of their effects on overall safety.
2. Attempts to compensate for design deficiencies by instituting more and more procedures for the already overburdened operator.
3. Lack of basic understanding of plant dynamic characteristics and the importance to safety of the so-called "non-safety" control systems, which continue to go unreviewed.
4. Continuing improper use of reliability and risk assessment methods, and repetition of mistakes made during and after the study reported in WASH-1400.
Sound and tested engineering methods and practices that have served the aerospace and defense industries well, known as Failure Mode and Effects Analyses (FMEA) are indispensable prerequisites for any meaningful reliability and risk assessment.
Nonetheless, NRC shies away from them as if it feared what they might uncover.
An example of what an FMEA should uncover is given in Reference 7, and it could prevent a catastrophe. Even a preliminary analysis of this matter may very well show the need to temporarily shutdown many plants.
The interim solution to these and pre-existing problems is to derate all operating nuclear power plants to about 65% of full power until their dynamic characteristics are established and well understood, proper and meaningful reviews of their control and other so-called "non-safety" systems are performed, and their results evaluated.
During this time of two to three years, a thorough review of some 130 unresolved safety issues, along with the "corrective actions," taken since TMI should be performed outside the NRC.
The proposed derating will substantially enhance safety, while producing a minimal impact on integral power generation, due to adjustments in the refueling schedules that will be possible (see Figure 1).
Power generation may be augmented by issuing where appropriate, derated operation licenses to a limited number of new plants already completed.
Not only can we afford to implement this interim solution, we can't afford not to.
Failure to decidedly reverse the present trend will most likely result in a catastrophic nuclear accident within the next two years or so; and with it a denial of the nuclear option to this country, even as a "last resort" component of our energy supply. It will not be possible then to undo the harm, and too late to save the nuclear option.
This letter has not been concurred by any supervisory Commission personnel and it is submitted under the provisions of 10 CFR Part 0.735-55, Annex A.
The references cited are available from NRC or subcommittee files.
If I can be of further assistance, please let me know.

Respectfully,
Demetrios L. Basdekas
Reactor Safety Engineer

cc: Rep. Stephen Symms

Notes and References:
1. Letter from M. Bender, ACRS to M. Rowden, Issue No. 22, Report on Selected Safety Issues Related to Light Water Reactors - Issues 16-27, dated February 23, 1977.
2. Technical Staff Analysis Report on Pilot Operated Relief Valve (PORV) Design and Performance to the President's Commission on the Accident at Three Mile Island, dated October 31, 1979.
3. Memorandum from D. L. Basdekas to J. F. Ahearne, Safety Implications of Control Systems and Plant Dynamics, dated October 25, 1979.
4. Memorandum from D. L. Basdekas to J. F. Ahearne, Safety Implications of Control Systems and Plant Dynamics Recommendation to Derate Operating Plants to 65 Percent of Rated Power, dated December 20, 1979.
5. Institute of Electrical and Electronics Engineers (IEEE) Standard 352-1972-75 "General Principles for Reliability Analysis of Nuclear Power Generating Station Protection Systems."
6. Memorandum from D. L. Basdekas to the Commissioners, Review of Uses of WASH-1400 in Regulatory Decision Making Identification of Unresolved Safety Issues, and Report to the Congress, NUREG-0510, dated February 14, 1979.
7. Memorandum from D. L. Basdekas, to T. Murley, Failure of Main Feedwater Control System Resulting in Unacceptable Overcooling of Reactor Vessel, dated February 27, 1980.
8. It is likely that a loss-of-control sequence of unprotected events will involve the failure of the reactor vessel⁷ and/or steam generator tubes, resulting from malfunctions in the feedwater/steam control systems, and/or main steam line breaks.
[FIGURE 1: Refueling Schedule for Operation at 100% and 65% Power Levels (horizontal axis: TIME)]
LIST OF DOCUMENTS SUPPLIED BY DEMETRIOS L. BASDEKAS, RSR TO M. CUTCHIN, ELD ON OCTOBER 23, 1980
1. Professional Qualifications Summary of Demetrios L. Basdekas
2. Memo to B. C. Rusche from D. L. Basdekas December 20, 1976
3. Final Draft of NUREG-0153 sent for comment by Rusche. (Comments by Basdekas given in No. 2 above)
4. Letter to M. Rowden from M. Bender February 23, 1977
5. Memo to the Commissioners from D. L. Basdekas February 14, 1979
6. Note for the Commissioners May 25, 1979
7. Memo to Commissioner J. F. Ahearne from D. L. Basdekas October 25, 1979
8. Memo to the Commissioners from H. Denton October 25, 1979
9. Technical Staff Analysis Report on PORV Design and Performance to the President's Commission on the Accident at Three Mile Island.
10. Record of Briefing of Chairman John F. Ahearne December 17, 1979.
11. Memo to Chairman Ahearne from D. L. Basdekas December 20, 1979
12. Memo to T. E. Murley from D. L. Basdekas February 27, 1980
13. Memo to D. L. Basdekas from T. E. Murley February 28, 1980
14. Memo to L. C. Shao and L. S. Tong from T. E. Murley February 28, 1980
15. Memo to Charles Z. Cerpan from D. L. Basdekas July 31, 1980
16. Memo to T. E. Murley from D. L. Basdekas May 28, 1980