ML19322E687
| ML19322E687 | |
| Person / Time | |
|---|---|
| Site: | Indian Point |
| Issue date: | 02/06/1976 |
| From: | Pollard R Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML100150718 | List: |
| References | |
| NUDOCS 8004020115 | |
Text
ATTACHMENT 5

REPORT ON THE NUCLEAR REGULATORY COMMISSION REACTOR SAFETY REVIEW PROCESS

By Robert D. Pollard
Project Manager
Division of Project Management
U. S. Nuclear Regulatory Commission

February 6, 1976
ILLUSTRATIVE SAFETY PROBLEMS

I. CONTAINMENT ISOLATION

The General Design Criteria set forth in Appendix A to 10 CFR Part 50 establish the "minimum requirements for the principal design criteria for water-cooled nuclear power plants".
General Design Criteria 54, 55, 56 and 57 establish minimum requirements concerning isolation of piping systems that penetrate the reactor containment.
Criterion 55 and Criterion 56 specify four containment isolation valve arrangements.
Each isolation valve arrangement involves a combination of locked closed isolation valves and/or automatic isolation valves to prevent the release of radioactive material.
These criteria specify that one of the four valve arrangements "shall be provided -- unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis".
In contrast to these specific requirements, the staff is aware that many of the lines at the Indian Point 3 plant do not have isolation valve arrangements which correspond to any of the arrangements specified by Criterion 55 and Criterion 56.
Furthermore, neither the staff nor the licensee has identified a "specific class of lines" that need not utilize the specified arrangements.
Nor has either the staff or licensee identified "some other defined basis" on which the Indian Point 3 isolation valve arrangement can be demonstrated to be acceptable.
Rather than adhere to the requirements of the General Design Criteria, the licensee has proposed technical specifications which would permit plant operation with containment isolation valves (which have no provision for automatic closure) in their open positions.
The licensee states that reliance on the reactor operator to manually initiate closure of such valves is "adequate."
The staff apparently gives tacit approval to this evasion of NRC regulations by stating that "We have reviewed the isolation valve arrangements for conformance to General Design Criteria 54, 55, 56 and 57, and conclude that the design meets the intent of these criteria".
(Safety Evaluation of the Indian Point Nuclear Generating Unit No. 3, dated September 21, 1973).
This is one of the safety problems I became aware of as project manager for Indian Point 3.
The pressure to issue a license on a schedule compatible with the applicant's desires notwithstanding, I questioned those staff personnel with specific expertise in the reactor containment area about their bases for accepting the Indian Point 3 design.
Their responses indicated that: a) it was known that the design did not meet the General Design Criteria, b) the design was not different than other licensed nuclear power plants, and c) it was too late to require design changes to the plant.
These experts stated that they saw no reason to change their previous conclusions as stated in the Indian Point 3 Safety Evaluation Report and referenced above.
The bases for these conclusions remain obscure if not non-existent.
The staff's Safety Evaluation Report mentions the "double barrier protection -- provided so that no single valve or piping failure can result in loss of containment integrity".
Also described briefly are the two groups of containment isolation valves which are closed automatically by the safety injection signal and the actuation of containment spray.
No mention is made of the non-automatic containment isolation valves, the criteria used to judge the acceptability of reliance on manual operator action, or the specific "closed system" which is purported to constitute one of the barriers to escape of radioactive materials.
I believe that the provisions for containment isolation following an accident at Indian Point 3 should be evaluated or re-evaluated.
If the present design and proposed technical specifications are found acceptable, the NRC should state the specific technical bases for its conclusion that the design meets the NRC regulations.
Indian Point 2 should also be evaluated in this regard.
It is likely that the situation there is the same as or more hazardous than the situation at Indian Point 3.
The staff should have discussed the non-automatic containment isolation valves, the nature of the "closed systems" upon which the "acceptability" was partially based, and the criteria used to judge the adequacy of manual operator action.
The Safety Evaluation Report, in discussing only those aspects of containment isolation which were not a problem and then stating the conclusion that the design meets the "intent" of the General Design Criteria, presented a more favorable picture of containment isolation than the actual design warrants.
By presenting only the favorable aspects, the remainder of the licensing process, i.e., scrutiny by public, independent decisions by the licensing boards, was subverted and therefore less likely to be able to reach a sound decision based on all the facts.

II. SUBMERGED VALVES

During my assignment as project manager for the Indian Point 3 plant, the problem concerning submerged valves arose.
Basically, this problem is that following an accident, much of the water from the reactor coolant system and from operation of the emergency core cooling systems collects in the containment.
Recently, it has been discovered that many valves located inside the containment, including some valves intended to be used to mitigate the consequences of accidents, could become submerged and, thereby, rendered inoperable.
Why the vendor, applicant or staff did not discover this problem over the past years is a question worth explaining for the future, with the aim of preventing similar fundamental oversights.
For now, it is better to concentrate on determining an acceptable solution to the problem.
Con Ed has proposed a scheme to solve the problem.
Basically, their proposal is to elevate only a few of the valve motors (but not the valves) above the calculated water level which is expected following an accident.
For most of the valves whose motors will be sacrificed, Con Ed has expressed their conclusion that this will have no adverse effect on accident consequences.
Since not all the valve motors (which were previously to be relied upon to cope with the accident) will be elevated, it is necessary to modify equipment and to develop new operating procedures for the manual operator actions that are required soon after the accident.
Whether the new procedures and resulting core cooling system performance using these new procedures have been evaluated as thoroughly as the original design by either the staff or the applicant is questionable.
Whether the plant operators have been adequately "debriefed" on the old procedures and retrained in the use of the new procedures is also questionable.
The deficiencies in the evaluation of the revised design and operating procedures are illustrated by the following questions which have not been adequately analyzed:
a) Do the platforms used to support the elevated motors have adequate capability to withstand an earthquake? (Of course, until a decision concerning the magnitude of the earthquake that must be withstood is reached, the question of the seismic adequacy of the entire plant remains unanswerable.)
b) Is there any circumstance under which the submerged valves might be needed to cope with an accident, especially if the accident sequence does not follow the predicted sequence?
c) What "new" equipment will need to be relied on, e.g., core cooling system flow instrumentation? Has this equipment been designed, procured and installed in accordance with the regulations and standards applicable to safety equipment?
d) What are the disadvantages (and what is their significance) of using operators trained on Unit 2 to operate Unit 3 which has had substantive design changes compared to Unit 2?
e) What other equipment besides valves will become submerged following an accident? Has the effect on safety of submerging this equipment been evaluated?
More urgent from a public safety viewpoint than the review of Indian Point 3 is the question of the status of Indian Point 2 and other operating plants.
The most recent correspondence on this matter (Reference 35) of which I am aware seems to indicate that nothing will be done to alter plant design or operating procedures prior to "the first refueling outage (which) is currently scheduled to commence April 1, 1976".
I consider this to be a totally irresponsible course of action.
The NRC should not allow continued operation of a plant when there is good cause to believe that an unresolved safety question exists and that the plant is not in compliance with the regulations.
In fact, the regulations would appear to require a completely different course of action (see 10 CFR 50.100).
Legal interpretation of the regulations notwithstanding, the proper course for a purely regulatory agency to follow is to permit operation only when there are sound technical bases to demonstrate safety of operation rather than to permit operation until the licensee or public can provide the sound technical bases for requiring immediate shutdown of the plant.

III. PUMP FLYWHEEL MISSILES GENERATED BY REACTOR COOLANT PUMP OVERSPEED

References 37 through 50 are some of the documents which discuss this unresolved safety problem.
As a result of a reactor coolant system pipe rupture and the blowdown of reactor coolant through the reactor coolant pump, "the pump impeller may act as a hydraulic turbine causing the pump, motor, and the flywheel to overspeed and become potential sources of missiles". (Reference 38)
This is a significant problem because of the tremendous inertial energy of the missiles, especially flywheel parts, and the difficulty of predicting the course of these missiles.
Whether containment integrity can be

IV. SEPARATION OF ELECTRICAL EQUIPMENT

Much emphasis is placed on the single failure criterion in attempting to assure the public that nuclear plants are safe.
Much less emphasis is given to the underlying assumptions which must be satisfied in order that the single failure criterion be a valid criterion.
One of these basic assumptions is that failures will occur only in a random manner.
Stated another way, the assumption is that failure (or operation) of one system or component will not affect the performance of its redundant counterpart.
One of the basic methods used to try to satisfy this assumption is to physically separate redundant equipment.
The separation must be sufficient both to assure that failure of one safety system does not cause failure of the other and to assure that failures in non-safety systems do not cause failure of either safety system.
A more detailed explanation of this philosophy can be found in IEEE Std 379 and the NRC standard review plan Chapter 7.
Based on my knowledge of the Indian Point 2 and 3 designs and the current separation criteria, I conclude that the physical separation provisions at Indian Point 2 and 3 are not adequate for the health and safety of the public.
There is no adequate basis for concluding that a common mode failure will not result in a very serious accident other than sheer good luck.
In fact, based on the documents in the NRC files, this conclusion appears to be almost identical to the conclusions other knowledgeable staff members reached as early as 1969.
An ACRS Subcommittee meeting was held in April, 1970 and the staff made a rather detailed presentation of the poorer design aspects related to the Indian Point 2 protection and electrical systems.
This included discussion of the single cable tunnel, the engineered safety feature manual actuation panel in the control room without separation in the panel, the common diesel location in a sheet metal structure, cable separation, and cable penetrations at the containment.
"The Subcommittee was 'appalled' at the situation.
They asked if we did not have an Oyster Creek situation in hand and whether we should not have the applicant make an independent review of his work as we required of Jersey Central." (Reference 18)
By the time the Electrical Systems Branch provided its input (Reference 22) for use in preparing a report to ACRS the electrical items which did not meet present day criteria earlier in the review, had either been "accepted", "resolved", or "approved with some reluctance", or they remained "unresolved".
The two reports to the ACRS prepared by the staff and classified as "Official Use Only" (References 26 and 28) should be reviewed by NRC to determine whether the previous bases for reluctantly accepting design deficiencies are adequate for protecting the health and safety of the public.
Based on those reports, it appears that many items were accepted solely because so many other areas of the plant were deficient that it wouldn't do much good to require upgrading only a few.
In other cases, it appears that a judgment was made that the cost in time and money needed to provide substantial additional protection for the public health and safety was too great.
The bases for this staff conclusion should be made public.
In the case of the separation between Unit 2 diesels, the apparent resolution is inconsistent in itself.
The applicant claimed that there was no history of diesel explosions that damaged the diesel's environs.
Nevertheless, a concrete wall was installed to protect the common control panel but no similar protection was installed between the diesels.
In summary, I consider the physical separation, or more accurately the lack of adequate physical separation, to be one of the significant safety hazards at Indian Point 2 and 3 which should be reconsidered.
The single electric cable tunnel,*/ the cable spreading room, the containment electrical penetration area, the main control board, the safety injection pump and containment spray pump areas, and the auxiliary feedwater pump areas are among the vital areas that should be re-evaluated.

*/ The fact that Unit 3 has two cable tunnels is not significant because the system logic requires that two out of three systems be operable following an accident.
In addition, the problem of associated circuits was apparently not considered at all.