ML17010A051
| ML17010A051 | |
| Person / Time | |
|---|---|
| Site: | Byron, Braidwood  |
| Issue date: | 11/15/2016 |
| From: | Miranda S - No Known Affiliation |
| To: | Mccree V NRC/EDO |
| References | |
| 2.206 | |
| Download: ML17010A051 (17) | |
Text
November 15, 2016 Mr. Victor M. Mccree, Executive Director for Operations U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001
SUBJECT:
Enforcement Petition (10 CFR §2.206} Regarding Exelon's Byron and Braidwood Stations Samuel Miranda (the Petitioner} hereby submits this Petition, pursuant to the terms of 10 CFR §2.206, regarding the licensing and operation of the Byron and Braidwood Stations. Specifically, the Licensee (Commonwealth Edison; which was succeeded by Exelon} has obtained the NRC's authorization to operate its Byron and Braidwood Stations at uprated power levels, based upon evaluations of certain anticipated operational occurrences (AOOs} that are rife with errors, and omissions. More importantly, the Licensee employed a circular logic that failed to demonstrate that the Byron and Braidwood plant design meets all of its design requirements. Hence, this petition for enforcement.
The technical review staff of the NRC's Office of Nuclear Reactor Regulation (NRR} had approved the Licensee's applications for power upratings for the Byron and Braidwood plants [9] [10] [16] that claimed it had complied with a key design requirement [2] [3], which requires nuclear plants to be designed in a way that prevents AOOs from developing into more serious events. The Licensee's claim relied upon its plants' pressurizer safety valves (PSVs} to perform safety functions that are outside their design basis. The Licensee also submitted, under Oath and Affirmation, a statement of no significant hazards, as per 10 CFR §50.92.
The Petitioner requests the NRC to take the following actions:
(1) Revoke the Licensee's authorizations to operate its Byron and Braidwood Stations at any uprated power level.
(2) Impose a license condition, on current.operations, requiring the Licensee to provide an acceptable demonstration of compliance with the aforementioned design requirement. See [11]
for a precedent.
(3) Require the Licensee to file a 10 CFR §21 report regarding its statement of no significant hazards.
Please read Attachments (B through E} for the particulars:
(A} Summary of the Petitioner's education and experience, and disclosures, (B} Anticipated Operational Occurrences (AOOs}: defined and evaluated, and relevant issues, (C} Summary and evaluation of the Licensee's compliance rationale, and (D} Statement of safety significance, as per 10 CFR §50.92 (E} Summary and Conclusion, and References Please contact the Petitioner for additional details.
With respect and concern, Samuel Miranda, PE sm0973@gmail.com (301} 585-3289
Attachment A A summary of the Petitioner's education and experience in nuclear safety analysis and licensing The Petitioner, Samuel Miranda, holds Bachelor's and Master's degrees in nuclear engineering from Columbia University, and a Professional Engineer's license in mechanical engineering, in the Commonwealth of Pennsylva'hia.
He has more than 40 years of experience in reactor safety analysis and licensing at Westinghouse and the NRC.
At Westinghouse (25 years), he worked in their Nuclear Safety Department, where he performed nuclear safety analyses of Westinghouse plants, CE-designed plants, and Soviet VVER plants to resolve reactor safety questions, to improve nuclear power plant operability, and to support the licensing of nuclear plant modifications, core reloads, and changes in operating procedures. He also developed standards and methods for use in nuclear safety analysis, and automatic reactor protection systems design. His work in reactor protection systems design included the preparation of functional requirements, component sizing, and determination of setpoints, time response limits, and Technical Specification revisions. In the 1980s, the Petitioner managed a program, for more than 30 utilities in the Westinghouse Owners Group, to develop a system to improve power plant availability and safety by reducing the frequency of unnecessary automatic reactor trips (see patent no. 4,832,898).
At the NRC (14 years), the Petitioner worked in NRR's Division of Safety Systems (DSS), where he reviewed license amendment requests (LARs) for license renewals, power upratings, and modifications of protection systems in PWR and BWR reactor systems. This included presenting and defending review results before the Advisory Committee.on Reactor Safeguards (ACRS). He al~o revised several sections of the Standard Review Plan (NUREG-0800), and presented them to the ACRS. The Petitioner wrote RIS 2005-029 [12] regarding compliance with the design requirement that is the subject of this Petition.
The Petitioner retired from the NRC in August, 2014, at grade GG-15.
Disclosures:
(1) The Petitioner was directly involved in the production of References [4], [8], [11], [12], [14], [15],
[16], and [17].
(2) While working at the NRC, as an NRR technical reviewer, the Petitioner withheld his concurrence
[17] in the acceptance of the Licensee's application for a power uprating [16], based upon the
- - use of PSVs.
(3) While working at Westinghouse, as an analyst, the Petitio~er was nbt involved, directly or indirectly, in the production of [7].
Attachment B Anticipated Operational Occurrences (AOOs), evaluation of AOOs, and relevant issues The introduction to the General Design Criteria (GDCs) [1] defines two basic types of events:
"anticipated operational occurrences" (AOOs), and "postulated accidents" (PAs). AOOs are, those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit. PAs are less frequent; but more serious events, such as loss of coolant accidents (LOCAs). If risk is defined as the product of consequences and frequency of occurrence, then the risk of an AOQ would be about the same as the risk of a LOCA. This principle was established in 1971, and published in 1983 [5], The nuclear safety criteria ... have been established on the premise that: a. Those situations in the plant that are, assessed as having a high frequency of occurrence shall have a small
~onsequence to the public, and b. Those extreme situations having the potential for the greatest consequence to the public shall be those having a very low frequency of occurrence.
According to the American Nuclear Society (ANS) standard of 1973 [3], AOOs " ... shall be accommodated with, at most, a shutdown of the reactor with the plant capable of returning to operation after corrective action. In other words, AOOs must not require anything more, for protection, than a reactor trip. The Licensee commits to meet the following requirements for AOOs [9] [13]:
- a. Pressure in the reactor coolant and main steam systems should be maintained below 110% of the design values,
- b. Fuel cladding integrity shall be maintained by ensuring that the minimum departure from nucleate boiling ratio (DNBR) remains above the DNBR limit, derived at a 95% confidence level and 95% probability, and
- c. An incident of moderate frequency should not generate a more serious plant condition without other faults occurring independently.
These requirements: (a), (b), and (c), will hereinafter be designated as the overpressure requirement, the DNB requirement, and the non-escalation requirement, respectively.
The AOOs of concern are those events that cause water to be added to the reactor coolant system (RCS)
[2], such as the inadvertent operation of the emergency cooling system (IOECCS). The IOECCS is an AOO (or Condition II event) that could generate a more serious plant condition (e.g., a Condition Ill or IV event) by (1) filling the pressurizer, (2) raising pressurizer pressure to the power-operated relief valve (PORV) opening setpoint, and (3) causing the PO RVs to open and relieve water. If the PO RVs are not qualified to relieve water, then they cannot be relied upon to reseat (i.e., they must be assumed to stick open). In this way, stuck open PORVs produce a more serious plant condition (e.g., a Condition Ill LOCA).
If there is no concurrent instance of another, independent fault or operator error, then the resulting Condition Ill LOCA is evidence that the plant design does not meet the non-escalation requirement.
Attachment C A summary and evaluation of the Licensee's compliance rationale The Licensee's compliance rationale is found in Chapter 15.5.1, Inadvertent Operation of Emergency Core Cooling System during Power Operation, of its UFSAR [13]. This is repeated in the Licensee's 2000 application for a power uprating [9]. Inter alia, the Licensee claims that the non-escalation requirement is met by the operation of its pressurizer safety valves (PSVs).
This summary of the Licensee's compliance rationale will focus upon sections of [9] and [13] wherein important points are either omitted or mistaken.
In [9] and [13], the Licensee states, the inadvertent ECCS actuation at power event is analyzed to determine the maximum RCS pressure encountered throughout the accident. ... The SI flow refills the pressurizer until the pressurizer is water solid, and the SI flow' results in liquid discharge through the \
pressurizer safety relief valves. (Note: Pressurizer safety relief valves are also known as PSVs).
Unnecessary overpressure analysis This analysis addresses only the overpressure requirement. In this case, the Licensee's assumption that the PO RVs do not open is conservative, since it demonstrates that the. PO RVs are not required to meet RCS overpressure requirement.
It would be even more conservative to assume that the PSVs would also remain closed. Then the ECCS flow will continue to pressurize the RCS past the PSV opening setpoint, of 2500 psia, until the pressure reaches the ECCS charging pumps' shutoff head (i.e., about 2650 psia, or 100 psi below 110% of RCS design pressure). The RCS pressure will eventually plateau at the ECCS charging pumps' shutoff head.
Therefore, it is not necessary to rely upon the PSVs for the IOECCS event to demonstrate compliance with the overpressure requirement. It is also not necessary to perform an overpressure analysis of the IOECCS.
{Error 1} The Licensee's unnecessary overpressure analysis reveals a lack of understanding of the IOECCS.
Unnecessary DNB analysis The licensee's.UFSAR [13], and its 2000 uprating application [9] also present an analysis to show that the DNB requfrement is met. This analysis is performed to show that fuel cladding integrity is not jeopardized (i.e., by showing that the minimum DNBR,does not drop below the DNBR safety limit). In this case, it is assumed that the PO RVs open, as designed, and limit the reactor coolant system (RCS) pressure to the PORV opening setpressure (2350 psia). This is a conservative assumption, since a lower RCS pressure, at power, would cause a greater decrease in calculated DNBR.
However, DNB is not a concern for the IOECCS. The ECCS sequence begins with an immediate reactor trip. So, it is not possible to enter a DNB condition when no power is being generated. A DNB analysis is
not necessary. This is verified by the reported results of the Licensee's DNB case analysis, which conclude that:' the minimum DNBR was obtained at time zero for both units.
{Error 2} The Licensee's unnecessary DNB analysis reveals a lack of understanding of the IOECCS.
Missing non-escalation case analysis The licensing basis [9] [13] does not provide an analysis or evaluation to demonstrate that the non-escalation requirement is satisfied.
{Omission 1} The only necessary analysis (i.e., the non-escalation case) is not submitted.
{Error 3} The missing non-escalation case analysis reveals a lack of understanding of the IOECCS.
Non-conservative assumptions In [9] and [13] the Licensee states, the SI flow results in liquid discharge through the pressurizer safety relief valves. In order for the PSVs to open, the PO RVs would have remain closed. This would not be a conservative assumption in analyses that are performed to show compliance with the non-escalation requirement. Since [9] and [13] do not contain a non-escalation requirement case analysis, the reader must construe this to mean that either (1) it is the overpres~ure requirement case analysis that is presented to demonstrate compliance with the non-escalation requirement, or (2) the PO RVs are somehow to be kept closed during an IOECCS.
{Error 3} The IOECCS evaluation is either non-conservative, or based upon a requirement to prevent the PO RVs from opening. Either of these interpretations indicates the Licensee lacks an understanding of the IOECCS.
No discussion of PORV response The UFSAR indicates the PSVs will open, in lieu of the PO RVs, but does not explain how or why the PORVs will remain closed when the RCS pressure rises to their opening setpoint.
{Omission 2} There is no description of how the PORVs would respond to an IOECCS.
Nd justification for the use of PSVs, in lieu of PORVs The PO RVs, not the PSVs, are designed to operate during AOOs. The PO RVs, as well as pressurizer spray and heaters, comprise the pressurizer pressure control system. They are designed to prevent -,
unnecessary reactor trips, and challenges to the PSVs. The PO RVs are designed to relieve enough pressure to keep the plant online during AOOs (e.g., turbine trips and partial load rejections). Some Westinghouse plants, known as full load rejection plants, are equipped with three PORVs. These plants, are capable of keeping the plant on line following a turbine trip at full power.
On April 7, 1994, there was a mass addition AOO at Salem, Unit 1, in New Jersey. This was a reactor trip (also an AOO) that was accompanied by an automatic actuation of the SI system. Flow from the SI
-system filled the pressurizer and caused repeated operation of the plant PO RVs. During the event, each
of Salem's two PO RVs cycled more than 100 times. [21, 22] Both PORVs reseated fully, even though they had relieved water. Three years later, the PORVs at Salem Units 1 and 2 were qualified for water relief and upgraded to safety grade status. [8] This made it acceptable to assume the operation of the Salem PORVs, in FSAR accident analyses, to relieve water, and then reseat properly. There was no attempt to qualify the PSVs for water relief.
The Licensee does not explain why it would be permissible, or even possible to use the PSVs; in lieu of the PO RVs, to respond to AOOs. There is no explanation as to how the PSVs, which are intended for accidents that are not expected to occur more than once in a plant's lifetime, could be reasonably expected to open as often as several times a year.
{Omission 3} The Licensee does not justify the use of PSVs, in lieu of PO RVs, to respond to AOOs.
Invalid comparison between two dissimilar events The Licensee claims that, if the pressurizer safety relief valves do not reseat, then the transient will proceed and terminate as described in Section 15.6.1, "Inadvertent opening of Pressurizer Safety or Relief Valve." This event is also classified as an event of moderate frequency. [9] [13]
It is not true that both events are events of moderate frequency (i.e., AOOs or Condition II events).
There isn't even a common basis for comparison. Consider the differences:
The Inadvertent opening of Pressurizer Safety Valve:
(a) PSV relief occurs at 2250 psia.
(b) This is an AOO, or Condition II event.
(c) The analysis of this AOO, in Section 15.6.1, is performed to demonstrate compliance with the DNB requirement. Consequently, the analysis is ended after only a few seconds, when the automatic reactor protection system (RPS) detects a reduction in core thermal margin, and trips the reactor before the calculated DNBR can drop below its safety limit value.
(d) ECCS is not actuated. The analysis of this AOO, in Section 15.6.1, is ended before the ECCS can be actuated by a low RCS pressure condition. The "Inadvertent opening of Pressurizer Safety or Relief Valve", of Section 15.6.1, cannot be compared to the IOECCS, because its analysis is ended too soon.
The IOECCS, with a stuck open PSV:
(a) PSV relief occurs at 2500 psia. (If this were a stuck open PORV, then the initial pressure would be 2350 psia)
(b) If a PSV sticks open, it would be a consequential failure, due to the IOECCS. The result is a Condition Ill event (a hot leg LOCA) with the frequency of occurrence of an IOECCS.
(c) A stuck open PSV would not be diagnosed, by the operators, until after the RCS has depressurized to below the PSV closing setpressure. If they have already shut off the ECCS flow, then the situation could be worse than that of Three Mile Island accident (i.e., a stuck open PORV with no ECCS flow), since a PSV is about twice the size of a PORV. In this scenario, it is possible to open, and stick open, three PSVs. Three open PSVs create the equivalent of a 3.7 inch hot leg LOCA.
(d) It is necessary for the operators to somehow restore ECCS flow, since stuck open PSVs are not isolable . One can argue that only one operator error separates this event from a TMI scenario.
{Error 4} The Licensee makes an invalid comparison between two dissimilar events.
ECCS flow will not match PSV water relief rate The Licensee claims that the flow through a stuck-open PSV would be a minor RCS leak. It states, American Nuclear Society standard 51 .1/NlB.2-1973 ... describes ... a condition II event as a "minor reactor coolant system leak which would not prevent orderly reactor shutdown and coo/down assuming makeup is provided by normal makeup systems only." ... normal makeup systems are defined as those systems normally used to maintain reactor coolant inventory under respective conditions of startup, hot standby, power operation, or coo/down, using onsite power. Since the cause of the water relief is the ECCS flow, the magnitude of the leak will be less than or equivalent to that of the ECCS (i.e., operation of the ECCS maintains RCS inventory during the postulated event and establishes the magnitude of the subject leak). [9] [13) This text is copied, directly, from a letter that Westinghouse (the Vendor) sent to its customers, in 1993. [7]
The situation that the Licensee describes, where in the flow through the open PSV would be matched by the flow that is delivered by the ECCS flow, would be true only after RCS pressure has dropped to very low levels, late in the IOECCS scenario; long after the non-escalation requirement has been violated. At high RCS pressures, the critical (choked) water flow, through the PSV, will be much greater than the ECCS flow that is delivered. Here is an illustration of this relationship for one PSV. This is a conservative depiction, since (1) ECCS flow is high (i.e., the maximum ECCS flow rate is represented) , and (2) the PSV relief rate is low (i .e., there could be as many as three stuck open PSVs) . At worst, as many as three PSVs could stick open, and create a hole that is equ ivalent to a 3.7 inch hot leg LOCA.
PSV Relief Flow and ECCS Delivery 1,200,000
~ 1,000,000 Vl
.0 s0 800,000 u::
V) 600,000 - - ECCS a_
-0 - - 1 PSV Water c 400,000 ro V) - - 1 PSV Steam u
u 200,000 w
0 500 1,000 1,500 2,000 2,500 Pressurizer Pressure (psia)
The figure shows that ECCS flow rate will not exceed the PSV water relief rate until the RCS pressure approaches the accumulator injection setpoint (about 600 psia}.
{Error 4} The Licensee claims that ECCS flow will match PSV water relief rate.
Lack of Vendor oversight The Licensee submitted this Vendor-supplied information, under Oath and Affirmation, without first reviewing it for accuracy.
{Error 5} The Licensee fails to use due diligence when passing on Vendor-supplied information to the NRC.
ECCS is not a normal RCS makeup system The charging pumps, when actuated by an SI signal, cannot be considered to be a normal makeup system. This charging flow is not controlled by a pressurizer level program or by letdown flow rates. It operates, simply, at maximum capacity, and it does not shut down until the operator shuts it down. That is, when they're actuated by an SI signal, the function of the charging pumps is to supply emergency core cooling, not to maintain a programmed pressurizer water level.
{Error 6} The Licensee claims that the ECCS is a normal RCS makeup system.
Lack of Contractor oversight In licensing basis accident analyses of certain AOOs, the PORVs are assumed to remain closed, and the PSVs are applied to verify that adequate RCS overpressure protection can be provided without the use of PORVs. These analyses are like component sizing calculations. They do not require the PO RVs to be prevented from opening.
PSVs are designed to open during Condition IV events. PSVs sticking open during Condition IV events are of little or no concern, since (1) the event escalation requirement does not apply to Condition IV events (i.e., it's not possible to escalate an event beyond Condition IV), and (2) stuck open PSVs are just one more problem, in a host of problems that are posed to the operators during a once-in-a-plant's-lifetime Condition IV accident.
The PSVs are designed to provide last-resort RCS overpressure protection. PSVs are designed to open (not to close), and relieve steam (not water) to prevent overpressure during Condition IV events.
Therefore, failure of a PSV to close is not assumed, during Condition IV events, because PSVs are not required to close! This is why the UFSAR Feedwater System Pipe Break analysis (Chapter 15.2.8) does not apply the single failure criterion with respect to a PSV sticking open.
The Licensee substitutes PSVs for PORVs to address the non-escalation requirement. To do this, it becomes necessary to show that all the PSVs will reseat after having relieved water. [9] [13] The Licensee claims its PSVs are qualified to relieve water, based upon valve tests that were conducted, in 1988, by the Idaho National Engineering Laboratory (INEL}, for Commonwealth Edison's Byron and Braidwood plants [6]. INEL's report of the valve test results contains this entry:
Section 4.2.3, Extended High Pressure Injection Event The limiting extended high pressure injection event is the spurious actuation of the safety injection system at power .... For a four-loop plant, both the safety valves and PORVs will be challenged. Both steam and water discharge are expected. In this event, however, the safety valves or PORVs open on steam and liquid discharge would not be observed until the pressurizer becomes water solid. .... This would not occur until at least 20 minutes into the event which allows ample time for operator action.
Thus the potential for liquid discharge in extended HP/ events can be disregarded.
INEL is wrong when it states that, both the safety valves and PORVs will be challenged. The opening of one PORV will provide enough relief capacity to prevent the opening of any safety valves. In fact, this is one* of the functions of the PO RVs. This statement reveals that INEL does not understand the IOECCS event, and the demands it makes upon the PORVs.
{Error 7} The Licensee failed to identify and correct INEL's error. The Licensee transmitted INEL's report to the NRC staff without verifying its accuracy.
Missing valve test results It is clear, from [6], that no valve tests were conducted on any PORVs or PSVs, under water relief conditions.
{Omission 4} The Licensee did not provide the valve test results needed to qualify the PSVs for water relief.
PSVs must relieve water, and then reseat When the Licensee assumes the PSVs will relieve water, and then reseat, it effectively imposes two new design requirements on the PSVs. Currently, the PSVs are designed to operate during Condition IV accidents, like feedline breaks, and beyond design basis events, like anticipated transients without scram (ATWS) [4], where RCS overpressure is the sole issue. Once opened, the PSVs will have fulfilled their RCS overpressure safety function. It is not necessary to require the PSVs to relieve water, and then reseat, unless they are intended to open during AOOs.
{Error 8} The Licensee requires the PSVs relieve water, and then reseat.
No discussion of the design change process The Licensee does not describe the design change process it used, including quality controls, to determine, and specify the functional, and component requirements for PSVs, when operated during AOOs (e.g., the IOECCS).
{Omission 5} There is no discussion of the design change process employed by the Licensee.
Failure to meet GDC 21 When the Licensee repurposed the PSVs, for use during AOOs, it became necessary to consider the possibility of a PSV failing to close. GDC 21 becomes a requirement for closure of PSVs a.swell as opening of PSVs. GDC requires that, redundancy and independence designed into the protection system shall be
sufficient to assure that ... no single failure results in loss of the protection function. One failed-open PSV would create a Condition Ill LOCA that violates the non-escalation requirement.
GDC 21 is a design requirement that applies to protection systems that are used to deal with all events, from AOOs to Condition IV accidents (e.g., major LOCAs). The GDC 21 requirement does not depend upon nature of the single failure. For example, the ECCS is designed to flood the core after a major LOCA. One of two ECCS trains is assumed to fail, as per GDC 21, and the remaining train is required to fulfill the safety function of both ECCS trains. There is no specification as to why an ECCS train will fail.
The ECCS train fails because that reduces the level of redundancy. One PSV will stick open for the same reason. The PSVs' reliability in relieving water has nothing to do with meeting the single failure requirement of GDC 21.
The PSVs are connected in parallel, and not isolable. This system can readily meet the GDC 21 single failure requirement when the PSVs are required to open; but cannot meet it when the PSVs are required to close. The Licensee's plan to substitute PSVs for PORVs cannot meet the GDC 21 single failure requirement.
{Error 9} The Licensee fails to meet the GDC 21 single failure requirement.
No evaluation of potential damage to the PSVs Although the PSVs are safety grade equipment, they are not qualified to relieve water. Qualifying the PSVs for water relief would be very difficult if the temperature of the water relieved is too low. This issue prevented Diablo Canyon, Units 1 and 2, from qualifying their PSVs for water relief, in 1998 [18].
This question was also addressed, nine years later, in NSAL-07-10 [20], which stated, subcooled water relief through the pressurizer safety valves (PSVs) could potentially cause damage to the valves, rendering the RCS boundary unisolable. PG&E opted, instead, to upgrade their PORVs to safety grade level, for their Diablo Canyon Units, in 2004 [19].
Each PSV is about twice the size of a PORV. If the PSVs cycle open and closed, like PO RVs, it is possible that one or more of them will be damaged. This can result in significant leakage, through the reseated PSVs. The damaged PSVs could leak by up to 200 gpm. This cannot be an acceptable outcome for an AOO. This might not even be a leak, since 200 gpm is about the flow capacity of a charging pump, at 2500 psia.
{Omission 6} The Licensee does not evaluate potential damage to the PSVs.
PSVs are opened after the AOO has escalated No evaluation of the number of pressurization cycles incurred Recall that AOOs, " ... shall be accommodated with, at most, a shutdown of the reactor [3]. The high pressure reactor trip setpoint is 2400 psi a. The opening setpoint of the PSVs is 2500 psi a. Therefore, the PSVs will not open until after the event will have progressed beyond the defining boundary of an AOO.
The event is no longer an AOO. Therefore, it must be a Condition Ill event. Worse, it is a Condition Ill event with the frequency of occurrence of an AOO. Worse still, the frequency of occurrence will be the sum of the frequencies of occurrence of all AOOs that pressurize the RCS to the opening setpressure of the PORVs.
The Licensee's compliance strategy, which prevents the PORVs from opening, allows the RCS pressure to exceed (by 100 psi) the reactor trip setpoint in order to open the PSVs. This pressure level is beyond the defining boundary of an AOO. Therefore, it becomes necessary to generate a more serious plant condition in order to open any of the PSVs. In this respect, The Licensee begs the question. In other words, the Licensee claims that certain ANS Condition II events must be allowed to progress to more serious ANS Condition Ill events in order to demonstrate that those ANS Condition II events will not progress to more serious ANS Condition Ill events!
The Vendor misleads its customers when it suggests the application of PSVs, in its 1993 letter [7], which states, Licensees should determine if their Pressurizer Safety Relief Valves are capable of closing following discharge of subcooled water. If the PS RVs were designed or qualified to relieve subcooled water, the Inadvertent ECCS Actuation at Power accident will not degrade into a more serious Condition Ill event, since these valves will close once ECCS flow has been terminated. The Vendor does not equip its PWRs with PSVs that are designed to relieve water. Even if the Licensee has water-qualified PSVs, they will not open until after the AOO has developed into a Condition Ill event.
{Error 10} Application of the PSVs comes too late to meet the non-escalation requirement.
{Omission 7} There is no evaluation of the number of pressurization cycles against the plant's limit.
New accident is created New accident is not addressed the no significant hazards statement Recall that the PORVs are designed to prevent unnecessary challenges to the PSVs. The Licensee's compliance strategy prevents the PO RVs from opening, and relies upon the PSVs to open in lieu of the PO RVs. This creates a new accident. For the purpose of this Petition, it can be called an unnecessary challenge to the PSVs (UCPSV). This is an AOO that pressurizes the RCS, past the reactor trip setpoint (2400 psia) to the'PSV opening setpoint (i.e., the RCS design pressure). The frequency of occurrence for this AOO would be the sum of the frequencies of occurrence of the several AOOs would cause the PO RVs to open. A PSV, if it were to stick open, as required by GDC 21, would be about twice the size of a PORV, and it would not be isolable.
{Error 11} The Licensee creates a new accident
{Omission 8} The Licensee does not address the new accident in its no significant hazards statement.
Attachment D Safety significance, as per 10 CFR §50.92 10 CFR §50.92, Issuance of amendment. Section (a) states, in determining whether an amendment to a license ... will be issued to the applicant, the Commission will be guided by the considerations which govern the issuance of initial licenses ... to the extent applicable and appropriate.
It goes on to state, (c) The Commission may make a final determination ... that a proposed amendment to an operating license ... involves no significant hazards consideration, if operation of the facility in accordance with the proposed amendment would not:
(1) Involve a significant increase in the probability or consequences of an accident previously evaluated; or (2) Create the possibility of a new or different kind of accident from any accident previously evaluated; or (3) Involve a significant reduction in a margin of safety.
The Licensee submitted negative answers to all of these questions [9]. The Petitioner's responses would differ, in the following manner:
(1) Involve a significant increase in the probability or consequences of an accident previously evaluated The Licensee, from [9]:
All systems will continue to be operated in accordance with current design requirements under uprated conditions, therefore no new components or system interactions have been identified that could lead to an increase in the probability of any accident previously evaluated in the Updated Final Safety Analysis Report (UFSAR).
The Petitioner:
All systems will not continue to be operated in accordance with current design requirements. New design requirements have been imposed upon the PSVs, when operated during the IOECCS, and any other AOOs that pressurize the RCS to the PORV opening setpoint. Now, the RCS will have to pressurize to the PSV opening setpoint (i.e., the RCS design pressure) during each of these AOOs. The PSVs will also be required to reseat, after having relieved water. Therefore, a new failure mode has been introduced:
failure of a PSV to reseat. If this occurs, the result will be a small, hot leg LOCA. This LOCA will be more frequent than the currently analyzed LOCA. The probability of this Condition Ill LOCA will increase to equal the sum of the probabilities of all the AOOs that currently cause the RCS to pressurize to the PORV opening setpoint.
The consequences of the initiating AOOs are also increased, since operation of the PSVs, at 2500 psia, will always be required during instances in which the PO RVs would currently open. The consequences of stuck open PSVs, if they occur, would be greater than the consequences of stuck open PO RVs.
Operation of the PSVs during AOOs is not in their design basis. Frequent pressurization of the RCS to its design pressure could also be outside the RCS design basis.
(2) Create the possibility of a new or different kind of accident from any accident previously evaluated The Licensee, from [9]:
Analyses of transient events have confirmed that no transient event results in a new sequence of events that could lead to a new accident scenario.
The basic design of all systems remains unchanged and no new equipment or systems have been installed which could potentially introduce new failure modes or accident sequences.
The Petitioner:
A new accident is created. For the purpose of this Petition, it can be called an unnecessary challenge to the PSVs (UCPSV}. This is an AOO that pressurizes the RCS to the PSV opening setpoint (i.e., the RCS design pressure). The frequency of occurrence for this AOO would be the sum of the frequencies of occurrence of the several AOOs in which PSVs are opened, in lieu of PO RVs. Note that, in the 1980s, the NRC was concerned with the safety implications of the high frequency (at that time) of unnecessary automatic reactor trips that were incurred at operating plants. Industry, which included the Petitioner, worked to reduce the incidence of these trips (see patent no. 4,832,898). The UCPSV could pose a greater threat to the public health and safety than the unnecessary automatic reactor trip, since the consequences of this event could be potentially greater. For example, a stuck open PSV would have a about twice the relief capacity of a PORV, and it would not be isolable. It could also exceed the number of allowable pressurizations of the RCS.
(3) Involve a significant reduction in a margin of safety The Licensee, from [9]:
The margin of safety of the reactor coolant pressure boundary is maintained under uprated power conditions. The design pressure of the reactor pressure vessel and reactor coolant system will not be challenged as the pressure mitigating systems were confirmed to be sufficiently sized to adequately control pressure under uprated power conditions.
The Petitioner:
Wh~n the. PORVs are applied, the margin of safety, to RCS overpressure is 400 psi (2750 psi minus 2350 psi). When the PSVs are applied, the margin of safety, to RCS overpressure is reduced to 250 psi (2750 psi minus 2500 psi). The margin of safety is thus reduced by 37.5%.
It is possible, in the Byron and Braidwood plant designs, for ANS Condition Ill events to occur with the combined frequencies of occurrence of certain AOOs. This increase in the total frequency of occurrence for ANS Condition Ill events (e.g., from once in the plant's lifetime to one or more times per year of operation) is an unquantified reduction in safety margin.
Attachment E Summary and Conclusion The licensing basis ofthe Licensee's Byron and Braidwood plants contains at least 8 omissions, and 11 errors. This summary will focus upon the more important errors and omissions, especially those that pertain to the Licensee's no significant hazards statement, in Attachment (D).
The Licensee relies upon the PSVs to open, in lieu of the PO RVs, relieve water, and then reseat. The Licensee claims that no PSVs will fail open due to water relief, and therefore would not create a LOCA at the top of the pressurizer. To reach this conclusion, it is necessary to re purpose the PSVs for service during AOOs, and to bypass the GDC 21 single failure requirement.
The PSVs will not open until after the RCS pressure, during an AOO, rises beyond the pressure for which the AOO is defined (i.e., after the high RCS pressure reactor trip setpoint is reached). By the time the PSVs open, the AOO will have escalated to a Condition Ill event. The Licensee focuses upon qualifying the PSVs for water relief duty, in order to substitute them for PORVs; but qualifying valves that will not open makes no sense. Consequently, the Licensee does not have the option of selecting the PSVs, over the PO RVs, to operate during AOOs. The only available alternative is operation of the PO RVs (i.e., this is a Hobson's choice). Here is a summary of the options regarding PO RVs and PSVs, including the one chosen by the Licensee, in column (d). If the Licensee's choice seems to be inconsistent, it is due to the circular logic upon which it is based.
(a) PORVs (b) PORVs (c) PSVs (d) PSVs (Control grade) (Safety grade; (Safety grade; not (Safety grade; water qualified) water qualified) water qualified)
Current use Most PWRs are Safety grade; All PWRs are Licensee claims its equipped with water qualified equipped with PSVs are qualified control grade PORVs - installed safety grade PSVs for steam and PO RVs. in about half a that are qualified water relief dozen PWRs [8] for steam relief Purpose, and Prevent Prevent Prevent RCS Prevent RCS Safety Function unnecessary unnecessary overpressure overpressure, and reactor trips (at reactor trips, escalation to a 2400 psia), and challenges to Condition Ill or IV challenges to PSVs PSVs, and meet event. (imposed (at 2500 psia), no non-escalation by Licensee) safety function requirement.
Operation Open and close Open and close Open during PAs Open, relieve during AOOs, during AOOs, and ATWS events water, and close before reactor before reactor during Condition trip conditions are trip conditions are Ill events that reached reached originate as AOOs.
Single Failure GDC 21 does not GDC 21 applies to GDC 21 applies; GDC 21 applies.
apply to control upgraded PORVs. but PSVs are not PSVs are required systems. All One PORV could required to close. to close (imposed PO RVs that open fail to close, as by Licensee).
could fail open the single failure.
Non-escalation All PORVs could Two diverse Non-escalation Non-escalation requirement stick open and backups allow for requirement does requirement is create a Condition closure or not apply to PAs imposed by Ill LOCA. Does not isolation. Both are Licensee; but not meet the non- safety grade. met.
escalation Meets non-requirement escalation without timely requirement.
operator action to prevent water relief.
The Licensee does not recognize the basic difference between PORVs and PSVs, and their respective functions in the plant. If the Byron and Braidwood plants were automobiles, then the PO RVs would be seat belts, and PSVs would be air bags. PORVs, like seat belts, are used often, to protect the driver during abrupt stops and occasional fender benders. PORVs, like seat belts, can be engaged, disengaged, and even disconnected (i.e., isolated). The PSVs, on the other hand, are used once (maybe) in a car's useful lifetime, to protect the driver during a head-on collision.
Briefly, the Licensee assumes that the PO RVs will not open. Therefore, a PORV that does not open cannot fail open, and thus the non-escalation requirement is satisfied. The Licensee's conclusion assumes the premise (i.e., the Licensee begs the question). In the process, the Licensee creates a new accident, the UCPSV.
The Licensee's compliance rationale does not (and cannot) demonstrate that its Byron and Braidwood plant designs will prevent AOOs from developing into more serious events. Therefore, there is no assurance that Condition Ill events will not occur at the frequency of Condition II events, in the Byron and Braidwood plants.
It is necessary for the Petitioner to request the NRC staff to take the following enforcement action with respect to the Byron and Braidwood plants:
(1) Revoke the Licensee's authorizations to operate its Byron and Braidwood Stations at any uprated power level.
(2) Impose a license condition, on current operations, requiring the Licensee to provide an acceptable demonstration of compliance with the aforementioned design requirement. See [11]
for a precedent. r-(3) Require the Licensee to file a 10 CFR §21 report regarding its statement of no significant hazards.
References
[1] 10 CFR §50, Appendix A, 36 FR 12733, July 7, 1971
[2] Regulatory Guide 1. 70, Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants, Rev 0, February 1972 {ADAMS No. ML11255A151)
[3] American Nuclear Society, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, ANS-N18.2-1973, La Grange Park, Illinois, August 6, 1973
[4] Westinghouse Electric Corporation to U.S. NRC, ATWS SUBMITTAL, NS-TMA-2182, dated December 30, 1979 (ADAMS Accession No. ML041130109)
[5] ANSl/ANS-51.1-1983, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants", April 29, 1983
[6] U.S. NRC, letter from L.N. Olshan to H.E. Bliss, Commonwealth Edison Company, NUREG-0737, ITEM 11.D.1, PERFORMANCE TESTING ON RELIEF AND SAFETY VALVES FOR BYRON STATION, UNITS 1 AND 2 (TAC NOS. 56200 AND 63240), dated August 18, 1988, (ADAMS Legacy Accession No.8808170184)
[7] NSAL-93-013, G.G. Ament and K.J. Vavrek, Westinghouse ESBU, June 30, 1993, and NSAL 013, Supplement 1, J.S. Galembush, Westinghouse ESBU, October 28, 1994 (ADAMS Accession No. ML052930330)
[8] U.S. NRC, Salem Nuclear Generating Station, Unit Nos. 1 and 2 (TAC Nos. M97827 and M97828}
Amendment Nos.194 and 177, dated June 4, 1997 (ADAMS Accession No. ML011720397)
[9] Commonwealth Edison Company to U.S. NRC, Request for a License Amendment to Permit Uprated Power Operations at Byron and Braidwood Stations, dated July 5, WOO, (ADAMS Accession No. ML003730544 and ML003730536)
[10] U.S. NRC, letter from George F. Dick, Jr., to Oliver D. Kingsley, Exelon Generation Company, LLC, "Issuance of Amendments; Increase in Reactor Power, Byron Station, Units 1 and 2, and Braidwood Station, Units 1 and 2 (TAC Nos. MA9428, MA9429, MA9426, and MA9427)," dated May 4; 2001, (ADAMS Accession No. ML033040016)
[11] FPL Energy Seabrook Station to U.S. NRC, SBK-L-05226, Seabrook Station Facility Operating License NPF-86 Completion of License Condition 2.K, November 7, 2005, (ADAMS Accession No. ML053140139)
[12] NRC RIS 2005-29, Anticipated Transients that Could Develop into More Serious Events, December 14, 2005 (ADAMS No. ML051890212)
[13] Exelon Generation Company, LLC, "Byron/Braidwood Nuclear Stations Updated Final Safety Analysis Report (UFSAR)," Revision 15, dated December 2014 (ADAMS Accession No. ML14363A393).
[14] NRC RIS 2005-29, Rev 1, Anticipated Transients that Could Develop into More Serious Events, July 17, 2015 (ADAMS No. ML15014A469)
[15] ICONE24-60472, Strategies to Prevent Benign Transients from Becoming Serious Accidents, Samuel Miranda, Proceedings of the 2016 24th International Conference on Nuclear Engineering, ICONE24, June 26-30, 2016, Charlotte, NC
[16] U.S. NRC, letter from Joel S. Wiebe to Michael J. Pacilio, Exelon Generation Company, LLC, Braidwood Station, Units 1 and 2, and Byron Station, Unit Nos. 1 and 2 - Issuance of Amendments Regarding Measurement Uncertainty Recapture Power Uprate (TAC Nos. MF2418, MF2419, MF2420, and MF2421), dated February 7, 2014 (ADAMS No. ML13281AOOO)
[17] U.S. NRC, memorandum from Samuel Miranda to Christopher P. Jackson, Making Non-Concurrence NCP-2013-04 Public, dated February 28, 2014 (ADAMS No. ML14063Al74)
[18] LER 98-001-01, Diablo Canyon Units 1 and 2, Pacific Gas & Electric, Reactor Coolant System Outside Design Basis for Inadvertent Emergency Core Cooling System Actuation at Power Due to Non-Conservative Assumptions for Pressurizer Safety Valve Operation, October 22, 1998, (ADAMS No. 9810270409)
[19] Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Issuance of Amendment Re: Credit for Automatic Actuation of Pressurizer Power Operated Relief Valves, USN RC (ADAMS No. ML041950260)
[20] NSAL-07-10, Loss-of-Normal Feedwater/Loss-of-Offsite AC Power Analysis PORV Modeling Assumptions, J.T. Crane and A.J. Macdonald, Westinghouse, November 7, 2007 (ADAMS No.
M L100140163)
[21] Information Notice 94-55, Problems with Copes-Vulcan Pressurizer Power-Operated Relief Valves, USN RC, August 4, 1994 (ADAMS No. ML031060536)
[22] Press Release No.94-157, NRC Staff Proposes to Fine PSE&G $500,000 for Alleged Violations at Salem Nuclear Power Plant, USN RC, October 5, 1994 (ADAMS No. ML003702822)