Text

',

0f rheg

?

hg UNITED STATES g

NUCLEAR REGULATORY COMMISSION E

W ASHING TON, D. C. 20555 s

i

%,.,,, /

MAY 131980 MEMORANDUM FOR:

R. F. Fraley, Executive Director, Advisory Comittee on Reactor Safeguards FROM:

Harold R. Denton, Director, Office of Nuclear Reactor Regulation

SUBJECT:

RESPONSE TO DR. C0 HEN'S CONCERNS REGARDING LOSS OF THE WATER SUPPLY FROM THE REFUELING WATER STORAGE TANK This is in response to your letter of April 18, 1980.

Your letter forwarded a letter from Dr. Bernard Cohen that expressed a concern for the potential consequences of loss of the refueling water storage tank (RWST) water supply.

The accident scenarios we consider for the design basis of the systems needed to mitigate a loss-of-coolant accident do not include passive failure of the RWST. As described in Dr. Cohen's draf t paper, the sequence of events leading to core meltdown would require a LOCA and total loss of water from the RWST at essentially the same time. We consider this very unlikely because of the design provisions and operational security measures described below.

Our design requirements on the tank are quite stringent.

It is safety grade equipment, designed to meet the requirements of ASME Code Section III, Class 2, and to meet appropriate earthquake, flood, fire, and tornado design criteria, as well as to meet a number of mechanical and electrical design criteria appli-cable to the tank's connected piping and electrical instrumentation. Our quality assurance criteria, based on 10 CFR 50 Appendix A, control the design, materials, manufacture, test, operation, and maintenance of critical components and systems, which include the RWST.

The design basis for the RWST, and in fact all plant equipment necessary for safe shutdown of the plant, assumes a single active failure coincident with the accident initiating event. Given a LOCA (initiating event), we require that a plant be capable of safe shutdown even given the additional random loss of any single active component, (pump, valve, relay, etc.).

This requirement has lead of course to redundancy and diversity in the ECCS equipment, including power supplies and control equipment. However, we have net required an assumption of major passive failures (other than the initiating event) to be considered as a safety criterion in the design.

Our rationale considers random active failures, severe natural phenomena, and sabotage. A random passive failure (such as the pressure boundary rupture of the RWST) simultaneous with a LOCA is obviously an extremely low probability event.

Since both the reactor coolant system and accident mitigating systems, including the RWST, arc designed to withstand severe earthquakes, tornadoes, etc., the probability of such natural phenomena both causing the accident and rendering the mitigating systems inoperative is low.

,8006300p 7

T

,R. F. Fraley MAY 2 31980 The regulation that specifies the design basis for comprehensive protection against sabotage is 10 CFR 73, " Physical Protection of Plants and Materials."

Specifically,10 CFR 73.55 specifies requirements for the physical security organization, physical barriers, access controls, detection aids, comunica-tions capability, testing and maintenance, and security organization response capability. We believe that the programs developed and in place at all operating nuclear power plants today, in compliance with these regulations, are capable of meeting challenges to the physical security of these plants such that the probability of successful sabotage to cause a LOCA and concur-rently fail the RWST is acceptably low.

Notwithstanding our belief that the current requirements for the RWST result in acceptably low risk, the events of the past year have caused a re-examination of our licensing bases in many respects.

The most recent descriptions of plans to pursue this objective are contained in NUREG-0660, "NRC Action Plans Developed as a Result of the TMI-2 Accident," May 1980.

The actions proposed by this plan include:

i 1.

Tasks II.C.1 and II.C l.2, Interim Reliability Assessment Program (IREP) -

An effort to employ event-tree analysis to develop an ordered series of accident sequences suitable for qualitative analysis and for use in prob-abilistic analyses of core-melt accidents.

The reliability analyses will include single active and passive and multiple active failures, unavail-ability due to testing and maintenance, and operator errors associated with standby status, testing, and maintenance. Such studies will eventually be performed for all operating reactors.

2.

Task II.C.4, Reliability Engineering - Specifications will be developed by NRR for acceptable reliability assurance programs to be implemented by operating license holders and future licensees.

The role of probabilistic safety or reliability analysis in future safety analysis will be defined in this program.

3.

Task II.B.8, Rulemaking Proceeding - The NRC will conduct a rulemaking on censideration of degraded or melted cores in safety reviews.

The objective, as well as the characteristics and effectiveness of possible design features will be examined for preventing and mitigating the consequences of these kinds of accidents.

4.

Task II.E.3.3, Decay Heat Removal; Coordinated Study of Shutdown Heat Removal Requirements - This effort will be a comprehensive system requirements evalu-ation that will assess the desirability of and possible requirement for a diverse heatremoval path. NRC staff will work with the recently established ACRS Ad Hoc Subcommittee on this matter to develop a mutually acceptable overall study program.

~

e e

4

,f R".

F. Fraley MAY 2 31980 5.

Task IV.E.1, Expand Research on Quantification of Safety Decision-Making -

An effort to proceed toward better quantification of safety objectives, including safety-cost tradeoffs.

This task will examine the possible appli-cation of formal decision-making techniques to the regulatory environment.

Future programs will build on the risk assessment and systems reliability work currently under way and incorporate a better assessment of common-mode and human failures.

In closing, I would like to compliment Dr. Cohen on his comprehensive and use-ful examination of ECCS failure consequences. We are interested in staying apprised of further work that he may do in this area and would appreciate your contacting us with any further results.

For my part, I would like to assure you and Dr. Cohen that we will continue to consider the importance of RWST water in our future efforts to identify and prioritize nuclear plant accident sequences.

Sincerely, AtsYb m

Harold R. Denton, Director Office of Nuclear Reactor Regulation

._-- -.