Text

Forwards Re Webb 790723 Rept, TMI Accident:Was It Class 9 Accident, in Response to ASLB 790710 Question 4
	ML18079B046
Person / Time
Site:	Salem
Issue date:	08/03/1979
From:	Valore C; LOWER ALLOWAYS CREEK, NJ, VALORE, C.
To:	;
References
	NUDOCS 7910050038
	Download: ML18079B046 (76)
	v • d • e

UNITED STATES OF AMERICA

~

NUCLEAR REGULATORY COMMISSION Before the Atomic Safety and Licensing In the Matter of Docket No. 50-272 PUBLIC SERVICE ELECTRIC ...

& GAS CO.

(Salem Nuclear Generating :

Station, Unit il ) Proposed Issuance of Amendment to Facility Operating License No. DPR-70 RESPONSE TO THE* ATOMIC SAFETY AND LICENSING BOARD ORDER DATED JULY 10~ *1979 .:.. QUESTION NO. 4 The Intervenor , .. Towhship of Lower Alloways Creek, hereby submits the technical report of Dr. Richard E .. Webb in response to the* Board's Question t*4.

TOWNSHIP OF LOWER ALLOWAYS CREEK

~)fta_QQ~

August 3,* 1979

--~ ~

) .- ~--

.* UNITED STATES OF l\MER.

NUCLEAR l£GUIJ\TORY COMMISSION Before the Atomic Safety and Licensing Board In the Matter of PUBLIC SERVI IE ELECTRIC DOCKET NO. 50-272

& GAS CO.

(Salem Generating Station Unit # 1)

CERTIFICATE OF ?E~VICE

~ ' . ..

l hereby certify that copies of Ric.hard: E. Webb '*s. technical report in response to Question #4 in the* above captioned matter have been served upon ti~ attached list by deposit' in the United States mail at the post office in Northfield, N.J., with proper postage thereon~ this 3rd day of Kugust , 1979.

~~.~/;&~-

Counsel for the Intervenor, the Township of Lower Alloways Creek

Cary L. Milhollin, Esq. Richard Fryling, Jr., Esquire Chairman, Atomic Safety Assistant General* Solicitor

& Licensing Board Public Service Electric &

1815 Jefferson Street Gas Company

/

Madison, Wisconsin 53711 80 Park Place

'Newark, N. J. 07101 Glen O. Bright Member, Atomic Safety Keith Ansdorff, Esquire .

& Licensing Board Assistant Deputy Public Advocate U. S. Nuclear Regulatory Commission Department of the Public Advocate Wdshington, D. C. 20555 Division of Public Interest Advocacy P. O. Box 141 Dr. James C. Lamb, III Trenton, New Jersey 08601

'.'!ember, Atomic Safety &

Licensing Board Panel Sandra T. Ayres, Esquire JL3 Woodhaven Road Department of the Public Advocate Chap~l Hill, N. C. 27514 .520 East State Street Trenton~ N. J. 08625 Chairman, Atomic Safety and Licensing Appeal Board Panel Mr. Alfred C. Coleman, Jr.

U. s. Nuclear Regulatory Commission Mrs. Eleanor G. Coleman Washington, D. C. 20555 35 "K" Drive Pennsville, N. J. 08070 Chairman, AtQmic Safety &

Licensing Board Panel

Office of the Secretary 1r. S. Nuclear Regulatory Commission Docketing and Service Section Washington, D. C. 20555 U. S. Nuclear Regulatory Commission Washington, D. C. 20555 Barry Smith, Esquire Office of the E~ecutive Legal Director June D. MacArtor, Esquire

[I. S. Nuclear Regulatory Commission Deputy Attorney General Washington, D. C. 20555 Tatnall Building, P. O. Box 1401

.Dover, Delaware 19901 Mark L. First, Esquire Deputy Attorney General Mr. Frederick J. Shon DL'partment of Law & Public Safety Atomic Safety and Licensing Board Environmental Protection Section U. S. Nuclear Regulatory Commission 16 West State Street Washington, D. C. 20555 frenton, N. J. 08625 Mary O. Henderson, Clerk

>L1rk J. Wetterhahn, Esquire . Township of Lower Alloways Creek for Troy B. Conner, Jr., Esq. Municipal Building 1747 Pennsylvania Avenue, N. W. Hancock's Bridge, N. J. 08038 Suite 1050 Washington, D. C. 20006

-1 I

I THE THREE MILE ISLAND. ACCIDENT:

WAS IT A "CLASS NINE" ACCIDENT?

By Richard E. Webb, Ph.D July 23, 1979

TABLE OF CO~TENTS:

I. INTRODUCTION: -

THE BOARD'S QUESTION . . . * . . * * *

Page 1 II. REACTOR SYSTEM DESCRIPTION AND ACCIDENT CLASSIFICATION* IN l3RIEF III. DESCRIPTION OF THE THREE MILE ISLAND ACCIDENT Page 10 IV. COMPARISON~ *OF THE TML ACCIDENT WITH THE DESIGN BASIS ACCIDENTS * *. * * * * * * * * ..- * * * *. * *

Page 20 A. Multiple Failures ****** *

Page ~- 20 B. Zirconium Oxidation/hydrogen' generation * * * * * *.Page 20 C~ Hydrogen Explosion * * * ~ * * * * * * * .Page 21 o.; Fuel. Damage * ** * * * *. * * * *. * .Page 21.

E *.: The failure of the Engineered Safety Features and the Reactor Protective Systems * *. * . * .Page. 23.

F'., Reactor* is still not. under control! * *. * * * * *

Page 25 G. Brink of Cat as.trophy * * * * * * * *. * * *

Page 25 H *. Accident Consequences: Public Exposure to Radiation *. *. * * *. *. * * * *. * * *

Page 27

v. ANALYSIS AND INTERPRETATION OF THE DEFINITION OF CLASS NINE ACCIDENTS GIVEN IN THE ANNEX TO APPENDIX D, 10 CFR_50, and ITS *SIGNIFICANCE WITH RESPECT TO THE HEALTH AND SAFETY OF THE PUBLIC ** * * * * *

Page 29 A *. Interpreting the Text of the Annex * *. * * *

Page 31 B~ Maxiurnu Hypothetical Accident v *. Class Eight Accidents * * * *. * * * * * *. * * * * * * *

Page 39 VI. CLASSIFYING THE THREE MILE ISLAND ACCIDENT

Page 42 VII. NRC AND ATOMIC SAFETY AND LICENSING BOARDS' S INTERPRETATIONS OF CLASS NINE ACCIDENTS . * *

Page 45 A .. Black Fox . * * . . . . . . . . . . . . . . *

Page 45 B. Erie ... *- . . . . . , . . . . . . . . . . *

Page 4 7

c. Salem . .. *- . . .. . . . . . *

Page 48 D. The NRC's Regulations Overall, with res~ect to the Class Nine Issue * * * * * . * * . * . . * * . Page 50 VIII. THE SECOND PARI' OF THE BOARD'S QUESTION . . .. . Page 55 IX. CONCLUSION AND FI~AL REMARKS' . . . . . . . . ** . . Page 57

x. FIGURES Figure 1

.. Page Page 63--

63 Figure 2 ... . . . . . . .. . . . . . Page 64 XI. Attachment - 10 CFR50, App.~. . .. . Page 65 XII. References . .... . . . . . . . Page 70

I. INTRODUCTION:

THE BOARD'S QUESTION The Atomic Safety and Licensing Board of the U.S. Nuclear Regulatory Commission (NRC) has posed the following questions:

"The* Proposed Annex* to Appendix D, 10 CFR Part 50, appears to define a Class 9 accident as a sequence of failures which are more severe than those which the safety features of the plant are designed to prevent.

The sequence of failures at Three Mile Island produced a breach of the containment and a release of radiation which could not be prevented by the safety features.

Was the occurrence at three Mile Island therefore a Class, 9 accident? Was- the risk to pealth and safety and* the environment. "remote in 'probability," or "extremely low" at Three Mile Island, as those terms are used in the Annex?"* *

This- report offers an answer to the Board's questions. It is contended that the Three Mile Island (TMI) accident was (and .still is, since* the accident is sti~l go.ing on) a "class nine" accident as defined in the said Annex. The significance of TMI being a class 9 acci~ent is that the accident contra-dicts, and thus disproves, the safety basis of nuclear power plants, which is, that class 9 accidents are "incredible",

or remote in probability. Therefore, the accident should be cause for a full review and investigation of the hazards of nuclear power plants.

The said annex classifies the spectrum *of "all possible accidents" from class 1 accidents, which are "events" which are predicted to have "trivial consequences"; through class 8, ~hich are the "design-basis events", or the most serious

The board posed this question in the spent fuel licensing proceeding for the Salem nuclear power plant, Salem, New Jersey, July 10, 1979.

1

accident possibilities for which the plant and its safety

_equipment are designed. to control; and ending in* the class

~ accidents, which are the accidents "more severe" than the class 1 through class 8 accidents. It is contended that the TMI accident is- an accident which is more severe than the design basis accidents f"or pressurized water reactors (PWRs),j ipcluding TMI and Salem~ and th~t, therefore, the 0

~ ' '~:. " . . .

accident is a Class!9 accident. In this report we shall (1) describe briefly the reactor systems pertinent to the TM! accident, and then describe the TMI accident with annota-tions; (2) review and interpret the accident classes defined in tfie annex; and* (3) compare the TMI accident with respect to the definitions- of Class. 8, or design-basis, accidents and Class 9 accldents for the TMI reactor (Babcock and Wilcox design (PWRs) and the Salem reactor (Westinghouse PWRs) to demonstrate that th~ TMI accident is a class 9 accident.

rr. REACTOR SYSTEM DESCRIPTION AND ACCIDENT CLASSIFICATION IN BRIEF The TMI unit number 2 reactor system consists of the reactor, and its core of *fuel rods, a *pressurizer, two steam generators, and four *coolant pumps (see figure 1). The reactor core generates he~~ by the atomic fission reaction and by the radioactive fission products, which too give off heat. The fuel rods are cooled by water (coolant), which is ~irculated through the reactor 2

and the steam generators." The coolant in turn is heated up as it passes through the reactor. The steam generators in turn remove this heat from the coolant when the coolant passes through tubes inside the steam generator~. The tubes give up the heat held by the rector coolant to the boiler water in the steam generator vessel by boiling this water to form steam. That is, the hot steam generator tubes heat and boil the boiler water .

The steam: leaving the steam generator t~us carries off the heat

. g;enerated by the reactor. The steam can be discharged into the turbine, to make electricity, after which it is condensed back i~to water and fed back into the steam generators by means of the "feed water systems" of pumps; or the steam can be discharged to tlie atmosphere, but in this case make-up water must be supplied from a storage tank.

The pressurizer is a device which pressurizes the reactor coolant to prevent the hot reactor coolant from boiling apd hence forming steam in the reactor and its piping. The pressurizer is essentially a yessel connected to the reactor coolant piping and containing electric heaters to boil water to form a high pressure steam bubble inside the vessel.* The pressurizer is also equipped with pressure relief valves, which are set to pop open should the pressure rise to excessive levels, and water level gauges, which ineasure the water level in the pressurizer, to*ensure that the reactor and its coolant piping are filled

The pressure is norm~lly reduced by spraying cold water into the steam bubble by a spray nozzle (not shown in figur~ 1) to quench the steam.

3

with water. The water level gauges are also needed to ensure that the pressurizer does not become filled with water, since a stea~bubble is needed to avoid excessive pressu~e rises asso-ciated with injecting_ coolant into the reactor or coolant expansion upon heating up in temperature .

. The main heat generation in the reactor is the atomic fission reaction, which can be quickly terminated by rapid insertion of the nuclear "control rods" into the reactor. This process is called. a "reactor scram".'However, the radioactive fission products. continue* to generate heat in the fuel rods after a scram. This- heat level is about 7% of full power right after a scram,_ then decays to 3io shortly thereafter (minutes) and to lower and lower levels with the passage of time. Hence, it-is called the "2ecay he-at".' To shut down the reactor, the following procedure is followed.*: Flrst, the reactor control rods are inserted into the core to stop the fission power. The steam generators are then operated _for awhile (discharging the steam to the steam condenser) to cool down the reactor coolant, while also continuing to remove the core decay heat. As the reactor coolant cools, the pressure is decreased (by regulating the pressurizer operation). When the coolant temperature drops to*

below 212° F (the boiling temperature of unpressurized water),

th~~coolant circulation pumps are stopped, the steam generators are isolated*, and the Decay Heat Removal System is activated, which circulates coolant through the reactor and "coolers" for

Valves closed 4-

~

removal of the core decay heat until the core is removed or the rector is started back up.

Next, the reactor system is equipped with an emergency coolant injection system known as the "High Pressure Injection System" (HPI), which injects make-up coolant into the reactor in the event of a small break in the coolant piping or a stuck open pressure relief valve, eit~er of which would result in a loss of.*coolant accident situatioD .

Finally, the core consists of 177 bundles of fuel rods--about 200 rods per bundle. The bundles are packed together to form the core. The rods are spaced slightly apart to allow coolant to reach the core to cool the rods. Each fuel rod consists of a zirconium alloy tube (less than one half inch in diameter and about 12 feet long), inside of which are uranium dioxide fuel pellets. The fuel pellets fragmentize shortly after the fuel rods begin producing power (fission heat) in the reactor.

Thus, the zirconium tubing is the sole mechanical support for the f~el. (Se~ figure 2). If the zirconium should be destroyed, the fuel (fragmentized pellets) would simply crumble. To maintain the zirconium integrity, the fuel rod must be continuously cooled.

If the reactor should lose its coolant, or if a blanket of steam should form around the fuel rods, which would insulate the fuel rod and thus prevent heat removal, the rods would heat-up, by the decay heat at least, until the temperature of the zirconium reaches a level at which zirconium chemically reacts vigorously with the steam. The reaction consumes zirconium to form zirconium 5

~

dioxide powder and flakes and hydrogen gas, and it also produces heat to worsen the heat-up process .. In short, when the fuel rods over-heat,. the zirconium can be destroyed, and the fuel would then crumble into a pile of fuel debris. A bed of crumbled fuel can potentially be impermeable to coolant flow (1) in which case,it would dry out due to internal heat generation (at least the decay heat). Depending on the decay heat level (or fission power level), the dried-out fuei deb~is . pile could heat up to the melting temperature of the fuel, which is about 5000° F:

Molten fuel can then pour. forth into water remaining in the reactor vessel and cause the water to boil explosively--a process known as a "steam explosion". Ten percent or less of the fuel in the* core, if molten, is sufficient to produce a steam explosion powerful enough to rupture the reactor containment building, according to the best-available analysis. (2) Three per~ent or ~ess of the core fuel can produce a steam explosion which ruptures the reactoi vessel; (3) Which would result in a total loss of coolant and then a total core melt down. Hence, crumbling of a small fraction of the fuel could conceivably result in a steam explosion which crumbles the res~ of the core, thereby, causing a total core melt down. Hydrogen explosions (explosive burning of hydrogen formed by the zirconium-steam reactions) and steam.over-pressure due to hydrogen burning and rapid quenching of ~ hot core are other mechanisms for over pressurizing the containment building. (4) If the, reactor.vessel is ruptured when containing very hot, highly pressurized water, an explosion 6

L ..._

8.

equivalent to about 12,000 lb. of TNT would result, due to the explosive expansion into steam of the hot, pressureized water (a classic boiler explosion). This would certainly rupture the containm~nt building.

A rupture of the containment would lead to a massive release of radioactive fission product vapors and dust into the atmosphere, as the intense temperature of the core melt down would vaporize.

< *t ~ ~

radioactive materials from the fuel~* The radioactive materials (radioactivity) would then e~cap~ into the atmosphere through the ruptures in the reactor and the containment. In order to assuredly prevent a containment rupture and a catastrophic rele_ase of radioactivity into the atmosphere, the fuel rods must not be aflowed* to over-heat and* crumble or direclty melt down. That is, the fuel rods must remain basically intact; though a small degree of perforations of the zirconium cladding might be tolerable, aa the fuel material (core) would still be coolable, since coolant would easily flow through the core--through the flow spaces between the rods.

Accident possiblilit_ies exist which potentially can result in fuel rod crubling and/or melt down. However, the nuclear industry and the government have contended that the probability of such accidents is "remote". Those accidents which are considered "er.edible", or not remote in probability, are analyzed in, the s~r~ty analysis report of e*ach reactor, and are called the "design

The TMI-2 core did not even melt and yet about 33% of the Cesium-137 radioactivity--not the most ,volatile fission product--

escaped the core, according to reactor coolant samples.

(Dr. Lo, NRC to R. Webb, telephone conversation, July 18, 1979.)

7

basis accidents". These a~cident possibilities basically involve a failure of some single system or component, such as a spontaneous rupture of a coolant pipe, and are analyzed to show, by theoretical predictions, that* the reactor safety systems would act to prevent fuel. rod crumbling and melting, and. to. prevent excessive hydrogen production (excessive zirconium oxidation), in order to ensure against a containment rupture and a heavy release of radioactivity into the atmosphere. Therefore, 'the design basis accidents for water-cooled reactors, such as TMI-2, are those accidents postulated in the safety analysis reports and* analyzed theoretically to show that the fuel rods. would remain basically intact--that '

is, in a geometric configuration. in which the fuel can be cooled down*with certainty by keeping the fuel rods submerged in water (flooding*) and circulating water through the reactor. The annex of appendix D of 10 CFR 50 defines the class 8 accidents as the design basis. accidents.

The annex defines the class 9 accidents as those "sequences of postulated successive failures" which are "more severe" than the design basis accidents. The annex definition further specifies that the "consequences" of such accidents "could be severe".

Thus; for example, any accident which is caused by a succession or multiple of failures (excluding anticipated events) of equipment, systems, components, devices, etc., as distinguished from the single-failure characteristic of the design basis accidents, and* which would result in fuel rod crumbling or melting, or 8

an explosion, would be an accident which is "more severe" than the design basis accidents, since the state of the reactor would be closer to the brink of catastrophy or would result in a catas-trophic release of radioactivity.

A. Also, the consequences of such an accident, which in the context of the annex pertains to the radiation dosage received by the public due to an accident, could be severe.

B. * - Therefore, accordi~g to the annex, such a multiple-failure accident would be a class 9 accident.

C. If the accident were to actually occur, the consequences need not be found more severe than what was predicted for the design basi~ accidents in order for the accident to still retain its prior class 9 accident designation.

This iast point will be demonstrated later.

The significance of the class 9 accident classification is that the NRC by issuing the "proposed" annex has assured the public that the probability of class 9 accidents is remote (extremely low) and, therefore, such accidents pose no unacceptable risk and, hence, need not be discussed in the Environmental Reports.* But if the Three Mile Island accident were conceded or ruled by the NRC to be a class nine accident, the past assurance of the NRG that the probability of class 9 accidents is remote would be rendered nugatory. Such is the significance of the

These reports are to describe the environmental impact of a reactor to be operated.

9

~

question of the classification of the TMI accident with respect to the NRC's regulations. More concretely, if the TMI accident were ruled a class 9 accident, the NRC would surely have to question its assumption that the class 9 accidents are incredible, which would mean that each and every severe reactor accident possibility would have to be investigated and analyzed for their likelihood and. potential consequences, including the possibility of a reactor accident causing a loss of.water in the spent fuel

. . . ...\'.*

storage pool.

III. DESCRIPTION OF THE THREE MILE ISLAND ACCIDENT The accident at TMI-2 began on March 28, 1979 (4 a.m.)

when the reactor* was operating at full power with about 100 full power days of prior op~ration. The initial malfunction was the failure of the main feed water system, which normally pumps make up water into the steam generators. This failure resulted in reduced heat removal fro~ the reactor coolant and, consequently, a heating up of the reactor coolant. The coolant heatup caused the coolant pressure to rise. The rising pressure caused the pressurizer relief valve to pop open to limit the .

pressure rise, and the pressure instruments signaled the reactor to automatically scram, i.e., the control rods were automatically inserted to stop the fission heat generation in the reactor core. However, the decay heat continued to supply heat to the coolant, which also has to be removed. The plant was designed to remove the decay heat from the reactor in the event of a 10

loss of the main feed water system by providing two small auxiliary feedwater pumps to supply water to the steam generators, so that the steam generators could continue to remove heat from the reactor coolant and hence co61 down the r~actor by discharging steam to the atomosphere. (See figure 1). However, the outlet valves of the auxiliary feedwater pumps were closed, in violation of safety requirements which prevented feedwater flow to the

. II steam generators. The steam generators ~hen quickly boiled dry in about one minute. At this* point,. the steam generators ceased removing heat from the reactor coolant; and the coolant began a.rapid heatup. At the same time, the pressurizer relief valve failed to close when the excessive pressure was relieved--the reli~f valve stuck open--and the relief valve's position indicator erroneously indicated that the valve had re-closed. The stuck open relief val~e caused the reactor to lose coolant and the pressure to fall. This, plus the rapid heat up of the coolant, caused the coolant to boil, forming steam bubbles in the reactor and piping. The High Pressure Injection (HPI) activated automatically to inject coolant to make up for the loss of coolant. However, the core cooling capacity of HPI cold water injection and relief valve steam (heat) discharge was alone not enough to remove the core decay heat, as the HP! system depends on the steam generators to remove the bulk of the core decay heat (and the heat generated by the coolant pumps); but the steam generators were inoperable due to the closed auxiliary feedwater valves.

After eight minutes into the accident, the auxiliary feedwater 11

I

~

valves were opened and feedwater then flowed into the steam generators. The HPI system in conjunction with the steam generators might then have been able to remove the core heat and prevent overheating of the fuel. (Then again, the HPI might not have prevented overheating of the fuel, for there is a question whether the fuel has already overheated due to steam blanketing). However, the reactor operators turned off the HPI system when they noticed

' , ti that the water level in the pressurizer.was high, which indicated that the reactor*coolant system

. . was full of water. This action may hav~ worsened the acc~dent, because the reactor coolant system was* evidently not full of water but contained st~~m.*

The steam evidently displaced (pushed) water from the reactor, which then flowed into the pressurizer to cause an erroneous indication that the reactor was filled with water.

The* steam -

in the reactor coolant caused the main coolant circulation pumps to vibrate, which caused the operators to turn off the pumps after about an hour into the accident, i~

order to avoid pump failure. Apparently,_ the operators assumed that the coolant would flow through the core by natural convection (heated and therefore less dense coolant rising out of the core by bouancy forces); but the presence of steam in the reactor coolant system, or some other factor, such as fuel damage, prevented

And' possibly hydrogen gas.

12

this process from.functio~ing effectively to remove the core heat. Apparently, the coolant stalled in the core and the fuel rods began to overheat or continued to overheat.

At about two hours into the*accident the relief valve was finally determined to be stuck open. The. blocking valve upstream of the relief valve was.then closed, which then stopped the discharge of coolant (steam) through the relief valve. The coolant pressure then rose sharply and the relief-valve blocking valve was then opened periodically, to control the pressure.

At about seven hours into the accident, the operators attempted to activate the Decay Heat Removal System (DHRS), by opening the relief-valve *blocking valve and lowering *the pressure. (The DHRS ~perates at low pressures~) With the coolant still stagnant~

this could. have caused more steam formation in the reactor and continued fuel overheating. At about thirteen hours, the operators aborted their attempt to activate the DHRS, closed the relief-valve blocking valve, allowed the pressure to rise, and then started

up one of the four main coolant pumps. The core heat was then removed through the steam generators. High radiation levels were then detected in the containment building, indicating severe core damage. A large bubble of gas was then detected in the reactor vessel, which could only be hydrogen. From the size of the bu~ble, plus the amount of hydrogen in the containment bui.l..ding, it was estimated that at least 25% of the zirconium was oxidized (the NRC estimates 41%.) Since it is fair to assume that the zirconium oxidation occurred mostly in the upper half 13

of the core, it is likely that much of the fuel cladding was destroyed and the fuel in the upper half of the core had crumbled.

For several days, temperature sen~ors above the core indicated "hot spots" of hot steam jetting from the core, despite the fact that the core was submerged under water. This indicated that much fuel had crumbled and impeded coolant flow through the core, despite the operation of one of the main coolant pumps.

The crumbled and/or clogged sta'te of the core made it desirable to (1) Maintain a high coolant pressure, to prevent boiling in the core hot spots (clogged fuel rod bundles or compacted debris piles) and to prevent the hydrogen gas bubble from expanding and ~nterfering with core cooling; and (2) Operate the main coolant pump and remove the core decay heat through the steam generators. It w_as desirable to maintain this mode of cooling for as long as possible, even after the hydrogen bubble dissipated, as this mode of cooling had proved to stabilize (apparently) the core condition. The concern was that if the pumps were stopped and/or the pressure were to fall, some fuel debris might heat up due to insufficient coolant and trigger an uncontrolled core melt down and catastrophy.

Eventually, the coolant pump would have to be stopped and the core cooled by natural convection, though still removing he~~ through the steam generators, until the pressure can be reduced to atmospheric pressure and the core cooled by the DHRS or removed. But stopping the coolant pump could cause the coolant.

14

to heat up, expand, and f~ll the pressurizer and possibly cause excessive pressure surges. For this reason, a steam bubble had to be maintained in the pressurizer, to cushion the possible coolant expansion when the pump is stopped. This in turn required the functioning of at least one pressurizer water level gauge while the coolant pump was running, so that the operators could maintain a steam bubble in the pressurizer and yet ensure that the reactor was full of coolant~ Howeve!, approximately one day into the accident, two of the three pressurizer water level gauges failed, due presumably, to excessive radiation exposure.

The gauges were only designed for 1000,000 rads of radiation, but at the levels of 30,000 rads per hour in the containment, these gauges could not survive for long, and two of the gauges in fact failed early in the accident. Fortunately, one gauge operated for one month, which thus allowed the operation of the main coolant pump. On April 27, this gauge failed; whereupon the operators switched off the coolant pump, thus involuntarily switching to the natural convection mode of core cooling. So far, this mode has worked successfully. It is note worthy that the core decay heat had decayed considerably during the month period of operating the main coolant pump--to about one fifth of the level at the end of the first day--which may account for the success of the natural convection cooling process.

15

The status of the reactor has not changed since. The system is kept under high pressure to minimize the possibility of coolant boiling in the core and dry-out of fuel debris (and then over-heating), while the core decay heat diminishes, and expansion of hydrogen gas pockets that might interfere with the natural convection circulation.

A large amount of radioactivity. has escaped the reactor and resides in the containment build'ing'.. In addition, the contain-ment is flooded with about elght "feet of highly radioactive water from the coolant discharge through the relief valve. In the first five or so hours of the accident, reactor coolant had discharged from the containment into the auxiliary building, due to a failure to activate the automatic containment closure systems. (This aµtomatic system was designed to seal the containment in the event of a design basis accident.) This resulted in a breach of the containment and a large release of radioactivity into the atmosphere. However, despite the severity of the accident in regard to core damage and radioactivity release into the*

containment, it may be that the consequences of the accident, namely, the public's exposure to radiation, may have been less serious than the consequences predicted for the worst design basis accident in the TMI-2 safety analysis report, based on pr~~iminary information issued by the NRC on the radioactivity 5

release estimates for the TMI accident. One reason for this paradox is that the containment building was barely pressurized, 16

due to the low rate of co~lant .discharge

. compared-~o a large pipe rupture ac~ident, so that the leakage through the containment once the containment was closed was less than a design basis loss-of-coolant accident.

This concludes the brief description of the TMI accident.*

For further details, see this author's forthcoming report The Urgency of Closing Down Nuclear Power Plants--An Analysis of the Three Mile Island Accident, which is to be appended to this affidavit. This appended report will hereafter be referred to as the TMI Accident Analysis.

To summarize, the TM! "sequence of successive failures" which caused the accident were: (1) Failure of the entire main feedwater system; (2) Failure of two valves in the auxiliary feedwater system; (3) Failure of the pressurizer relief valve to close (stuck -open); and (4) Failure of the relief valve position sensor to indicate the stuck open condition. We now compare the TMI accident with the design basis accidents. There are two design basis accidents for the TMI reactor which are related to the accident that actually occurred at TMI: (1) Loss of the main feedwater system; and (2) An inadvertent opening and sticking open of one of the three relief valves on the pressurizer. In the loss-of-feedwater design basis accident, the pressure rises, which results in an (assumed) automatic reactor scram and opening of-the relief valve to limit the pressure, like the TMI accident.

Sources: See Ref. 8.

But unlike the TMI accide~t, this design basis accident assumes that (1) The relief valve will close when the pressure excursion is checked; and (2) The core decay heat will then be removed and the reactor coolant cooled down by the steam generators, aided by operation of the auxiliary feedwater system. No fuel damage is predicted in the B & W safety analysis reports for this design basis accident. 6 In the second design basis accident--an inadvertent opening of a relief valve--the drop in coolant pressure causes an automatic reactor scram and activation of the high pressure injection system to inject coolant into the reactor to make up for the coolant loss through the relief valve. The main and auxiliary feedwater systems are assumed to function prop~rly, so that the steam generators wou~d remove the decay heat from the reactor as well as cooling down the reactor. The system would th~n cool down and the pressure would fall until the decay heat removal system can be activated, at which time the reactor would be declared to be in the state called "cold shutdown." Again, the B & W safety analysis reports predict 7

no fuel damage, as the core is kept cooled by water.

The preceding discussion describes the two design basis accidents which are pertinent or related to the TMI accident.

It is of interest also to mention the most severe design basis accident for the TMI reactor, which is a large rupture of a 18

~

reactor coolant pipe. The emergency core cooling system (ECCS) is provided to cool the core in this event. The conservative design prediction of the ECCS performance during this design basis accident is that the fuel rods would suffer some damage (perforations in the zirconium tubing), but the fuel rods would remain basically intact (no fuel crumbling, for example.) No more than 1% of zirconium in the core is predicted to be oxidized, which limits the fuel damage and th~ hydrogen production. The release of radioactivity is also.limited: for example, 9.6 million curies of Xenon-133 is released from the perforated fuel rods in the core into the containment, but the automatic containment closure would limit the release to the atmosphere

. via leakage (imperfect seals) to about .04 million curies of Xenon-133.

Finally, a "maximum hypothetical accident" is also postulated in the safety analysis reports, which merely assumes, for example, that 100% of the xenon and krypton radioactivity (noble gases) is released from the core and into the containment, which includes 150 million curies of Xenon-133. However, the containment building is assumed to be closed, except for the slight leakage through imperfect seals; so the release to the atmosphere is only about

.9 millioncuries of Xenon-133, plus other radioactive material.

This maximum hypothetical accident is not a design basis accident for the containment system but is analyzed only to make a conserva-tive bound of the consequences of the design basis accidents, 19

~

to satisfy the NRC's "reactor site criteria" of public exposure limits for "credible accidents." The accident is arbitrarily defined, for it ignores the fact that a core melt down would have to occur to generate a full.release of the noble gas radio-activity from the core into the containment building and that the melt down would have the potential of rupturing the containment building; thus contradicting the assumption of a closed, low leakage containment, which is one of th~ assumptions allowed by the reactor site criteria- in defining the maximum hypothetical accident.

rv .. COMPARISON OF THE TMI ACCIDENT WITH THE DESIGN BASIS ACCIDENTS

we can now compare the TMI-2 accident with the design basis accidents.

A~ Multiple Failures: The TMI accident involves five failures which produced the accident: loss of the main feedwater system, two valves closed in auxiliary feedwater system, a stuck open relief valve, and a failed relief valve position sensor.

In contrast, the related design basis accidents assume a single failure for each case: either a loss of the main feedwater system, or an inadvertant opening of a relief valve which sticks open.

B. Zirconium Oxidation/Hydrogen Generation: The TMI accident resulted in 41% of the zirconium being oxidized (NRC's 9

estimate); whereas the related design basis accidents are predicted 20

to result in no oxidation~ For the worst design basis accident--the large coolant pipe rupture accident--the oxidation is predicted 10 and required by the NRC's regulations to be less than 1%.

C. Hydrogen Explosion: A'hydrogen explosion occurred in the containment which caused a single pressure pulse of 28 11 pounds per square inch (psi). the containment failure pressure has been stated to be 135 psi. 12 However, none df the design basis accidents assume the occurrence of a hydrogen explosion .

The reactor and none of the ~afety systems including the containment are designed to withstand hydrogen explosions.

D. Fuel Damage: The core of the TMI-2 reactor is severely

.destroyed. Based on the amount of hydrogen that has been determined to hqve been created and, hence, the amount of zirconium fuel rod cladding destroyed (41%), a large portion of the core fuel rods must be as~umed to have crumbled. (This is the NRC's assess-13 ment, too. ) This inference is *supported by the large radiation levels in the containment building, which must be greater than

~hat predicted for the worst design basis accident, which is the large pipe rupture accident. The proposed annex to appendix D of 10 CFR 50 indicates that the large pipe break design basis accident is assumed to release 2%

of the noble gas radioactivity 14 (xenon and krypton) from the fuel core into the containment.

The Preliminary Safety Analysis Report for Erie (a proposed B & W reactor) indicates that about 0.7% is calculated to be released; Table 15.6-4 of Chapter 15.

21

___J

The Salem Utility (PSE&G) has testified that the percentage release of the noble gases from the core in TMI-2 was 30%. 15 Therefore, the* fuel rods in TMI-1 must be assumed to be more severely damaged than what is pr~dicted in the worst design basis accident. Finally, the TMI-2 designers (B & W) and the NRC have estimated, based on measured reactor flow and tempe~ature measurements, that the frictional resistance the damaged core offers to coolant flow through it is' 20? to 400 times the normal flow resistance associated with intact and undamaged fuel rod bundles in the core.. 16 This means that the core has lost its original configuration of intact fuel rods with coolant 'flow spaces between fuel rods, and now exists in a form of' crumbled fuel*and cladding and debris which is clogging coolant passages through the core or resembles a pile of sand or small pebbles.

It is the NRC's-assessment that a large portion of the core (about 20% or more) consists of a pile of fuel debris--a bed of fuel particles mixed with other core structur~l debris. 17 In contrast, the related design basis accidents (the loss of main feedwater accident, and the relief valve opening accident) are predicted to result in no fuel damage. 18 For the worst design basis accidents (large pipe rupture) the fuel rods are predicted to remain intact except for limited perforations. (splits in the cladding) .

22

E. -

The. Failure Of fhe Engineered Safety Features And The Reactor Protective Systems: The design basis accidents are to be controlled by the following plant system and structures, known as the "engineered safety features" and "protective systems:"

The containment and its automatic closure devices (isolation systems); the emergency core cooling system, in this instance, the High Pressure Injection System (HPI); the Decay Heat Removal System (DHRS) for long term decay heat ~emoval; the Pressurizer Water Level Gauges; and the Steam Generators (for short term decay heat removal). However, in the TMI-2 accident, these systems and devices were rendered ineffectual, at least temporarily:

(1) The containment failed to automatically close (isolate) for several hours, which enabled radioactivity to escape the containment and into the atmosphere through the auxiliary building carried by reactor coolant overflowing into the auxiliary building. 1 ? The NRC has estimated 13 million curies of Xenon-133 were 5

released to the atmosphere; whereas the "maximum hypothetical accident" for TMI-2 was to release no more than 0.6 million curies of Xenon-133 to the atmos-phere (an estimate based on B & W's SAR-205 and the Erie PSAR.)

(2) The HPI system was ineffectual during the accident.

That is, it did not prevent sev~re car~ overheating and damage, nor hydrogen generation and explosion, nor radioactivity release from the core. In other 23

words, the HPI 1id not cool the core and prevent the performance design limits or criteria for the emergency core cooling systems from being exceeded in the accident.

(3) The DHRS could not be activated. An attempt was made but had to be aborted.

(4) The pressurizer water level gauges failed due to the severe environment in the containment building, which prevented the continued us~ of the main coolant pumps.

(5) The steam generators and the rest of the reactor coolant system were rendered ineffectual for several hours.

The steam generators are the primary means of dissipating the core decay heat in the relief-valve-opening design basis accident and the loss-of-normal feedwater accident.

Also the natural circulation capability of the reactor coolant system was ineffectual when it was attempted early in the accident.

In addition, considerable improvision and jury rigging was required.

Hydrogen burners and lead bricks had to be transported to the site to limit the hydrogen buildup in the containment.* Back up power supplies, major-steam generator modification, leakproof decay heat removal systems, and alternate reactor coolant pressure control systems were hurriedly designed and are presumably installed

Evidently, the hydrogen burners that were part of the plant equipment had failed to function. "NRC closed Meeting,"

Transcript, March 30, page 85.

24

20 by now. In the design b:sis accidents related to the TMI-2 accident, no such jury rigging (extra equipment) are supposed to be needed to bring the reactor to a so-called "safe condition."

F. Reactor Is Still Not Under Control: The design basi~

accidents related to the TMI-2 accident, namely, the loss-of-main-feedwater design basis accident, "cold shutdown" would be achieved sooner. In contrast, the TMI-2 reactor has never been under control and still is not under control.* Because of the uncertain crumbled fuel condition, and. the inability to determine the true temperature of the core debris,* the reactor pressure must be maintained at a high level, to ensure against coolant boiling and d*ryout of a portion of the fuel debris. 'h'( This has been the s-ituation since the start of the accident, namely, that the operators could not place the reactor in a "cold shutdown" state which would allow cleanup operations to commence. Furthermorej it is still possible, though seemingly less and less likely as time passes, that the core would spontaneously heat up again, due to gradual plugging of the pores through the fuel debris pile in the core.

G. Brink Of Catastrophy: Unlike the desig~ basis accidents, in which the core is predicted to suffer limited temperature excursions, little or no hydrogen generation, and limited or no fuel damage, so that the core would maintain its basic fuel

All that can be said is that it is apparently stable.

- Hydrogen gas pockets may be another concern, viz., expansion and interference with natural circulation.

25

and geometry, which prior~xperiments have demonstrated would be coolable, the TMI-2 accident came extremely close to potential catastrophy. The accident produced a core condition with respect to which there were no prior experiments and analyses that would establish that the core would not generate a catastrophic core melt down and explosion. That the reactor has not ended in a core melt down, explosion, and a catastrophic rupture of the containment and consequent disastrous release of radioactivity, is a consequence of extreme luck:

(1) Lucky the last water level gauge on the pressurizer operated for a month whereas two of its sister gauges 21 failed within about the first day of the accident.

The delayed failure of the third gauge pr*olonged core cooling by the main coolant pump and delayed the switch to the less efficient natural convection cooling while the decay heat diminished.

(2) Lucky the fuel was relatively new, and not highly irradiated, when the fuel rod tubing would be brittle, and, therefore, more susceptible to crumbling.

(3) Lucky the hydrogen explosion occured when the coolant pressure was low (500 psi) and not when the pressure was high (2300. psi). Shortly after the explosion occurred, the coolant pressure was raised to 2300 psi. Had the explosion occurred when the pre~sure was 2300 psi, the coolant pipes and control rod drive mechanism motor tubes would have been more highly stressed, 26

and might conce!vably then have ruptured due to the mechanical effects of the hydrogen explosion'. The uncontrolled coolant depressurization that would have resulted could have caused the core debris to overheat (dry out).

(4) Lucky the fuel debris formed in such a way as to permit adequate cooling.

There are other lucky circumstances of the accident (see this author's report, TMI Accident Analysis). The point to make is that if the very same accident occurred again, the consequences could be much more serious.

H. Accident Conseguences--Public Exposure To Radiation:

A measure of the public exposure.to radiation caused by the TMI-2 accident is the amount of radioactivity which escaped into the atmosp~ere. The NRC has issued estimates of the amount of Xenon-133 and Iodine-131 radioactivity that was released.

The following table compares these estimates with the release predicted for* the design basis pipe rupture accident (loss of coolant accident) and the maximum hypothetical accident. Also shown is the total quantity of these species of radioactivity in the core at the start of the accident, which would be released in a catastrophic accident. As is seen from the table, the release of Xenon-133 is about 21 times greater than the maximum hypo-theGical accident (MHA) whereas the release of Iodine-131 was about 0.14% of the MHA. The NRC has issued memoranda which indicate 27

mtPARISON OF RADIOACTIVI'IY RELFASFS INTO THE A'JM)SPHERE

\>K>RST MAXIM.JM DESIGN HYPalHEI'IC.AL BASIS . AC.CIDENr CORE 'IMI-2 ACT;IDENf RELEASE HAlF ANNEX IsaTOPE INVENIORY RELEASE* RELEASE** LIFE 8.1 I

Xemn-133 i49 Mei 13 Mei .04 r-ti ~62 Mei. 5.3.Days .01 Mei (less Icdine-131 74 r-ti 1.4 ci 75 Ci 1000 Ci 8 pays for Class 5) 1J Others:

N Kryp~on. ?

CX>

other Xenon Isotopes Note: Mei = Million Curies ci = 1 Curie

..'-k NRC figures, Ref. 5 Based on B & wIs SAR-205' reduced to awly to the power rating of 1MI-2

-** ~

that the release of the Xenon-133 occurred over an extended time period long after the accident started so that other noble gas isotopes had time to decay. 22 Had these other isotopes been released before their decay, their radiation, which is said by the NRC to be more powerful, would have caused a much greater radiation dose to the public. 23 Being chemically an iqert gas, Xenon-133 is implied by the NRC to b~ much less hazardous than Iodine-131, which of course is extremely hazardo~s to health.

24 Consequently, an NRC official has argued that although the Xenon-133 release was much greater than the MHA release, the relatively low release of lodine-131 (0.14% of MHA) means that the total effect of the accident with respect to the public health (potential hazard" of what was released) is overall less than the MHA.

This comparison is preliminary, and may be subject to change upon more definitive evaluation by the NRC and others.

V. ANALYSIS AND INTERPRETATION OF THE DEFINITION OF CLASS NINE ACCIDENTS GIVEN IN THE ANNEX TO APPENDIX D, 10 CFR 50, AND ITS SIGNIFICANCE WITH RESPECT TO THE HEALTH AND SAFETY OF THE PUBLIC.

In this section the definition of Class 9 accidents given in the annex of appendix D, 10 CFR 100, is analyzed and interpreted in the light of the text of the NRC regulation 10 CFR 50 and 100, past interpretations of the NRC and its Atomic Safety and Licensing Boards, and customary usage. It is- contended that 29

( (

a "Class 9" accident is aft accident that would be caused by a sequence of multiple failures which is apparently more severe than the design basis accident but which is not analyzed in

the official saf~ty analysis repbrt for the course the accident would take, even though the consequences of such an accident, prospectively, could be severer The Class ~ accidents and their potential consequences are not analyzed in the official safety analysis 1 ~_eports nor discussed in the official environmental reports. because the NRC judg~s and has always judged that the probability of these accident failure sequences is remote; that is, the NRC'.considers and has always considered these accidents to be "incredible." Conversely, multiple failure accident sequences which. could have severe consequences but which are* judged "incredi-ble are denominated Class 9 accidents. The only exception to this rule is of-the spontaneous rupture of the reactor vessel during normal operations and anticipated reactor system _transients, as such an accident would involve only a single failure. This single failure accident too is considered by the NRC as "incredi-ble", *and hence, a class nine accident. Class 9 accident sequences are not defined prospectively according to the potential conse-quences, other than that the consequences could be severe; nor are they defined retrospectively according to the actual consequences that occur in terms of the public exposure to radiation relative to .s-ome safety standard. Rather, the Class 9 designation was only to denote and express the NRC's opinion that possible multiple failure sequences that would cause accident and spontaneous reactor vessel failure accidents, either category of which could 30

have severe consequences, are "incredible" or extremely unlikely accident possibilities. This NRC opinion has been the fundamental assumption on which the NRC has based its regulatory judgment that nuclear power is safe. This Class 9 accident incredibility opinion has also been the official justification for the NRC's policy of not analyzing the Class 9 accidents to establish their potential consequences and informing the public of the results.

A. Interpreting The Text Of The I

Annex The main text of the annex to appendix D, 10 CFR 100--here-after, the "annex"--is reprinted in the appendix of this memorandum.

The annex defines nine classes of accidents, which range from Class 1 (trivial consequences) to Class 9 (the most severe).

The crucial.paragraphs of the annex with respect to the question at hnnd are as follows:

"Class 8 events are those considered in safety analysis reports and AEC staff safety evaluations. They are used, together with highly conservative assumptions, as the design--

basis events to establish the performance requirements of engineered safety features. The highly conservative assumptions and calculations used in AEC safety evaluations are not suitable for environmental risk evaluation, because their use would result in a substantial over-estimate of the environmental risk. For this reason, Class 8 events shall be evaluated realistically. Consequences predicted in this way will be far less severe than those given for the same events in safety analysis reports where more con-servative evaluations are used.

The occurrences in Class 9 involve sequences of postulated successive failures more severe than those postulated for the design basis for protective systems and engineered safety features. Their consequences could be severe. However, the probability of their occurrence is so small that their environmental risk is extremely low. Defense in depth (multiple physical barriers), quality assurance for design, manufacture, and operation, continued surveillance and testing, and --

conservative design are all applied to provide and maintain

. the required high degree of assurance that potential accidents in this class are and will remain, sufficiently remote in probability that the environmental risk is extremely low. For these reasons, it is not necessary to discuss such events in applicants' (utility's) Environmental Reports.

31

Class 8 accidents ari plainly the design basis accidents, called "design-basis events," or those accidents which are analyzed in the official safety analysis reports to evaluate the adequacy of the reactor plant design with respect to the NRC's reactor plant safety regulations, particularly 10 CFR 50, including the General Design Criteria (10 CFR 50, 'App. A), and with respect to the Reactor Site Criteria, 10 CFR 100. In regard to the Class 9 accidents, the key parts of the annex are as follows:

(1) The Class 9 accidents involve* "sequences of postulated successive failures more severe" than the design basis accidents.

(2) "Their consequences could be severe .. However, the probability of their occurrence is so small that their environmental risk is extremely low."

(3) "(The) potential accidents in this class are, and will remain, sufficiently remote in probability that the environmental risk is extremely low."

It is plain that the annex distinguishes between a sequence of successive failures, which is the cause of a postulated accident, and the consequences of that accident-causing sequence. In the context of the annex, the term "consequences" refers to the "environmental consequences," or the predicted public's exposure to radiation resulting from the accident. (See the sixth paragraph of the annex.) This interpretation is consistent with the examples given in the annex of Class 8 accidents, where the term "conse-quences" refers to calculated contamination and public exposure 32

to radiation, given assum~d releases of radioactivity and meteor-logical parameters. The consequences need not be severe for an accident to be a Class 9 accident, only that they could be severe, given the fact that the sequence of postulated successive failures of an accident is apparently "more severe" than the design basis accidents. The annex specifies no criteria for determining whether a sequence of postulated successive failures (of reactor plant components and systems) would be "more severe" than the design basis accidents; and, therefore, we must rely on the words of the defining sentence and their context in the annex to establish the meaning of Class 9 accidents, that is, to establish the NRC's intended meaning. The key word is "success-ive"~ a sequence of postulated successive failures more severe than the "design basis events." Observe that the annex calls the Class 8 accidents "events," which implies that each Class 8 accident is defined basically by a single failure event; whereas the Class 9 definition refers to a sequence of postulated successive failures, which of course, means a chain of multiple failure events. The examples of Class 8 accidents given in the annex bears this out, such as a reactor coolant "pipe break" or a "rod ejection," meaning an ejection of a single reactor control rod. The design basis accidents in the safety analysis reports are basically single failure events. For example, B & W's Safety Anarysis Report-205 contains only two design basis accidents which bear any resemblance to the TMI-2 accident.* These are:

(1) "Loss of Normal Feedwater;" and (2) "An Inadvertent Opening

This safety analysis report is assumed to be practically the same as the TMI-2 safety analysis report, since the TMI reactors are B & W designs.

33

of Pressurizer Sa~ety or Relief Valve." These two accidents are among the postulated events for the design basis of the protective systems, ~uch as the scram system, and the engineered safety features, such as the containment system and emergency core cooling system. Design basis accidents may assume an additional failure in a safety system that is to control the accident, in accordance with the "single failu~e criterion" of the General Design Criteria (10 CFR SO, App. A) .. So* in this sense, design

. basis accidents could qe considered as a sequence *of two failures; but basically, they are single failure events, quite plainly, as an inspection of any saf~ty analysis report shows. But regard-less, the design-basis accidents are those failure events analyzed in the safety analysis reports (and the associated safety evalua-tion reports of the NRC).

To form a Class 9 accident~ then, we need only to postulate an additional failure or failures of equipment or components which would make up a sequence of successive failures--a design basis failure event plus one or more additivnal failures--which apparently would make the accident more severe than the related design-basis event. To illustrate: In the section qf the B &W safety analysis report-205 which analyzes the "loss of normal feedwater" design-basis accident, it is stated:

"The simultaneous loss of both main and auxiliary feedwater

, is not considered a credible occurrence since the auxiliary f eedwater system is designed as a completely separate and redundant feedwater backup system for decay heat removal.

24

Therefore, the auxitiary feedwater system is assumed to be available to remove the decay heat gcncr~tcd following reactor trip, and fuel and RC~"" system boundary damage will not occur." (B-SAR-205, Rev. 0, p.15.1.8-1).

"Normal" feedwater and "main" feedwater are synonymous. Clearly, the B & W report implies that if an additional postulate is made that the auxiliary feedwater system fails, the accident would be more severe W"ith respect to damage to the fuel and the reactor vessel and piping, or at least the reactor system heatup would be more severe. Observa also that the B & W report contends that the loss of main feedwater system plus a loss of the auxiliary f eedwater sys9em is a sequence that "is not cons'idered credible," which in effect means that B & W considers the probability of the sequence remote or extremely low. Similarly, the Reference Safety Analysis Report (RESAR) for the Westinghouse design of pressurized water reactors** treats the "loss of normal feedwater" accident as a design basis accident. This report states:

"If an alternative supply of feedwater were not supplied to the plant, residual heat following reactor trip would.

heat the primary sy$tem water to the point where water relief from the pressurizer occurs. Significant loss of water from the Reactor Coolant System could conceivably lead to core damage."~""*~'(

The report assumes for its design* basis event that the auxiliary*

system functions properly. The report states:

"The analysis shows that following a loss of normal feedwater, the auxiliary feedwater system is capable of removing the

, stored and residual heat thus preventing either overpres-surization of the Reactor Coolant System or loss of water from the reactor .core."

(RESAR, June 1072, p. 15.2-38).

RC = Reactor coolant.

- The Salem design.

- - In B & W reactors, "water relief" would occur even if the auxiliary feedwater were supplied.

35

Next, we consider th~ design-basis safety/relief valve opening accident~ This design-basis accident assumes that feedwater is not lost and. that, therefore, the ~team generators would remove. the* decay heat of the core. If one asstimes the* additional failures of the loss of both the main and auxiliary f eedwater systems, there would be no removal of heat from the reactor by the steam generators. Obviously, then, postulating these additional failures would make the accident more severe than the design-basis event. No analysis of this multiple failure sequence would be needed to conclude that the sequence would be mo re severe.

These illustrations show clearly the intent of the annex's defir-tition of the Class 9 .accidents with respect to the. method of judging whether a "sequence of postulted successive failures:"

is "more severe!' than the associated design-basis events. Again, the annex specifies no criteria, method,. or measure for judging relative severityy such as the percentage of zirconium fuel cladding that is oxidized or the magnitude of the release of particular fission product radioactivities; and so the criterion must be inferred from the defining sentence. Since Class 9 accidents would not be analyzed in the licensing safety analysis reports, there would be- no quantitative determination of the severity of such accidents; and so only qualitative determinations could be*made based on the nature of the postulated successive failures.

Therefore, one can evaluate whether a sequence of postulated 36

successive failures is "m~re severe" than the design basis events only on the basis of what is apparent when postulating failures that are in addition to the failures postulated for that design--

basis event (or events) which is.related ~o the sequence being evaluated. Clearly, therefore, the index to be used to assess whether a given sequence of postulated successive failures is "more severe" than the related design basis event(s) is that index which is obvious from the comparison: for example, whether the postulated sequence would apparently lead to less core cooling, higher core ~emperatures, greater coolant pressures, or greater coolant temperatures than the related design basis event. The annex, therefore, does not contemplate that the index for evaluating the severity of a sequence of postulated successive failures be the amount of fission product radioactivity release from the reactor or the containment; for that would require an analysis (computer simulation of the accident) to determine the radioactivity release and the ann.ex does not require such an analysis of Class 9 accidents. We must keep in mind that the annex is prospective; that is, it is not a criterion for assessing accidents which have happened but accident possibilities which have not happened.

Thus, to determine whether the TMI-2 accident is a Class 9 accident, one must identify the sequence of successive failures that caused the accident and compare that sequence with the design-basis accidents for TMI-2 using the before-mentioned qualitative standard for evaluating relative severity, without regard to the actual 37

consequences of the accid~t. Obviously, the TMI-2 accident was more severe than any of the design basis accidents with respect to core damage and hydrogen production and other things, but may not have been more severe in terms of the overall radio-activity release from the containment and the resultant public health effects. The annex does not specify whether the core damage or the overall health effect of the radioactivity release is to be the index for comparing severity, because the annex is prospective and because predictive analyses of Class 9 accidents are not required to be performed, which means that the index can only be that which is apparent from the knowledge only of the postulated additional failures beyond the related design-basis event;s.

Finally, the annex implicitly distinguished postulated failures and failures of .systems or structures that would or could be consequences of the postulated failures. For example, *.* 1 a sequence of postulated failures may cause a core melt down and. explosion which in turn is predicted to potentially rupture the reactor containment vessel. The containment failure would not be among the postulated failures which defines the Class 9 accident, but a failure that would be a possible result of the sequence of postulated failures that would have to be considered in evaluating the possible consequences of the accident.

38

B.

Maximum Hypothetical Accident v. Class Eight A6cidents The Reactor Site Criteria in 10 CFR 100 requires that a major accident be "hypothesized" or "postulated from consideration of possible accident events" that results in a fission product release from the core that has a "potential hazard" which is not exceeded by "any accident considered credible." the site criteria suggests the use of TID-14844, "Calculation of Distance Factors for Power and Test Reactor Site;S," AEC document, March 23, 1962 *. The site criteria ~hen.requires that the public radiation exposure be evaluated assuming expected containment leak rates and pertinent weather conditions given the assumed fission. product release from the core and into the containment. Presumably, the TMI-2 safety analysis report analyzes a "maximum hypothetical accident" (MHA) which assumes that 100% of the noble gas radio-activity, 50io of* the halogens, and 1io of the "sol ids" are released from the core and into the containment, in accordance with the TID-14844 assumptions, or an accident of similar hypothetical character. It is contended that the MHA is not a design-basis accident against which a sequence of postulated successive failures is to be compared to determine Class 9 status. In other words, the MHA is not a Class 8 accident.

The MHA is not a design-basis accident, since it is hypothe-sized, not for the purpose of establishing the performance require-mehfs of the safety systems and the.containment, but for the express purpose of determining the public "exclusion area, low population zone, and population center distance" for the reactor.

39

(The NRC licensing* board ~as ruled accordingly. They have distin-guished between the "design basis accidents c. .. ~, 1-tle even more severe hypothetical accident required to be postulated by 10 CFR 100 for the purpose of evaluating site suitability." See Farley, 7 AEC 98,103 (1974)). The MHA cannot be considered a "credible" accident because it is purely hypothetical, since it does not specify the deterministic or mechanistic path by which the release

. of the radioactivity occurs, and bec~use it is purely arbitra~y, since it presumes an acciden~

which must destroy the core and yet would not rupture the containment. Moreover, the 10 CFR 100.11 expressly distinguishes the "hypothesized" accident, namely the MHA, from "accidents considered cridible." Plainly, the "accidents considered credible" are the design basis accidents.

Thus, the MHA required by 10 CFR 100 appears only to be a way to put a bound on the potential consequences of the design-basis accidents. Furthermore, as is plainly implied in the definition of Class 9 accidents in the annex of appendix D of 10 CFR SO, the "design-basis events"--the Class 8 accidents-:-are to be

.sequences of postulated failures (Class 9 sequences are to be more severe). That is, the Class 8 accidents must be sequences of specific failures. The MHA is not a sequence of specific failures of equipment and components but merely an assumed release of radioactivity from the core. The magnitude of the fission product release hypothesized for the MHA, therefore, is not the criterion for assessing whether a sequence of failures is a Class 9 accident.

40

Again, the annex cla~sification of accidents is prospective.

There would be no way to evaluate a sequence of postulated. success-ive failures with respect to the MHA for relative severity except by analyzing the sequence to determine the potential magnitude of fission product release from the core and the containment, as the MHA is defined only in terms of fission product release from the core and the subsequent transport of the released fission products to the public. But the annex contemplates no analysis and report of Class 9 accidepts, which yet must be more severe than the Class 8, design-basis accidents. ~ence, the "more severe" requirement of the Class 9 definition could not have been intended that magnitude of fission product release be the index of severity.

Rath~r ,. an accident sequence would be more severe by the standards previously deduced, namely, those standards which are apparent when comparing the design-basis sequence of events with a sequence involving additional failure(s) without an analysis of the latter.

There are Other rea~ons why Class 9 accidents are not required to be analyzed by the NRC, and they are: (1) The mathematical problems of predicting the course of such accidents are intractable.

The processes of core overheating and crumbling and their effects are too complex to make any reliable theoretical prediction.

(2) The accident theory and predictions could not be verified experimentally, as that would require a great many full-scale rea~~or destructive experiments, which, of course, are not prac-tical. (3) There would he virtually an infinite number of different 41

Class 9 accidents to anal,ze, which makes it humanly impossible to analyze reliably the accidents in this class.

Incidentally, the TMI-2 accident exceeded the MHA, since the containment building was not* closed (isolated) for several hours during the accident, but the 10 CFR 100 assumptions assumes a closed containment except for the expected leakage. Also, TMI-2 accident released much more of one species of radioactivity (Xenon-133) than in the case of the MHA~ So in this sense too the TMI-2 accident exceeded the MHA. But it may turn out that the consequence of the TMI-2 accident in terms of overall public I

.I exposure to radiation were less than the MHA prediction. But *I this would be arguing consequences, and the annex does not require that.the consequences of a Class 9 accid~nt, should one occur, be necessarily severe.

VI. CLASSIFYING THE TMI-2 ACCIDENT The basic sequence of successive failures which caused the TMI-2 accident is as follows: Loss of main feedwater, stuck open relief valve, and failure of the auxiliary feedwater system to activate. Following this sequence, the operators attempted to control the accident to prevent core damage but were not successful because the sequence was too severe. To evaluate whether the TMI sequence is a "Class 9 occurrence," the1:efore, one ~must recall the design-basis accidents which relate to the TMI-2 sequence. These design-basis accidents again, are: (1)

Los~ of mah feedwater; and (2) Inadvertent opening of a relief 42

valve, which stays open. The loss-of-main-feedwater design-basis accident assumes that the relief valve re-closes after reliev~ng the pressure excursion, to limit the loss of coolant from the reactor, and assumes the auxiliary feedwater system activates to enable the steam generators to remove the core decay heat.

the opening-relief-valve design-basis accident on the other hand, assumes the feedwater* systems do not fail, so that the steam generators would con~inue to ~emove the bulk of the core decay heat while the emergen~y cooling system injects make-up water. In contrast, the TMI-2 sequence was a combination of the above two design-basis failure events plus a third failure in the failure of the auxiliary feedwater system. One need not perform a computer simulation of the TMI-2 sequence,. that is, calculate ahead of time the_ course the accident would take, in order to conclude that it would be "more severe" than either one of the related design basis accidents; for the reactor coolant '

heatup and loss of coolant would certainly be more severe than either of the related design basis accidents. Thus, the core heatup would have to be more severe. (This is certainly borne out by the accident.) Now, there are no other design-basis acci-dents which can be used to evaluate the severity of the TMI-2 sequ~nce relative to the design-basis events.

It may happen that the NRC will argue that the TMI-2 accident must be evaluated relative to the most severe design-basis acci-dent--that being the large pipe rupture loss-of-coolant accident--b~

43

comparing the overall rad~ation exposure hazard of the TMI-2 release of radioactivity to the atmosphere with that which was calculated for the design-basis, large pipe break, loss-of-coolant accident. However, as shown befo*re, the Class 9 definitiion is prospective. The TMi-2 accident sequence was never analyzed and reported before the accident occurred for the course the accident could take and its potential conseq~ences. Unless a postulated accident sequence is analyzed mathematically and compared with the design-bas~s, large pipe break, loss-of-coolant accident with respect to fuel heatup potential and the potential magnitude of radioactivity release, there would be no way to establish the relative severity of the two postulated accidents with.respect to predicted publi~ e~posure to radiation. Again, the annex intends no such analysis. So, since the TMI-2 sequence failure sequence is wholly different than the design-basis, large break loss-of-coolant accident, there could be no qualitative evaluation without first analyzing the design basis accident or accidents related to the TMI-2 failure sequence, then making intuitive or extrapolative judgments about the severity of the TMI-2 failure sequence relative to the related design-basis accidents, and, then, from those judgments assess (extrapolate) the sev~rity of the TMI-2 sequence with respect to the large pipe break design-basis accident. But this second extrapolation is .~enuous at best, since the TMI-2, and Class 9 accidents in general, would not be similar to the large pipe break design-basis accident. Clearly, therefore, the Class 9 definition contemplates.

44

comparison of sequences o~ postulated successive failures with respect to the related design-basis events.

We can conclude, therefore, that the TMI-2 accident was a Class 9 accident by a reasonable interpretation of the annex~

VII. NRC AND ATOMIC SAFETY AND LICENSING BOARD'S INTERPRETATIONS OF CLASS 9 ACCIDENTS The preceding interpretation of* the Class 9 accident definition has been the consistent and settled 'interpretation of the NRC and its Atomic Safety and Licens:lng Board. In several licensing hearings this author has submitted contentions and testimony which sought to persuade the NRC to investigate the full range of a~cident possibilities, which included the failure sequence which caused the TMI-2 accident. Consistently, the NRC staff and the boards pave held th~t the accideAt sequences I sought to discuss are incredible accidents, and, accordingly, were dismissed as Class 9 accidents (remote in probabilit.y). The NRC licensing proceedings concerned Black Fox and Erieo In the next sections, the Black Fox and Erie opinions arc discussedo In addition, the NRC staff opinion in the present Salem proceeding is critically examined.

A. Black Fox In the Black Fox reactor hearings, the NRC's licensing bo~rd held that an accident sequence composed of a design basis accident failure event "concommitant with scram failure or other independent failures" is not "credible" or "reaso.nably possible." --

45

The Board ruled such "multiple failure" accidents are Class 9 accidents and on this basis rejected this author's formal contentions (that were submitted to the board) that all such accidents should be analyzed an~ considered, in order to properly assess the safety *of the reactor. (Public Service Co. of Oklahoma, et. al., Docket No. 50-556,-557, Board order, May 25, 1977, p.3-6~) (The board made its ruling without seriously inve~tigating the likelihood of class nine accidents,. despite one of the conten~

tions that some or most past* reactor accidents and! near-accident incidents were multiple-failure events.*) Moreover, the board held that the multiple-failure accident sequences considered in the NRC's Reactor Safety Study (WASH-1400; otherwise known as the Rasmussen Report) are not "credible," as the board held that they too fail the "credibility criterion" of the NRC's regulations. (The Board had treated incredible accidents and Class 9 accidents synonymously.) The board thus held, in effect, that the TMI-2 accident sequence is a Class 9, incredible accident, since virtually the same TMI-2 accident sequence is listed in the Reactor Safety Study as one of the multiple failure sequence designated as "sequence TMLQ" (page I-87/88). The TMLQ sequence is as follows:

1. A transient initiating event: Turbine trip.

2. Successful reactor scram.

- 3. Failure of the power- conversion system, that is, failure of the main feedwater system.

And detailed written testimony by this author which was presented.

46

~

4. Failure of the auxiliary feedwater system.

5. Successful opening of the reactor coolant relief valve.

6. Failure of the relief valve to close when the excessive pressure is relieved.

The Reactor Safety Study assumes that this sequence would lead to a "core melt," even though no mathematical analysis was per-formed; whereas the design-basis sequence would be the sequence of events numbered 1, 2, 3 and 5 from the above listing (sequence TM of the Reactor Safety Study, 'p. I-87 /88), which the Study noted would not end in a core melt. Clearly the Reactor Safety Study regards the sequence TMLQ as ~ severe than the design-basi sequence TM.

B. The Erie Proceeding In the Erie proceedin~ (B & W reactor) this author has submitted a number of contentions which are practically the same as those in section 7(c), 7(e) and 7(f) of his Salem testimony of February 27, 1979. Basically, the contentions, which apply to pressurized water reactors, contended that all possible accident which are not treated in the safety analysis report--namely, multiple-~ailure accidents and spontaneous reactor vessel rupture-should be analyzed for their likelihood and potential consequences, in order to properly judge the overall safety of the proposed reactor. A number of examples were given,* and this author's book The Accident Hazards of Nuclear Power Plants was cited and copies given to the NRC, the board, and the utility applicant.

47

Thus, the NRC knew full w~ll what specific accident possibilities (failure sequences) were intended. The B &W safc~y analysis report treated~ for example, the loss-of-normal-feedwater accident, and mentioned that an accident involving a loss of normal feedwater.

plus the additional failure of the auxiliary feedwater system "is not considered credible." (B & W, SAR-205, p. 15.1.8-1)

Yet, this allegedly incredible accide~t sequence plus a third failure (stuck open relief valve) is' what occurred at TMI-2.

Thus, the contentions submitted in the Erie hearings concerned multiple-failure accidents which included the failure sequence which caused the TMI-2 accident. Moreover, contentions 16 and 17 of my Erie contentions alleged that the safety analysis reports do not give adequate consideration to the fnct that most past reactor accidents or near-accidents were due to multiple mal-functions and human error.

the NRC's response was that my contentions "concern Class 9 accidents." (NRC memo in the Erie procee.ding, June 30, 1977.)

the NRC further contended that "the chances of the occurrence of a Class 9 accident are so remote as to be incredible" (Id.),

and said.that "Class 9" is "a synonym for a noncredible accident."

(Erie Transcript, p. 104, July 28, 1977.) Therefore, it is clear that the NRC Staff regarded multiple failure accidents, including the TMI-2 type accident sequence, as Class 9 accidents.

~ C. Salem This author has submitted testimony in this present proceeding, "The Accident Hazards of Spent Fuel Storage, at the Salem Nuclear 48

~

Power Plant, February 27, 1977, which asserts the need to investi-gate reactor accidents more severe than the design basis accidents, which, I asserted, could cause the spent fuel pool to lose its water. My testimony covers multiple-failure accidents and cites my book Accident Hazards for "amplification," The book defines "worse possible accidents" as those worse than the design basis accidents and equates them with "multiple failure$." It lists "heat exchanger" accidents--loss-of-:,f eedwater for one--and failures of "r.el ief valves" that coulj:i worsen a heat-exchanger accident (pp. 32-33). This effectively includes the sequence of failures that caused the TMI-2 accident. The book refers to the Rasmussen Report for examples of such accident possiblilites, which includes the tMI-2 sequence, TMLQ, as mentioned earlier. In response to this testimony the NRG staff states that "The testimony

., .... discuss(es) Class 9 accidents." (NRC memorandum in Salem, June 29, 1979.) Indirec~ly, therefore, the NRC has again interpreted the TMI-2 accident sequence as a Class 9 accident.

However, the NRG staff in Salem has propounded a new definition of Class 9 accidents, which we may now anticipate will be applied by the NRG staff to contend that the TMI-2 accident was not a Class 9 accident. The NRG staff's memo of June 1, 1979 asserts that Class 9 accidents are those "combination(s) of failures which lead to core-melt and containment vessel failure. From this interpretation, we can anticipate the NRG staff's answer 49

> -~,.,

. *.j.!

~ *~~ ,\

~~.t~/~

- . ..-ti_. f ~

~

to the Board's question as follows: that the TMI-2 accident was not a Class 9 accident because there is evidence that the uranium dioxide fuel had not melted during the core heatup.

So, the NRC might argue that the accident did not contradict the NRC past assurance that Class 9 accidents are "remote in probability." However, as argued earlier, the annex definition of Class 9 is prospective, and, therefore, the facts which make a sequence of failurei which causes an ?Ctual accident, a Class 9 accident are: ( 1) Whether: the. sequence was, prior to the accident, considered more severe than the related design-basis accident (without an analysis having been done to determine the course of *the accident, such as whether a core melt down occu-ts or not); and (2) Whether the failure sequence was deemed by the NRC when approving the Safety Analysis Report to be incredi-ble, or remote in probability. The assurance given in the annex is that a Class 9 sequence of postulated successive failures--those failures which would cause the accident--is remote in probability, not that those accidents which would lead to core melting and a breach of containment are remote .

. D. The NRC Regulations Overall, With Respect To The Class Nine Issue The issue of Class 9 accidents has thus been discussed in various licensing hearings. A variety of different interpretations have been asserted by the NRC and the licensing boards, however some have said that a licensing board may consider Class 9 accidents

if such accidents can be shown to have a "sufficiently high probability," and other times it has been contended that the boards cannot consider Class 9 accidents. Some have said that the NRC regulations bar Class 9 accidents from being treated in the safety analysis reports, and some have said that Class 9 accidents are "not generally excluded." See the memoranda in: (1) Black Fox~ Docket No. STN 50-556, 557: Board Order of March 9, 1977, NRC Staff memo of Mar~h 24, 1977, applicants memo of March 28, 1977, and the boards order of May 25, 1977, plus the associated applicant and intervenor petitions and memor-anda.* (2) Erie, Docket Nos. STN 50-580, 581: NRC memo of June 30, 1977, board orders of August 18, 1977, and November 14th and associated applicant and intervenor petitions and memoranda, and the Erie Transcript, pp. 73-81; 100-118; and (3) This Salem proceeding: NRCmemo of June 1, 1979.

As a possible aid to resolving the varying interpretations, the following interpretation of the whole NRC regulations with respect to the Class 9 issue is offered. This should further help to settle the question whether TMI-2 was a Class 9 accident.

The NRC regulations for licensing reactors, 10 CFR 50, including the General Design Criteria (GDC) and the subject annex to appendix D, 10 CFR 50, and the Reactor Site Criteria, 10 CFR 100, do not completely define those failure sequences which are to be the design basis accident. The NRC regulations

And this author's "pre-hearing" testimony: "Testimony on the Safetyof the proposed Black Fox Nuclear Power Plant," January 4, 1977.

51

only set down the "minimum requirements" (GDC: 10 CFR 50, App. A, Intro.) Moreover, the regulations expressly state that the General Design Criteria are "not yet complete." .(Id. ) No where in the General Design Criteria are "accidents" defined. Repeatedly throughout the GDC the phrase "postulated accident" is used in specifying design criteria of various systems; but just what are to be the postulated accidents is left unanswered. The accep-tance cri~eria for the emergency co~e cpoling system (ECCS),

10 CFR 50.46, defines the lo~s o~_coolant accidents for setting the performance.requirements of the ECCS., but the defined loss-of--

coolant accidents are only part of an infinite number of reactor accident possibilities. The ECCS regulation merely defines the design criterion for the emergency core-cooling system, to provide protection for spontaneous coolant pipe ruptures (single failure events). The rule-making proceeding which made the ECCS regulation would not consider or hear test~mony on the credibility of multiple failure accidents which could result in a loss of c6olant, or of the spontaneous vessel rupture accident, as such accidents were ruled to be "outside the scope of the proceeding." Therefore, 10 CFR 50.46 was not -made to settle the definition of those accidents which are to be analyzed in the safety analysis reports or considered by the licensing boards for credibility.

The ultimate criteria for licensing reactors under the NRC-regulations are the Reactor Site Criteria, 10 CFR 100. This regulation contains the only definition of accidents that are 52

to be postulated in applying the General Design Criteria: namely, "any accident considered cred:'.ble" (10 CFR 100.11(a)). Of course, this definition is ambiguous, ~nd is not at all helped by the choice of the word "credible;" though from the annex of app.

D, 10 CFR 50, we learn that incredible means "remote in proba-bility, 11 not impossible. Therefore, it is simply left to the licensing proceeding to determine which accidents are "credible."

Thus, the licensing boards are not precluded from investigating

any multiple failure accidents for t.heir likelihood ("credibility")

and consequenc~s. Indeed, the boards in the Black Fox and Erie pr~ceedings did just that: they asked for and considered informa-tion on various multiple failure accident possibilities; particu-larly, "credible mechanisms" for causing such accidents .

The Blac~ Fox and Erie boards ruled in effect that multiple-failure accidents are not credible; but in the opinion of this author, the boards did not seriously investigate the likelihood of such accidents, as they would not enter into serious dialogue with th intervenors they would not receive testimony from the intervenors, and they would not require the NRC and the utility applicant to submit testimony and undergo cross-examination.

The boards simply made a subjective judgment that the probability of such accidents is extremely low. There, of course, are the other factors which are always present: they are, (a) most, if not all, postulated multiple failure accidents could not be shown by analysis using scientifically established mathematical theory to have consequences that would not be catastrophic or 53

~

would satisfy the 10 CFR 100 reactor siting criteria; and (b) most such accidents probably would be calculated to have catas-.

trophic potentials. So, if reactors are to be licensed, multiple--

failure accidents would have to be ruled "incredible." Of course, the reactor designers attempt to incorporate design features that, subjectively, make the probability of multiple-failure accidents low; and these features are what the boards rely on .

Unfortunately, the boards have not take~ seriously this author's contentions and references. t~at ~ctual experience of reactor accidents and near-accidents were the result of multiple failures; that is, the boards, in this author's opinion, have not adequately considered reactor experience.

Therefore,. we can conclude, based on the preceding analysis of the NRC regulations and supported by board practice, that it is the licensing proceeding, including all appeals that might be taken, which determines the accidents which are to be the "design-basis" accidents and thus analyzed in the safety analysis reports and NRC safety evaluation reports. The design basis accidents then become the Class 8 accidents; and those possible accidents--postulated failure sequences--which are more severe than the related design-basis accidents, but which the NRC in its licensing proceeding determines are not "credible" and thus are not required to be treated in the safety analysis reports, become the Class 9 accidents. (Again, a postulated failure sequence is judged "more severe" than the design basis events by what is apparent from consideration of additional or larger failures 54

over and above the desig~basis failure sequence, if no analysis is made of the postulated sequence to determine the potential consequences.) All that the annex of app. D, 10 CFR 50, does, then, is to exempt the "applicant" for a reactor licensee (the utility) from having to discuss the Class 9 accidents in their "environmental report" for the reactor.* It does not define the accidents which are to be deemed credible or incredible and it does not bar the licensing bo~rds from considering any accident possibility.

VIII. THE SECOND PART OF'THE BOARD'S QUESTION The second part of the board's question is: "Was the risk to health and safety and the environment 'remote in probability,'

or 'extremely low' at three Mile Island, as those terms are It is contended that the National Environmental* Policy Act requires that the NRC in its environmental impact statements for reactors discuss in detail the Class 9 accident possibilities and their potential consequendes. The Act expressly requires for "every ... proposal ... significantly affecting the quality of the human environment, a detailed statement ... on the environ~

mental impact of the proposed action." In the context of the Act, the term "environmental impact" denotes whatever it is about the nuclear plant that clashes with the "natural environment."

Since nuclear plant accident risks, including Class 9 accidents, are not a part of the natural environment, it follows that the Act requires a detailed statement on these risks. That this is the plain meaning of the Act is ev{dent from the section of the Act which sets forth the policy and objects of the Act, to wit: "That the Nation may ... attain the widest range of beneficial uses of the environment without degradation, risk to health and safety, or other undesirable and unintende<rconseguences."

~lnly, the Act requires that all serious accident possibilities be discussed in detail, including the Class 9 accidents. True, the courts have held that environmental impact means likely environmental effects. However, the court opinions simply overlook the policy and object of the Act which distinguishes likely effects from accident risks, as likely effects have to do with the goal of no "degradation" and accident possibilities have to do with "risks to health and safety." The Act does not say "likely risks." (emphasis added in quotes).

55

used in the annex?" This question presupposes that the Class 9 definition is retrospective: that the annex classifies accidents according to thei~ consequences; for example, whether the chances are nil that persons exposed to the radiation released by the accident will have their health impaired. However, as argued before, the Class 9 accident definition is prospective, and the term "remote in probability" has to do with the probability of a sequence of successive failures wh~ch cause an accident, not the chances of human inj~ry if such an accident occurred.

The annex clearly distinguishes the sequences of postulated failures from the consequences .. That the Class 9 definition is prospective is seen from statements and phrases in the annex defirUtion that (1) "Their consequences could be severe;" (2) "Po-tential accidents in this Class;" and (3) "Postulated successive failures." Again, the consequences of an accident, should it occur, need not be .severe, but only that, given a sequenc~ of added failures beyond a design-basis event, it is obvious or suspected that the consequences could be severe, which was known the case prior to the TMI accident. Indeed, the TMI-2 accident came to the brink of catastrophy and it is a very real possibility that various circumstances of the accident which were consequences of luck prevented a fuel melt down and catastrophic explosions (see this authors's TMI Accident Analysis). The assertion in the~annex that the environmental risk of Class 9 accidents is "extremely low" is based, quite clearly, on the assertion that the postulated failure sequence which cause an accident is "remote 56

~

in probability," so that even if the consequences were severe, the risk--the product of the probability and the consequences--would still have to be extremely low. This is the meaning of the annex concerning the environmental risk. Furthermore, the annex does not assert that the risk to health and safety and the environment is remote in probability, but that the "potentic'.11 accidents in this class" are "remote in probability." Here again, it is prospective, by the word "potential." Potential accidents refers to sequences of postulated successive failures whose consequences, if the accident actually occurred, may or may not be severe but could be.

TherBfore, in the context of the anriex, it is meaningless to a~k whether the TMI-2 accident caused risks to health and safety and the environment .that were remote in probability .

The proper and meaningful question should be whether the sequence of failures which caused the TMI-2 accident was regarded by the NRG-prior to the accident as remote in probability. This is the real significance of inquiring into the classification of the TMI-2 accident.

IX. CONCLUSION AND FINAL REMARKS The Three Mile Island accident was (is) a Class 9 accident.

The sequence of multiple failures which caused it was regarded by 'the NRC prior to .the accident and when the plant was licensed as "incredible" or remote in probability. The occurrence of the accident, therefore, disproves the NRC's assumption that 57

o( * !) I such accidents are incredible. This is the most important lesson to be learned from the accident; for the fundamental assumption behind the NRC's opinion (past and present) that reactors are safe is that multiple failure accident sequences worse than the design basis events are remote in probability. The Three Mile Island accident disproves this assumption, as does the Brown Ferry Fire, and the recent Oyster Creek near-accident, which apparently was a multiple failure. occurrence in which the core came close (one foo~) to being uncovered of coolant.

These incidents, plus the experience of other reactor mishaps, indicate that potentially* catastrophic accidents are likely to occur *.

rt would be erroneous and deceptive interpretation of its regulations and a dangerous_ mistake in policy for the NRC to classify the TMI-2 accident by comparing the TMI-2 accid~nt relative to the maximum hypothetical accident (MHA) postulated for 10 CFR 100 purposes, using as a comparative index the radiation release from the core, or the radiation dose received by the public, or some index which measures the total health hazard of the radioactivity release to the atmosphere, or by defining Class 9 accidents as those which lead to core-melt and a breach of containment~ Such erroneous interpretations of the annex would be a ruse to contend: (1) that the TMI-2 accident was noe'among those which the NRC has previously assured were incredi-ble; (2) that the NRC safety design requirements allowed for 58

serious accidents such as TMI-2; and (3) that the systems are designed to limit' such accidents to acceptable consequences.

For the fact is,~ the NRC and. the reactor designers had no a priori knowledge, proof, or even analysis that the TMI-2 failure sequence would not produce a catastrophy. Moreover, if the same accident were repeated, it is a real possibility that a core melt down and catastrophic explosion would occur. For example, the third pressurizer water level ga.uge. functioned for a month after- the other tiyo redundan~ ga~ges failed in the first day or two of the accident. The lucky operation of the third gauge allowed the main coolant pump to run for a month, and thus may have provided crucial cooling while the core heat decayed greatly.

Yet, *the third gauge could just as well have failed early in the accident, as the gauges_ were not designed for high radiation exposure or hydrogen explosions. Also, the core could have been older a~d, therefore, the fuel rods more brittle, when the accident occurred; meaning that the fuel rods would have more likely crumbled into an uncoolable pile of debris. Or, the fuel crumbling which evidently occurred, being a function of the haphazard variation in the regulation of the reactor pumps, relief valves, emergency coolant, etc., could, for all we know, have just as well happened in a way as to form uncoolable debris piles, ending in a fuel mel~down and explosive molten fuel/coolant interactions (steam explosions and zirconium steam reactions). (See this author's TMI Accident Analysis for these and other considerations.)

The fact is, there is no mechanistic theory capable of reliably 59

~

predicting the course of an accident, given the TMI~2 failure sequence. Furthermore, no experiments could be performed to develop and verify such a theory, as a great many full scale reactor destructive experiments would be needed, which, of course, is not practical or safe. And finally, no mathematical theory could be developed, due to the immense complexity of the reactor accident processes and their complex interactions and lack of basic data

Thus, if the NRC argues: that the TMI-2 accident was not a Class 9 accident by a no-core-melt argument oi a less-than-MHA argument, then they would be simply taking advantage of a lucky result that the accident. consequences were not a severe catastrophy, in order to make the public believe that core accident potentials are well enough understood and protected against, when in fact, the potential are unknown and indeterminable--the TMI~2 result being only a single piece of data of a single failure sequence, which is not even proven f?r repeatability.

On the other hand, th; NRC may concede that the TMI-2 accident was (is) a class 9 accident, but that its cause was a unique or isolated design error that can be corrected and that the accident does not at all cast doubt upon the official assurances that m~ltiple failure accidents--other Class 9 accidents--are incredible. Firstly, the TMI-2 core dete~ioration proces~ is not understood, so that one cannot conclude that the alleged corrective measures will significantly reduce the probability of a recurrence. Secondly, the measures would have to be tested 60

by causing a repeat of th~ accident in order to determine if the measures create other dangers, such as overpressure (such tests are, of course, not practical or safe), and by operating the reactors and gaining, experience, which forces the public to incur ill-defined risks, especially since a severe accident has already occurred. Finally, and most importantly, the TMI-2 accident sequence is only one out of an infinite number of possible accident failure sequences. It is the infinite number of accident possibilities--multiple failure sequences and spontaneous vessel rupture--that creates the high probability of ~ catastrophic accident occurring, not that any particular accident sequence has necessarily a high probability. Therefore, supposing that the ?robabili ty of a recurrence of the TMI-2 accide'nt sequence has be~n significantly reduced by revised operating requirements for reactors, tRe corrective measures would not significantly change the probability of catastrophic, multiple failure accidents~

which reactor experience to date, underscored by TMI~2 shows is h{gh~ The occurrences of multiple-failure accidents and near-accidents are occurring somewhat regularly in time (about four year intervals, until the Oyster Creek incident, which occu~red one month after TMI), and are having more and more severe conse-quences. This history is experience. It is experience which we must heed, for any claim of remote probability of Class 9 accidents is mere speculation and contradicts experience. In view of the extreme potential f6r harmful consequences of a 61

single Class 9 accident, the public cannot afford to take the risk and learn by further experience, whether reactors can be operated without catastrophic ac~idents.

In conclusion, the assurance of remote probability of Class

~accidents was mad~ nugatory by the Three Mile Island accident, and, therefore, the licensing board should undertake a serious and thorough review of the safety of nuclear power plants and spent fueL storage. As a bare minimum, the NRC should analyze each and every serious accident possibility for the potential consequences as best can be done, with allowances for scientific

. 1:

uncertainties, and publish the, analyses and results, to inform .

the public of the fµll extent of the risks to which they are being exposed by the operation of the reactors* and their spen~

fuel storage pools.

62

~l. -

r Av~il/ary Fe~dwafer sysfe r>1

Frct.Jw*e eJ1:-eq' l) va VJ/() 114 - {),K /tfe Fv el Pe //.e'~5

~/ 1 1"( o J.1/ 1.J ~

12 feet lvhe Page-64

1'art 50-J..iccn:iini: of Production and Utilization Facilities 674

~ The lollowi.nne.x to Appendix D is proposed.*. }'. 41*

.i.

ANNEX DISCUSSION OF ACClDEN"(.S IN APPLICANTS' ENVIRONMENTAL REPORT~: ASSUMPTIONS rn 7469J Thi~ Annex requirrs certain assumptions to be ma<lc in discussion of acC'idcnts in Environmental Reports submitted pun;uant to Appendix D by

- - - - .. 1 applic:ints for rnnstruction permits or operating licenses for nuclear power

rc:ictor 3. ~

Pustulatc1l :11.:d1.knt:; arc discussed in another context in applicants' safety analysi:; reports. TI1c principal line of defense is accident prevention through correct <lcsil{n, manufarturc, and operation, and a quality assurance prol{ram is used tn pro\'idc am! maintain the necessary high intq.~rity of the reactor system. Deviations that_ru; occur arc han<lled by protcc_fr~~c S}'.stems to place and l:~i_tl1~-P~~n_t i11 _~__s1fc .£Slt1<Jition. otw1thst;incflng nil tllls,--thc--c;c,i1scrva-ti\'1' posttihte 1s made that scriousaccirlcnts mig:ht ot*c11r,_in spite of the fact that tiH"y arc c:<trt*mdy unlil(Ciy, an<l cnginccrc<l safety features arc installed to rni.ti~;alc thc conse9uc11res o.f thcs~ unlikely postulated events.

In the ronsidt*ration nf the environmental risks associa t~tl with the pQst!!.-

l:i t t:ti a 1 *ri1~~fs.Jhc prolialiilitics of their occurrence and th~~£_ CO!l~~uenc~*s _

11ilistliillflhc taken intn acrt~unt. Since 1t is not prncfiCalilc tn consider all p1>sstlili!;ii.*-di"k11ls, the s1n*rtn1111 of accidents, ranging- in severity f rum trivial

to very snious, is divided into classes.

E;~l.~_1:l:ts'\ 1*an be rharac~cr~~~4_ Ly an occurrence ra~e and a s~~-::.of Clll!Sl'lf\:l'tll"CS. -- --- -

- - - - - - .. - * - * *4 Stanilardiz1*d 1*xampl1:s of dnsses of accidrnts to he ro11sidercd by appli-

\:lllls m*jlrt*pil1;ii1g- lfic-\1;-rtiori of Environmental Hcports dealing with acci-c11*11ts an* s1*1 1111t in tah11lar form 1>1*low. The spel'lrum of arrid<:nts, f rnm the

11111st tri\'ial 111 tlw 1110st snnc, is divided into nifa~ class1*s, sollle of which have snhd;1ss1*s.. Tho~ an:idcnls sl<itcd in each oC the cig-ht rlasses in Laliular form l>l'low :ire r12.P~~~*11tatiYe of the types of accidents that must he analyzr<l hy till* npp;irant i11 l*'.11Vlrn111111*11tal Hcports; however, other arritlcnt nssumplions m:l,\'.J.1.t'..Juurc ..suit;1lili:_fut_i11djvi1lunl C'ascs. \Vl1t*rc* assu111pl1n11s nre not spl'd~ /

lil'd, nr \\' hn\' Ihi *St' spl'r i linl arc 1kerncd u nsui tal1lc, ass um pt ious as realistic as the stall' 11f knmvktl~\' permits shall be usctl, taking into nccount the spl'i:ifa- desig-n and operational characteristics of the plant under consideration.

Fl>r t*arh class, e:<t'l'L~t Classes 1 nn<i 9, the ~jrt}n111ental conscquc11ccs sh:.11 Tit;-*c,;-afo:ifcd as ln<lirntl*d. Those clnsscs of accidents, other thnn Clnsscs

Th** i\ton11" En..ri:y C'ummls,111n ~RVI' notice 1 Prr\lmlnnry ~uldnncc ns to thr mntl'nt ot 111 ilu* l-'1*d1*rnl lk1:ls1t*r uf flr1*0*111l11*r l. l!l71 (:16 nppll1*11111~* fo:11vlrnnri11*11l11l ft,.11orl~ wn.~ 11r11vlll1*d F IL ~*~S.-11 l, lhnl II I,; <11n5ld,*1 Ill~ 1111' ulllllllnn 0

In 111<* lJrntL i\l*:c Gulde ln tho l'r1*1mratlnn ol u( " ,\11110*.>: lo App1*ndl.'t n.

l-~m*lronm1*11tnl Hi*ports for Nurll'rar Pnw1*r l'l1111ts 1 .-\ 1*1wn1ll'I! n to l'nrt ~ wn~ n*\ nk~'\I nn July dah*1l l*'1*h. l!l, 1!171, n do1*1111wnt nrn*lo~ nvnllnhlu

'"* 1~>i*I. <*rr, ..*1h-..* Aup111 1!!, 1!1~.1 t:l!> ~*. H. to the public ns well ns to the nppllc-nnt. Guld-

1.:.."";:l1. nn:I n*11l11N*1I hy !hi' tww Ill C'rR Pnrt 11111*1* rono~*rrilnK tho 1llsr11ssl1111 nr ll<'rhli*nts In

,1. Thi* n*,****ntt.111 or 1\11111*nlllx ll olhl nut nir1'\'l rnvlronm1*n!nl rt'llOrls wns pruvl*lt-tl lo a ppll-till* Slll(\ls ur thl' proposed Ann1*:1. 111 i\ppt*ndl" rnnls In tL St*pt. l, 19Tl, llnt*unient entitled 11 lo l'nrl ~,o whlt"h Is srlll umt.*r '"nsldl'rntlun S<'lllll' ot i\ppllrnnts' l*:nvlrunnwutnl Hi*porl!

1., 1111* ( "u111111l~slu11.-- t'l'l I.

wllh ltl'S('\'Cl to Trnnsportallon, 'l'rnnsmlsslun

'i\lth11u~:h this nmwx rd1*rs In nppllcnnts' I.lnl's . n111l ,\crl<lcnt.s," also mndc uvullnhlc to 1*11, lru11111<*11!11I !ll'pnrl.*. lh1* 1*11rr1*11t 11s~u11111t111111 lhc puhlk .

. \lul 11llh*r 11ru' l~luu5 llu*n,ot url* np1>ill'ublc, ex ..

1*1*pl ns lhl? onll~nl 1n;ry olhc*n\*lst* rC'qulre, to

,\ !*:\' iJrnfl 1111<1 llnal Ilo*tnll,*1! Slal*'llll'llls.

Nudc:ir H~gulation Reports !O CFR 50, App. D ~ 7469 Page 65

~'iff"!il~llfil~:~:~~i~i'.~~Hf~m:1~1tl~~H¥.filf.:~mmi~UUtl:ill~!hU:!UUtU!l!P.

.. : , .,. *~:-~.... . ... :\ m,i *~~: i.. : l:-: :.. * **...:.~~-~-,*.*-1'*~... '... J * -.~ .,. * * ~ I

-*.~--~.

' I

- ~~ ~---~ ;........~_..,... .....-::........:_______________________

J2 Rc:i;:ulatio11s-Nuclcar Regulatory Commission /j

/ f':b->-Anneo:c .ppeondix D is proposed. __ {l[a,u "2 - 21'

.-.*;,: :.1 9, fuurnl to have si~11iii(a11t a1\v-::~~1-vironmcnt;~l l'ffcl'ls 'di l>c _"'._yl- _

, !;:.i as to probauilitv, or fre\ ucn..: of occur *ru:e, to permit "<!sti.malcs to be

11;.,Jc of c11viro111111.*n1al ns

or cost arising from accidents of the ~ivcn class.

Class I en*11ls 111.Td 1101 lit* ronshlcre1l hl'tausc of their trivial co11sc-

u1*11c.:cs.

Class 8 ev~ts arc those considered in safct anal sis re orts and AEC ----

-! aff safcry~*aluatinns. 1: hey arc use , toge ter wit l 11g l y conservative

1ssumpt1on.s, a: :; the (ks1~n-lia~is 1.*vents to establish the {icrformance require-11\1*111s of l'n~inccn*<r sa .:ty katun:s. The highly conservative assumptions *ti.

1ml calculations usc1l in AEC safety evaluations are not suitable for environ*

e

,,,1*111;-il* risk t*valiiation, li\'r:111:--1* 1l11*ir use w011hl rC'sult in a substantial ovcr-t*:;ti111ate 0£ the environmental risk. For this reason, Class 8 events shall 1..

1*,*al~1at~*1\ -~l*~listi~~l!."'..* C'1111st*qucnccs predicted in thlS"Way\v.ill li-c far i.-..~ -.s'\'t't_c than tlwsc g1Vc11 fur the same events in safety analysis reports

,.:T.l*r..: more cullscr\'a ti ve cva lua t ions arc used.

Tli<' o.-rurn'llt*cs in Cla~s <) involve sequences of postulated s~~sive

.* ii u r~.s_ 1111*1 L* SL'\'cn: l ha11 those puslulatctl for the design basis for protcc ti vc

-:-::t,:n1s ;ind t*n~1nc1*n*rl saf1*ty katun:s. Their con~t'..!1~ll't'l'S~~>11l~Tl?~cr~.

i .. wevcr. the \!fllbt1liilitv of ** is so sma nnat U1e1r environ-*

,,,, nt:-il rlSK IS ex rcn1c a ow. Defense in depth (multiple phys1ca >arncrs '

1l:LT1ty assurance !or t es1g*n, manufacture, and operation, CQntinoe<l s_.r-

' ,*illa1l\'c a!ld tl'sting-, and 1*u11ss*rvativc desi~n nre nil nppli<-d to provide and 1n;,intain t11c required high 1legrcc of assurance that potential accidents in 1 liis class arc, and will remain, sufliciently rcmo.u;Jn probnhi!i!Y that the en*

-: 1.in mcu t:il risk i~; ext n*mcl v low. For tliC'SC" reasons, 1t 1s not necessary

* .t iscuss sud1 events i 11 appl i~*:111 Is' Environmental Reports. A Further11111n', it is n1it n1.*cessary to take into account those Class 8 acci- )~

.i.-111s for which tho.! applkaut l*a11 demonstrate that the prol1aliility ha!i lieen lu<l'll ;111d thnt'liy tlw t*ak11l:111*d risk to the t*nvirnnnH'nt madt* cq11ivak11t

. th:1t whirh might Iii.' hypolhcsiz\'ll for a Class 9 event.

\pplira11ts*111ay sul>stilult' 11tln*r :1t:cidcnt dass lin*akdowns a11d altt*rnative il11c:-- 11i 1*;11li11acti\'c m:itnial rt'kases ancl analytical assumptions, if such 1 *:--lituliu11 is justitil*d i11 the l*:11viro11111cntal l{eport. /

I1.

I I

I

\l Page 66

Part SO-Licensing of Production and Utilizati.on Facilities 8743

~ Annu ta Appc:ndiJC D is proposed.

AC,AENT ASSUMPTIONS TJll'LE OF CONTENTS A ccid,*11t 1.0 Tri\'ial incidents.

2.0 Small rclcaSl'S outsidl* containment.

j_() l{;i:fwa:;k syslcm failures.

3.1 Equipment lcak*q.~1* or malfunction.

J.2 Hckasc of waste g-as storilgc tank contents.

u l~1*lc;1s1* 1>i liquid waste storage tank contents.

-t.0 Fis!-iiu1i pro:! 11rts to primary system ( 13 WR).

U Fud dad1Jing- clcfcl*ts. F.

I

.J.2 OlT-dL"sign transirnts that induce fuel failures above those expectecl. I*

5.0 Fi~~*i,m products to primary and secondary systems (P\VR).

5.1 Fu1'I cladding- clcfrcts and steam generator leaks.

5.2 Off-1ll*sig-n transients that induce fuel failure above those expected and steam i;cnerator leak.

5.3 Steam gcncrator tul..ic rupture.

6.0 H.dueling accidl.'nts.

G.l Fud bundle drop.

ti.2 l:kayy objl'ct drop onto fuel in core.

i'.O Spt*nt fuel h:1n<lli11g- accident.

7. I Fut* I :-isscml.ily drop in fuel storage pool.

7.2 l kavy object drop onto fuel rack.

7.3 Fu1*I c1sk drup.

~.O :\rri1knt initiation cnnts considered Ill Jcsign l.iasis evaluation tn the s:ifrly analysis rqiort.

~. l Loss-of-coolant accidents.

~.l(a) Hrl'ak in instrumt*nt line from primary system that penetrates the containment.

K2(a) II J{ud cjcdiu11 at*ri1k11t (P\VR). I I.

X.2 ( h) l~Pd drop :ll'rid1*11t (H\VH).

8.3(a) Stcamlinc lircaks (l'\VRs outside containment).

K.l(li) ~ll'a111li11~~ l>rt*ak:; ( l\\VR).

ACCIDENT ASSUMPTIONS ACCIDENT-LO TRIVIAL INCIDENTS Tlll'~;l* i11riilrnt~ shall lil* i11cludc1L aml evaluated under routine releases 111 accurdani.:c wilh prupus1.*d :\l'J>l'tlllix !.'

ACCIDENT-2.0 SMALL RELEASE OUTSIDE CONTAINMENT Tlwse rckast*s shall inrludc such things as releases through steamline n*lid valves and small spills and leaks of radioactive materials outside con-tai11111ent. Th1.*sc rekast*s shall be included an1l evaluated under routine releases in aci.:ordancc with proposed Appendix I.

36 F. R. 11113. Junes. 1971.

Nuclear Rcgul11tion Reports 10 Cl"R 50. App. D ~ 7469 Page 67

Part SG-Lkcnsing of Production and Utilization Facilities 8747 7.3 Fut'/ casl.* drof'.

7;r->- A . to A.pp~ndiJt D i$ propos~d.

(a) Noble g-:is g-ap activity from one fully l~a~cd fuel cask (120 day

.:ooling) shall l>c ass1111wd to be released. ~ap act1v1ty shall be 1 percent of tulal activity in the pins).

( h) l\fetcoroloi:ry :i.ssumptions-x/Q values shall be 1/10 of those given in AEC Safety Guide No. 3 or4.

(c) Consequences should be ail~ulatet.l. bY'. weighti~g t~e effects in differ-ent tlin:ctiuns by the*frrqrn:11ry the wmd blows in each d1rect1011 *.

AC\.'IDE:-f'r-s.o' llCCIUl:"T IHITIATIOl'f ICVICNTS CON8ID1Ca1C1> IN DESIGN DABl8 EVALUATIU<'I IN Tin:

SAFETY ANALYSIS KEPORT II.I Loo1-o/-cClO/anC acd1knts.

Small pipe break (6~' or lea~) Large pipe break (a) Source term-Tho BVerage radloaetlvltf (a) Source torm-The avornge rndlo11ct1vlty 1nvr11Lory In the primary coolnnt *hall be Inventory In the* primary coolnnt sh11ll be asimmed ('I111s Inventory sh&ll be ba.aed A811Umed (Thia lnvcntory.ehnll be ba.~ on 011 opor11t1011 will\ 0.6 pcn*ouL !Ailed fuel). operation with O.tl percent !alled tucl) ,

plus release Into the eool,nt or:*

For prcuurtzed water reactor.s-2 pe1*ccnt of the core Inventory.or halogens*and noble KM!l'll,

For IJ011t11g water reactor,,.__O,~ percent ot the core* lnvent.ory oC hBlogen& and noble KM<'tt.

l ll) >'liter l'mt'l1mclcs 1lmll be U5 percent tor (b) Jl'tltor emctencles ahall bo. 05 percent. tor*

lnlc1*1110J t\tlers and. 00 perccmL. for .utortl&I lnternlll filters and 09 percent Cor externnl Ill W-ra, ftlters. *

(c) liO p1>rce11t. bulldlnc mixing: fur* bolling (o) 60 porcent building mixing tor bolling water reactun l'hnll be a&S\llll<'tl. water reactors ahatl be ll8311med, (d) f'or the rtrt>cta of Plateout, Sprays, De* (d) For the elTects oC Plntcout, Contolnment

<'ontamtnallo11 Fl\('tor In Pool, and Core Sprays; Core Spray1 (vlllues* based* on 0.5 Sprnys the.tull .. wtng reduction 11\ctors 11hall percent. ot halogens In organic torm) the*

be assumed:

following rt'ductton rnctors ahBll be M-aumed:

Fnf 7iri:n11rf:rd u*attr rrartori-0.0,., with For preuurl;:rd ll'atl'r r~artorJ-0,0~ with

'hl'll\ll'Rl nddlllves Ill 1.prnys, o.~ Cur 110 chemlcnl additives In eprnys, 0.2 tor nu cl\emlc11t addlllves; chemlcnt additives.

Fo* bolling. waf1*r reactor.!-0.1. For boWng water reactor.s-0.2.

(e) A rt*nllsllc b11ll1t111g lt'ok ra.te 118 a tune*

\ t1on ot l lm1>* 8hall be as>1umro:

(e) A* realbtle building le11k r11Lo o.s a func-tion. ot thne and Including de:itgn leakage*

ot stenmllne valves 111 DWRll sholl bo assumed.

(fl Alelt"nrolngy AM11mpl1011,,--~/Q valUOI* (l) Meteorology AMumptlons-x/Q vo.Jues shall he 1/10 ot those ghen In AEC Slllety aha.II be I/ 10 ol thO>Se given In AEC Safety Oulrle No. 3 or 4. 011lde No. 3 or i, (g) C:o11r.11'1uencr5 &hould* be <'nlculated by (g) Conooquencca should be c11JculBtcd by w"lghttng U11> "!Teets In ditT1*rent directions Wl."lghllng the etTects In dttTerent direc-by the frl'qurncy lhe wind bh>ws In each dire<' Lion. tions by the frequency the wind blow11 In each direction.

~.I (a) lln*ak in i11sln1111c11t /i11i: from primciry system that penetrates the r1mta11w1c11t (lines not pro,*idc1l with isolation capability insi<lc contamment).

(a) Tl11: primary cr11ilant invcnlory of nuule gases an<l halogens shall be

!1:1:-;l'd 011 "l1n;1tio11 with (l.5 pl*rcent failc<l fuel.

Nuclear Regulation Rqiorts 10 era so, .H.pp. D 11 7469 Page 68

11 )o-Anae.r to6'endiz D is proposed.

11:

<Ii) Release rate thruug-h fail~line shall be assumcu constant for i1<;ur duration of tile. accident.

(c) Charcoal tilter efficiency shall be 99 percent..,

tl'e**;i*

~.

(cl) Retluction factor from combined plateout and buil<ling- mixing

.. di !it* 0.1.

( c) l\1ctcorolngy :issumptions-.r/Q values shall be 1/10 of those given

\EC Safety Guide No. J.

( f) Cons1.*qm*m*l*s shall lie \akulatcd by weighting the effects in <li!Tercnt

? vrt ions by the frequem*y the wini.l blows in each <lircction.

8.2(a) R1.'d 1*ji:l"tiv" m:cii./i:11t ( prcssuri:ed water reactor).

(a) 0.2 1wrrrnt of the c1m* inventory of noble g-ases and halog-ens shall

...~,;umetl to be rekasc<l into the primary coolant plus the average inventory

, tli. primary rnobnt basctl 011 011cration with O.S percent failed fuel.

, !') L.1ss-of-r11nl:rn t accidcll t Pc curs with break size cciuivalent to diameter

' ,,,,:housing- (Sec assumptions fur Acci<lcnt 8.1).

..!(Ii) J\ocl drot ucc

i1fr11t (boiling watL*r reactor).

f1'i1;.lioacti111* 11wtc*ri11l rcfrascd.

(a) 0.025 percent of the core inventory of noble gases and 0.025 percent t In: ..:urc inventory of halogens shall be assumed to be released into the

. *bllt.

( 11) 1 pcn:cnt of the halog-1:ns in the reactor coob.11.t shall .be assumc<l to 1 l'kased into the condenser.

( r) ThL* mechanical \"acuum pump shall be assumed to be automatically L *\

.l,,1nl by high radiali11n signal nn the stcamline. ~

1d) Radio:1ctivity shall he assumed to carry over to the condenser where

""r"l'llt of the h:du~l*ns shall !Jc assumed to be avail;:iblc for leakage from

' , "n' knscr to the l'm*ironmcnt at O.S percent/day for the course of the 1ii:11t {2*t hours) ..

, l'.l l\frt<"orolug-y assumptiolls-.r/Q values shall be 1/10 of those given in

l. ~:ifl'ly G1~ide No. 3.

f) CunSl'IJUCnces should lie r:ilculatc1l by wcig-hling the c!Teds in <lif-

n: din*l'liuns hy the frequency t~1c wind blows in c:ich direction.

11 J t*) Suamllrw: llretikJ (pre13url:1*d waler rtactor1-0ut3tdc containment).

l!r1*a.;; size rc1i.ol Co ar~a o/ lG/dy t*ul11e Chroat.

Small brt"ak Large break nl PrlmATY co.111\nt &ethtty shall l>e blU>tl<1 (a) Pnmary coollmt l\Ctlvlty ohn.11 be bMe<J

"" 01111n1Uon wllh on l'errrnt fn.11<"<1 r""'* on opemtlon with 0.0 percent failed fuel.

lie primary eystrm conlrlbullu11 durlug The primary system contribution during I ilt" C(lllfSO ur U10 l\C('\ckut *hall lie lm~d the course oC the n.cclclent llhn.11 be hciucd

"'I " JO i:ILl.1111\)' tulin l1!11k. on o. :10 gaJ./dn.y tubo lel\k.

11; 011r111ic lh11 ruur'" <*C the n.cc*\1lr.ut o. (b) A hnlogr.11 reduction factor oC O.li Khn.II I .i1lul(rll rt'<lll*!th*n rn..:tor of 0.1 *lmll ho be l\pplled to the prlmnry coolant source "Pl'll~ tu the pr\ml\ry cool1u1t soun*c whe11 during the courne or the o.cclrlcnt.

t11r ete11m ,.::cn11rl\lur tubes a.re covered: a lncLOr o! O.li shnll be Ulitod when the tubes nre uncoverN.

.-) Seeond<Lr}' cooltrnt aptem radloncllvlty (c) Se<: ondnry coolnnt *r*tem rnlllonr.tlvlty 1*rlor to th\l 11-~c\dent shall be b11.st"d on: prior to the nccltlnnt uhnll \Jo l1n.,C<1 011:

(a) :JO gu.l\0110 per dl\)' prlmnry-to- (a) :10 gnllons pc~ dny prlmnry-to-

~ondo.ry lcmk. aecondnry lci\k.

\ b) Dlowdowo oC IO g.p.m. (b) Dlowdown of 10 g.p.m.

,469 10 CFR 50, llpp. D <D 1975, Commerco Clearing House, Inc. I

~~,~~~~.~~~

.- ~ili~M~H;Hi~~1~fo~~1ijil~FU:~if.'i:~~

.::::rm.H~b~;1...~t...~~-~~;~-.~....*:::}t:t~~i!ii'f'~~~~'1'll!Jii1~HfifF!'!':t,~1";1;'illlifi;f;l{f,~~~~ll~JfJ:;L~i!~:t~

Page 69

REFERENCES

1. See the *author's forthc.oming report on the Three* Mile Is land Accident, which discusses the theory of cooling a bed of fuel particles.

2. Batelle report, "Core Meltdown Evaluation,"

BMI-1910, Appendix C.

3. Id.

4. Id. See also Battelle letter td Mr: Mark Cunningham, NRC from R. S. Denning, May- 22, 1979, forwarding "MARCH/CORRAL Analyses of Hypothetical Meltdown Scenarios* for Contingency Planning (for Three Mile Island)."

5. NRC memo Preliminary Estimates of Radioactivity R~leases from. Three Mile island," L. H. Barrett, April 12, 1979.

NRC memo- from L .* Barrett to D. Bunch, May 11, 1979: "Board Notification--TMI Release."

6.. B & W Safety Analysis Report, B-SAR-205, p~ 15.1.8-1. The same applies to TMI-2; See NUREG-0560 (See Ref. 8 below),

Appendix T.

7. Ibid;, p. 15.1.33-1,2.

8. Sources for brief description of TMI-2 accident:

a. NUREG-0-55T, "Evaluation of Long Term Post-Accident Core Cooling of Three Mile Island Unit 2, April/May 1974.

b. NUREG-0560, "Generic Asse.ssment of Feedwater Transients in PWR' s designed by B & W," May 1979. *

c. PNO's issued by NRC on TMI.

d. Personal discussion with NRC officials including a meeting with Roger Mattson and Carl Berlinger on

Apri 1 26, 1976.

9 .. NUREG-0557, p. A-12.

Page 70

10. 10 CFR 50.46 ..

11. NUREG-0557, p. A-44*.

12. Ref. 2 above.

13. See Appendix of NUREG-0557 on "Core Damage Assessment."

14. See "Accident 8.1 Loss-Of-Coolant," "Large Pipe Break,"

"Source Term" of the Annex's "Standardized Examples" of "Accident Assumptions." .

15. Salem Spent Fuel Storage Hearings, J.uly 11, 1979.

16. NUREG-0557.

17. Id.

18. See Ref .. 6 and 7 above.

19~ NUREG-0560, p *. 1-7~ Also, NRC testimony in Salem he~ring~,

"July 11, 1979*.

20. NUREG-0557, Appendix B.

21.. Meeting with .Roger Mattson and Carl Berlinger of NRC, April 26, 1979.

22

See Ref. 5 *

23. Id.

24. Id.

Page 71

ML18079B046

Text

Navigation menu

Search