ML19207A597
| ML19207A597 | |
|---|---|
| Site: | Crane |
| Issue date: | 04/09/1973 |
| From: | Denning R, Miller N, Plummer A; Battelle Memorial Institute, Columbus Laboratories |
| Shared Package: | ML19207A596 |
| References: | NUDOCS 7908210193 |
BMI-X-647
REPORT on MONITORING POSTACCIDENT CONDITIONS IN POWER REACTORS to U. S. ATOMIC ENERGY COMMISSION, April 9, 1973, by R. S. Denning, N. E. Miller, and A. M. Plummer
BATTELLE Columbus Laboratories, 505 King Avenue, Columbus, Ohio 43201
TABLE OF CONTENTS
I. INTRODUCTION
II. INFORMATION NEEDS FOR ACCIDENT SURVEILLANCE
A. Protective Responsibilities of the Operator
B. Accident Surveillance
C. Accident Spectrum
D. Plant Stabilization
E. Operator Limitations
III. GUIDELINES FOR THE DEVELOPMENT OF ACCIDENT MONITORING SYSTEMS
A. System Development
B. Flow Diagrams for Accident Sequences
C. Principal Variables for Accident Monitoring Systems
D. Instrumentation Requirements and Qualification
E. Display Requirements
F. Use of the Computer
References
APPENDIX A: POSTULATED ABNORMAL OPERATIONAL TRANSIENTS AND ACCIDENTS IN POWER REACTORS
APPENDIX B: IMPORTANT PLANT SYSTEMS
APPENDIX C: SAFETY RELATED INCIDENTS IN LIGHT-WATER POWER REACTORS
REPORT on MONITORING POSTACCIDENT CONDITIONS IN POWER REACTORS to U. S. ATOMIC ENERGY COMMISSION from BATTELLE Columbus Laboratories by R. S. Denning, N. E. Miller, and A. M. Plummer, April 9, 1973
I. INTRODUCTION
The objective of this report is to aid in the development of a basis for designing the instrument systems in light-water power reactors that provide information to the operator during the course of an accident. Although it is not current practice to group this instrumentation under a single system, in this report this instrumentation will be referred to as the accident monitoring system.
The investigation of accident monitoring requirements which was performed at Battelle's Columbus Laboratories was divided into two phases. In the first phase of the study postulated accidents were reviewed and the information needs of the operator for accident surveillance were determined. The primary references used were safety analysis reports of a number of nuclear power plants. An approach to the design of accident monitoring systems was also developed. The results of the Phase I study were submitted to the Directorate of Regulatory Standards as the initial draft of this report.
The Phase II investigations were centered around discussions with personnel from reactor vendors and utilities. Each of the light-water-reactor vendors was visited. A trip was also made to a utility to gain their viewpoint. At each location roundtable discussions were held with half-a-dozen to a dozen participants from a variety of specializations. We also had an opportunity to visit two power plant control room simulators.
The purpose of the discussions was to obtain the opinions of the participants as to the proper role of the operator in controlling accidents, the information required by the operator in performing this function, the value of the computer as an aid in monitoring accidents, and the appropriate design criteria for accident monitoring instrumentation. The results of these discussions and discussions with representatives of DRS were factored into the final report.
As used in this report a monitor is an electrical piece of equipment consisting of a sensor, leads, a power supply, and an indicator that provides the operator with an indication of the value of a variable. The accident monitoring system is the set of monitors that is used by the operator to monitor key variables in the critical period after the initiation of the accident until the plant is returned to a stabilized condition. In this report both boiling water reactors (BWR) and pressurized water reactors (PWR) of current design for the generation of electrical power are considered. Although design variations between the different generations of plants of a single vendor and design differences between each of the vendors would affect the design of an accident monitoring system, for the purposes of this report it was adequate to treat the two basic types of light water reactors generically. In general, therefore, discussions of important plant systems and accident sequences will be referred to as representative of a BWR or PWR despite the variations that may exist between plants or vendors.
Chapter II of this report describes the information needs of the operator in monitoring accidents. Much of this chapter is directed at understanding philosophical questions about the function of the operator in the control of accidents.
In our conversations with people from different disciplines in the nuclear community we found divergent opinions of the role of the operator. Although assignment of the proper role of the operator is outside the charter of our program, the quantity and quality of instrumentation required by the operator in monitoring accidents is a direct function of the extent of his responsibility in accident control. Different conclusions about the function of the operator would lead to different guidelines for the design of accident monitoring systems than the ones we suggest. In this chapter we discuss the information requirements of the operator for tracking accidents and how instrument signals can be correlated with accident events. The ability of the operator to determine if accidents are departing from a predicted sequence and to identify the need for extraordinary action are also considered.
In Chapter III a systematic approach to the design of accident monitoring systems is described. Because of design differences, it is necessary to develop a system for monitoring accidents for each plant. The approach is based upon the selection of a limited set of principal plant variables which provide essential information to the operator. The instruments that monitor these principal plant variables form the accident monitoring system and are the focus of attention of the operator in an accident. Appropriate criteria for the design of the instrumentation of the accident monitoring system are discussed which would be more stringent than the criteria for operational monitors. Suggestions are made with regards to control room layout and indicator design. Finally, the use of computer assistance in accident monitoring is discussed.
In Appendix A of this report various accidents are considered for which the accident monitoring system would be designed. The accidents range in severity from minor incidents that are expected to occur in the lifetime of a reactor to the more serious low-probability accidents. The sequence of events that would occur in each accident is described in order to identify the variables that characterize the accident and to establish which safety features or operator actions are required in order to control the accident and to stabilize the system.
Appendix B provides a brief description of important plant systems. The reactor shutdown system and the engineered safety features are clearly important to the safety of the plant. The safety implications of a number of other systems may not be as obvious but the need for their performance can be just as great. The operation of many of these systems must be monitored during an accident.
Appendix C to this report contains a description of a few of the abnormal events which have occurred in light-water power reactors. The nature of the events, the consequences which resulted, and the actions taken by the operator are described.
II. INFORMATION NEEDS FOR ACCIDENT SURVEILLANCE
A. Protective Responsibilities of the Operator
The amount and quality of the information that must be provided to an operator during the course of an accident depends to a great extent on the degree of protective responsibility that is placed in him. It is well recognized that during the first few minutes of an accident the operator is incapable of responding to control the transient. For this reason the engineered safety features are designed to perform completely automatically during the initial stages of the accident. After the initial period, however, positive actions may be required of the operator to bring the plant to a stabilized condition.
Because of his ingenuity the operator has the capacity to protect the public in the event of unanticipated occurrences or combinations of events for which automatic features have not been designed. In contrast, the operator can also be the weak link in the system. Operator error can not only be the cause of some accidents but also during the course of an accident an operator could act improperly. Either as the result of poor information, misinterpretation of accident events, or lack of understanding of the system, the operator may interfere with a protective function or perform an action that otherwise jeopardizes the system. Because of his potential to be either the hero or the villain, there are diverse opinions as to the proper role for the operator during the course of an accident.
At the one extreme it is felt that the operator should act only as a monitor of the performance of automatic safety features. Competent engineers have spent many years designing systems that can best cope with an accident. It is considered unlikely that an operator with his limited knowledge would choose a better alternative course of action than provided by design. The only responsibility of the operator during an accident would be to monitor the operation of the engineered safety features. If a component of the system failed to operate upon demand, the operator would take action to start the component or switch to a redundant component.
Clearly under this philosophy it would not be necessary to provide a great deal of instrumentation for the operator. He would have to be informed when a safety system was not operating properly. He might also require information on some plant variables to know when a safety actuation signal should have occurred and when a safety system should be operating. Consistent with this philosophy, the operator would be discouraged from acting in an accident and might actually be prohibited from taking certain actions as, for example, interrupting the performance of a safety feature or locking out a component.
It has even been suggested to us that it might be safer to intentionally limit the information to the operator in order to avoid tempting him to take a unique course of action. This premise cannot be seriously considered. Kh e _o_qi-g w%s poses the diseM;hlt. eat.to 9 -- EW meem nea
At the other extreme, the operator is considered to be the principal means of protection. He would be given complete flexibility to control the accident in such a manner as to minimize plant damage and economic loss as well as protect the public. The operator would even be relied upon to perform actions that are essential to the operation of engineered safety features. For example in some PWR's the operator must realign the suction of the emergency core cooling system to the containment sump during the course of a LOCA. With this type of operator philosophy, the requirements for accident monitoring instrumentation are more extensive.
If the operator is expected or required to act in an emergency, he must be well informed.
It is to be expected that the reactor vendors who have designed the automatic protective systems for the plants tend in philosophy toward relying more on the automatic systems and less on the operator. In contrast the utilities might be expected to have a somewhat different view.
It is necessary to differentiate at this point between public protection and plant protection. From the standpoint of the public, activation of the safety systems always appears to lead to a safer system, e.g., shutting the reactor down, cooling it, or isolating it. From the standpoint of plant protection or plant economics, activation of a safety function is often not desirable. For example in a BWR, injection of borated water into the reactor or actuation of the containment spray system leads to a safer condition for the public but involves expense to the utility. Since the operator can prevent damage to expensive equipment, avoid expensive cleanup situations, or merely keep the power plant on-line, the utilities prefer to allow the operator broad flexibility in his actions. A utility also loses faith in automatic safety features because these systems can frequently interfere with the utility's attempt to keep the plant operating.
It is our opinion that regardless of whether an operator is required or expected to perform safety functions in an accident, it must be assumed that he will act in an emergency situation.
Accident experiences as illustrated in Appendix C demonstrate that in the past operators have significantly affected the course of accidents. It is therefore necessary that the operator be provided with adequate, reliable information.
B. Accident Surveillance
Accident Tracking. The operator can follow the transient behavior of important plant variables during the course of an accident by observing the operational indicators that are available to him. _The cuantity zad cualit~ of fata-neel-Fe sc d'=a infor=ation provided to h4 ==~nk14ekan his abit4*v - a avalusta tha ranneroin,, whig:t.Jhe to determine,the.,**=~"= of saf.ptL.s"=*- = 'nd - n plant is resconding to sa'a~~ "--e There are differences of opinion with regards to the degree of detail with which an operator must be able to follow the course of an accident. It has been suggested to us by reactor designers that once seven critical plant conditions (reactor shutdown, core cooling, containment cooling, fission product isolation, containment pressure control, primary pressure control, and a heat transfer path to a heat sink) have been established, protection of the public has been assured. Following this line of reasoning, it is not necessary to provide the operator with special grade instrumentation for the purpose of tracking the course of an accident. It is only necessary to provide protective grade monitoring instrumentation to assure that these seven conditions have been established. Any other actions taken by the operator in securing the plant should be considered in the category of operational functions rather than protective functions.
In the opposing viewpoint, it is felt that protection of the public is more complex. Many of the plant systems (see Appendix B) are directly or indirectly related to safety. In order to be able to assure that the seven critical conditions will not degenerate through unexpected channels or as the result of operator error, the operator must have a complete understanding of the nature of the accident and the status of the plant. If this philosophy were carried to the extreme, all of the operational monitoring equipment in the plant would have to be designed to the criteria of protective systems.
A decision to upgrade the design criteria from that of operational instrumentation to protective instrumentation for most of the monitoring equipment in the control room would be resisted by the reactor vendors and utilities on economic grounds. Of more significance, however, is the question of whether or not widely increasing the amount of instrumentation available to the operator or upgrading the design criteria of instrumentation will enhance the safety of the system. Later in this chapter we discuss some of the limitations of the operator in receiving and interpreting information. It is our opinion that the operator can be confronted with too many indicators and that the emphasis should be placed on supplying him with important and reliable information. Unless monitoring instrumentation can be of some value to the operator in determining a course of action, its presence can not be justified.
Expected Actions. There are two types of actions that the operator may perform: expected actions and extraordinary actions. An example of an expected action occurs in the PWR steam-generator tube rupture accident in which the operator is expected to isolate the affected steam generator. In this case it is very important that the operator be able to properly diagnose the accident from available monitoring instrumentation. Three major PWR accidents appear very similar in the early stages of the accident. A steam-generator tube rupture, a primary pipe break, and a steamline break are characterized by falling pressurizer pressure and level. The operator can differentiate between the three accidents by observing behavior of the steam-generator pressure, containment pressure, containment radiation monitors, containment sump level, and condenser air ejector radiation monitor. If the pressure drops in one of the steam generators, a break has occurred in the secondary system. Increases in containment pressure, radiation level, and sump water level indicate a primary loss-of-coolant accident. Increase in the radiation level at the air ejector monitor of the condenser indicates a steam-generator tube rupture. The monitors of the plant variables that are used by the operator to recognize that an expected action must be taken should be designed to special criteria because of the requirement for operator action.
Extraordinary Actions. The ability to choose alternative or extraordinary measures in dealing with an accident depends upon the quality of information provided by the accident monitoring system and upon the inherent flexibility of the engineered safety features to permit alternative action. The operator is the plant's final defense against unanticipated conditions and his actions en wave,e disastrous consequences. There is a broad spectrum of actions which may be considered extraordinary. One may speculate that with a given set of conditions an operator might conceive a novel approach to controlling abnormal plant conditions such as cooling the containment by spraying the exterior walls with a fire hose. Unfortunately the actions of the operator can make the situation worse. It is our opinion that novel or improvised actions by the operator should be discouraged if not prohibited. Extraordinary actions should be limited to those for which procedures have been established. An example of a more common extraordinary action is the manual starting of a pump which has failed to operate automatically. A more unusual extraordinary action would be the manual operation of valves to supply service water to the emergency cooling pumps when primary water is being lost from the containment and cannot be recirculated.
To be able to identify the need for extraordinary action, the operator not only must be able to follow the transient behavior of the plant variables and recognize the nature of the accident, he must also be capable of evaluating the performance of the automatic safety features in controlling the accident. A determination of whether or not the safety features are operating can easily be made from valve positions, flows in lines, amperages, etc. Establishing that the safety features are performing their design functions is much more difficult, however.
Abiliev to der
'-a ~ 9
-k a ~ 'daneJ t ar ha hgg ra-a-N -^-- cLlad e 4 -k er reeuire s_kaM dge.cf hov._:;heav:Lt c:Lw a t._intard: J... ape-> *_
aam-r-en--
th a t _ia dj.qn gJ g gragaz_.c on d i_t io n s.
Comparison with Predicted Sequences. Because of the spectrum of accident conditions that can occur, it is not possible to provide the operator with a quantitative prediction of an accident against which to compare actual accident response. For example, a predicted plot of upper plenum temperature as a function of time for a primary pipe rupture in a PWR would not be of much value to an operator as a reference against which to judge the performance of his emergency core cooling system. He would not know the size of break or precise location of the break in his plant. He might have already taken actions to change the course of the accident from the predicted transient. Even if a wide variety of accident analyses were performed, it would not be possible to present the information to the operator in a format that he could employ in the time scale of the accident. The value in performing quantitative accident analyses is in the design of the accident monitoring systems as described in Chapter 3.
The qualitative behavior of plant variables is important to the operator, however, as a means of accident recognition. In his training period the operator is taught the characteristic behavior of different types of accidents.
Usually the actions of the operator are a direct response to an instantaneous abnormal condition and do not require an understanding of the cause of the abnormality. For example, if the pressurizer level in a PWR is low, the operator responds by activating a charging pump without having to establish a cause for low pressurizer level. In some cases, however, as in the steam-generator tube rupture accident described earlier, it is essential that the operator be able to identify the nature of the accident and differentiate it from other accidents. In general the operator is better able to cope with an accident and less likely to make errors in controlling the accident the more complete his understanding of the accident.
Correlation of Instrument Signals with Accident Events. Although we do not feel that it is practical to attempt to quantitatively compare actual accident behavior with predicted sequences during the course of the accident, it is possible to recognize when plant variables exceed their predicted ranges. It is also possible for the operator to recognize that the system is degrading by correlating instrument signals with accident events. Ultimately, maintenance of containment relies on ability to cool the fuel elements. In turn cooling the fuel depends upon maintaining core geometry, providing an adequate supply of water to the fuel and dumping the energy generated to a heat sink. During a loss-of-coolant accident or other accident that through a combination of circumstances leads to uncovering of the core, the geometry of the core can be threatened. If the core remains uncovered for a sufficient period of time the fuel elements will heat up, passing through stages of cladding distortion, cladding failure, cladding melting, and major redistribution of molten fuel within the primary system. There is no instrumentation presently available by which direct in-core measurements can be made of fuel and cladding conditions of this nature during an accident. However, it may be possible to infer the state of the core indirectly. The release of large quantities of fission products from the core is an indication of the on-set of significant fuel failure. Hydrogen generated in the zirconium-water reaction signals high cladding temperatures. In order to be able to correlate instrument readings with accident conditions it would be necessary to perform a spectrum of analytical studies.
Although it would be possible to measure plant variables that indicate degraded core conditions, it is our opinion that the advantages of the instrumentation provided for this purpose would be outweighed by the disadvantages. Unless the operator can make use of this information to determine a course of action the instrumentation is of little value. We feel that there is probably very little that an operator could do in a situation of this type other than attempting to make an engineered safety feature operable that is for some reason not working. We reiterate that operators should be discouraged from taking extraordinary actions that are not included in written emergency procedures for a plant.
C. Accident Spectrum
The potential spectrum of accidents that can occur in a nuclear power plant is quite broad. Minor incidents and operational transients can be expected to occur during the lifetime of the plant which may be costly to the owners but which have little effect on the public. Less likely events may involve the release of radioactivity or require the actuation of engineered safety features to protect the public. A number of accidents that are considered in the safety analysis reports for PWR's and BWR's are described in Appendix A.
There are a number of methods of categorizing these accidents according to the mode or severity of accident. In the "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants"(5) prepared by the Regulatory Staff three classes of accident are recognized.
Class 1 - Events Leading to No Radioactive Release at Exclusion Radius
Class 2 - Events Leading to Small to Moderate Radioactive Releases at Exclusion Radius
Class 3 - Design Basis Accidents.
Class 3 events in this categorization clearly threaten the safety of the public and must be considered in the design of an accident monitoring system.
The implication to public safety of Class 2 and Class 1 events is less clear. As analyzed in safety analysis reports, the consequences of these incidents are quite limited. Some Class 1 incidents are probably more appropriately referred to as operational transients rather than accidents. What classes of accidents must be considered in the design of accident monitoring systems? Below what level can an incident be considered to have a negligible effect on the public safety?
In this respect we would suggest a very conservative approach.
In the design of an accident monitoring system the entire spectrum of accidents up to and including design basis accidents should be considered. Although the Class 1 and Class 2 accidents, as analyzed, do not have significant consequences, accidents act differently in reality than they do in theory. Although the single-failure criterion may be an excellent design concept, in actual accidents multiple failures, related and unrelated, can occur. The potential for minor events to propagate into more serious accidents through unanticipated channels increases the operator's burden of responsibility for the public safety as well as for plant protection.
At the other end of the accident spectrum is the question of whether or not to provide monitoring instrumentation to cover accidents that extend beyond Class 3 events into degraded conditions. As discussed earlier, we feel that monitors specifically designed to signal degraded conditions are not warranted because of the limited value of the information to the operator in determining an appropriate course of action. However, some plants offer nonautomatic safety systems which are to be used only if some automatic systems do not function properly, such as the containment spray or borated water injection systems in BWR's. In these cases, where there are established procedures for the operator to take action during degrading conditions, he must be provided with the reliable information to allow him to properly perform this function.
D. Plant Stabilization
It is difficult to establish a specific time in an accident at which the plant can be said to have returned to a safe condition. At some point the operator will have regained control of the transient behavior of the plant, but the plant variables will continue to change as the plant is brought towards a shutdown configuration and the decay power decreases. In this period of time it also becomes more difficult to differentiate between protective actions of the operator and operational actions. Indeed the steps taken by the operator may be the routine steps of a normal shutdown. The plant also becomes more insensitive in this period of time to operator errors.
For the purpose of being specific, we will define the plant as being stabilized when the seven key conditions of reactor shutdown, core cooling, containment cooling, fission product isolation, containment pressure control, primary pressure control, and a heat transfer path to a heat sink are assured. This approximate point in time would then be considered the end of the accident and subsequent actions related to recovery would be operational. The accident monitoring system would be required to provide the information on plant conditions that the operator needs to bring the plant to the stabilized condition.
E. Operator Limitations
The accident monitoring system must be designed to satisfy the information needs of the operator and to conform to his limitations. The operator can only absorb a given quantity of information. If insufficient instrumentation is provided, he will not be able to evaluate the status of the plant. If he is confronted with too many dials and accosted by too many signals, he may not be able to interpret the information that is provided.
In reviewing the status of accident monitoring capabilities, it appeared to us that too little attention is paid to human engineering for accident conditions. The feeling was frequently expressed to us that every operator is unique, would respond differently, and have different requirements in an accident situation. We do not believe that this is the case. Operators may in fact be quite similar in temperament and capability. Until research is performed in this area it is very difficult to establish the constraints on the design of accident monitoring systems that result from operator limitations.
At present the design of control rooms and control panels involves a merging of responsibilities of the reactor vendor and the architect-engineer, with both compromising to meet the desires of the utility. Human engineering is considered in the design of monitors and in the layout of panels to facilitate the normal operation of the plant. To the extent that the needs of the operator under normal conditions and under accident conditions overlap, the human factor is included in the design. It is also likely that there is some feedback to control panel design from the training of operators in the behavior of accidents using control room simulators.
In the absence of hard data on operator limitations under accident conditions, we would suggest the following constraint on accident monitoring systems. A few principal plant variables should be identified that are of primary concern in an accident upon which the operator can concentrate his attention. Although a wide variety of indicators of plant variables would also be available to the operator, these few key variables would be the basis of the accident monitoring system. In Chapter III methods are suggested for determining which variables to include as principal variables.
15 III.
CUIDELINES FOR THE DEVELOP' TNT OF ACCIDENT 5!CNITORING SYSTE}!S A.
Svsten Develorment The development of an accident monitoring system involves first deter-mining a set of variables that will satisfy the information needs of the operator and then designing the equipment to provide this information. By examining pre-dicted accident sequences it is possible to identify the variables that characterize the course of a given accident or diff erentiate one accident f ro= ano ther. A set of principal plant variables should be identified frem these studies which provides adequate information for evaluating the status of a broad spectres of potential accidents but which conforms to the Ibnited ability of the operator to accept and interpret infor=a tion. This instrzmentation would be the basis of the accident monitoring system and would be the focus of attention of the operator in an accident.
The next step in the development of an accident monitoring system is the design of the instrumentation that senses, displays, and records the principal plant variables. Because of the relationship of this instrumentation to protective functions, it must be designed to special criteria. Finally the operating room and panel layouts are developed in order to display these variables prominently.
It is essential that a systematic approach is taken in the design of the accident monitoring system. In our discussions with the reactor vendors, it was apparent that lines of responsibility are drawn between the nuclear steam supply system of the vendor and the balance of plant of the architect-engineer. The utility, of course, has the ultimate responsibility for the integrated plant. Of the three members involved the reactor vendor is probably the only one that has demonstrated the capability to design a unified accident monitoring system for the plant. If this responsibility is fragmented along traditional lines there is concern that integration of the two [illegible] accident monitoring system might not be complete.
It should also be recognized that in monitoring and controlling an accident an operator may make reference to a much larger set of instrumentation than the monitors of the principal plant variables. This broader instrumentation which is used in the normal operation of the plant does not require continual monitoring in an accident. The operator turns to these instruments when he is seeking the source of a problem or is taking remedial action. Because these instruments have less protective significance, the criteria for their design would not have to be as stringent as for the principal plant variables. The response of this instrumentation under accident conditions should be considered, however.
B. Flow Diagrams for Accident Sequences
In order to design the accident monitoring system for a plant, it is necessary to predict the type and sequences of accidents that might occur during the lifetime of the plant. The conceivable accidents for a plant are in actuality a continuum of potential events rather than a finite set of precisely defined accident sequences. For example, a continuous range of pipe break size is conceivable. Investigation of accident sequences by flow diagrams involves representation of this uncountable infinity of accidents by a finite set of accident stages. A particular stage in a flow diagram can be considered an integration over a band of the accident spectrum. The predicted magnitudes of the system variables at a given stage of the accident must therefore involve a range of values.
Representation of accident sequences by flow diagrams has obvious limitations. The course of an accident can take a wide variety of paths. Even if systems are assumed to act in a binary fashion (go, no-go), the number of branches that can occur in an accident is large. The possibility for partial functioning of systems or for the operator to influence the accident sequences further increases the complexity. As a practical matter the analyst must limit the complexity of the accident sequence. For example, within the accident sequence the analyst may include a branch which results from the failure of a single component but reject branching further down the tree which would result from additional failures.
The purpose for developing a comprehensive set of accident sequences is to determine the important variables that must be made available to the operator to permit the proper interpretation of events and to provide a basis for operator decisions. The information provided by the flow diagrams must therefore include: the magnitude and behavior of key variables, the occurrence of warning signals or initiating signals, the start-up and cut-off of systems and the actions of the operator.
In developing accident sequences it is essential to include the abnormal conditions associated with startup, shutdown, refueling, and maintenance as well as with steady state operation. In fact, in the design of protective systems as well as accident monitoring systems special attention should be given to these infrequent states of the system as opposed to the normal operating state. A large fraction of accidents, disproportionate to the time spent in the different modes, are initiated when the reactor is outside of the steady state operating mode.
A very simple example of a flow diagram for a steam-generator tube rupture in a PWR is illustrated in Figure 1. The rectangular boxes refer to important events in the accident sequence. Each of these boxes corresponds by letter to the accident sequence for a steam-generator tube rupture given in Appendix A. The octagonal boxes are used to represent the conditions that would be monitored by the operator during different stages of the accident. The trends of monitored variables are described by accident stage in the accompanying chart, Table 1. Intercomparison of tables of this type is used to identify the manner in which accidents can be differentiated. Although this example has been greatly simplified in that no branching is considered, it demonstrates some of the complexities of diagramming accident sequences. In the development of flow diagrams for a specific plant, ranges for the key variables should be tabulated as well as their trends. The flow diagrams and associated tables are then used in the design of the accident monitoring system. This information indicates which are the key variables which must be monitored in the accident and establishes the range, response, and sensitivity required for the associated instrumentation. The environment that should be used in qualification testing of instrumentation can also be determined from these analyses.
TABLE 1. PRINCIPAL VARIABLES IN STEAM GENERATOR TUBE RUPTURE ACCIDENT

| Variable | Stage 1 | Stage 2 | Stage 3 | Stage 4 | Stage 5 | Stage 6 | Stage 7 |
|---|---|---|---|---|---|---|---|
| Primary pressure | Decrease | Decrease | Decrease | Rapid decrease | Increase | Nominal | Nominal |
| Primary liquid level | Rapid decrease | Decrease | Decrease | Out of pressurizer | Increase | Nominal | Nominal |
| Damaged SG pressure | Increase | Increase | Decrease | Nominal | Nominal | Nominal | Nominal |
| Damaged SG level | Increase | Increase | Higher | Higher | Higher | Higher | Higher |
| Condenser radiation | Nominal | Nominal | Increase | High | High | High | Decrease |
| SG blowdown radiation | Increase | High | High | High | High | High | High |
| Feedwater flow | Nominal | Ramped down | Set low | Set low | Set low | Set low | Set low |
| Primary temperature | Decrease | Decrease | Decrease | Decrease | Decrease | Decrease | Decrease |
| Control rod position | Nominal | Tripped | Inserted | Inserted | Inserted | Inserted | Inserted |
| Reactor power (flux) | Nominal | Decrease | Low | Low | Low | Low | Low |
| Safety injection flow | None | None | None | None | High pressure | High pressure | High pressure |
| Safety injection valves | Closed | Closed | Closed | Closed | HP Open | HP Open | HP Open |
| Boron concentration | Nominal | Nominal | Nominal | Nominal | Nominal | Increase | Increase |
| Charging pump speed | Increase | High | High | High | High | High | High |
| Containment pressure | Nominal | Nominal | Nominal | Nominal | Nominal | Nominal | Nominal |
| Containment radiation | Nominal | Nominal | Nominal | Nominal | Nominal | Nominal | Nominal |
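The intercomparison of stage tables described above can be carried out mechanically. The following Python code is an added example, not part of the report: it transcribes the trends of Table 1, reports which stages fit a set of observed trends, and finds the smallest sets of variables that separate all seven stages. The function names are this example's own, and only the tabulated trends are used, not the ranges the report also calls for.

```python
from itertools import combinations

# Table 1 of the report, transcribed: trend of each variable in stages 1..7
# of the steam-generator tube rupture sequence (labels lower-cased).
TABLE_1 = {
    "primary pressure": ["decrease", "decrease", "decrease", "rapid decrease",
                         "increase", "nominal", "nominal"],
    "primary liquid level": ["rapid decrease", "decrease", "decrease",
                             "out of pressurizer", "increase", "nominal",
                             "nominal"],
    "damaged SG pressure": ["increase", "increase", "decrease"] + ["nominal"] * 4,
    "damaged SG level": ["increase", "increase"] + ["higher"] * 5,
    "condenser radiation": ["nominal", "nominal", "increase", "high", "high",
                            "high", "decrease"],
    "SG blowdown radiation": ["increase"] + ["high"] * 6,
    "feedwater flow": ["nominal", "ramped down"] + ["set low"] * 5,
    "primary temperature": ["decrease"] * 7,
    "control rod position": ["nominal", "tripped"] + ["inserted"] * 5,
    "reactor power (flux)": ["nominal", "decrease"] + ["low"] * 5,
    "safety injection flow": ["none"] * 4 + ["high pressure"] * 3,
    "safety injection valves": ["closed"] * 4 + ["hp open"] * 3,
    "boron concentration": ["nominal"] * 5 + ["increase"] * 2,
    "charging pump speed": ["increase"] + ["high"] * 6,
    "containment pressure": ["nominal"] * 7,
    "containment radiation": ["nominal"] * 7,
}
STAGES = list(range(1, 8))


def consistent_stages(observed, table=TABLE_1):
    """Return the stages whose tabulated trends match every observed variable.

    An empty list means the observations fit no stage of this sequence,
    i.e. the event is another accident or a branch the table omits.
    """
    unknown = set(observed) - set(table)
    if unknown:
        raise KeyError(f"not in table: {sorted(unknown)}")
    return [s for s in STAGES
            if all(table[v][s - 1] == t.lower() for v, t in observed.items())]


def ambiguous_pairs(variables, table=TABLE_1):
    """Return the stage pairs that the given variables cannot tell apart."""
    return [(a, b) for a, b in combinations(STAGES, 2)
            if all(table[v][a - 1] == table[v][b - 1] for v in variables)]


def smallest_discriminating_sets(table=TABLE_1):
    """Return all minimum-size variable sets separating every pair of stages."""
    names = list(table)
    for size in range(1, len(names) + 1):
        hits = [c for c in combinations(names, size)
                if not ambiguous_pairs(c, table)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    # Two observed trends narrow the event to the first two stages.
    print(consistent_stages({"primary pressure": "decrease",
                             "condenser radiation": "nominal"}))
    # Primary pressure alone leaves four stage pairs unresolved.
    print(ambiguous_pairs(["primary pressure", "containment pressure"]))
    print(smallest_discriminating_sets())
```

For this unbranched sequence, primary liquid level and condenser radiation together separate all seven stages, while condenser radiation is the only tabulated variable that separates stage 6 from stage 7.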
C. Principal Variables for Accident Monitoring Systems
Using flow diagrams and accident analyses for a broad spectrum of accidents, a set of principal plant variables should be defined which would be the basis of the accident monitoring system. The constraint on the number of variables in this set is determined by the ability of the operator to receive and interpret information in an accident situation.
Some guidelines to determine which variables should be included as principal variables can be stated.
(1) If the information from a variable is used by the operator in performing a required action it should be a principal variable.
(2) The principal variables should include indications of the seven vital conditions:
(a) Reactor shutdown
(b) Core cooling
(c) Containment cooling
(d) Isolation
(e) A heat transfer path to a heat sink
(f) Primary pressure
(g) Containment pressure.
(3) The principal variables should permit early recognition of accident conditions and allow identification and differentiation between accidents.
(4) The principal variables should provide warning of the need for extraordinary actions.
(5) The principal variables should monitor the operation of engineered safety features.
Although the principal variables should include an indication of the operation of engineered safety features, it is not necessary to indicate the operation of the various components of the safety features. For example, it is adequate to show flow in an emergency core cooling injection line without indicating which redundant pumps are operating or valves are open. If there is no flow in the line when there should be, the operator is warned and can refer to the indicators that show more specific detail.
A number of plant variables that should be considered as candidate principal variables are listed and briefly discussed.
Primary System Pressure. A rapid drop in primary system pressure is an early sign of a number of serious accidents in BWR's and PWR's including the loss-of-coolant, steamline break and steam-generator tube rupture accidents.
Power (neutron flux). Over-power conditions in the reactor can lead to fuel failure through boiling crisis or, in the event of a rapid power rise, to more direct forms of fuel failure. In any serious accident the reactor should be tripped as soon as possible to minimize the amount of heat that must be removed from the core.
Primary System Coolant Level. Changes in primary system coolant level are early signs of a number of serious accidents including the loss-of-coolant and steamline break accidents in PWR's and BWR's, a steam-generator tube rupture accident in a PWR and a feedwater malfunction in a BWR. Continued knowledge of the primary system coolant level is of particular importance to the operator. Incidents in operating plants have demonstrated that control of the water level in a BWR can be difficult to maintain under accident conditions. At the present time liquid level is measured in the primary vessels of BWR's but not PWR's. The liquid level is measured in the pressurizer of a PWR; when the liquid falls below the pressurizer elevation its level is unknown.
Containment Pressure. An increase in containment pressure in a PWR or drywell pressure in a BWR is an indication of a loss-of-coolant accident. Engineered safety features are provided to prevent containment pressure from exceeding design limits. High pressure in the containment not only threatens the integrity of the containment but also increases the driving force for the leakage of fission products to the environment.
Emergency Cooling Water Storage Tank Level. Emergency core cooling water for pumped injection is stored in a tank that may have the duplicate function of storing water for feedwater or refueling. The operator must be aware of the level of liquid in the tank if he is expected to switch suction to the containment sump or suppression pool.
Radiation Level in Containment. Increased radiation level in the containment exhaust is an indication of a loss-of-coolant accident. In order to protect the environment the containment may be isolated or the exhaust redirected through filters.
Containment Sump or Suppression Pool Level. Water in the containment sump of a PWR indicates a loss-of-coolant accident. The operator must check the level of water in the sump before attempting to draw suction from the sump for core reflooding or containment spray. A water level measurement in the containment sump or suppression pool would be an indication for long term cooling that water is not being lost from the system.
Steam-Generator Pressure (PWR). A decrease in secondary side pressures in the steam generators can indicate a steamline break or an excessive load increase. Pressures in the steam generators can also be useful in locating a steamline break. The operator may control secondary pressure during a loss-of-coolant accident.
Level in Steam Generator (PWR). This level is an important link in the normal heat transfer path from the fuel to the heat sink. Changes in the water level in the steam generator can result from malfunction in the feedwater system or from a steamline break. The steam generator water level is also used to identify the affected steam generator in the event of a tube rupture.
Feedwater Flow. In a PWR, feedwater flow must be controlled to provide sufficient water to enable heat to be transferred from the primary system but not to spill over into the steam line. In a BWR, feedwater flow is an important aspect of maintaining primary water inventory.
Control Rod Position Indicators. Control rod position indicators can be used to identify a rod runout accident. Continued rod insertion could indicate a boron dilution accident in a PWR. In the event of a major accident the control rod position indicators are a positive indication to the operator that trip has occurred. If some rods are stuck in the withdrawn position they will be identified to the operator.
Radiation Level in Condenser Air Ejector. In a PWR an increase in radiation level in the condenser air ejector or vacuum pump indicates a steam-generator tube rupture. In a BWR an increase in radiation level would be representative of fuel failure.
Status of Power Supplies. The availability of power supplies affects the time required for the operation of engineered safety features.
Hydrogen Concentration in Containment. Means are supplied for hydrogen recombination. Failure of this system to prevent accumulation of explosive mixtures of hydrogen might have to be countered by purging the containment. A rapid increase of hydrogen concentration might be used as a sign of metal-water reaction and an indication of inadequate function of the emergency core cooling system.
Primary Coolant Temperature (PWR). High coolant temperature is an indication of a mismatch between the turbine demand and core power.
Containment Temperature. Containment sprays and air cooling systems are provided to cool the containment in a loss-of-coolant accident. In some plants the operator can divert water and cooling capability from the spray system to the emergency core cooling system if additional containment cooling is not required.
Main Steamline Flow Rate (BWR). High steam flow in a main steamline, measured indirectly by pressure difference across a restriction, is an indication of a steamline break.
Temperature of Space in Vicinity of Vital Equipment. High air temperature in the space near the main steamlines, feedwater pumps, or other vital equipment may indicate a liquid or steamline break. Some high environmental temperatures may mean inadequate ventilation or equipment malfunction which can lead to an accident.
Radiation Level in Main Steamlines (BWR). High radiation levels in the main steamlines are indicative of fuel failure and call for vessel and containment isolation.
Pump Speeds. Pump speed indicates whether or not a pump is operating. Pumps supply the motive force for nearly all of the functions of the engineered safety features.
Boron Concentration (PWR). Boron concentration in conjunction with rod position indicates to the operator the shutdown margin or subcriticality of the reactor.
Area Radiation Levels in Auxiliary Buildings. Radiation levels in auxiliary buildings can indicate accidents related with fuel handling, liquid radioactive waste or gaseous radioactive waste. In a BWR high radiation level in the secondary containment building is characteristic of a steamline break.
Off-Site Radiation. Means must be provided for recognizing accidents that involve radioactive releases external to plant buildings or to receiving water bodies.
Valve Positions. There are hundreds of valves in a nuclear power plant that serve either operational or safety functions. The operator must have access to valve position indicators to know the actual configuration of the piping network. Valve positions for the engineered safety features, primary piping, isolation valves, and relief valves are particularly important.
D. Instrumentation Requirements and Qualification
The variables to be included in the accident monitoring system are identified through the investigation of accident sequences. Instrumentation must be selected or designed that provides a measure of each variable with the required range, [illegible] and response. The instrumentation may make a direct measurement of the variable or it may provide related data from which the variable can be inferred. For example, under certain conditions it is possible to measure water level by means of pressure differential. In developing instrumentation for accident monitoring, it is recommended to use direct measurement techniques wherever possible. Conditions of the accident can frequently change the relationship between measured and inferred variables.
Because of its relation to protective functions, the instrumentation in the accident monitoring system must be designed to special criteria.(6) In our discussions with the reactor vendors one topic was the applicability of IEEE Std 279, "Criteria for Protection Systems for Nuclear Power Generating Stations"(7) to monitoring systems. In general it was felt that IEEE Std 279 is an appropriate standard for the design of actuating systems but was not intended for monitoring systems. Although IEEE Std 279 can be loosely applied to these systems, a more appropriate standard would be preferable.
The extreme conditions that may occur in accidents emphasize certain design requirements for monitoring equipment. The range, response, and accuracy provided must be adequate to [illegible] accident transients. These properties are determined for each variable from the accident analyses described earlier. Since a degree of uncertainty is associated with a variable, an over-range allowance must be included above the predicted maximum value. The amount of over-range required is a function of the sensitivity of the variable. For example the radiation level in an area of the containment might be very sensitive to the mechanics of the accident and assumptions made about the transport of fission products. An appropriate over-range for this type of monitor might be a decade. In contrast an over-range for a level-indicator in a tank might be meaningless.
Other criteria for monitoring systems relate to the reliability and survivability of the instrumentation. The reliability of instrumentation that is used only for accident monitoring is difficult to assure because of the infrequence of accident conditions. The capability for periodic testing is essential. The reliability of many of the accident monitors required for the principal variables can be enhanced by using the same equipment to monitor operating conditions. Although dual use of this instrumentation violates the general rule of a separation of operational and protective instrumentation, the advantages in this instance outweigh the disadvantages. It is not clear whether redundancy should be required for accident monitoring instrumentation. As a general rule, however, it is not necessary to put redundant monitors in the channels of redundant components of the engineered safety features. Diversity in measurement and channel independence should be design goals for the monitoring system. Qualification testing in the predicted accident environment is essential to assure the survivability of the monitoring instrumentation.
Although it is not necessary to apply the strict criteria used in the design of the instrumentation for the principal variables to the bulk of the operational instrumentation in the plant, it is appropriate to make a detailed survey of the response of this instrumentation to predicted accident conditions. Where necessary the range of this instrumentation should be extended to include accident conditions.
E. Display Requirements
The method of display and location of indicators have a major effect on the number of variables that can be successfully monitored by the operator. There appear to be two logical locations for the indicators for the principal plant variables. These indicators could be placed with the indicators of related systems. For example, if a principal variable is ECC flow the indicator would be placed on the engineered safety features panel. If an anomaly were observed in ECC flow the operator would adjust his attention to the other instrumentation on this panel. The other option would be to group the indicators of the principal plant variables together. This grouping makes it easier for the operator to monitor all of the principal variables and would tend to focus his attention on these important parameters. We favor the latter approach. It is also possible to duplicate this instrumentation in the two locations as is presently done with some indicators in the control room. It is desirable, however, for the indicator monitored in an accident to be the same indicator that is used in the normal operation of the plant, with which the operator is familiar.
Regardless of the location of the indicators for the principal variables, they should be designed to stand out from their surroundings although the color and display format for these indicators should be consistent with that of the other indicators in the control room. The special significance of these variables and the increased reliability of information assured by the design criteria for this instrumentation might be in some manner identified on the indicator. It is essential that the display of these variables be simple and easily understood.
Audible alarms can be helpful to the operator in alerting him of approach to unsafe conditions. The psychological effects of alarms must also be considered, however. A rapid succession of harsh alarms could be distracting or unnerving to the operator at a time in the accident when calm evaluation is required.
In addition to instantaneous information it may be important for the operator to inspect the trends of some of the principal plant variables. For these variables time records should be provided as part of the accident monitoring instrumentation. Time records of many variables will also be required for the retrospective review of the accident. These records should be considered as separate from the accident monitoring system, however.
F. Use of the Computer
Use of the computer in accident monitoring is considered separately as an unresolved issue. A computer can be used as a versatile tool to expand the monitoring limitations of the operator in an accident situation. A computer can overcome space limitations by displaying the output of a large number of variables upon request. It can also take over some of the logical decisions from the operator. For example, the computer might be used to identify only those variables that lie outside preset ranges. It could also provide a diagnosis of the accident situation from the monitored variables and suggest alternative courses of action for the operator. The computer could be used to store and display updated diagrams of the plant piping systems and could check the logic of proposed recovery operations.
In some present plants, the capability exists for the operator to obtain from the computer the behavior of a number of variables just prior to the beginning of the accident. He may also request variables to be displayed at the console that are available on other indicators.
Ability to use the computer as an aid to the operator in an accident varies widely from plant to plant. Many individuals with whom we discussed accident monitoring felt that the computer would not be much use to the operator during the time-span of the accident. We feel, however, that it should be possible to request and receive information from the computer in a matter of seconds. Perhaps a more valid criticism of the computer is that the operator must learn to use the computer for it to be of value to him. Some operators will become familiar with the functions of the computer and will be able to call on it in an emergency but other operators won't.
From the standpoint of system reliability it would probably not be acceptable to depend entirely on a computer-based accident monitoring system without a backup system. The concept of a redundant computer system is abhorrent to the reactor vendors. There is also the feeling that if "credit" cannot be given for accident monitoring using the computer that there is no advantage in developing this type of system.
It is our opinion that the computer can be of value in expanding the capabilities of the operator to monitor accidents. Increased use of the computer for this purpose should be encouraged.
References
(1) "Fort Calhoun Station - Unit No. 1, Final Safety Analysis Report", Docket No. 50-285.
(2) "Three Mile Island Nuclear Station Unit 1, Final Safety Analysis Report", Docket No. 50-289.
(3) "Surry Power Station Units 1 and 2, Final Safety Analysis Report", Docket No. 50-280.
(4) "Wm. H. Zimmer Nuclear Power Station, Preliminary Safety Analysis Report", Docket No. 50-358.
(5) "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants", February, 1972.
(6) S. M. Hanauer and C. S. Walker, "Design Principles of Reactor Protection Instrument Signals", ORNL-NSIC-51, 1968.
(7) "Criteria for Protection Systems for Nuclear Power Generating Stations", IEEE Std 279, 1971.
APPENDIX A
POSTULATED ABNORMAL OPERATIONAL TRANSIENTS AND ACCIDENTS IN POWER REACTORS
The accidents which are described in this appendix range in severity from major occurrences of low probability to abnormal operational transients or incidents that might be reasonably expected to occur within the lifetime of a plant. The principal sources of information from which these general accident descriptions have been developed are safety analysis reports of the four vendors. Although BWR plants and PWR plants are treated generically, differences between plants of a single vendor and differences in designs between the vendors do affect the accident sequences. The response of a specific plant to an accident may differ somewhat from the general description provided in this appendix.
BWR Accidents
1. Loss-of-Coolant Accident
This accident results in the release of fission products from the fuel rods to the primary containment. The extreme case of a double-ended break in a pipe in a recirculation loop is considered the maximum credible accident. In this event the nuclear steam system blows down to the primary containment through the pipe break. The liquid flashes to steam as it emerges from the break and transfers most of the coolant's latent heat to the drywell. The condensation of steam in the suppression pool absorbs much of the released energy and controls the pressure in the drywell. High drywell pressure or low coolant level initiates a reactor trip. The emergency core cooling system must reflood the core and maintain coolant level to control the temperature of the fuel rods. Isolation of the primary containment must be effected to retain released fission products within the primary containment and to limit the release rate to the environment to the leak rate of the containment.
For smaller pipe breaks where rapid depressurization does not occur the relief valves are used to vent the steam pressure to the suppression pool while the high pressure core spray provides makeup water. When the primary system pressure is reduced the lower pressure core spray or coolant injection systems control the coolant inventory.
The expected sequence is as follows.
(a) A break occurs in a recirculation line.
(b) The reactor vessel begins blowdown by forcing coolant out the pipe break.
(c) The reactor starts to shut down immediately from void volume increase during depressurization.
(d) A signal of high pressure in the drywell initiates reactor trip, isolation of reactor vessel and primary containment, and emergency core cooling.
(e) The high pressure and low pressure emergency coolant pumps start.
(f) If offsite power is not available, the initiation of emergency core cooling also starts the standby diesel-generators; the core spray and coolant injection pumps start in sequence to prevent overloading the generators.
(g) The reactor vessel depressurizes by forcing coolant out through both ends of the pipe break.
(h) The high pressure core spray system begins immediately to pump emergency cooling water into the core from the condensate storage.
(i) As the vessel pressure drops, the low pressure core spray and coolant injection systems supply cooling water to the vessel from the suppression pool.
(j) The coolant expelled from the broken pipe flashes to steam in the drywell. The increase in drywell pressure causes a flow of steam and air into the suppression pool downcomers, and through the water, where the steam is condensed.
(k) As steam pressure drops in the reactor vessel, the turbine-driven feedwater pumps stop operating.
(l) At the end of the blowdown, the water level may have fallen below the reactor core.
(m) Core spray and coolant injection reflood the core and raise the water level so that the excess flows out the broken recirculation loop.
(n) After core reflooding, one of the coolant injection pumps is diverted to circulate water from the suppression pool through a heat exchanger, which begins to cool the suppression pool and remove the heat load from the primary containment.
(o) At the operator's discretion, a coolant injection pump may be used to feed the drywell spray to assist in reducing the drywell pressure.
(p) Fission products from any failed fuel rods and the coolant would be retained in the primary containment and their release to the environs would be limited by the leak rate of the primary containment and the secondary containment.
The break of a reactor coolant recirculation line results in the most rapid loss of coolant with the highest vessel depressurization rate and places the greatest burden of heat load and pressure suppression on the primary containment. As the size of the break decreases, the time scale of the accident is expanded. For small liquid-line breaks the rate of coolant loss and the rate of depressurization become so low that the accident takes on a character different from that of large breaks. For loss of coolant from small line breaks, the following sequence of events may be expected.
(a) The coolant from the break flashes to steam and increases the pressure in the drywell.
(b) High drywell pressure initiates isolation of the reactor vessel and primary containment, causes the reactor to trip, and starts the pumps in the emergency core cooling system.
(c) The high pressure core spray begins injecting water into the reactor.
(d) After a time delay, safety/relief valves in the automatic depressurization system open to accelerate the rate of depressurization of the vessel.
(e) As the vessel pressure drops to a lower level, the low-pressure high-volume coolant injection and core spray systems supply water to the vessel as required.
(f) With small breaks, the depressurization with assistance from the automatic depressurization system is complete before blowdown occurs through the core, and the coolant level stays above the core.
(g) Intermittent operation of the relief valves dissipates decay heat until the heat load can be handled by the residual heat removal system.
(h) No excessive system stresses are predicted from the blowdown, nor are excessive fuel rod temperatures expected since the core remains covered. Any fission products in the coolant would be released to the primary containment through the pipe break and the safety/relief valves.
(2) Control Rod Drop
The control rod drop accident is considered to be the maximum accidental positive reactivity insertion and could result in the release of radioactive fission products from the fuel to the environs via the off-gas system without an accompanying failure of the nuclear system, primary containment, or the secondary containment.
The accident is postulated to occur when a control rod becomes detached from its drive system. While the drive is being fully retracted the rod sticks in a fully inserted position. Then the rod suddenly drops to the fully withdrawn position. This positive reactivity insertion results in a localized power excursion which can cause the failure of a number of fuel rods. Any fission gas released from failed rods would be carried by the steam to the condenser where, during startup, the mechanical vacuum pump can release it to the off-gas system. During normal operation, fission products would be released from the condenser to the off-gas system by the air ejector. The expected sequence is as follows.
(a) A control rod-to-drive coupling fails.
(b) As that drive is withdrawn the control rod sticks in the fully inserted position.
(c) It is assumed that the operator fails to notice the lack of response in the neutron monitors as the control rod drive continues to be withdrawn.
(d) The control rod drops from fully inserted to fully withdrawn position.
(e) A power excursion occurs.
(f) The power excursion is limited by the Doppler effect in the fuel.
(g) A neutron monitor high-flux trip initiates a reactor trip.
(h) Excessive fuel rod temperatures cause cladding failure; the number of failures depends on the worth of the rod and the power and temperature conditions of the reactor.
(i) Fission products are released to the coolant; gases are carried by steam through the turbine to the condenser.
(j) Fission gases can be released to the environs primarily by three routes:
(i) During normal operation, the condenser air ejector discharges fission gases to the gaseous radioactive waste system which, depending on its capability, will limit the quantity of radioactivity released to the stack.
(ii) During startup conditions, the condenser vacuum pump releases fission gases directly to the off-gas exhaust until the vacuum pump is isolated.
(iii) When the condenser is isolated, the release of fission gases is limited to leakage from the condenser, which then is carried by the building vent to the environs.
(k) High radiation level in the main steamlines signals for isolation of the reactor vessel. The main steamline isolation valves should close in nominally 10 seconds, stopping transport of fission gases to the condenser and completing isolation of the reactor vessel.
(3) Steamline Break Outside of the Primary Containment
This accident is a situation where fission products in the nuclear steam system are accidentally vented to the secondary containment, which in turn is ruptured. The extreme case is a double-ended break of a main steamline. In this event the sudden increase in steam flow is restricted only by the flow limiters in each main steamline. Steam is vented directly from the vessel through the line in the normal direction through the break. In addition, steam is vented from the line upstream of the break by flow from the other three main steamlines. Closure of the main steamline isolation valves halts the loss of steam from the break and initiates a reactor trip. Further depressurization to dissipate system energy and control the vessel pressure is carried out by venting steam through the relief valves to the suppression pool. The coolant inventory must be maintained by the emergency core cooling system. The initial pressurization of the secondary containment by the vented steam would be expected to blow out some wall panels in the building and release a cloud containing some radioactive products to the environment.
The expected sequence is:
(a) A break occurs in a main steamline.
(b) Steam flow from the upstream side of the break is limited by the flow restrictor in the broken line. The maximum flow from the downstream side of the break is limited by the flow restrictors in the other three steamlines.
(c) The depressurization causes increased void volume in the core which acts to shut down the reactor.
(d) Low pressure at the turbine inlet or high flow through the flow restrictors are signals for closure of the main steamline isolation valves.
(e) Isolation valve position switches initiate a reactor trip.
(f) The increased core void production raises the water level to the steam nozzles so that liquid begins to be carried out the pipe break.
(g) As the steam pressure drops, the turbine-driven feedwater pumps stop operating.
(h) If offsite a.c. power is not available, all motor driven pumps stop; the reactor recirculation loops coast down.
(i) The steam escaping into the turbine building causes a sudden pressure increase which is relieved by wall panels blowing out of the building.
(j) A cloud of steam bearing radioactive fission gases escapes from the turbine building and rises in the atmosphere.
(k) Closure of the main steamline isolation valves stops the loss of coolant.
(l) The total loss of coolant is predicted not to result in uncovering the core.
(m) Depressurization stops and natural convection circulation of coolant is established in the core.
(n) No fuel rod failures are predicted to occur during the accident; the fission products released would be from defective rods which had failed prior to the accident.
(4) Refueling Accident
This accident could involve the release of fission products from the fuel directly to the secondary containment. During refueling the drywell is open and the secondary containment (the reactor building) serves as the primary containment. The most severe credible accident is considered to be the dropping of a spent fuel assembly on the top of the reactor core with the resulting release of fission products from damaged fuel rods. The gaseous fission products would be released to the building air and vented to the environment through the gas treatment system in the following sequence.
(a) The primary containment is open and the reactor vessel head is removed for refueling.
(b) Some part of the lifting mechanism fails as a fuel assembly is being removed from the core; the fuel assembly falls back onto the core.
(c) The energy from the fall is absorbed in the fallen assembly and the assemblies struck in the fall, causing the failure of a number of fuel rods.
(d) Fission gases escape from failed fuel rods through the refueling pool water to the reactor building.
(e) The high radiation level in the building would initiate isolation of the ventilation exhaust and actuation of the standby gas treatment system.
(f) The fission gases would be released through the gas treatment system to the environs at levels dependent on the efficiency of that system.
(5) Continuous Control Rod Withdrawal
The expected sequence of this transient is
(a) The operator overrides control rod stepping sequence and continuously withdraws a control rod at maximum speed.
(b) A low level power transient occurs.
(c) The reactor is tripped by signals from the intermediate or power range neutron monitors.
(d) No core damage is predicted.
(6) Turbine Trip
The expected sequence of this transient is
(a) A turbine stop valve rapidly closes.
(b) Position switch on stop valve initiates reactor trip, or power set back, and opening of the turbine bypass valve.
(c) Reactor vessel pressure rises to relief valve set points, opening relief valves.
(d) Relief valves close when the turbine bypass to the main condenser can accommodate steam production.
(e) Nuclear system pressure peaks at less than design pressure then declines as system energy dissipates.
(f) If turbine bypass valves fail to open, the nuclear system pressure is relieved entirely by relief valves which transfer the energy of the nuclear system to the suppression pool. The system pressure is predicted to peak at less than design level.
(g) If the turbine stop valve trip is bypassed, which is possible at reduced power, a reactor trip is initiated by the intermediate or power range neutron monitor.
(7) Isolation Valves Close Inadvertently on Main Steamlines
The expected sequence is
(a) Valve position switches initiate reactor trip.
(b) Reactor vessel pressure increases to relief valve set points.
(c) Relief valves actuate to relieve system pressure and dissipate energy in the suppression pool.
(d) The nuclear system pressure peaks at less than design pressure then declines as latent and decay heat are dissipated.
(8) Pressure Regulator Fails in Open Position
The expected sequence is
(a) The nuclear system depressurizes and coolant inventory is reduced as mass flow of steam exceeds the mass flow of feedwater.
(b) Depressurization increases coolant void volume with attendant coolant level increase and reactor power decrease.
(c) Reduced pressure at the turbine inlet trips the main steamline isolation valves, halting depressurization.
(d) Isolation valve closure initiates a reactor trip.
(e) The vessel pressure rises due to decay heat, and relief valves function to control pressure.
(f) No excessive fuel temperatures or vessel pressures are predicted.
(9) Safety/Relief Valve Opens Inadvertently
The expected sequence is
(a) The nuclear system begins to depressurize with increased steam flow.
(b) The pressure regulator tends to maintain constant pressure by throttling the turbine inlet valve.
(c) The recirculation flow controller (in automatic) increases the flow to meet the apparent increase in load demand.
(d) The pressure regulator set point automatically decreases.
(e) The operator must take action to close the safety relief valve or shut down the reactor.
(f) The fuel or nuclear system is not subjected to excessive conditions but discharge from the safety valve to the drywell could cause contamination of the primary containment and possible minor damage.
(10) Partial Loss of Reactor Coolant Flow: a Recirculation Pump Seizes
The expected sequence is
(a) A pump rotor stops.
(b) Coolant flow in the core decreases.
(c) The minimum critical heat flux ratio (MCHFR) approaches 1.0.
(d) The reactor power drops as the void volume increases.
(e) The pressure regulator tends to maintain control of the pressure by turbine inlet valve operation.
(f) Some increase in flow occurs in the jet pumps in the active recirculation loop.
(g) As the surface heat flux in the core decreases, the MCHFR increases.
(h) The reactor stabilizes at a lower power condition.
(i) No excessive fuel temperatures or vessel pressures are predicted.
(11) Loss of Offsite AC Power
The expected sequence is
(a) All pumps trip and coast down.
(b) Reactor power decreases as coolant flow decreases.
(c) Reactor trip and main steamline isolation are initiated as power is lost due to coast down of motor-generator sets in the reactor protection system.
(d) Loss of coolant flow in main condenser causes condenser vacuum loss which trips turbine stop valves.
(e) Pressure in the isolated pressure vessel increases to the relief valve set point.
(f) Vessel pressure is controlled by intermittent relief valve action which dissipates decay heat until the residual heat removal system can be used.
(g) The reactor water level drops and trips the emergency cooling system to maintain coolant inventory.
(h) No excessive fuel temperatures or vessel pressures are predicted.
(12) Startup of Cold Recirculation Loop, or Inadvertent Pumping of Cold Water into Reactor Vessel, or Failure of a Feedwater Heater
Any of these events causes a decrease in the temperature of the reactor coolant, and results in the following sequence.
(a) The core power increases from the Doppler effect and decreased void volume.
(b) The increased neutron flux may initiate a reactor trip (particularly on manual control) or it may stabilize just below the trip point.
(c) The recirculation flow controller reduces the core flow.
(d) If the reactor does not trip, corrective action must be taken to reduce the reactor power from the newly established level.
(e) No excessive fuel temperatures or reactor vessel pressures are predicted.
(13) Recirculation Flow Controller Failure, Increasing Flow
The expected sequence is
(a) The coolant temperature rapidly decreases.
(b) Reactor power increases sharply from void volume decrease.
(c) The reactor trips from high neutron flux.
(d) System pressure continually declines and no excessive fuel temperatures are predicted.
(14) Feedwater Controller Fails in Demand Mode
The expected sequence is
(a) The vessel water level increases to the set point of turbine stop valve trip.
(b) The turbine stop valve closes.
(c) Reactor trip is initiated by stop valve closure.
(d) The turbine bypass valves open.
(e) The vessel pressure increases to relief valve set point.
(f) The vessel pressure is controlled by the relief valves and turbine bypass.
(g) The vessel water level continues to rise until the feedwater pumps are tripped.
(h) No excessive fuel temperatures or vessel pressures are predicted.
(15) Loss of Normal Feedwater Flow
The expected sequence is
(a) The feedwater pumps trip.
(b) An interlock reduces recirculation flow to low level.
(c) The reactor power reduces sharply from the void volume increase which accompanies reduced coolant flow.
(d) Continued steam flow causes reduced coolant inventory.
(e) Low water level in the vessel trips the high pressure core spray and initiates main steamline isolation.
(f) After isolation, the vessel pressure is controlled by the relief valves.
(g) No excessive fuel temperatures or vessel pressures are predicted.
PWR Accidents
(1) Loss-of-Coolant Accident
A loss-of-coolant accident is defined as a breach of the reactor coolant system boundary. The type of break, its location, and the size of pipe in which the break occurs significantly affect the time scale and sequence of events in the accident.
Because of the magnitude of the potential consequences of a loss-of-coolant accident, engineered safety features--designed to cope with this particular accident--have been included in the plant systems.
The loss of coolant from leaks or small pipe breaks can be accommodated by the charging pumps, and in this event, system pressure can be maintained and a normal shutdown procedure followed. For larger breaks, operation of an emergency core cooling system is required to prevent core damage due to high temperatures. The limiting case with the worst consequences would be the instantaneous double-ended rupture of a large cold-leg pipe.
The sequence of events that would occur in this accident is normally characterized by three phases: blowdown, reflood, and refill.
In addition to recovering and cooling the core, it is essential in the loss-of-coolant accident to prevent overpressurization of the containment. A containment spray system and a containment air cooling system each act to reduce containment temperature and pressure.
Control of a loss-of-coolant accident may require actions by the operator as well as the operation of a number of automatic systems. During the early stages of an accident involving a large break, the operator is essentially an observer. He can, however, during this period verify that the safety systems are responding as intended and, in many cases, can switch operation from defective equipment to alternate or redundant equipment. For a large break, the occurrence of a loss-of-coolant accident should be quickly apparent to the operator. For a smaller break, a longer time would be required for the operator to recognize that an accident situation exists. In the latter case, he would also have to look for symptoms (such as water in the containment sump) that differentiate the loss-of-coolant accident from a steamline break or a steam-generator tube rupture.
The sequence of events is as follows.
(a) A break occurs in a primary system pipe.
(b) The primary system depressurizes rapidly as two-phase fluid flows out of the break.
(c) Reactor trip is initiated upon a signal of low pressure in the pressurizer.
(d) As the primary pressure continues to decrease and the containment pressure increases, a safety injection signal is initiated.
(e) If on-site power is available, the pumps for the high pressure safety injection system and containment spray system will start and safety injection will begin rapidly.
(f) If on-site power is not available there will be a delay in injection of from 20 to 30 seconds while the emergency generators are started.
(g) As the pressure drops below the set point for the accumulators (normally either 6f0 psi or 200 psi depending upon the vendor), these tanks are automatically discharged to the primary system.
(h) Flow from a low pressure safety injection system begins at low primary pressure.
(i) At the end of blowdown little or no water remains in the primary system.
(j) During the refill phase, emergency core cooling water refills the lower plenum. Since the core is uncovered, the fuel rods heat up rapidly.
(k) When the water level reaches the bottom of the core the reflood stage begins.
(l) As the water rises through the core, the fuel rods are cooled and eventually the rods are quenched.
(m) The accumulator tanks have a limited supply of water, which is rapidly exhausted.
(n) The source of water for the high pressure and low pressure injection systems is initially the refueling water tank. Eventually, this water supply is also depleted and it is necessary to switch suction for the safety injection system to the containment sump where the spilled water has accumulated. For some plant designs the operator must perform an action to convert the system to the recirculation mode.
(2) Steam-Generator Tube Rupture
The accident sequence which is described involves the double-ended rupture of a steam-generator tube. The leak rate out of the primary system is greater for this accident than the charging pumps can maintain. In this accident, noncondensable fission products would be released to the atmosphere through the condenser vacuum pumps. The increase of radioactivity in the condenser is an early indication to the operator of the nature of the accident.
A more likely type of failure within the steam generator would be a small leak or split-type break. In these incidents, the charging pumps would be able to maintain primary liquid inventory and primary pressure. The operator would be aware of the problem because of the increased radioactivity in the w and feedwater condenser, and possibly because of abnormal charging pump flow. He could then initiate a controlled shutdown.
The speed with which the operator can identify and isolate a faulty steam generator directly affects the quantity of fission products released. Since the operator is relied upon to make an important decision in this accident, it is essential that he is provided with the information to make not only the right decision, but also a timely decision.
Although accident sequences involving combinations of unrelated failures are not normally analyzed, some consideration should be given to the potential consequences of such failures in this accident because it involves a breach in the primary system, and delay or error in the automatic actions of the system or in operator activities could result in an increased release of fission products. For example, if turbine bypass to the condenser were inadequate to relieve pressure in the secondary system, safety valves would operate and release larger quantities of fission products. Furthermore, any accident which involves some loss of control of primary water inventory has potentially serious consequences.
The expected sequence is as follows.
(a) A rupture occurs in a steam-generator tube, and the primary pressure and pressurizer water level decrease.
(b) Reactor trip occurs as the result of a low pressure signal. Reactor trip initiates closing of the turbine stop valve. Feedwater flow is reduced to a set fraction of full flow.
(c) Steam is dumped to the condenser by means of bypass valves.
(d) The liquid level in the pressurizer continues to drop; as the pressurizer heaters are uncovered they are automatically de-energized and the primary pressure begins to drop more rapidly.
(e) The pressure falls below the set point for the safety injection signal and the high pressure safety injection system is activated; letdown flow is stopped.
(f) The flow of the high pressure injection system is adequate to control the water level in the primary system, and eventually the pressurizer heaters are again covered, and automatic repressurization of the system begins.
(g) The water level in the damaged steam generator rises more rapidly than in the other(s). Radioactivity levels in the steam generator blowdown lines will also indicate which steam generator has failed. The operator diagnoses the problem and isolates the affected steam generator.
(h) The primary system continues to cool down by dumping heat to the condenser until the temperature reaches approximately 300 F. At this point the steam generators can be isolated and the shutdown cooling system can be used to cool down the system.
(3) Steamline Break
The consequences of a steamline failure will vary as a function of initial power level, break size, and the location of the break relative to isolation valves. As in the loss-of-coolant accident, break size affects the time scale of the accident.
This accident involves a large insertion of reactivity. The positive reactivity addition may, in fact, be many times greater than for the control rod ejection accident. The timely initiation of reactor trip is therefore important to prevent core damage resulting from a nuclear excursion.
The steam-generator tubing is designed to withstand the full primary system-to-atmospheric pressure differential. The potential for a steam-generator tube rupture to compound a steamline break cannot be discounted, however.
The initial drop in primary system pressure and level in this accident is similar to that in the steam-generator tube rupture and the loss-of-coolant accidents. The rapid decrease in pressure in one of the steam generators would indicate to the operator the nature of the accident. The operator must be able to identify the affected steamline in order to prevent the supply of auxiliary feedwater to the associated steam generator.
The following sequence is expected.
(a) A break occurs in a steamline.
(b) The pressure in the associated steam generator decreases.
(c) As the water in this steam generator flashes, the cooling effect of the steam generator on the primary system will be greatly increased and the reactor coolant temperature will decrease.
(d) For a negative moderator temperature coefficient, the reactivity of the reactor will increase and the power level will increase.
(e) Reactor trip occurs as a result of low steam-generator pressure or high power level.
(f) The turbine stop valves close and the blowdown of the steam generator(s) associated with the other steamlines stops. Depending upon the system design and the location of the break, the closure of isolation valves may also stop blowdown of the steam generator in the broken line.
(g) If the steam generator is not isolated, it is necessary that the feedwater flow be stopped. The affected steam generator will eventually dry out and will no longer represent a heat sink for the primary system.
(h) As the primary system cools, the water level drops out of the pressurizer and the system pressure rapidly decreases.
(i) Safety injection is activated.
(j) Depending upon the system design, the net reactivity may return to supercritical when the increase in reactivity due to reactor cooldown has balanced the negative shutdown reactivity. The power level would then again rise until the Doppler effect decreased reactivity. The borated water injected by the emergency core cooling system helps to maintain the reactor subcritical.
(k) When the steam generator in the affected line is dry or has been isolated, the decay heat being generated in the primary system is removed through the other heat exchanger(s) and is dumped to the condenser through the turbine bypass valves.
(4) Control Rod Ejection
In the control rod ejection accident, the control rod housing or nozzle on the reactor vessel of a single control rod assembly is assumed to rupture circumferentially. The system pressure then acts upon the assembly to eject it from the primary vessel. The subsequent nuclear excursion is limited by the Doppler effect and is terminated by a reactor trip. Analyses indicate that the excursion is not of significant magnitude to damage the fuel.
The expected sequence is
(a) Rod ejection occurs.
(b) The power rises rapidly, peaks and drops as the result of Doppler feedback.
(c) Reactor trip is initiated on high flux or high flux rate.
(d) The remainder of the accident is characteristic of a loss-of-coolant accident.
(5) Waste Gas or Waste Liquid Accident
Waste gas or waste liquid which is being held for either controlled discharge or shipment may be accidentally released. Radioactive gas might be directly released to the atmosphere through a rupture or leak in one of the tanks or the valving systems. If a rupture or leak were to occur in a waste liquid tank, the radioactive liquids would probably remain on site. An accident can occur, however, in which excessive radioactivity would be released to a river or water body.
In general, this type of accident occurs as a single event. The operator has little control to prevent the accident from running to completion, but the accident does not propagate to other failures. Prompt action by automatic systems or by the operator may be important, however, in controlling release to the environment. If the building in which the waste gas tanks are located has a containment capability, isolation can be initiated upon sensing a high radiation level in area monitors. Radiation monitors in lines leading to external bodies of water and in the receiving bodies are particularly useful in recognizing accident conditions in the release of liquid waste.
(6) Fuel Handling Accident
Three accidental conditions are of concern in handling fuel: criticality, overheating, and mechanical damage leading to release of fission products.
In the accident that is normally considered in safety analyses, a fuel element is dropped from the fuel handling device into either the reactor or the spent fuel storage pool. In the drop, a number of fuel pins are damaged and their gap radioactivity is released. Because of the high boron content in the refueling water, the possibility of the accident resulting in a critical configuration is precluded. It is also assumed that the design of the vessels is such that a rupture or leak which would result in the uncovering of fuel cannot occur. If the accident occurs in the reactor vessel, isolation of the containment could be established. If the accident were to occur in the fuel handling pool, the operator might be required to direct air flow through filters before release.
Accidental criticality or loss of cooling to a fuel element as the result of a fuel handling accident would have much more serious consequences than an accident involving only mechanical damage. Criticality accidents in lattice configurations are usually self-limiting. If an accident of this type were to occur the deposition of heat in the fuel might lead to some additional fuel failure, but would probably not result in a great deal of mechanical damage. Loss of cooling to the fuel would have much more serious consequences, and it is essential that spent fuel is kept covered with water.
(7) Control Rod Withdrawal Accident
In this accident situation, a control rod group is accidentally withdrawn from the core as the result of a fault condition in the reactor regulating system or in the control element drive control system, or as the result of operator error. The accident could be initiated anywhere in the range from hot standby to full power. The expected sequence is as follows.
(a) As the rods are withdrawn the power increases and the pressure increases.
(b) The extra heat load on the secondary leads to overpressurization and pressure release of the steam through safety valves.
(c) Steam generation outpaces feedwater flow; the liquid levels in the steam generators drop.
(d) Pressurizer spray activation opposes the pressure buildup in the primary system. If the accident is not brought under control in time, pressure relief valves in the primary system will operate.
(e) Automatic reactor trip can occur as the result of a number of variables depending upon the design of the reactor protective system. Trip may result from high reactor neutron flux, high flux rate, high pressure, low steam generator water level or thermal margin (power/load mismatch).
(8) Boron Dilution Accident
Changing the boron concentration in the reactor is a normal procedure which is used to account for the reactivity changes associated with burnup, xenon buildup and decay, and plant cooldown. In the boron dilution accident it is assumed that unborated makeup water is fed to the charging pumps, leading to dilution of the boron concentration in the primary vessel. The primary concern in this accident is that adequate shutdown margin is maintained. The following sequence is expected.
(a) Accidental dilution occurs.
(b) If the reactor control system is in the automatic mode, control rods will be continuously inserted to match the increase in reactivity which results from boron dilution.
(c) When the minimum shutdown margin is reached an alarm will sound a warning to the operator. The operator has many minutes available to take action preventing additional dilution before shutdown ability is lost.
(d) If the reactor is being manually operated and the operator takes no corrective action the power level, coolant temperature and primary pressure will rise until a reactor trip is encountered.
(9) Control Rod Drop
The expected sequence is
(a) A control rod is released from its drive mechanism and drops into core.
(b) Reactor power decreases rapidly.
(c) The protective system prohibits rod withdrawal and initiates turbine setback to prevent full power operation with a distorted power profile.
(10) Loss of Coolant Flow The expected sequence is (a) Mechanical failure, such as shaft seizure, occurs in a reactor coolant pu=p.
(b) Core flow decreases slowly; coolant te=perature rises.
(c) Reactor trip occurs on a low flow condition.
(11) Startue of Inactive Looo The expected sequence is (a) A pump in an idle loop is started accidentally while at power.
(b) Reactor coolant temperature decreases, reactivity increases, and power increases.
(c) Reactor trip occurs en a condition of high power level for the operation with reduced number of loops.
(12) Loss of Load
The expected sequence is
(a) A rapid decrease in power demand occurs--as in the event of a turbine trip.
(b) The steam dump and bypass system directs steam to the condenser.
(c) If necessary, pressurizer relief valves and pressurizer and steam generator safety valves operate to prevent exceeding design pressures.
(d) Reactor trip occurs on high pressurizer pressure.
(13) Loss of Feedwater Flow
Auxiliary feedwater pumps are provided to prevent complete loss of feedwater to a steam generator.
Complete loss of feedwater can occur, however, as a result of a break in a feedwater line. The expected sequence is as follows.
(a) A break occurs in a feedwater line.
(b) Check valves in the feedwater line close.
(c) If the break is upstream of check valve, steam-generator blowdown is stopped.
(d) If the break is downstream of check valve, blowdown of a steam-generator occurs. This incident resembles a break of a main steamline.
(e) Reactor trip occurs on low steam generator water level, high pressurizer pressure, or thermal margin/low pressure.
(14) Excessive Load Increase
A number of accidents can occur which result in a rapid increase of steam flow. In such accidents, reactor coolant temperature and pressure decrease (as in a steamline break) and the power increases. Reactor trip settings for high flux level, high rate of flux, low steam-generator water level, low steam-generator pressure, and thermal margin/low pressure provide protection against accidents of this type.
APPENDIX B
IMPORTANT PLANT SYSTEMS
The need to monitor the performance of engineered safety features during an accident is apparent. There are a number of other operational and protective systems whose performance during an accident may be just as critical, however. Ability to protect the public from unacceptable accident consequences is to an extent determined by the weakest link in the system chain. For example, the component cooling system has no direct effect on controlling an accident, but failure of this system could degrade the performance of other essential systems.
A number of the major systems in BWR's and PWR's are briefly described in this appendix to illustrate the significance of each in accident control.
Although these systems are described in generalities, it should be recognized that significant differences do exist for these systems, reflecting the differences among vendors, utilities, architect-engineers, and plant generations. Even the nomenclature for similar PWR systems varies among the three vendors.
BWR Systems
A. Reactor Containment Systems
(1) Primary Containment System
The primary containment for the reactor fission products and activated materials is comprised of the drywell and pressure suppression pool.
These steel-lined concrete structures enclose the reactor vessel and coolant recirculation system, store water which provides an immediate heat sink and coolant source in the event of a loss-of-coolant accident, and retain any radioactive products during an accident.
(2) Secondary Containment System
The primary containment structures, the reactor support equipment, and the turbine-generator system are housed in the reactor building which affords the secondary containment for radioactive products.
The objective of the secondary containment is to confine any leakage from the primary containment and provide for a controlled, safe discharge. During those periods when the drywell is opened, such as refueling, the reactor building serves as the primary containment.
(3) Containment Isolation System
All lines which penetrate the drywell have valves which can be operated automatically or manually to isolate a broken line and limit the loss of radioactive materials from the primary containment. Those lines which penetrate the primary containment and enter the nuclear steam system have two isolation valves, one inside and one outside the drywell. Those lines which penetrate the primary containment but not the nuclear steam system have one isolation valve outside the drywell.
B. Reactor Coolant System
(1) Reactor Recirculation System
The coolant recirculation loops provide the motive power to the jet pumps which circulate the cooling water through the reactor core. In addition to the vital role of cooling the fuel, the recirculation system provides a load following capability by regulating the core reactivity through controlling the void volume in the reactor. The recirculation flow control system works in conjunction with the pressure controller under the master power controller to accomplish the automatic load following.
(2) Reactor Feedwater System
The feedwater system takes water from the condensate storage tanks, heats it, and returns it to the reactor vessel.
Information on steam flow and vessel water level is used by the feedwater control system to maintain an optimum water level relative to the level of the steam separators for each power level.
(3) Reactor Core Isolation Cooling System
The steam-turbine-driven pump in this system is available to supply makeup water to the vessel during normal shutdown periods if the feedwater system fails.
(4) Residual Heat Removal System
This system provides for removal of decay heat from the core during normal shutdown periods. After a loss-of-coolant accident, the Residual Heat Removal System has the capability to restore and maintain coolant, cool the suppression pool, and provide containment spray.
(5) Core Standby Cooling System
Four subsystems in the standby cooling system work during a loss-of-coolant accident to prevent coolant loss below the core level or to reflood and maintain coolant level, with the primary objective of providing core cooling to limit maximum cladding temperatures and prevent core disarrangement. The High Pressure Core Spray Subsystem uses a high-pressure, low-volume pump to spray coolant on the core before the vessel pressure can be reduced. The Automatic Depressurization Subsystem vents steam from the main steamlines to the suppression pool or drywell through automatic pressure relief valves to reduce the vessel pressure and dissipate energy from the system. The Low Pressure Core Spray Subsystem uses two or more high-volume low-pressure pumps to spray coolant on the core after the vessel pressure is reduced.
The Low Pressure Coolant Injection Subsystem, actually a part of the RHRS, uses two or more high-volume low-pressure pumps to inject water into the vessel for core reflooding or maintenance of coolant level.
The coolant injection systems are supplied water from the condensate storage tanks or the suppression pool. The motor-driven pumps for these systems are started automatically upon signals from low vessel water level or high pressure in the drywell; either indicates a loss of coolant. The isolation valves which allow coolant injection by these systems are operated automatically as permitted by the vessel pressure.
C. Control and Instrumentation Systems
(1) Reactor Protection System
The objective of this system is to monitor plant variables and when established limits are exceeded, initiate a reactor trip to avoid damage to the fuel cladding or to the primary reactor system. In general, the Reactor Protection System monitors those conditions which may cause excessive fuel temperature or excessive system pressure. To this end, the system initiates trips on the following signals: high neutron flux, high primary system pressure, low water level in the reactor vessel, closure of the turbine stop valve, fast closure of the turbine control valve, closure of the main steamline isolation valves, high radiation level in the main steamlines, and high pressure in the primary containment.
(2) Reactor Vessel and Primary Containment Isolation Control System
This system monitors variables and responds to out-of-limit conditions to initiate closure of isolation valves in lines from the reactor vessel and primary containment to limit a loss of coolant and contain fission products within the nuclear system and the primary containment.
Generally, variables which indicate fuel damage or a break in the primary system initiate isolation.
(3) Core Standby Cooling System
This system monitors variables and controls the operation of the High Pressure Core Spray, the Automatic Depressurization System, the Low Pressure Core Spray, and the Low Pressure Coolant Injection System.
All four of these systems respond to signals of low reactor water level or high drywell pressure.
(4) Moderator-Void Ratio Control
In a BWR the steam produced in the fuel element coolant channel displaces liquid coolant and thus reduces the amount of moderator in the core. The reactivity can be increased by increasing the relative amount of moderator in the core and vice versa. For a fixed control rod pattern, an increase in the coolant velocity decreases the steam void volume, increases the moderator-void ratio and the core reactivity.
This principle is utilized for automatic control of the reactor power to follow changes in the generator load without control rod position changes. The moderator-void ratio is sensitive to both reactor pressure and coolant temperature and is regulated by controlling the steam pressure and the coolant velocity.
(5) Recirculation Flow Control System
This system controls the position of the flow control valve in each recirculation loop to effect a reactor power change by regulating the coolant velocity through the core. This control can be selected to occur by operator action or automatically by direction from the turbine speed-load control.
(6) Electrical Power Systems
In the event of a loss of normal off-site electrical power, standby emergency power systems are available to supply the needs to bring about a reactor shutdown.
A-C power is supplied by diesel-driven generators which start automatically upon the loss of off-site power. The starting of large motors is usually sequenced to avoid overloading the generators.
D-C power is available from a bank of rechargeable batteries.
(7) Pressure Regulator and Turbine-Generator Controls
The pressure regulator adjusts the position of the turbine control valves or bypass valves in order to maintain constant nuclear system pressure and thereby to avoid reactivity changes from pressure-induced void changes. The turbine-generator control acts to maintain a constant turbine speed by adjusting the recirculation flow control and the pressure regulator setpoint. In the case of a loss-of-generator load the turbine-generator control avoids excessive turbine speed by rapid closure of the control valve with an accompanying opening of the bypass valves.
(8) Digital Computer
Many current BWR's have a process computer which is programmed to make various calculations to assist in evaluating the reactor operations and to store instrument signals to sequentially record the history of rapidly occurring nonscheduled events. Some operational functions and displays provided by the computer are
(a) Periodically displays of three-dimensional core power density
(b) Monitors optimum core power level and provides alarm signals to aid the operator in staying within acceptable limits
(c) Supplies isotopic concentration data on each fuel bundle on demand
(d) Supplies input to Rod Block Monitor to enforce rod manipulations
(e) Supplies rod worth data to REM
(f) Makes balance-of-plant calculations.
The computer also receives and stores input from reactor protection system instrumentation and prints out a record of system trips.
The first 80 events are recorded in chronological order.
D. Refueling System
This system provides instrumentation to assist procedural methods used during refueling operations to prevent a criticality accident. Generally the system includes circuitry which senses the position of control rods and refueling equipment and causes a rod block or prevents the movement of equipment such as the refueling platform or hoist.
E. Feedwater System
This system takes information from reactor vessel water level, main steamline flow rate, and feedwater flow rate to regulate the reactor water level at an optimum level relative to the steam separators.
F. Auxiliary Systems
There are a number of auxiliary systems which contribute important functions to the plant but may or may not have a relation to accidents.
Some of these are
Fire Protection System
Heating and Ventilating System
Lighting System
Instrument and Service Air System
Potable and Sanitary Water Systems
Equipment and Floor Drain Systems
Communication System.
G. Radioactive Waste Disposal System
This system provides for the collection, treatment, storage, and handling of gaseous, liquid, and solid radioactive wastes. Malfunctions in this system have the potential for the release of concentrated fission products to the environment.
PWR Systems
A. Reactor Containment Systems
(1) Containment System
The containment system is in general a steel-lined concrete structure in which the primary system is housed. The steam generators are located within the containment building but steamlines penetrate the containment shell and the remainder of the secondary system is external to containment.
In the event of a breach in the primary system the containment prevents the release of fission products to the public.
It must therefore be designed to contain the energy release and pressure rise resulting from blowdown of the primary system.
Containment designs vary widely and include such novel features as ice-condensers and subatmospheric containments to circumvent the need to design for high internal pressures. The containment building is also designed to protect the primary system from external threats such as earthquakes, hurricanes, tornados, and airplane crashes.
(2) Containment Isolation System
The containment isolation system is intended to prevent the release of radioactivity from the containment in the event of an accident.
The containment has a large number of piping penetrations that are potential pathways for the release of fission products. Each penetration is supplied with isolation valves, usually one internal and one external to containment, that can be closed under accident conditions.
(3) Containment Spray System
The containment spray system limits the pressure and temperature rise in the containment in the event of a loss-of-coolant accident. The pumps for the system draw suction from either the safety injection water storage tank or the containment sump.
Cooling is supplied by the shutdown heat exchangers. The containment spray system is usually initiated by the same conditions as the emergency core cooling system.
(4) Containment Air Recirculation, Cooling, and Iodine Removal System
Depending upon plant design, the air recirculation system for the containment building may perform a redundant function to the containment spray system by cooling and filtering the containment atmosphere.
B. Reactor Coolant Systems
(1) Reactor Coolant System
The reactor coolant system is designed to remove heat from the core and internals, and to transfer it to the secondary system through the steam generators. The reactor coolant system consists of two to four loops connected to the primary vessel; the design of the loops differs among the PWR vendors. A pressurizer is connected to one of the loops to control primary system pressure.
(2) Emergency Core Cooling System
The components of emergency core cooling systems include accumulators, high and low pressure safety injection pumps, a water storage tank, and piping and valves. The accumulator discharges water into the primary system automatically. The injection systems, in contrast, are pump operated. Emergency core cooling water is injected into the cold legs, hot legs or pressure vessel downcomer depending upon plant design. Suction for the pumped systems initially comes from a large storage tank of borated water and is eventually shifted to the containment sump. Variables that are typically used to initiate injection are low pressurizer pressure, low pressurizer level, high containment pressure, steamline differential pressure, high steam flow, and steamline pressure.
(3) Shutdown Cooling System
The shutdown cooling system is used to remove decay heat from the primary system while the reactor is shut down. Cooling is provided by the shutdown heat exchangers. The shutdown cooling system includes some piping and pumps of the safety injection system.
C. Control and Instrumentation Systems
(1) Reactor Protection System
The reactor protection system serves the function of rapidly shutting down the reactor when monitored system variables deviate from preset ranges. The system consists of the sensors, logic, and transducers required to monitor conditions, evaluate conditions and initiate reactor trip. The variables used to determine the need for reactor trip differ both between the vendors and as a function of power level.
Typical variables that are used are: high rate-of-change of power, high power level, low coolant flow, low steam-generator water level, low steam generator pressure, loss of load, and core ΔT/low pressure.
(2) Electrical Systems
Plant electrical systems are designed to provide energy demands during startup, operation at power, shutdown, and under emergency or accident conditions.
Potential sources of power include off-site power, storage batteries and diesel generators. Engineered safety features are designed to function effectively under the condition of loss of off-site power.
(3) Chemical and Volume Control System
This system controls the volume of liquid in the primary system and the chemical composition of the primary coolant. Through letdown piping the primary coolant is bled from the primary system and fission product activity and corrosion products are removed.
Coolant borated to the desired level is added to the primary system through the charging system.
D. Auxiliary Cooling Systems
The component cooling system provides cooling water to components that can come into contact with radioactive water and acts as a barrier to contamination of the raw water system. The component cooling system is used for most of the heat exchangers and pumps associated with the primary system and fuel storage area as well as providing cooling to the engineered safety features.
The raw water system provides for heat transfer between the component cooling system and a water body.
The turbine plant cooling water system is used to cool the conventional plant equipment. The spent fuel pool cooling system provides for removal of decay heat in the spent fuel storage pool.
E. Refueling System
The refueling system provides for the safe storage and handling of fresh or irradiated fuel. The system consists of a refueling machine, a refueling cavity that forms a pool above the core, storage pools for fuel storage and other fuel transfer equipment.
F. Feedwater System
The feedwater system provides water to the steam generators for the production of steam. In order to decrease the probability of unavailability of feedwater, an auxiliary feedwater system can be used to supply water to the steam generators.
G. Fire Protection System
The purpose of this system is to detect, locate, alarm, and extinguish fires. The system includes conventional detection equipment, sprinklers, hoses, and fire extinguishers.
APPENDIX C
SAFETY RELATED INCIDENTS IN LIGHT-WATER POWER REACTORS
A review of the literature shows an increase in the number of reports of abnormal occurrences as more power reactors are brought into service. A large number of these reports deal with equipment malfunctions which are discovered as a result of routine tests and inspections. Fortunately, there have been no major nuclear accidents. There have been reports of radioactivity releases above specified levels as a result of operator errors or system failures but none have had serious consequences. From the viewpoint of evaluating operator performance during accidents there is a sparsity of experience.
In this appendix six incidents are described which have occurred over the last few years. These examples were chosen because in each event the transient behavior was relatively complex affording an opportunity to gain some insight into operator performance. The two secondary system pipe ruptures that are described for PWRs occurred prior to powered operation of the fuel so that the potential consequences of the accidents were not great. Each of the BWR accidents which involved significant coolant losses were the result of premature safety relief valve operation.
(1) Occurrence: Primary Containment Pressurization
Reactor: Dresden Unit 2
Date: June 5, 1970
Reference: Docket 30237-54
The reactor was operating at 75 percent power at near equilibrium conditions in preparation for a pump test. At 21:25:t0 a spurious signal caused the turbine control valve to open from 75 to 50 percent power and the turbine bypass valves to open fully; the steam flow increased to 115 percent of rated flow. During the first second the turbine tripped, the reactor tripped, and high steam flow signals occurred momentarily. However the high flow signals were not simultaneous in both channels so isolation did not occur at this time. During the next second a generator load rejection occurred.
The reactor water level dropped rapidly from void collapse. The two operating feedwater pumps went into runout and tripped automatically; one pump restarted automatically. The water level started to rise in less than 20 seconds.
The turbine bypass valves closed automatically after 22 seconds. The reactor pressure dropped to the low pressure isolation trip point (850 psig) and the main steamline isolation valves started closing after 33 seconds.
As the cool feedwater caused additional void collapse the water level began to decline. After 50 seconds it began to rise again. The water level recorder stuck at an indicated 17 inches (the trend chart showed the level continued to increase) and with this misinformation the operator increased the feedwater flow. The water level rose and flooded the main steamlines and the isolation condenser steamline.
The operator found the stuck recorder after 1-1/2 minutes and reduced the feedwater flow to minimum. As the vessel pressure increased the operator actuated the isolation condenser but it immediately tripped out.
Next he tried to open the main steamline isolation valves but they had not been reset from their previous trip. At 3-3/4 minutes a relief valve was operated manually to reduce the vessel pressure from 1050 to 960 psig.
After about 5 minutes a safety valve opened momentarily and its discharge cocked the lifting levers on two relief valves, holding those valves in a partially open position. The containment pressure rose from the safety valve action and tripped the ECCS. The low pressure cooling pumps and the diesel generators started; the high pressure core spray was out of service.
The reactor pressure was controlled by relief valve operation in conjunction with the isolation condenser which was successfully activated.
Subsequently, the main steamline isolation valves were opened and the main condenser was used to reduce the vessel pressure. During this time the neutron monitors showed erratic behavior which proved to result from cable damage. The drywell cooler was brought into service manually and in 2 hours the drywell pressure "was back on scale at 2.2 psig".
Later, samples were taken for analysis of radiation levels; the drywell was entered for inspection on June 7, 1970.
Comments: This incident resulted in damage to the plant and loss of plant service but no abnormal radiation releases occurred so the public was not adversely affected. The transient is an example of a situation being worsened by the operator acting with approved procedures but with the wrong information. Believing that the water level was low as shown by the stuck recorder the operator overfilled the reactor vessel.
In addition one observes that the one equipment failure led to others; the jet blast from the malfunctioning, misdirected safety valve damaged two additional valves which added to the existing problem.
(2) Occurrence: Primary Containment Pressurization
Reactor: Dresden Unit 3
Date: December 8, 1971
Reference: Docket 50249-112
The reactor was being operated in a base-load condition at 2300 MWt.
At 14:13:08 a condensate booster pump tripped for reasons unknown.
In one second the two operating feedwater pumps tripped on low suction pressure and in another second the standby feedwater pump started automatically. The reactor water level decreased rapidly and the reactor tripped after 13 seconds on low water level.
The reactor water level fell to -20 inches (ECCS initiation is at -59 inches) and started to increase. As the level rose the operator took the manual actions prescribed by established procedures to control the water level. As the water level rose to zero inches the operator manually initiated closure of the feedwater isolation valve. However, at some time during its closure the valve stalled at 0
a flow of 2.3 x 10 lb/hr.
At 1 minute and 6 seconds the low vessel pressure initiated closure of the main steamline isolation valves; the pressure low point was 795 psig. At about 1 minute and 22 seconds the water level reached 30 inches and started filling the main steamlines.
In a little over 4 minutes the vessel pressure rose to 1020 psig, a safety valve lifted prematurely, and as the drywell pressure increased to 2 psig, the ECCS pumps and standby diesel generators started, the reactor recirculation pumps tripped, and the containment isolated.
It was estimated that the safety valve remained open for 1-1/2 minutes.
The drywell pressure peaked at 20 psig.
The operator manually tripped the feedwater pump 13 minutes after the beginning of the incident. The water level had risen to 130 inches. The suppression chamber cooling was placed in operation; 6 hours later the drywell pressure was reduced to 4 psig.
Comments: This incident did not jeopardize the safety of the public; it did result in plant damage and the loss of power generating capacity during cleanup and corrective actions.
The feedwater control system was deficient.
Prior experience had shown the inability of the system to automatically control the water level below the high level trip point for main steamline isolation. This was the reason for having an established procedure for manual action by the operator. The operator response was in accordance with procedures throughout the incident with one significant exception, he did not trip the feedwater pump when the water level reached 60 inches. Had he tripped the feedwater pump as required the excessive water level and containment pressurization probably would have been avoided.
(3) Occurrence: Primary Containment Pressurization
Reactor: Dresden Unit 3
Date: May 4, 1972
Reference: Docket 50249-138
The plant was being operated in a base-loaded condition at 2300 MWe with all conditions essentially normal. At 09:01:21 the reactor was tripped for unknown reasons. The reactor water level began decreasing due to void collapse tripping the low water level relays and causing the feedwater pumps to increase their output. The operator moved the mode switch from "run" to "refuel" position as per operating procedure.
The water level began to increase gradually after a minimum of 1/2 in. on the recorder scale, the low water level trips reset, one feedwater pump was manually tripped, and as the water level increased both feedwater pumps were automatically tripped. At a water level of LS in. isolation was initiated and 5 minutes and 2 seconds after the reactor tripped the main steamline isolation valves closed. The water level peaked at 34.5 in.
The reactor pressure decreased rapidly after the reactor trip as a result of water level decrease and continued steam output to the turbine. At 328 psig the pressure turned around and at 10 minutes after the reactor trip when the pressure reached 1060 psig an attempt was made to use the isolation condenser.
However the isolation condenser return valve would not open electrically and an operator was dispatched to open it manually.
As the pressure reached 1100 psig the order to open an electromatic relief valve was given by the shift supervisor.
Before the order could be carried out an electromatic relief valve operated automatically at 25 psi less than its previous set point and reduced the vessel pressure to 1035 psig. The pressure was then maintained below 1100 psig by manual operation of an electromatic relief valve.
At about 14 minutes after the trip when the electromatic relief valve operated automatically a safety valve opened momentarily and prematurely causing the drywell pressure to increase to 2-1/2 psig. The "High Containment Pressure" alarm annunciated, and the ECCS systems, the HPCS, LPCS, and LPCI pumps, and the diesel generators, all started.
The drywell pressure alarm reset at 1-1/2 psig at 23 minutes and the pressure continued to decrease slowly. The drywell pressure was normal 40 minutes after the reactor trip. After 25 minutes the isolation condenser return valve was opened manually allowing the isolation condenser to be used for reduction of the reactor pressure.
Comments: No increase in release of radioactivity was detected so the public safety was not endangered. A postincident assessment of the operator's performance showed that he was aware of the situation and acted in accordance with the procedures established controlling the water level after a reactor trip. It should be observed that during the course of the incident there were three unrelated valve malfunctions one of which resulted in the containment pressurization.
There is some assurance to be gained from the three containment pressurization incidents described here. That is, that in each case the "high containment pressure" signal initiated the start of the emergency cooling pumps and the standby diesel generators.
C-6 (4) Cccurrence:
Steam Pipe Break Reactor:
H. B. Pobinson 2 Date: April 28, 1970
Reference:
Docket 50261, Letter June, 1970.
A section of pipe connecting a safety valve to a steamline failed. The break was not isolable and the associated steam generator suffered a complete blowdown. At the time of the incident there was no fuel in the reactor and the system was undergoing hot functional testing. As part of this testing, verification and adjustment of the safety valve set points were being performed with the aid of a pneumatic device. The failure occurred in the pipe leading to a valve that was undergoing testing. The rupture was signalled by a loud noise accompanied by a shower of steam and debris. The workmen in the neighborhood were either knocked to the floor or fell to the floor to breathe. They escaped by crawling from the area.
In the control room the operator heard the loud noise and observed a decrease in pressurizer level and pressure. The reactor coolant system temperature and the level in C steam generator also began to decrease rapidly. The operator secured all three operating reactor cooling pumps. He activated two additional charging pumps and secured letdown flow. The pressurizer heaters were all secured before the pressurizer level reached the set point for automatic shutoff. The pressurizer level fell off scale but subsequent analysis indicated that it probably never dropped below the surge line.
Within a few minutes all available operators had reported to the control room. The loud noise rendered use of the plant intercom system undesirable. Two boric acid transfer pumps were started to provide makeup to the charging pumps.
During the cooldown period in-plant checks were made of other possible piping problems. Steam generator C reached level zero within approximately 1 hour. The coolant temperature decrease was 213 F.
A review was made of all plant temperature instruments including surface temperatures on some equipment to be sure that proper cooling was occurring.
Debriefing of the operator indicated that the information available to him was adequate and that by observing available indicators he was able to remain fully cognizant of plant conditions throughout the accident. Written emergency procedures were available to the operator in the control room, with which he was familiar. However, the operator did not find it necessary to refer to these procedures during the accident. Detailed system flow diagrams were also available to which frequent reference was made in order to verify the logic of recovery.
Comments: Since fuel had not yet been loaded, the public safety was clearly never endangered. The response of the system might have been somewhat different if the heat source of the fuel had been present. It is quite likely that the rapid cooldown would have caused a return to criticality after the rods had been tripped. The accident does show that operator actions can significantly affect the transient behavior of an accident. In this case the timely actions of the operator prevented the pressure from dropping below the set point for safety injection.
(5) Occurrence: Failure of Safety Valve Header
Reactor: Turkey Point 3
Date: December 2, 1971
Reference: Docket 50250-66
The reactor was in the hot functional test program, with the primary system at 2235 psig and 547 F and the secondary at 990 psig when a safety valve header failed. The first indication to the operator was the loud noise of escaping steam. Steam generator 3A was completely blown down within three minutes.
The operator observed a rapid decrease in pressurizer level and pressure. Rapid decreases were also observed in the hot leg, cold leg and average temperature and in the water level in steam generator 3A.
Closure of the letdown valve and pressurizer heater trip occurred automatically. The operator closed the feedwater valve to steam generator 3C (the only one that had been operating) and closed the 3B and 3C atmospheric steam dump valves. The reactor coolant pumps were also shut down. The operator started a second charging pump and both operated at full speed.
Boration, which had been started prior to the accident, was stopped and primary water makeup was started to restore the volume control tank level.
The pressurizer level returned on-scale in 15 minutes. One charging pump was stopped and letdown was reestablished. At this point the plant had been stabilized. After an inspection one of the reactor coolant pumps was re-started and temperatures within the primary system were equilibrated.
In assessing the accident the utility concluded that the operators had responded capably to the accident.
(6) Occurrence: Failure of Main Steam Isolation Valve to Close
Reactor: R. E. Ginna
Date: June 30, 1971
Reference: Docket 50244-73
While the reactor was at power, a failure led to emergency feed water being supplied directly to the main feedwater pump suction. Mixing of the cold emergency water with warm heater drain pump discharge caused severe vibrations in the two feedwater pumps. Damage to one of the pumps initiated a pump trip. The second pump was tripped manually to prevent damage to the pump. Turbine generator trip and reactor trip occurred as an automatic consequence of shutdown of the feedwater pumps.
During this time main steam header pressure rose from 780 psig to 1005 psig. A flow orifice gasket in a reheater then failed allowing steam to escape into the turbine building.
The operator was instructed to close the main steam isolation valves. One of the valves failed to operate as indicated by position lights. The shift foreman went to the location of the valve and manually tripped it.
Comments: Although this incident would not be considered particularly serious, it does illustrate an important aspect of accident monitoring. Accidents may very well involve a number or sequence of failures. The failures may be the result of abnormal conditions produced in the accident, such as the initial feedwater trip and the gasket failure, or may be independent, such as the isolation valve failure.
The failure of the isolation valve to operate and the corrective action taken demonstrate that alternative actions are often available to the operator if he is made aware that a malfunction exists.