ML19337A842
Site: Three Mile Island
Issue date: 09/25/1980
From: Pollard R, Union of Concerned Scientists
Shared Package: ML19337A840
References: NUDOCS 8009300422
Download: ML19337A842 (25)
Text
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD

In the Matter of
METROPOLITAN EDISON COMPANY, et al.                Docket No. 50-289
(Three Mile Island Nuclear Station, Unit No. 1)

DIRECT TESTIMONY OF ROBERT D. POLLARD ON BEHALF OF THE UNION OF CONCERNED SCIENTISTS REGARDING UCS CONTENTION NO. 10

September 25, 1980
ROBERT D. POLLARD
QUALIFICATIONS

Mr. Pollard is presently employed as a nuclear safety expert with the Union of Concerned Scientists, a non-profit coalition of scientists, engineers and other professionals supported by over 80,000 public sponsors.
Mr. Pollard's formal education in nuclear design began in May, 1959, when he was selected to serve as an electronics technician in the nuclear power program of the U.S. Navy.
After completing the required training, he became an instructor responsible for teaching naval personnel both the theoretical and practical aspects of operation, maintenance and repair for nuclear propulsion plants. From February, 1964 to April, 1965, he served as senior reactor operator, supervising the reactor control division of the U.S.S. Sargo, a nuclear-powered submarine.

After his honorable discharge in 1965, Mr. Pollard attended Syracuse University, where he received the degree of Bachelor of Science magna cum laude in Electrical Engineering in June, 1969.

In July, 1969, Mr. Pollard was hired by the Atomic Energy Commission (AEC), and continued as a technical expert with the AEC and its successor the United States Nuclear Regulatory Commission (NRC) until February, 1976. After joining the AEC, he studied advanced electrical and nuclear engineering at the Graduate School of the University of New Mexico in Albuquerque. He subsequently advanced to the positions of Reactor Engineer (Instrumentation) and Project Manager with AEC/NRC.
As a Reactor Engineer, Mr. Pollard was primarily responsible for performing detailed technical reviews analyzing and evaluating the adequacy of the design of reactor protection systems, control systems and emergency electrical power systems in proposed nuclear facilities. In September 1974, he was promoted to the position of Project Manager and became responsible for planning and coordinating all aspects of the design and safety reviews of applications for licenses to construct and operate several commercial nuclear power plants. He served as Project Manager for the review of a number of nuclear power plants including: Indian Point, Unit 3, Comanche Peak, Units 1 and 2, and Catawba, Units 1 and 2. While with NRC, Mr. Pollard also served on the standards group, participating in developing standards and safety guides, and as a member of IEEE Committees.
OUTLINE - DIRECT TESTIMONY ON UCS CONTENTION NO. 10

The testimony begins by discussing the ways in which operator action during the TMI-2 accident prevented the completion of automatically-initiated safety functions, contributing substantially to the severity of the accident.

In UCS's view, a design such as TMI-1, which permits premature termination of safety functions, is a violation of NRC regulations as properly interpreted and is unsafe. This is demonstrated through a discussion of the purpose of IEEE Standard 279, the history of its development, the continuing work of IEEE standards committees, the Commission's past policy and practice in applying the standard and the lessons which should be learned from the TMI-2 accident. The testimony suggests the type of design changes that could be implemented at TMI-2 to prevent premature termination of ECCS, auxiliary feedwater and containment isolation. It concludes that, at present, the TMI-1 design is unsafe and, therefore, TMI-1 should not be permitted to resume operation.
UCS CONTENTION NO. 10

The design of the safety systems at TMI is such that the operator can prevent the completion of a safety function which is initiated automatically; to wit: the operator can (and did) shut off the emergency core cooling system prematurely. This violates §4.16 of IEEE 279 as incorporated in 10 CFR 50.55a(h) which states:

The protection system shall be so designed that, once initiated, a protection system action shall go to completion.

The design must be modified so that no operator action can prevent the completion of a safety function once initiated.

During the TMI-2 accident, the operator prevented a safety system from performing a safety function that the protection system had automatically initiated. The operator, in violation of emergency procedures, terminated full flow from the high pressure injection system to the reactor coolant system. This reduction in emergency cooling water flow significantly contributed to the damage sustained by the TMI-2 reactor. In addition, the operator may have terminated all emergency feedwater to both steam generators by closing two valves.

(Footnote: It is not known whether the valves were closed before or during the accident. In any event, the capability for the operator to close both valves and terminate auxiliary feedwater existed.)
GDC-20, "Protection System Functions", requires that "[t]he protection system shall be designed . . . to sense accident conditions and to initiate the operation of systems and components important to safety." Section 4.16, "Completion of Protective Action Once It Is Initiated," of IEEE Std 279 requires that "[t]he protection system shall be so designed that, once initiated, a protection system action shall go to completion." In addition, Section 4.12, "Operating Bypasses," of IEEE Std 279 requires that "[w]here operating requirements necessitate automatic or manual bypass of a protective function, the design shall be such that the bypass will be removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are part of the protection system and must be designed in accordance with these Criteria", i.e., the criteria set forth in IEEE Std 279.

In contrast to these requirements of the Commission's regulation, TMI-1 (like TMI-2) is designed such that the reactor operator can prevent or prematurely terminate the protective or safety functions provided by the emergency core cooling, auxiliary feedwater and containment isolation systems. In other words, the reactor operator can prevent the completion of a safety function despite the fact that plant conditions are such that the safety function is needed.

(Footnote: Incorporated in 10 CFR 50.55a.)
Neither Met Ed nor the Staff have disclosed any significant disagreement with the above statements on UCS Contention 10. Both apparently disagree, however, with my conclusion that TMI-1 must be modified so that no operator action can prevent the completion of a safety function once initiated. Their arguments fall into two categories: 1) the requirements of IEEE Std 279 do not apply to the emergency core cooling, auxiliary feedwater and containment isolation systems because these systems are not part of the protection system as defined in IEEE Std 279, and 2) the health and safety of the public is better protected by the present TMI-1 design than by a design which prevents the operator from defeating a safety function until it is completed. I will now address these arguments and explain why I conclude that they are not supportable.
Met Ed and the Staff take the position that because of the definition of "protection system" in IEEE Std 279, the emergency core cooling, auxiliary feedwater and containment isolation systems are not part of the protection system. Therefore, they argue, none of the requirements of IEEE Std 279 apply to these latter systems.

(Footnote: "For purposes of these Criteria, the nuclear power plant protection system encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function." (IEEE Std 279, "Scope").)
While that argument has a patina of validity, it is primarily a simplistic, legalistic argument that lacks any evidence of rational technical input. The Staff and Met Ed ignore the purpose of IEEE Std 279, the history of its development, the continuing work of IEEE standards committees, the Commission's past policy and practice in applying the standard, and the lessons to be learned from the TMI-2 accident.
The Purpose of IEEE Std 279

In relying on the definition of protection system, Met Ed and the Staff ignore the purpose of the standard which is to "establish minimum requirements for the safety-related functional performance and reliability of protection systems. . . ." (IEEE Std 279, "Scope"). One of the "safety-related functional performance requirements" of IEEE Std 279 is that, once initiated, a protection system action shall go to completion. But Met Ed and the Staff take the position that conformance with this requirement can be determined without considering whether the actuated system (such as emergency core cooling) actually performs its safety function.

For example, Met Ed and the Staff argue that "sealing in" the electrical signal used to initiate operation of the emergency core cooling system is all that is required by IEEE Std 279. Whether that signal actually turns on the emergency core cooling system and whether the operator can turn it off before it is no longer needed are irrelevant, they say, to meeting the requirement of Section 4.16 of IEEE Std 279.

My view is that this is not a correct interpretation of the purpose of the requirement. The purpose is to ensure that when the protection system (a redundant, diverse, testable, environmentally and seismically qualified, reliable system which meets the single failure criterion) determines that a safety function is needed, that function will be initiated and go to completion. The Staff and Met Ed arguments amount to saying that the Commission has imposed a requirement that has no purpose - that as long as the protection system attempts to initiate operation of a system that could perform the needed safety function, it matters not whether the safety function is actually accomplished.

I will give one example to illustrate the illogic of the position taken by Met Ed and the Staff. Applying the Staff and Met Ed's position yields the following: If the operator can prevent a protection system action by interrupting the signal into the "actuation device input terminals," the design violates IEEE Std 279. In contrast, the operator can prevent a protection system action and the design will comply (according to Met Ed and the Staff) with IEEE Std 279 if the signal is interrupted after the "actuation device input terminals." It is obvious that if such a minor design variation as interrupting an electrical signal on one side or the other of a set of terminals can determine whether the design violates or complies with the Commission's regulations, the interpretation of the requirement is without merit. The Staff and Met Ed fail to recognize that either design affects the functional performance of the protection system in the same way and, therefore, each violates the Commission's regulation.
The History of the Development of IEEE Std 279

The Staff and Met Ed, in relying upon the specific language of the definition of the protection system rather than considering the purpose of the functional performance requirement, ignore the history of the development of IEEE Std 279. Work on the document began in 1964 when the AEC was licensing nuclear plants without, for example, emergency core cooling systems. Thus, most experience in design and regulation applied to reactor shutdown systems rather than engineered safety features like emergency core cooling. The specific choice of words used in IEEE Std 279, therefore, was heavily influenced by the experience with reactor shutdown systems. Since reactor shutdown is accomplished by inserting the control rods in a few seconds, there was little concern about the operator preventing the completion of that protection system action once initiated. Rather, the concern was that some input signals to the protection system used to indicate the need for a reactor shutdown could be removed before the control rods were fully inserted.

For example, if a reactor shutdown was initiated by high power level, shortly after the control rods began inserting, the power level could decrease below the setpoint. This could cause the shutdown to terminate before the rods were fully inserted. Situations like this resulted in the choice of words "once initiated, a protection system action shall go to completion" in IEEE Std 279-1968.

The common method of implementing this requirement was to design the protection system such that once an electrical signal indicating the need for a protection system action was generated, the signal would remain "sealed in" even if the monitored plant variable subsequently changed. This design approach was also adopted for protection system signals used to initiate engineered safety features. For example, if high containment pressure initiates operation of the emergency core cooling and containment cooling system, the signal will remain "sealed in" even after operation of those systems reduces containment pressure below the initiation set point. However, unlike the reactor shutdown system, the safety function of engineered safety features is not completed in a few seconds, as was demonstrated by the TMI-2 accident. Premature termination of the operation of these systems (or, in the case of containment isolation, reopening the valves), renders them useless in providing the protection for which they were designed. Therefore, I conclude that by placing undue emphasis on the definition of protection system rather than considering the functional performance requirements, Met Ed and the Staff ignore the historical reasons for the choice of specific language in IEEE Std 279-1968.
The Continuing Work of IEEE Standards Committees

The preceding discussion of the development of IEEE Std 279 is supported by the continuing work of the IEEE in which the Staff has participated. IEEE Std 603-1977, "Criteria for Safety Systems for Nuclear Power Generating Stations," was published as a trial use standard in March 1977. As a member of the Staff, I served as the NRC representative on the IEEE standards committee that developed IEEE Std 603. The purpose of developing IEEE Std 603 was to apply the requirements of IEEE Std 279-1971 to the systems actuated by the protection system. The intent was to have IEEE Std 603 replace IEEE Std 279 after two years of trial use, i.e. in March, 1979.

(Footnote: IEEE Std 279-1971 is the "full" standard version of the "proposed" IEEE Std 279-1968.)

The development of IEEE Std 603 involved a conscious attempt to state the requirements of IEEE Std 279 in language broad enough to apply explicitly and unambiguously to both the protection system and systems actuated by it, but with sufficient specificity to be clearly applied by the user. When the characteristics of the protection system or the "protective action system" (the new name for systems actuated by the protection system) were such that a requirement could not be generalized without losing this objective, separate requirements containing the desired degree of specificity were established for each system. The requirements of IEEE Std 603 corresponding to the pertinent requirements of IEEE Std 279 applicable to operator interference with protective functions are:
1) Section 4.4, "Completion of Protection Action."

"The safety system shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions at the system level shall continue until completion. Deliberate operator action shall be required to return the safety system to normal. This requirement shall not preclude the use of equipment protective devices or the provision for those deliberate operator interventions which are identified in Section 3(10) of the design basis."

2) Section 4.10, "Operating Bypasses"

"Whenever the applicable permissive conditions are not met, the safety system shall automatically accomplish one of the following: (1) prevent the activation of an operating bypass; (2) remove any active operating bypass; (3) obtain or retain the permissive conditions for the operating bypass; or (4) initiate the protective function."

The related definitions in IEEE Std 603 are:

1) "SAFETY SYSTEM - The collection of systems required to minimize the probability and magnitude of release of radioactive material to the environment by maintaining plant conditions within the allowable limits established for each design basis event.

NOTE: The safety system is the aggregate of one or more protection systems, and one or more protective action systems. It includes the engineered safety features, the reactor trip system and the auxiliary supporting features."

2) "PROTECTIVE ACTION SYSTEM - The electrical and mechanical equipment (from the protection system output to and including the actuated equipment-to-process coupling) that performs a protective action when it receives a signal from the protection system.

NOTE: Examples of protective action systems are: control rods, and their trip mechanisms; isolation valves, their operators and their contactors; and emergency service water pumps and associated valves, their motors and circuit breakers. In some instances protective actions may be performed by protective action system equipment that responds directly to the process conditions (e.g., check valves, self-actuating relief valves)."

3) "PROTECTIVE FUNCTION - The completion of those protective actions at the system level required to maintain plant conditions within the allowable limits established for a design basis event (for example, reduce power, isolate containment, or cool the core)."

4) "OPERATING BYPASS - Inhibition of the capability to accomplish a protective function that could otherwise occur in response to a particular set of generating station conditions.

NOTE: An operating bypass is not the same as a maintenance bypass. Different modes of plant operation may necessitate an automatic or manual bypass of a protective function. Operating bypasses are used to permit mode changes (for example prevention of initiation of safety injection during the cold shutdown mode)."
I address later the portion of Section 4.4 of IEEE Std 603 concerning "the provision for those deliberate operator interventions which are identified in Section 3(10) of the design basis" in connection with the lessons to be learned from the TMI-2 accident. I have included the requirements of Section 4.10, "Operating Bypasses" of IEEE Std 603 at this point in my testimony to illustrate the widespread technical support for the position that if the protection system determines there is a need for a protective function, every effort should be made to ensure it will be accomplished. In other words, the plant should be designed so that if there is a need for emergency core cooling, the core is adequately cooled, not just that the ECCS actuation signal is sealed in. Furthermore, whether the operator bypasses a protective function before an accident (a situation addressed by Section 4.10) or after an accident (a situation that occurred at TMI-2) is immaterial. The functional performance requirement is that when plant conditions are such that a protective function or safety function is needed, the safety system is required to be designed such that the operator can not prevent the initiation and completion of that function.
The Commission's Past Policy and Practice

The position of Met Ed and the Staff on the TMI-1 design is also unsupportable because it conflicts with past Commission policy and practice in applying IEEE Std 279. In essence, Met Ed and the Staff argue that the requirements of IEEE Std 279 apply only to equipment within the "protection system," i.e., "from sensors to actuation device input terminals." Apparently they chose to ignore the numerous instances where the requirements of IEEE Std 279 have been consistently applied to equipment not strictly part of the "protection system." Several examples are:
1. Section 7.3, "Engineered Safety Features," of the Standard Review Plan discusses how the requirements of IEEE Std 279 should be applied in the review of the Engineered Safety Feature Actuation System (ESFAS) and the essential auxiliary supporting systems instrumentation and controls. The ESFAS is a part of the protection system and is used to actuate engineered safety feature systems such as emergency core cooling, auxiliary feedwater, and containment isolation. Section 7.3 of the Standard Review Plan states: "It is not sufficient to judge the adequacy of the ESFAS [i.e., the protection system] only on the basis of the design meeting the specific requirements of IEEE Std 279. It is also necessary to judge the functional relationship between the ESFAS and the ESF systems themselves." This supports my position that the requirements of IEEE 279 can not be applied to the protection system in a vacuum. The Staff recognizes that to determine whether the minimum functional performance requirements of IEEE Std 279 are met, it is not sufficient to examine only the design of the "protection system." It is necessary to also consider the design of the engineered safety feature systems actuated by the protection system.

2. In some early designs, the protection system did not control the isolation valves in the discharge pipes of the accumulators or core flooding tanks, which are part of the emergency core cooling systems. The Staff concluded that those valves had to be considered as "operating bypasses" within the meaning of the requirement of IEEE Std 279. Therefore, in order to meet the "intent" of IEEE Std 279, the Staff required the design to include provisions to automatically open the discharge valves whenever plant conditions are such that emergency core cooling is or could be required. This Staff Position, developed before January, 1973, was set forth in Branch Technical Position ICSB 4 of Appendix 7-A to the Standard Review Plan. The isolation valves are clearly not part of the "protection system," as Met Ed and the Staff define it in this case, but the Staff correctly applied the requirements of IEEE Std 279 to them by observing that closed valves could prevent a safety function just as surely as bypassing the protection system itself.

3. In Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions," which was issued in February, 1972, the Staff takes the position that "[t]he protective system should be designed to permit periodic testing to extend to and include the actuation devices and actuated equipment." (Emphasis added). The basis for the position is the recognition that "the ability of the protection system to initiate the operation of safety systems depends on the proper performance of actuation devices...." Here again, the Staff acknowledges that a Commission requirement to test the protection system cannot be applied only up to the actuation device input terminals. Therefore, the requirements of the Commission's regulations applicable to periodic testing of the protection system were extended to include equipment not literally a part of the "protection system."

I recognize that Regulatory Guide 1.22 is explicitly based on the requirements of GDC-20, "Protection System Functions" and GDC-21, "Protection System Reliability and Testability," rather than the requirements of IEEE Std 279. However, the requirements of Sections 4.1 and 4.10 of IEEE Std 279 parallel those of GDC-20 and 21. The primary reason why Regulatory Guide 1.22 is not also explicitly based on IEEE Std 279 is that, as a member of the Staff with responsibility both for developing and applying the Guide, I wanted to avoid the problem now being faced in this proceeding. I had been assigned the responsibility for developing Regulatory Guide 1.22 and I anticipated that reference to IEEE Std 279 would initiate protests from the industry that since the definition of protection system excluded the actuation devices and the actuated equipment, NRC could not require testing of these components. To avoid that difficulty and instead allow valid engineering principles to be applied, I referenced only the pertinent GDC rather than both the GDC and IEEE Std 279 as the basis for the Staff's position. I was also aware of the work then underway to revise IEEE Std 279 to specifically include systems and equipment actuated by the protection system. Although it has taken much longer than I expected, the result of that work is IEEE Std 603 which I discussed earlier. In any event, Regulatory Guide 1.22 is an example of the Staff's past recognition that the requirements of IEEE Std 279 can be and should be applied to equipment not strictly part of the "protection system."
The Lessons Learned from the TMI-2 Accident

The final way in which Met Ed and the Staff's position is unsupportable is that it fails to take into consideration the lessons to be learned from the TMI-2 accident. The termination of high pressure injection when the reactor was still in a condition requiring emergency core cooling and the closure of both auxiliary feedwater valves (which may have occurred prior to the accident, in which case the situation was effectively an "operating bypass") were both cases of the operator preventing the initiation and/or completion of a safety function. The response to these deficiencies has been the development of new procedures or design changes at TMI-1.

For example, new emergency procedures have been developed and the operators have been instructed not to shut off high pressure injection prematurely, i.e. until the protective function has been completed. For example, if the high pressure injection system has been automatically started because of low pressure in the reactor coolant system, it should remain in operation until 1) the low pressure injection system is in operation and pumping 1000 gpm in each line and the situation has been stable for 20 minutes, or 2) all hot and cold leg temperatures are at least 50°F below the saturation temperature, the hot leg temperature is less than 50°F above the secondary side saturation temperature, and termination is necessary to prevent indicated pressurizer level from going off-scale high.

The above set of conditions constitutes the definition of completion of the safety function provided by the high pressure injection system. These conditions are precisely the type of conditions envisioned in Section 4.4 of IEEE Std 603, which I discussed earlier. Section 4.4 permits "provisions for those deliberate operator interventions which are identified in Section 3(10) of the design basis." The pertinent part of Section 3(10) of IEEE Std 603 states that the design basis shall document "the conditions after which a deliberate operator intervention may prevent the completion of protective action at the system level, and the point in time, or plant conditions, which define completion of the protective action at the system level." Therefore, TMI-1 should be designed such that, until the set of conditions specified above is met, the operator can not interfere with operation of the high pressure injection system. That is supposed to be a lesson learned from the TMI-2 accident.

However, the TMI-1 design is the same as it was prior to the accident - the operator can, but has been instructed not to, shut off the high pressure injection system even though its safety function has not been completed. I conclude that this design is unsafe and is not in conformance with the proper interpretation of the Commission's regulations in IEEE Std 279 which require that protection systems be designed so that, once initiated, a protection system action shall go to completion. To meet this requirement, the TMI-1 design must be modified so that the operator can not prevent initiation or completion of the safety function provided by the high pressure injection system.
This could be accomplished, for example, by interlocking the operator's controls for the high pressure injection system with the signals from low pressure injection flow, a 20 minute timer and the saturation meters such that the controls would be ineffective in stopping high pressure injection until the conditions specified above were met. The same type of design changes need to be undertaken for the auxiliary feedwater system and the containment isolation system. Met Ed must define completion of the safety function for each system and then design the plant so that the operator can not stop the auxiliary feedwater system or open containment isolation valves until it is safe to do so. Defining completion of the protective function to be initiation of the function and simply sealing in the protection system initiation signal is clearly not an acceptable definition of completion of the safety functions provided by these systems.

(Footnote: This is only an example and is not intended as an endorsement.)

(Footnote: The requirement to use signals that are direct measures of the desired variable is applicable. See my testimony on UCS Contention 7.)

I will now address the second category of arguments advanced by Met Ed and the Staff. In effect, their arguments are that the present design of TMI-1 better protects public health and safety than a design which meets the requirement of IEEE Std 279 that, once initiated, a protection system action shall go to completion. In essence, the argument is that the safety advantages of a design which prevents the operator from interfering with completion of a safety function must be weighed against the potentially adverse effects on safety of continued operation of the system performing the needed safety function. In an abstract sense, I agree with that proposition. That is, dissociated from any specific example of a safety system that is itself a hazard to safety when operated, the argument appears reasonable. However, considering the specific design of TMI-1, the examples cited by Met Ed and the Staff, and my knowledge of the principles of reactor safety system design and the provisions of the Commission's regulations, I conclude the argument is invalid.
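The following is an added illustration and is not part of Mr. Pollard's testimony, nor code from Met Ed, the NRC Staff or any plant: a small Python model of the design distinction the testimony draws between a merely "sealed in" actuation signal and a stop control interlocked with the completion criteria for high pressure injection (the two termination conditions quoted under the lessons learned from TMI-2), together with the automatic removal of an operating bypass described for the accumulator discharge valves under the Commission's past practice. Every field name, setpoint and plant-state value in it is a constructed assumption for the illustration, not a TMI-1 value or instrument tag.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PlantState:
    """Sample of plant conditions; fields, units and values are assumptions for this illustration."""
    rcs_pressure_psig: float
    lpi_flow_gpm: tuple           # flow in each low pressure injection line
    lpi_stable_minutes: float     # how long LPI flow has been stable
    hot_leg_f: tuple              # hot leg temperatures, deg F
    cold_leg_f: tuple             # cold leg temperatures, deg F
    rcs_sat_f: float              # saturation temperature at RCS pressure (saturation meter)
    secondary_sat_f: float        # secondary side saturation temperature, deg F
    pzr_level_near_offscale: bool  # indicated pressurizer level about to go off-scale high

# Assumed setpoints for the illustration only (not TMI-1 values).
HPI_ACTUATION_PSIG = 1600.0           # low RCS pressure initiates HPI
ACCUM_BYPASS_PERMISSIVE_PSIG = 800.0  # discharge valves may be shut only below this

def hpi_demand(s: PlantState) -> bool:
    """Protection system input: do plant conditions call for high pressure injection?"""
    return s.rcs_pressure_psig < HPI_ACTUATION_PSIG

def hpi_complete(s: PlantState) -> bool:
    """HPI safety function complete: the two termination criteria quoted in the testimony."""
    lpi_established = (all(f >= 1000.0 for f in s.lpi_flow_gpm)
                       and s.lpi_stable_minutes >= 20.0)
    subcooled_50f = all(s.rcs_sat_f - t >= 50.0 for t in s.hot_leg_f + s.cold_leg_f)
    hot_leg_near_secondary = max(s.hot_leg_f) < s.secondary_sat_f + 50.0
    return lpi_established or (subcooled_50f and hot_leg_near_secondary
                               and s.pzr_level_near_offscale)

class SealInOnlyHPI:
    """Design criticized: the signal seals in, but the operator's stop works at any time."""
    def __init__(self):
        self.sealed_in = self.running = False

    def step(self, s: PlantState, operator_stop: bool = False) -> bool:
        if hpi_demand(s):
            self.sealed_in = self.running = True  # latched even if pressure later recovers
        if operator_stop:
            self.running = False  # honoured although the safety function is not complete
        return self.running

class InterlockedHPI:
    """Design recommended: the stop control is ineffective until the completion criteria are met."""
    def __init__(self):
        self.sealed_in = self.running = False

    def step(self, s: PlantState, operator_stop: bool = False) -> bool:
        if hpi_demand(s):
            self.sealed_in = self.running = True
        if operator_stop and self.sealed_in and hpi_complete(s):
            self.sealed_in = self.running = False  # deliberate action returns system to normal
        return self.running

class AccumulatorDischargeValve:
    """Operating bypass: may be shut only under permissive conditions; removed automatically otherwise."""
    def __init__(self):
        self.is_open = True

    def operator_close(self, s: PlantState) -> bool:
        if s.rcs_pressure_psig < ACCUM_BYPASS_PERMISSIVE_PSIG:
            self.is_open = False
        return self.is_open

    def step(self, s: PlantState) -> bool:
        if s.rcs_pressure_psig >= ACCUM_BYPASS_PERMISSIVE_PSIG:
            self.is_open = True  # permissive lost: bypass removed automatically
        return self.is_open

# Constructed sequence loosely following the TMI-2 pattern: HPI starts on low pressure,
# the operator tries to stop it while the coolant is saturated, and later LPI flow
# has been established long enough to satisfy completion criterion 1.
SEQUENCE = [
    (PlantState(1500.0, (0.0, 0.0), 0.0, (590.0, 592.0), (560.0, 561.0), 596.0, 540.0, False), False),
    (PlantState(1300.0, (0.0, 0.0), 0.0, (580.0, 582.0), (555.0, 556.0), 577.0, 530.0, False), True),
    (PlantState(150.0, (1100.0, 1050.0), 25.0, (300.0, 302.0), (290.0, 291.0), 366.0, 250.0, False), True),
]

def run_sequence(controller) -> list:
    """Feed the constructed sequence to a controller; return HPI running state per step."""
    return [controller.step(state, operator_stop=stop) for state, stop in SEQUENCE]

def accumulator_bypass_demo() -> tuple:
    """Return (closed at power?, closed when permissive?, reopened automatically?)."""
    valve = AccumulatorDischargeValve()
    at_power = SEQUENCE[0][0]  # 1500 psig: permissive not met
    shutdown = PlantState(300.0, (0.0, 0.0), 0.0, (200.0,), (190.0,), 417.0, 200.0, False)
    closed_at_power = not valve.operator_close(at_power)
    closed_when_permissive = not valve.operator_close(shutdown)
    reopened = valve.step(at_power)
    return closed_at_power, closed_when_permissive, reopened

if __name__ == "__main__":
    print("seal-in only:", run_sequence(SealInOnlyHPI()))
    print("interlocked: ", run_sequence(InterlockedHPI()))
    print("accumulator: ", accumulator_bypass_demo())
```

Running the same constructed sequence through both controllers shows the point of the testimony: with seal-in alone the second step stops HPI while the legs are still at saturation, whereas the interlocked design ignores that stop and only honours the one given after LPI flow has been stable for 20 minutes. The interlock is a permissive on the operator's stop control, not a removal of the control, which is how Section 4.4 of IEEE Std 603 describes deliberate operator intervention after the design-basis completion conditions are met.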
Both the Staff and Met Ed postulate a failure of an ECCS component that could aggravate an accident unless it was shut off. For example, the loss of physical integrity of an ECCS pump, valve, or injection line could require termination of that ECCS system to prevent further coolant loss through that rupture. The reason that I reject this example is that the Commission's regulations and past practice do not permit postulation of such a failure. As noted in the "Definitions and Explanations" section of Appendix A to 10 CFR Part 50, "[t]he conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development." Although the Commission has had those conditions "under development" since before 1971, the practice has been not to postulate or consider failures of the pressure boundary of safety system components. Since the Staff and Met Ed are fully aware of this practice, I consider it disingenuous for them to advance such a failure as justification for a design that permits the operator to improperly interfere with safety functions. However if such failures are to be considered, I would observe that neither TMI-1 nor any other nuclear plant operating in the United States meets the Commission's regulations.

(Footnote: For example, the majority of pipes penetrating the containment building have only two safety grade isolation valves. This design meets the single failure criterion under the current interpretation of the Commission's regulations. If, however, a passive failure is to be considered, the design does not meet the single failure criterion. A rupture of the body of one valve (the accident) and failure of the other valve in the same pipe (the single failure), would prevent containment isolation. Another example involves the main steam isolation valves. If the isolation valve in one steam line ruptures (a steamline break accident) and the isolation valve in the other steamline fails to close or ruptures (the single failure), both steam generators would blow down, an accident not considered in the design basis of the plant.)

The other argument I infer from the position held by the Staff and Met Ed is that continued operation of a safety system may be a hazard. For example, continued operation of the ECCS may fill the pressurizer and result in exceeding the allowable pressure/temperature relationship applicable to the reactor pressure vessel. Continued operation of auxiliary feedwater may result in overcooling the reactor coolant system. First of all, if completion of the safety function is properly determined, such conditions generally should not arise until after the safety function is completed. Second, if such conditions pose an undue risk to public health and safety, the protection system should be designed to automatically prevent them from occurring. In other words, poor engineering on one aspect of the design can not be used as the basis to violate the Commission's regulations on another aspect of the design.

(Footnote: This is the design of TMI-1 in the case of auxiliary feedwater: flow is automatically terminated to a depressurized steam generator. (See Restart Report, Supplement 1, Part 1, Question 10g).)

In summary, I conclude that the TMI-1 design is unsafe and that it violates the Commission's regulations in that the protection system is not designed in accordance with Section 4.16 of IEEE Std 279. The operator can prevent the initiation and completion of the safety functions provided by the emergency core cooling, auxiliary feedwater, and containment isolation systems. The Staff and Met Ed's position is inconsistent with the basic purpose of the pertinent Commission requirements, the history of their development and the lessons learned from the TMI-2 accident.