Text

Part 2,proposed Findings of Fact & Conclusions of Law on Plant Design & Procedures Issues in Form of Partial Initial Decision
	ML19346A330
Person / Time
Site:	Crane
Issue date:	06/12/1981
From:	Baxter G; METROPOLITAN EDISON CO., SHAW, PITTMAN, POTTS & TROWBRIDGE
To:	;
Shared Package
ML19346A329	List: ML19346A328; ML19346A330;
References
	NUDOCS 8106190146
	Download: ML19346A330 (155)
	v • d • e

.

LIC 6/12/81 i

UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION BEFORE THE ATOMIC SAFETY AND LICENSING BOARD In the Matter of

)

METROPOLITAN EDISON COMPANY

)

Docket No. 50-289

)

(Restart)

(Three Mile Island Nuclear

)

Station, Unit No. 1)

)

PART TWO OF LICENSEE'S PROPOSED FINDINGS OF FACT c

AND CONCLUSIONS OF LAW ON PLANT DESIGN AND PROCEDURES ISSUES IN TLS FORM OF A PARTIAL INITIAL DECISION SHAW, PITTMAN, POTTS & TROWBRIDGE George F. Trowbridge Thomas A.

Baxter Delissa A.

Ridgway Counsel for Licensee

TABLE OF CONTENTS Page I.

INTRODUCTION 1

I L, FINDINGS OF FACT 6

A.

Natural and Forced Circulation....................

6 l

(UCS-1 and 2)

B.

Detection of Inadequate Core Cooling.............

19 (ANGRY-V(B))

C.

Abnormal Transient Operating Guidelines 66 (BQ 11)

D.

Safety System Bypass and Ove tide................

70 (UCS-10; Sholly-3)

E.

Pressurizer Heaters..............................

95 (UCS-3)

F.

Connection of Pressurizer Heaters to Diesels...................................... 100 (UCS-4)

G.

Valves........................................... 113 (UCS-5)

H.

Integrated Control System........................ 125 (Sholly-6a)

L I.

Containment Isolation............................ 147 (Sholly-1)

J.

Filters.......................................... 151 (Lewis; ANGRY V(D))

K.

Computer......................................... 161 (Sholly-13; ECdP-la)

L.

In-Plant Instrument Ranges....................... 170 (Shol?.y-5; ECNP-ld)

M.

Safety System Status Panel....................... 184 (BQ UCS-9; ECNP-lc)

~ _ _ _

N.

Control Room Design-Human Factors Engineering..................................... 197 (Sholly-15; ANGRY V(C))

O.

Additional LOCA Analysis......................... 223 (BQ UCS-8; ECNP-le)

P.

Systems Classification and Interaction........... 241 (UCS-14)

Q.

Emergency Feedwater Reliability.................. 255 (BQ 6)

R.

Valve Testing.................................... 313 (BQ UCS-6)

S.

Accident Design Ba; 1........................... 322 (BQ UCS-13)

T.

Staff Review and Recommendations................. 349 (BQ-1, 2, 3, 5, 7)

U.

Equipment Qualification...........................

(BQ UCS-12)

V.

Concluding Findings of Fact III.

C ON C LU S IO N S O F LAW...................................

4 4

m

-iii-

O.

Additional LCCA Analysis Board Cuestion/UCS Contention No. 8:

10 CFR 50.46 requires analysis of ECCS performance "for a number of postulated loss-of-coolant accidents of different sizes, locations, and other properties sufficient to provide assurance that the entire spectrum of postulated loss-of-coolant accidents is covered."

For the spectrum of LCCA's, specific parameters are not to be exceeded.

At TMI, certain of these were exceeded.

For example, the peak cladding temperature exceeded 2200* fahrenheit (50.46(b)(1)), and more than 1% of the cladding reacted with water or steam to produce hydrogen (50.46(b)(3)).

The measures proposed by the staf f address primarily the very specific case of a stuck-open power operated relief valve.

However, any other small LOCA could lead to the same consequences.

Additional analyses to show that there is adequate protection for the entire spectrum of small break locations have not been performed.

Therefore, there is no basis for finding compliance with 10 CFR 50.46 and GDC 35.

None of the corrective actions to date have fully add cceed the demonstrated inadequacy of protection against small LCCA's.104 Board Guestion Regarding UCS Contention 8:

The board directs the staff and the licensee to present experts and the 104 ECNP Contention 1(e) was accepted by the Board to the extent tha t it relates to a further analysis of the spectrum of small-break LOCAs, and ECNP was permitted to adopt UCS Centention 8.

First Special Prehearing Conference Order, LBP-79-34, 10 N.R.C.

828, 844 (1979).

Consequently, the ECNP contention was not addressed separately in the hearing and it is not quoted here.

See Board Memorandum and Order, September 8, 1980, at 3.

We note that ECNP did not appear to participate in any of the evidentiary sessions at which this issue was heard.

-223-

fundamental documents involved in the small break LCCA analysis, and to have very complete testimony on this subject.

The recommendations of NUREG-0565 and NUREG-0623 should be addressed.

It appears from the small break LCCA analysis that there is a large amount of reliance upon operator action and on non-safety-grade equipment.

The board wants that issue explored by testimony, including why such reliance is proper.

333.

The TMI-2 accident was equivalent to e -mall-break, loss-of-coolant accident.

UCS Contention 8, which was not objected. to and was admitted by the Board without limita-tion, challenged the adequacy of the analyses performed to identify appropriate corrective actions for the entire spectrum of small-break LCCAs.

Yet, on July 31, 1980, in " Union of Concerned Scientists' Review of Contentions," UCS withdrew its Contention 8, but asked the Board to pursue it.

The Board not only adopted UCS Contention 8, but added its own questions (quoted above) on the contention.

Consequently, the entire record we are about to address in this section of the Initial Decision was developed only because the Board, in its discre-tion, elected to explore the issue of small-break LOCA analyses.

334.

In response to the Board's interest in the additional small-break LOCA analyses pe'rformed since the TMI-2 accident, a very complete and extensive record has been

-224-

compiled.

The record includes the testimony for Licensee of a Supervisory Engineer of B&W's ECCS Analysis Unit (Jones) and of GPU's Control and Safety Analysis Manager (Broughton),

describing the purposes, assumptions and results of the small-break analyses for TMI-l conducted both before and after the TMI-2 accident, and the development of operator guidelines and procedures for small-break LCCA mitigation on the basis of these analyses.

Mr. Jones has performed both large and small break ECCS analyses under AEC and NRC regulatory criteria and is responsible, within B&W, for the calculation of large and small break ECCS evaluations, evaluations of mass and energy releases to the containment during a LOCA, and the performance of best-estimate pre-test predictions of LOCA experiments.

He has also been personally involved in the preparation of B&W operator guidelines for small-break LOCAs and inadequate core cooling mitigation.

Jones and aroughton, ff. Tr. 5038 (at-tached statement of qualifications, Robert C. Jones, Jr.).

335.

The record includes, as well, the fundamental documentation of the results of Licensee's small-break LOCA analyses, which was thus available for the close scrutiny of the Board and the parties.

Licensee Exhibits 3 and 4 con-stitute the spectrum of small break analyses submitted prior to the i.-u-2 accident to demonstrate compliance with the requirements of 10 C.F.R.

S 50.46 and Appendix K to 10 C.F.R.

Part 50.

Licensee Exhibits 5 through 9 and 13 consist of additional analyses of plant response to various small-break

-225-

scenarios, which were performed in response to specific NRC directives, orders and requests following the TMI-2 accident.

Licensee Exhibit 12 is the B&W "Small Break Operating Guide-lines," developed to provide guidance for operator actions based upon the results of the small-break analyses.

Licensee Exhibits 47 and 48 are the TMI-l emergency procedures for small-break LCCAs, which implement the B&W guidelines.105 Licensee Exhibits 10 and 11 were performed in response to NRC IE Bulletin 79-05C, and address the need for, and the con-sequences of, a prompt reactor coolant pump trip upon receipt of a low pressure (1600 psig) Engineered Safety Features Actuation System ("ESFAS") signal.

336.

Licensee also presented testimony in response to each of the recommendation r, applicable to licensees, in NUREG-0565, " Generic Evaluation of Small Break Loss-of-Coolant Accident Behavior in Babcock & Wilcox Designed 177-FA Operating Plants" (January 1980), and in NUREG-0623, " Generic Assessment of Delayed Reactor Coolant Pump Trip during Small Break Loss-of-Coolant Accidents in Pressurized Water Reactors" (November 1979).

Jones and Broughton, ff. Tr. 5039.

337.

The NRC Staf f provided for the record docu-mentation on the results of its review of the B&W small-break LOCA analyses performed in response to NRC direction and 105 These revise,

supercede earlier versions of these procedures, UCS Ex.

8 and 6, respectively.

-226-

,,.-*7-

requests following the TMI-2 accident, including the Staf f's own audit calculations used in the review.

See NUREG-0565 (Board Ex. 4); Tr. 5006-07 (Jensen).

Short-term action 1(d) of the Commission's Order and Notice of Hearing (10 N.R.C. at 144) stated that Licensee shall "[c]omplete analyses for potential small breaks and develop and implement operating instructions to define operator action."

The Staff's review of Licensee's compliance with this action is documented in the record in Staff Ex. I at Cl-12 to Cl-16.

See also, Staff Ex. 1 at C2-16 (IE Bulletin 79-05C short-term action on small-break LCCA analyses); Staff Ex. 1 at C8-48 and Staff Ex. 14 at 43-44 (NUREG-0578 recommendation 2.1.9.a on analysis, emergency procedures and training to substantially improve operator performance during a small-break LOCA).

Long-term action 2 of the Commission's Order and Notice of Hearing (10 N.R.C. at 145) recommended that Licensee should be required to "give continued attention to transient analysis and procedures for management of small breaks by a formal program set up to assure timely action of these matters."

The Staf f 's review finding that Licensee has made reasonable progress toward the satisfactory completion of this action is documented in Staff Ex. 1 at D2-1, and in Staff Ex. 14 at 50.

338.

The Staff also presented testimony on its reaction to Licensee's responses to the recommendations made in NUREG-0565 and NUREG-0623 (see paragraph 336, supra), and on the relationship of the implementation of those recommendations

-227-

with other TMI-talated riquirements imposed or recommended by the Staff.

Ross and Capr,a, ff. Tr. 15,806.

339.

The Commission has established, by regulation, the standards to be applied in evaluating loss-of-coolant

. accidents for the purpose of specifying the design of the emergency' core cooling system.

See 10 C.F.R.

5 50.46 (accep-p tance ' criteria for emergency core cooling systems for light water nuclear-power reactors), and Appendix K to 10 C.F.R. Part 50 (ECCS evaluation models).

a 340.

Prior to the TMI-2 accident, small-break LOCA evaluations had been performed to verify conformance of TMI-1 to 10.C.F.R. S 50.46.

In order to perform these analyses, the break location which imposes the most severe requirements on the ECCS was identified.

As a result of this identification, an analysis was performed of the core flood line break, which results in only one core flood tank and one high pressure injection train available to mitigate the accident under the worst single failure assumption.

An analysis of a spectrum of breaks in the reactor coolant pump discharge piping was also performed, since a break at that location results in the loss of a portion of the HPI fluid.

These analyses were performed i

using the B&h ECCS evaluation model which has been approved by the NRC as meeting the requirements of Appendix K to 10 C.F.R.

Part 50.

For_ the worst-case break, the peak cladding tempera-ture was found to be less than 1100*F, and no metal-water reaction nor cladding rupture were calculated to occur.

-228-J

Therefore, conformance to 10 C.F.R. S 50.46 was demonstrated.

Jones and Broughton, ff. Tr. 5038, at 2, 3 and 12; Lic. Exs. 3 and 4, and oral summary at Tr. 5047-64 (Jones); Jensen, ff. Tr.

5496, at 4-6.

TMI-1 continues to be in compliance with 10 C.F.R. S 50.46.

Jensen, ff. Tr. 15,808, at 3; Tr. 5023 (Jensen); Tr. 5196 (Jones).

A principal finding of the Staff's generic review is that the original LOCA analyse's for TMI-1 remain valid.

Staff Ex. 1 at Cl-13.

341.

The analyses performed prior to the TMI-2 accident assumed the use of only safety-grade equipment for accident mitigation, except that emergency feedwater was assumed to be available.106 These analyses assumed no mitigat-ing operator actions within ten minutes of the initiating i

event, except that operator action to cross-connect the HPI system was determined to be required in the event of a small break in the reactor coolant pump dischart piping and the postulated failure of the HPI train which discharges into the unbroken coolant loop.

Subsequent modifications to the HPI lines have been made, however, to add cross connections and flow-limiting devices to ensure sufficient flow without operator action.

Jones and Broughton, ff. Tr. 5038, at 3, 4; Jensen, ff. Tr. 5496, at 7; Tr. 5605 (Jensen).

106 See Section II.Q, supra, for the Board's findings on the reliability of the emergency feedwater system.

In the event of a loss of all feedwater, however, the feed-and-bleed mode of emergency cooling is available for LOCA mitigation.

Jones and Broughton, ff. Tr. 5038, at 4.

-229-

342.

We now turn to the additional small-breck LOCA analyses performed since the TMI-2 accident, which are the subject of the Board's questions on the former UCS Contention 8.

First, however, it is imperative to understand why these additional analyses were performed.

Because the severity of the TIII-2 accident was aggravated by operator actions, these analyses were performed for the purpose of providing an improved analytical basis for plant emargency operating procedures for responding to small-break LOCAs.

Jones and Broughton, ff. Tr. 5038, at 4, 5; Board Ex. 4 at 1-1.

This purpose is evident from the language of the Commission itself in short-term action 1(d).

See paragraph 337, sucra.

These analyses performed after the TMI-2 accident were not done to demonstrate compliance with 10 C.F.R.

5 50.46.

Jones and Broughton, ff. Tr. 5038, at 5; Tr. 5131, 5194 (Jones).

Indeed, in an effort to develop an improved set of operator cuidelines, these analyses go beyond the scope of Appendix K to 10 C.F.R.

Part 50 (for example, in the types and numbers of failures assumed).

Tr. 5194-95 (Jones).

343.

The small-break LOCA analyses performed after the TMI-2 accident included an extension of the lower end of the break spectrum previously analyzed, an assessment of the effect of failures in the main and emergency feedwater systems, and an assessment of small-break LCCAs with a delayed reactor coolant pump trip.

Jones and Broughton, ff. Tr. 5038, at 5.

344.

The generic analyses performed oy B&W are applicable to TMI-1.

Jones and Broughton, ff. Tr. 5038, at 9, I

-230-

10.

In fact, the analyses generally assumed, however, less HPI flow than the TMI-l system, as modified, will provide.

Tr.

5062, 5127 (Jones).

The HPI system at TMI-l will produce roughly.10% more flow than was assumed in the analysis.

Tr.

5143 (Jones).

345.

The first case examined in the additional LOCA analyses is a loss of all feedwater.without a small-break LCCA.

In this scenario, it is assumed that:

loss of main feedwater occurs; the anticipatory trip on loss of main feedwater fails and the reactor trips on high reactor coolant system pressure; l

loss of off-site power occurs coincident with the reactor trip; emergency feedwater is not provided to the steam generators; i

while reactor coolant system pressure continues to increase, the PORV does not open and the pressurizer safety valves open; there is a single failure in the HPI system.

The results of this analysis, which also assumed a core decay heat value of 1.0 times the ANS standard value,107 are that operatcr action within 20 minutes either to establish emergency feedwater or tc i

actuate manually the BPI system is sufficient to assure 107 Appendix K modeling assumptions call for the use of a core decay heat value of 1.2 times the standard ANS value.

The number of failures assumed in this evaluation, however, and in the one other case where this departure was made, justifies the use of the more realistic 1.0 times the standard ANS 'value.

Tr. 5072-73 (Jones).

It should also be noted that a substantial number of investigations, including core decay heat experiments, have demonstrated that the 1971 ANS value used in ApLandix K is conservative, so that a core decay heat value of n 0 times the ANS standard value is adequate, for a realistic determination, to define properly the core decay heat.

Tr. 5208 (Jones).

-231-

adequate core cooling.

Jones and Broughton, ff. Tr. 5038, at 5 and 13 (Table 2); Lic. Ex.

9, and oral summary at Tr. 5064-73 (Jones).

346.

The recond case examined is a small-break LOCA with the loss of all feedwater.

In this scenario, it is assumed that:

a small-break LCCA occurs; the reactor t ips on low reactor coolant system pressure; there is a loss of off-site power and a loss of main feedwater coincid".ar with the reactor trip; emergency feedwater is not provided to the steam generators; core decay heat is 1.2 times the ANS standard value; and both HPI trains function.108 The results of the analysis show that for break sizes greater than 0.01 f t2, emergency core cooling is initiated automatically and no operator action is required to assure adequate core cooling.

2 For break. sizes equal to or less than 0.01 f t the setpoint for automatic HPI actuation is not reached.

Operator action within 20 minutes to initiate emergency feedwater (which, in turn, will subsequently result in high pressure injection) or to initiate HPI will astsure adequate core cooling.

Jones and 108 Two EPI pumps are calculated to be required during only portions of the transient and only for a certain range of break sizes below 0.02 square feet and at specific locations.

Tr.

4776-77, 4834 (Jones).

The number of failures assumed in this evaluation, however, and in the one other case where this assumption is made, leads the Board not to be concerned with this result.

The analysis assumes not only a LCCA and the loss of off-site power, but also the unavailability of all main and emergency feedwater.

As we _ind below, the TMI-l emergency feedwater system is safety-grade for a LOCA.

See section II.C, paragraph 406, infra.

-232-

Broughton, ff. Tr. 5038, at 5, 6 and 14 (Table 3); Lic. Exs. 5 and 8, and the oral summary at Tr. 5074-85 (Jenes).

347.

The third case evaluated is a loss of main feedwater event with a pressurizer PORV failure.

This basi-cally represents the TMI-2 accident.

In this scenario, it was assumed that:

a loss of main feedwater occurs; the anticipa-tory reactor trip on loss of main feedwater fails and reactor coolant system pressure increases; the PORV opens and does not close (an equivalent break area of 0.007 ft2); reactor trip occurs on high reactor coolant system pressure; emergency feedwater is provided to the steam generators; core decay heat is 1.2 times the ANS standard value; and a single failure occurs in the HPI system.

The results of the analysis show that automatic actuation of HPI provides sufficient reactor coolant system inventory to assure adequate core cooling.

Jones and Broughton, ff. Tr. 5038, at 6 and 15 (Table 4); Lic.

Ex. 5, and the oral summary at Tr. 5087-90 (Jones).

348.

The fourth case considered is a pressurizer PORV failure followed by a loss of all feedwater.

In this scenario, it is assumed that:

the PORV fails open and does not close; the reactor trips on low reactor coolant system pres-sure; of'-site power and main feedwater are lost coincident with the reactor trip; emergency feedwater is not provided to the steam generators; core decay heat is 1.0 times the standard ANS value;109 and a single failure occurs in the HPI system.

109 See n.107, supra.

-233-

The results of the analysis show that automatic actuation of HPI provides sufficient reactor coolant inventory to assure

. adequate core cooling.

Jones and Broughton, ff. Tr. 5038, at 6 and 16 (Table 5); Lic. Exs. 6 and 7, and the oral summary at Tr. 5090-94 (Jones).

349.

The fifth case is a very small-break LOCA with a loss of main feedwater.

In this case it is assumed that:

a very small-break LOCA (0.005 to 0.01 ft2) occurs;.the reactor trips on low reactor coolant system pressure; off-site power and main feedwater are lost coincident with the reactor trip; emergency feedwater is provided to the steam generators: core decay heat is 1.2 times the ANS standard value; and a single failure occurs in the HPI system.

For breaks of this size, which cause a loss of coolant inventory at a rate in excess of the capacity of HPI, the steam generators would normally be used to remove a portion of the energy added to the primary system by core decay heat.

The analysis shows that during the transition from natural circulation to the boiler-condenser mode of cooling (i.e., from single-phase to two-phase natural circulation), an interruption of the energy removal process from the primary system will occur due to void formation in the t

l l

hot legs, and primary system pressure will increase.

However, i

the subsequent establishment of steam condensation by the steam i

i

}

generators as a heat removal mechanism controls the repres-surization, and automatic actuation of HPI provides sufficient 1

reactor coolant inventory to assure adequate core cooling.

_{

l

-234-l

Jones and Broughton, ff. Tr. 5038, at 6, 7 and 17 (Table 6);

Lic. Ex. 5, and the oral summary at Tr. 5C94-97 (Jones).

350.

The next case examined is a small-break LOCA with a delayed reactor ecolant pump trip.

Analyses have shown that if the reactor coolant pumps operate continuously throughout the LCCA, or are tripped promptly upon receipt of a low reactor coolant system pressure signal, adequate core cooling is provided for all break sizes.

For certain break sizes (between 0.025 and 0.2 ft2), however, adequate core cooling has not been demonstrated if the reactor coolant pumps remain in operation and are subsequently tripped at certain times in the transient.

The system behavior which' leads to this result is that while continued pump operation provides forced circulation cooling of the core, it also causes, for certain break sizes, more fluid inventory to be discharged through the break than would otherwise occur.

As a result of this increased loss of inventory, the fluid in the reactor coolant system will evolve to a high void fraction.

If the pumps are tripped after a high void fraction is reached, the available liquid in the reactor coolant system would not be sufficient to keep the core covered, and the ECCS may not provide reflooding of the core at a rate which assures that cladding temperatures are maintained within the criteria of 10 C.F.R.

S 50.46.

Jones and Broughton, ff. Tr. 5038, at 7-9 and 18 (Table 7); Lic. Exs. 10 and 11, and the oral summary at Tr.

5098-5103 (Jones); Jensen, ff. Tr. 15,808, at 3; Ross and Capra, ff. Tr. 15,806, at 51, 52.

-235-V

351.

Since all analyses have confirmed that the plant can be maintained in a safe condition (as defined by 10 C.F.R.

S 50.46) during a small-break LOCA without the reactor coolant pumps operating during the transient, provision for prompt tripping of the pumps upon indication of a LOCA110 (receipt of a low reactor coolant system pressure safety injection signal) assures that adequate core cooling is provided.

Jones and Broughton, ff. Tr. 5038, at 9.

Conse-quently, the NRC Staf f issued IE Bulletin 79-05C to all licensees which, among other things, required the imple-mentation of plant operating procedures directing that all operating reactor coolant pumps be immediately tripped upon reactor trip and initiation of HPI caused by low reactor coolant system pressure.

The bulletin also required an additional operator to be in the control room to perform this action.

Jensen, ff. Tr. 15,808, at 3; Staff Ex. 1 at C2-16; Ross and Capra, ff. Tr. 15,806, at 52.

While other, non-LCCA events may lead to a 1cw pressure safety signal, tripping of the reactor coolant pumps for these events still allows adequate core cooling to be provided.

Jones and Broughton, ff.

Tr. 5038, at 9.

352.

The Staf f, Licensee and the rest of the nuclear industry, however, are investigating the design and installa-tion of a system to trip the reactor coolant pumps 110 The analysis shows that the earliest of the range of re-quired trip times is on the order of 3 minutes.

Tr. 5189 (Jones).

-236-

automatically.

Staff Ex. 1 at C2-18; Jensen, ff. Tr. 15,808, at 4; Jones and Broughton, ff. Tr. 5039, at 13 (citing Lic. Ex.

1, supplement 1, Part 3, response to Question 11) and 26; Ross and Capra, ff. Tr. 15,806 at 52-56.

The pursuit of this issue, including a schedule for its resolution, has been incorporated into the Commission's TMI Action Plan.

Ross and Capra, ff. Tr. 15,806, at 55, 56.

353.

The lace case examined in these post-TMI accident analyses is a small-break LOCA with a loss of all feedwater and a subsequent PORV failure.

In this scenario, it was assumed that :

a very small-break LOCA (0.01 ft2) occurs; the reactor trips on low reactor coolant system pressure; off-site power and main feedwater are lost coincident with the reactor trip; emergency feedwater is not provided to the steam generators; core decay heat is 1.2 times the ANS standard value; both HPI trains function 111; reactor coolant system repressurization results in the pressurizer PORV opening and failing to close.

The results of the analysis show that operator action within 20 minutes to initiate emergency feedwater (which will subsequently result in high pressure injection) or to actuate EPI provides sufficient reactor coolant inventory to assure adequate core cooling.

Jones and Broughton, ff. Tr. 5038, at 8 and 19 (Table 8); Lic. Ex. 13, and the oral summary at Tr. 5103-04 (Jones).

1 111 See n.108, supra.

-237-

354.

It is clear from these extensive analyses that multiple failures must occur before a loss-of-coolant accident can result in a challenge to the criteria of 10 C.F.R.

S 50.46, and that small-break LCCAs can be mitigated within those criteria.

Jones and Broughton, ff. Tr. 5038, at 5 and 11.

Further, the assumption that the operator manually trips the reactor coolant pumps immediately following a small-break LCCA is the only reliance on non-safety-grade equipment and the only short-term operator action assumed in these analyses of small-break LCCAs.ll2 Tr. 5204 (Jones); Jensen, ff. Tr.

The operators will be traidhd to perform this 15,808, at 4.

action (tripping the reactor coolant pumps), which is clearly indicated and requires no diagnosis.

Tr. 5204-06 (Jones); Tr.

5302-03 (Broughton); Jensen, ff. Tr. 15,808, at 4; Staff Ex. 1 at Cl-16.

Operational experience to date indicates that operators are able to execute this action successfully.

Jensen, ff. Tr. 15,808, at 4; Tr. 5189 (Jones).

The Board finds that this reliance on operator action is acceptable.

355.

As we have previously noted, the results of the NRC Staff's review of the generic small-break LOCA analyses performed by B&N on behalf of operating plants with B&W 112 The need for manual HPI actuation in 20 minutes arises only for events which are beyond the design basis of the plant.

In any case, the operator has unambiguous indications upon which to take such action.

Tr. 4836-38, 4867-73 (Jones, Keaten).

See also, section II.B (Detection of Inadequate Core Cooling), supra.

-238-

systems, including TMI-1, are presented in Board Exhibit 4 (NUREG-0565).

The Staff's main conclusions are stated as follows:

B&W has performed a sufficient spectrum of small break LCCA analyses to identify the anticipated system performance for breaks in this range.

These analyses serve aa an adequate basis for developing improved operator guidelines for handling small break LCCAs.

In addition, these analyses provide an adequate basis for demon-Strating that proper operator action coupled with a combination of heat removal from the primary system through the break, the steam generators and with the HPI system, assure adequate core cooling.

Board Ex. 4 at 4-25.

356.

Based upon the analyses described above, B&W has developed operator guidelines for managing small-break LCCAs.

These guidelines contain two parts:

Part I provides the guidelines which define operator actions during a small-break LCCA; Part II prov' des a description of plant behavior during a small-break LCCA and discusses the effects of the operator actions given in Part I.

Lic. Ex. 12; Jones and Broughton, ff. Tr. 5038, at 10.

These guidelines include the immediate action to trip the reactor coolant pumps and the subsequent filling of the steam generators to a higher level following reactor coolant pump trip to enhance natural circula-tion.

Staff Ex. 1 at C2-17.

See also, zudans, ff. Tr. 8824, at 7.

482.

The Staff is sufficiently confident in the outcome of the EPRI tests that it believes restart of TMI-l

-320-

should be permitted before the tests cre completed.

Tr. 8838 (Zudans).

In addition to the fact that analysis of a stuck-open PORV shows that no fuel damage is predicted to occur, the Staff relies on the following:

improved FORV position indication; TMI-l procedures which require closure of the block valve early in a LCCA; the emergency power supplies for the PORV and block valve; and the generally upgraded TMI-l emergency procedures for small-break LOCAs.

Further, the setpoint changes and installation of anticipatory reactor trips will considerably lower the PORV challenge rate.

This has been verified by operating experience.

Zudans, ff. Tr. 8824, at 6, 7; Tr. 8838-39 (Zudans).

483.

Neither the Commission nor the Staff has ordered any pressurized water reactor shut down pending completion of the EPEI valve test program.

Tr. 8841 (Zudans).

The Board finds that, contrary to former UCS Contention No. 6, the TMI-l pressurizer relief and safety valves have been appropriately designed and tested.

In addition, actions are being taken to provide further assurance that the valves will function properly and reliably.

The Board also finds that recommendation 2.1.2 of NUREG-0578 is necessary and sufficient to provide reasonable assurance that TMI-l can be operated in the long-term without endangering the health and safety of the public, and that pending the completion of the tests called for by that recommendation there is reasonable assurance that the valves will perform in an accident environment.

-321-

l l

S.

Accident Design Bases Board Question /UCS Contention No. 13:

The design of TMI does not provide protection against so-called

" Class 9" accidents.

There is no basis for concluding that such accidents are not credible.

Indeed, the staff has conceded that the accident at Unit 2 falls within that classification.

Of the realm of possible accidents, the Staf f 's method of determining which fall within the design basis accidents and those for which no protection is required is faulty in that the design basis accidents for TMI do not bound the credible accidents which can occur.

Therefore, there is not reasonable assurance that TMI-1 can be operated without endangering the health,and safety of the public and resumption of operation should not be permitted.148 l

148 In addition to UCS Contention No.13, the Board admitted

" Class 9" accident contentions advanced by ECNP [ECNP-4(b) and

-4(c)] and by Mr. Sho11y [Sho11y-17), which identified particu-lar accident sequences with a nexus to the TMI-2 accident.

For reasons discussed in paragraph 19 of our general Introductory Findings, supra, we rejected other " Class 9" contentions advanced by UCS, ECNP, ANGRY, and CEA.

However, we permitted ECNP, ANGRY, and CEA each to adopt UCS Contention No.13 in place of their rejected contentions.

ECNP and CEA subsequently lost their rights to adopt UCS Contention No.13, upon def ault on Board orders.

Mr. Sholly withdrew his Contention No. 17 oy memo-randum dated December 23, 1980, and UCS, lead intervenor on its contention, withdrew its eponsorship of UCS Contention No.

13 by letter dated January 5, 1981.

The Board did not adopt Sholly Contention No. 17, or ECNP Contentions 4(b) and 4(c) on which ECNP had defaulted, Tr. 11,025-26, but retained UCS Contention No. 13.

ANGRY, the sole remaining intervenor with an interest in UCS Contention No. 13, conducted limited cross-examination of Licensee's witness and departed, and did not attend the evidentiary session at which the Staff presented its testimony on the issue.

Compare Tr. 11,088 and Tr. 11,103.

-322-

- 464.

UCS Contention No. 13 mounts a frontal attack on the Staff's methodology for determining which accidents, in the realm of possible accidents, fall within the design basis.

Pointing to the Staf f's determination that the TMI-2 accident was a " Class 9" accident, UCS asserts that there is no longer a basis for concluding that " Class 9" accidents are not credible.

UCS further asserts that the design of TMI-l does not provide protection against " Class 9" accidents, and that resumption of operation should not be permitted.149 485.

The Board begins by reviewing briefly the foundation of UCS Contention No.13 -- the Staf f's determina-tion that TMI-2 was a " Class 9" accident.

We then discuss UCS's allegation that the design of TMI-l does not provide protection against " Class 9" accidents.

We next consider the specific measures employed at TMI-l to provide protection against those events with a nexes to the TMI-2 accident.

Finally, the Board examines the methcdology used by the Staff to deters.ine whether a particular accident is characterized as

" credible" and included in the design basis envelope, or as "not credible" and excluded as " Class 9" accident.

486.

The term " Class 9" event is derived from a proposed rule published by the Atomic Energy Commission in 149 While UCS Contention No. 13 specificalAy refers to TMI-1, the Board has been presented with no evidence to suggest that TMI-l is unique, among pressurized water reactors, either in the manner in which the Staff determined the design basis of the plant, or in the plant's capability to provide protection against " Class 9" accidents.

l

-323-l

1971.

The proposed rule, which has now been withdrawn by the NRC, set forth a spectrum of accidents divided into nine classes ranging from the most trivial to the most severe, for purposes of evaluating environmental risk pursuant to the National Environmental Policy Act.

Class 8 events were characterized as:

those considered in safety analysis reports and AEC safety evaluations.

.-used, together with highly conservative assumptions, as the design-basis events to establish the performance requirements of engineered safety features.

Since the highly conservative assumptions and calculations used in safety evaluations would, if used in environmental evalua-tions, result in a substantial overestimate of environmental risk, the proposed rule provided that Class 8 events were to be evaluated realistically.

" Class 9" events were described as:

involv[ing] sequences of postulated successive failures more severe than those postulated for the design basis for protective systems and engineer'ed safety features.

Their consequences could be severe.

However, the probability of tneir occurrence is so small that their environmental risk is extremely low.

The rule provided that it was not necessary to discuss such events in applicants' Environmental Reports or in Staff envi-ronmental impact statements.

Rosenthal and Check, ff. Tr.

11,158, at 6, 7.

487.

The Class 1 through 9 classification scheme was formally used only in the evaluation of environmental risk.

-324-

For purposes of safety evaluation, events are determined to be either " credible" or "not credible."

Credible events are required to be considered in determining tne adequacy of the design of a facility; incredible events are not.

Tr. 11,196 (Rosen thal).

See generally, Tr. 11,127-28 (Levy).

"Incred ible events" under the safety classification scheme (i.e.,

those beyond the design basis 150) were thus, by definition, " Class 9" events in the terminology of the environmental classification system.

The term " Class 9" has come to be used generally to describe events beyond the design basis.

The Board so uses the term infra.

488.

In responding to'the inquiry of the licensing board in another proceeding, the Staf f reviewed the sequence of events in the TMI-2 accident, and determined that the TMI-2 accident " involved a sequence of successive failures (i.e.,

small break loss-of-coolant accident and failure of emergency core cooling system) more severe than those postulated for the design basis of the plant."

Considering that information in light of the definition of " Class 9" events in the proposed rule discussed supra, in paragraph 486, the Staff concluded that the TMI-2 accident was a " Class 9" accident.

Rosenthal and Check, ff. Tr. 11,158, at 8.

However, the off-site radiological consequences of the TMI-2 accident were inconsis-tent with the severe radiological consequences previously 150 The term "dosign basis" is defined in paragraph 437, footnote 138, in section II.Q, supra, and is further discussed in paragraphs 490 and 491, infra.

-325-

l

)

-generally assumed to be attendant to " Class 9" accidents.

The radioactive material actuclly released to the environment during the TMI-2 accident represented a minimal risk to public health and safety, with consequences far less severe than 10 C.F.R. Part 100 guidelines.

Tr. 11,195 (Rosenthal); Rosenthal and Check, ff. Tr. 11,158, at 8, 10.

The Staff's clas-sification of the TMI-2 accident as a " Class 9" accident was thus based solely on the number of equipment failures, and not on the severity of the consequences of the accident.

Tr.

11,237 (Rosenthal); Tr. 11,128 (Levy).

The classification was a difficult judgmental datermination, and was the subject of dissent within the Staf'f.

In fact, there are still a spectrum of opinions within the Staff.

Tr. 11,238-39 (Check).

While no party has as';ed the Board to reconsider the Staff's of ficial position on the matter, and we proceed below to examine the merits of UCS's allegations, we remain conscious of the rather equivocal nature of the Staff's classification of the TMI-2 accident, the sole asserted basis for former UCS Contention No.

13.

489.

The Board first assesses UCS's allegation that the design of TMI-1 does not provide protection against " Class 9" accidents.151 We initially note that UCS's simplistic 151 UCS does not seem to claim that TMI-1 is required to be de-signed against " Class 9" events.

Rather, the apparent thrust of the concention -- reading all the allegations together -- is that since the Staff's methodology for enveloping design basis events is " faulty," TMI-l should be designed against " Class 9" events.

)

-326-

reliance on the classification of the TMI-2 accident as a

" Class 9" accident as a basis for its contention does not support this particular allegation.

Since the of f-site radiological consequences of the TMI-2 accident were well below established 10 C.F.R. Part 100 guidelines (see, paragraph 488, supra), one can no more argue that the accident proved that the design of nuclear plants provides no protection against " Class 9" accidents than one can argue that the accident proved that the design of nuclear plants provides protection against all

" Class 9" accidents.

As the evidence.on the merits of UCS's allegation indicates, the truth lies somewhere between the two extremes.

See generally, Tr. 11,272-73 (Check).

490.

In the licensing process, a nuclear plant and its various safety systems are performance-tested to meet the criteria for design basis events, the set of prescribed antici-pated operational occurrences and accidents used to assess the responses of specific systems to upset conditions.152 Specific event sequences have been developed over the years to determine conservative requirements for various safety systems.153 Plant 152 Anticipated operational occurrences are events or con-ditions expected to occur one or more times during the life of a '

nuclear plant; accidents are events expected to occur less fre-quently, if at all.

Rosenthal and Check, ff. Tr. 11,158, at 4.

153 For example, uncontrolled rod withdrawal, moderator dilu-tion, and the ejected rod events represent a spectrum of events which challenge the reactivity control system.

Similarly, a spectrum of reactor coolant pipe breaks are postulated to specify the design requirements for the emergency core cooling system (ECCS).

We briefly discuss the development of the en-(continued next page)

-327-

response to the design basis events is assessed against the requirements of 10 C.F.R. Part 50 (e.g.,

Appendix A, General Design Criteria) and other regulatory standards (such as Regulatory Guides).

The potential radiological consequences of the design basis events are calculated to ensure conformance with the guidelines of 10 C.F.R.

Part 100.

Rosenthal and check, ff. Tr. 11,158, at 4, 5; Tr. 11,056-57 (Levy).

491.

Each of the design basis events, and particu-larly the design basis accidents, imposes severe performance demands (or loading conditions) on the various safety systems which must function in response to such events if the plant design is to meet regulatory requirements.

Rosenthal and Check, ff. Tr. 11,158, at 4-5, 8-9; Levy, ff. Tr. 11,049, at 2-4.

Moreover, each of the events is analyzed using conserva-tive assumptions regarding equipment availability and per-formance capability, as well as conservative values of process variables.

The plant is thus tested not only against a set of challenges to its safe operation, but also under additional conservative assumptions regarding plant conditions before and during those challenges.154 This results in a design (continued) velope of design basis events in paragraph 506, infra.

The design basis events for TMI-l are delineated in Chapter 14 of the FSAR, and include loss-of-coolant flow, steam-line break, ejected rod, and loss-of-coolant accidents.

Rosenthal and Check, ff. Tr.

11,158, at 4, 5; Levy, ff. Tr. 11,049, at 2-4.

154 A few of the many conservative assumptions employed are:

(1) the assumption of the worst or most limiting single f ailure in any safety-related system or function utilized in the (continued next page)

~

-328-l l

capability with multiple and redundant systems for coping with very severe performance demands (or loading conditions), and provides protection against unforeseen events, including multiple equipment failures and operator error.

Rosenthal and Check, ff. Tr. 11,158, at 9; Levy, ff. Tr. 11,049 at 4, 5.

492.

Further, design basis events do not establish the limits of a plant's performance.

For example, the pos-tulated steam-line break and the postulated loss-of-coolant accident are used to establish minimum requirements for the containment with respect to differential pressure.

The actual design pressure of the containment always exceeds the pressure required by the design basis analyses, to provide design margin.

Due to the conservative requirements of the ASME code, the failure pressure of the containment is well beyond the design pressure.

As a result, the Staff is finding that

, containments subjected to uniform static pressure loadings probably have ultimate capabilities of at least two-and-one-half times design pressure.

Rosenthal and Check, ff. Tr.

11,158, at 9; Levy, f f. Tr., 11,0 4 9, at 10.

493.

The inherent flexibility incorporated into many

, lant systems and the multiplicity of installed systems afford p

(continued) required analyses; Tr. 11,070 (Levy); (2) the assumption that whenever Depar.ture from Nucleate Boiling occurs, the fuel cladding fails; Tr. 11,067-69 (Levy); and (3) licensing calculation methods which overpredict by approximately 500* to 1000* F the temperatures measured at the Loss-of-Fluid Test facility during simulat'd loss-of-coolant accidents; Tr.

(LCFT) e 11,069 (Levy).

See generally, Levy, ff. Tr. 11,049, at 4, 5.

i

-329-j

~~

additional margin for overall safe response to unforeseen events.

Thus, the plant design can tolerate unforeseen event sequences through appropriate use of installed emergency safety features, as well as through other equipment not credited in the design baiis analyses.

(For example, alternative systems configurations -- i.e., valve line-ups, electrical interconnec-tions, etc. -- may be used, or equipment may be manually initiated if automatic logic circuits do not initiate action).

Rosenthal and Check, ff. Tr. 11,158, at 10.

494.

Finally, the source terms used in dose calcula-tions for TMI-l are cased on the assumptions that 100% of the core noble gases and.25% of the core iodines are released to the containment atmosphere.

However, analyses of containment air samples indicate that, during the TMI-2 accident, 60 to 70%

of the core noble gases but only 0.6% of the core iodines were present in the containment atmosphere (due to a number of chemical and physical attenuation phenomena which are not considered in current dose calculation assumptions.

See generally,.Levenson, ff. Tr. 19,525.

We discuss these phe-nomena further in the portion of this Initial Decision on emergency planning).

There is thus a spectrum of severe core damage scenarios for which adequate radiological protection has been provided, as long as containment integrity is maintained.

Rosenthal and Check, ff. Tr. 11,158, at 10; Levy, ff. Tr.

11,049, at 7, 9-10; Tr. 11,098-100 (Levy).

495.

In addition, Licensee's expert witness tes-tified extensively en the general theory of "de f ense-in-dep th "

-330-l

i in the design and licensing cf nuclear plants, which relies upon multiple physical barriers designed to prevent the release of radioactive fission products to the environment.

The first barrier-of defense-in-depth is the ceramic form of fuel and the fuel cladding employed, which limit the release of radioac-tivity from the fuel, even in extreme cases of fuel melt.

Any radioactivity which is released from the fuel is confined by the reactor coolant system piping and vessel, the second barrier, as long as they remain intact.

Finally, even if the reactor coolant system boundary is breached, the containment building is designed to confine any radioactivity escaping from the reactor coolant system, and so serves as a third barrier.155 Thus, defense-in-depth ensures further inherent 155 As Licensee's witness noted, the factors of defense-in-depth are sometimes listed as (1) the multiple physical barriers to the release of radiation, (2) siting, and (3) emergency planning.

These last two can be particularly important in mitigating the consequences of beyond design basis events.

Levy, ff. Tr. 11,049, n. at 9; Tr. 11,052 (Levy).

Licensee's witness did not attempt to quantify the protection afforded by either siting or emergency planning at TMI-1, but observed that the regulatory policy of siting nuclear plants in areas of relatively low population density per se reduces in some measure the consequences that might otherwise attend a release of radioactivity (if, for example, plants were sited in the middle of large metropolitan areas).

This is true for all licensed plants, including TMI-1, even though -- solely considering population density -- the TMI site does not provide

~

as great an advantage as that of the average operating reactor.

Tr. 11,052-53, 11,056-58, 11,064 (Levy).

Though Licensee's j

i witness was not conversant on the specifics of TMI-1 emergency planning, he was sufficiently f amiliar with emergency planning regulations to know that Licensee's compliance with those requirements would per se provide some measure of additional protection to the public in the event of an accidental release of radioactivity from TMI-1.

Tr. 11,051, 11-057-58, 11,060-61 (Levy).

We discuss emergency planning in great detail in a later portion of the Initial Decision.

i i

l

-331-

_ ~.... _ -

reserve design capability, since the integrity of at least one physical barrier is preserved and is available for protection following a design basis accident.

Levy, ff. Tr. 11,049, at 8-10, 12-13.

496.

The Board therefore rejects UCS's broad asser-tion that "[t]he design of TMI does not provide protection against

' Class 9' accidents."

We find, to the contrary, that, while no nuclear plant can provide protection against all possible " Class 9" accidents, the design of TMI-l -- particu-larly the combination of the use of conservative assumptions in design basis analyses; the difference with respect to equipment between design basis analysis requirements and actual design specifications, and the differences between design specifica-tions and ultimate capability; the inherent flexibility and multiplicity of plant systems; the conservatisms in dose calculations; and th.e underlying philosophy of defense-in-depth

-- provides prctection for a wide range of " Class 9" events.

Indeed, as we have discussed supra, at paragraph 488, the TMI-2 accident, a " Class 9" event, was mitigated with radiological consequences far less severe than 10 C.F.R. Part 100 guide-lines.

497.

Moreover, since the TMI-2 accident, many actions have been taken to reduce the likelihood of " Class 9" events.

Immediately following the TMI-2 accident, the Staff issued a number of bulletins and orders, which were followed by the formulation of a TMI Action Plan which included extensive recommendations related to operator training and procedures,

-332-

instrumentation, equipment reliability and hardware modifica-tions -. generally " lessons learned" from the TMI-2 accident.

Rosenthal and Check, ff. Tr. 11,158, at 11.

We generally review the sufficiency of these actions in our findings on Staff Review and Recommendations, in section II.T, infra.

498.

Further, the Staff constructed event trees for the anal sis of event sequences with a nexus to the TMI-2 accident, and correlated those events with the measures taken in response to various requirements related to the restart of TMI-1 which will reduce the probability of the occurrence of the identified sequences.. The Staf f also identified the actions taken to reduce the probability of occurrence of each functional failure, relating each functional requirement to systems performance and, in turn, to equipment performance.

In addition, the Staff prepared a list of actions taken which would mitigate the failures of functions shown on the event trees.

The Staff's analyses are documented in Staff Exhibit 3, TMI-l Potential Core Damage Accident Sequences and Preventive and Mitigative Measures.156 Rosenthal and Check, ff. Tr.

11,158, at 11.

156 In the Board's First Special Prehearing Conference Order, LBP-79-34, 10 N.R.C.

828, 835 (1979), we directed the Staff:

to inform this Board and the Commission whether or not (and the reasons therefor) l any specific accident sequence, which has a reasonable nexus to the TMI-2 accident and which heretofore may have been regarded as a Class 9 accident, should be considered in the analyses of the acceptability of

~

returning TMI Unit 1 to operation.

(footnote continued next page)

-333-

499.

Two event trees were considered.

Event Tree T has as its initiating event a loss of main feedwater (LMFW) transient; Event Tree S is assumed to be initiated by a loss-of-coolant accident (LOCA).

Given the two initiating events, the method presented in Appendix I to WASE-1400 was followed.

Thus, the Staff identified the functions which must be performed by systems and equipment following the initiating event in order to preclude core damage.

Each tree proceeds from lef t to right by the addition of branches corresponding to two alternatives:

successful performance of function (upper branch) and failure (lower branch).157 After Event Trees T and S were drawn, the Staff traced a path across each tree by choosing successive branches.

Each path corresponds to an accident-sequencu.

As indicated on Event Tree T, some se-quences initiated by LMFW transients result in LCCAs.

In those f

(continued)

Our March 31, 1980 Memorandum and order to NRC Staff Regarding Class 9 Accidents further directed the Staff to specify and describe each of the critical accident sequences that it would analyze in order to assure that the proposed short-and long-term actions necessary and sufficient to provide adequate protection to public health and safety have been taken.

Staff Exhibit 3 was compiled in response to the Board's orders.

157 The Staff identified the potential functional failures ralated to Event Tree T as:

loss of main feedwater, failure of emergency secondary heat removal, requirement for primary system pressure relief, failure of primary system pressure relief, and failure of primary system integrity.

The potential functional failures related to Event Tree S were identified as:

failure of emergency ecolant injection, failure of post-accident radioactivity removal, failure of post-accident heat removal from containment, and failure of emergency coolant i

recirculation.

i

-334-w--

e-aw-

,,--m,,,,s4..-

w-.-

caset; it is necessary to move from Event Tree T to Event Tree S to complete the accident sequence.

Staff Ex. 3 at 2-3, 6, 11, 13-14.

500.

The Staf f addressed each node in the event trees, to ensure that action has been taken at each step to reduce the likelihood of progressing beyond that node.

Tr.

11,250-51 (Check, Rosenthal); Tr. 11,252-53 (Rosenthal).

The specific bardware mooifications which the Staff identified which will improve the reliability of the emergency feedwater (EFW) system for Event Tree T include:

automatic initiation of EFW, modification of EFW control valves, automatic block loading of motor driven EFW pumps en diesels, indication of EFW to each steam generator, indication of EFW supply water, automatic termination of EFW flow to a depressurized steam generator with automatic supply to the intact steam generator, and planned separation of EFW from ICS.158 The modifications which will reduce challenges to the pressure relief valve for Event Tree T include raising the relief valve setpoint and reducing the high-pressure reactor trip setpoint, and the installation of anticipatory trips for loss-of-feedwater and turbine trip.

The mi nifications which will improve the reliability of the pressure relief valves and increase the probability of maintaining primary system integrity for Event

$f6 We have examined the modifications to the TMI-l EFW system la detail in section II.Q, supra.

-335-y

Tree T include testing of relief and safety valves, the installation of direct indication of valve position, and the provision of emergency power to relief and block valves and associated instrumentation control.

Rosenthal and Check, ff.

Tr. 11,158, at 13-15; Staff Ex. 3 at 42, 51-52, 54, 56.

501.

The specific hardware modifications related to Event Tree S which the Staf f identified which w211 provide the operator with enhanced information for proper initiation and termination of emergency core coolant injection systems, and which will also enhance availchility of emergency coolant recirculation, include the installation of a subcooling meter and instrumentation to detect inadequate core cooling (to be implemented on a schedule consistent with requirements of other operating reactors).

Rosenthal and Check, ff. Tr. 11,158, at 15; Staff Ex. 3 at 61-62, 75-76.

502.

In addition to these specific hardware modifications, the Staff identified many other modifications and improvements.(e.g., procedural changes) which it related to specific nodes of the event trees.

Rosenthal and Check, ff.

Tr. 11,158, at 12; Staff Ex. 3, Tables 7-15.

The Staff further identified a number of measures taken which are generally applicable to all nodes on Event Trees T and S, including requirements for licensee review of operating experience, operational quality assurance, verification of management and technical capability, verification of capability for safety review and operational guidance, training of operators, review L

-336-

of facility procedsrce, review of plant maintenance e fability, requirements for shift turnover procedures, requirements related to shif t manning, requirements for an onsite safety engineering group, systematic assessment of licensee safety, and requirements for a shift technical advisor.

Rosenthal and Check, ff. Tr. 11,158, at 13; Staff Ex. 3 at 77, Table 16.

The effect of these changes is, first, to enhance the maintenance and operation of the systems involved in each step of the identified event sequences, thus diminishing the probability of malfunction of the various components of these systems; and second, to upgrade significantly the ability of the operators and the operating organization to recognize and to take the proper remedial action to cope with malfunction should it occur.

There is a combined effect from improvement in both these aspects on each and every step in the event sequences.

Thus, the cumulative effect of both of these aspects is a substantial increase in the overall likelihood of successful safe termination of the initiating events.

Rosenthal and Check, ff. Tr. 11,158, at 13.

503.

As discussed in paragraph 509, infra, the Staff of ten uses quantitative probability assessments to focus its attention on weak systems (i.e., those with dominant contribu-tions to total risk).

However, in analyzing events with a nexus to the TMI-2 accident, as presented in Event Trees T and S, the Staff did not limit its attention to a perceived dominant sequence but rather took a " broad brush" approach and 4

-337-

proposed remedial actions which affect many systems involved in the entire chain, from initiating event to potential core melt.

The Staff's comprehensive approach to these nexus events obviated the need for a probabilistic assessment screening to focus attention on particular sequences.

Rosenthal and Check, ff. Tr. 11,158, at 16; Tr. 11,263-65 (Rosenthal).

(While the Staff did not quantitatively evaluate the nexus events and corresponding remedial actions, Licensee's witness generated a quantitative estimate -- based on his professional engineering judgment and experience -- of the increase in the margin of safety, achieved by specific modifications, in typical accident sequences with a nexus to the TMI-2 accident.

Though the Board believes the Staf f 's comprehensive approach to be a suf ficient.

basis for the findings here, we note that Licensee's witness concluded, for example, (1) that certain identified actions provide for an overall improvement factor of approximately two to three orders of magnitude for a TMI-2 type accident initiated by a LMFW; (2) that similar substantial improvements hav'e been made for other overpressure transients involving relief valves; and (3) overall, substantial action has been taken to ensure that event sequences with a nexus to the TMI-2 accident will be terminated long before the core reaches a degraded condition.

Levy, ff. Tr. 11,049, at 14-18.)

504.

The Staff believes that Licensee's imple-mentation of the identified measures reduces the analyzed event sequences from " dominant contributors to total risk" to a level

-338-

of risk " consistent with other contributory risks of the facility as a whole."

Thus, the Staf f concludes, the probabil-ity of the event sequences with a nexus to the TMI-2 accident occurring and leading to a core melt, with concurrent or consequential containment failure such that 10 C.F.R.

Part 100 quidelines are exceeded, is sufficiently low that the event sequences may be considered not " credible," and there exists reasonable assurance that TMI-1 can be operated withott endangering the health and safety of the public.

Rosenthal and Check, ff. Tr. 11,158, at 16.

Moreover, the Staf f 's qualita-tive evaluation of the post-TMI-2 " fixes" indicates that they result in an overall improvement in plant safety, beyond events with a nexus to the TMI-2 accident.

Tr. 11,218 (Rosenthal).

Cf., Tr. 11,094 (Levy).

Finally, al rhough the Staff 's Event Trees T and S only follow sequences to the stage where either severe core damage or core melt is indicated, the Staff has also identified extensive measures, both short-term and long-term, which are being implemented by the Staff and by Licensee and which will result in an enhanced ability to deal with and mitigate the consequences of degraded core conditions, as well as situations involving inadequate core cooling.

Staff Ex. 3 at 83, Table 17; Tr. 11,270-74 (Rosenthal).

505.

The Board therefore finds tha t the Staff has identified and analyzed -- through detailed event tree proce-dures -- those critical event sequences with a reasonable nexus to the TMI-2 accident.

Based on the Staf f 's analyses of these

-339-

event trees, and the corresponding preventive and mitigative measures prescribed by the Staff and implemented by Licensee to address potential failures at each node of the event trees, the Board concludes that the event sequences with a nexus to the TMI-2 accident represent risks consistent with other contribu-tory risks of. the facility as a whole.

506.

Finally, the Board examines UCS's allegation that the Staff's methodology for determining which events fall within the design envelope and which do not is "f aulty in that the design basis accidents for TMI do not bound the credible accidents which can occur."

Reactor regulation is necessarily an evolving process, with new information and techniques incorporated into the process as they are developed and verified.. Historically, in the early days of reactor safety assessmentc, the accidents against which plants were designed were determined through group assessment of potential failures.

Efforts focused on bounding those events that might reasonably be expected to occur -- the " credible" events -- by postulating the failure of each major system in tusn, and requiring that the plant mitigate the consequences, te ensure that predicted off-site doses were within 10 C.F.R.

Part 100 guidelines.

The process of identifying the bounding conditions frequently took the form of extended discussion, and debate -- both oral and written -- among the S taf f, the Advisory Committee on Reactor Safeguards (ACRS), and nuclear industry experts.

Increasingly sophisticated saf ety assessments, refined by continuing

-340-

analyses and experience, were performed through the 1960s and early 1970s.

By the mid-1970s, the Staff had developed the basic set of design basis events (anticipated operational occurrences and accidents) now used by the Staff in all case reviews to assess the overall adequacy of the design of a plant.

Rosenthal and Check, ff. Tr. 11,158, at 17, 18.

507.

The Staff's fundamental methodology for determining whether a particular sequence is " credible" or

" incredible" for design review purposes is thus based primarily on engineering judgment, informed by engineering assessment of the performance characteristics of the various reactor systems and components, and by engineering evaluation of the system and component failures that may occur.

The judgment as to whether a given sequence is " credible" or " incredible" does not rest upon the application of a specified numerical criterion er a particular definition.

Rather, the Staff's approach, generally charucterized as a mechanistic" or " deterministic" approach, relies upon the composite of the engineering experience and technical expertise of the Staff, supplemented by that of the ACRS, with substantial contribution from the experience and expertise of the designers, builders and operators of nuclear power reactors.

Rosenthal and Check, ff. Tr.11,158, at 17; Tr. 11,180-81 (Check); Tr. 11,203 (Rosenthal, Check); Tr.

11,247-48 (Check); Levy, ff. Tr. 11,049, at 2.

508.

However, though the Staff's accident clas-sification methodology can be generally characterized as a

-341-

~

" mechanistic" or " deterministic" approach, elements of "3robabilistic" analysis have historically been included.

Tr.

11,201, 11,253 (Check).

The most comprehensive use of risk assessment to date appears in the Reactor Safety Study, WASE-1400.159 Rosenthal and Check, ff. Tr. 11,158, at 25.

In the development of the envelope of design basis events, the probability associated with calculated sequences was given limited (generdily quantitative) consideration, and some elements of probability were reflected, primarily in the selection of event sequences to be analyzed.

Rosenthal and Check, ff. Tr. 11,1~9, at 20.

Other examples of Staff use of quantitative probabilistic technique include: (a) the development of a numerical probability criterion (described in Section 2.2.3 of the Standard Review Plan) for the assessment of consequences of accidents arising from external hazards to a plant; (b) the preparation of an analysis of pressure vessel reliability; (c) the assessment of probabilities associated 159 Af ter the issuance of the " Lewis Report," the Commission issued a polic;< statement accepting the Lewis Committee's major findings and disulaiming endorsement of the Executive Summary of WASH-1400.

Tha policy statement provided, inter alia, that the NASH-1400 absolute values of risk should not be used un-critically in the regulatory process, but that the Staff should use components of NASH-1400 where the data base is adequate and analytical techniques permit.

See, Florida Power & Light Co.

(St. Lucie Nuclear Power Plant, Unit No. 2), ALAB-603, 12 N.R.C.

30, 47 n.60 (1980).

Cf., Tr. 11,124-25, 11,173 (Smith);

Tr. 11,153 (Smith, Baxter); Rosenthal and Check, ff. Tr.

11,158, at 24, 25.

The use of WASH-1400 by the witnesses of Staff and Licensee was consistent with this guidance.

Tr.

11,146, 11,172-74 (Levy); Tr. 11,160-61 (Check. nnsenth:1).

l

-342-

with BWR rod drop events; and (d) the consideration of the Anticipated Transients Without Scram (ATWS) issue.

Rosenthal and Check, ff. Tr. 11,158, at 21-25; Tr. 11,249 (Check). See generally, Tr. 11,205-12 (Rosenthal, Check).

509.

Moreover, there has been a gradual, continuing increase in the employment of probabilistic risk analysis techniques to augment the Staff's traditional deterministic methodology.

Tr. 11,175 (Rosenthal)'; Tr. 11,177 (Check).

For example, the Staff now often uses quantitative probabilistic assessment to identify areas of relative strength and weakness (i.e.,

relative contributions to total risk), and to focus ret;urces and attention on areas which should be subject to detailed engineering review.

Rosenthal and Check, ff. Tr.

11,158, at 17, 20; Tr. 11,182 (Rosenthal).

In addition, Staff engineers are making ir.areasing use of event and fault tree methodology in specific analyses, particularly in examining isolated elements of larger problems.

In this context, probabilistic risk assessment serves as a systematic construct for studying plants and understanding plant behavior.

Tr.

11,175, 11,183 (Rosenthal).

Quantitative probabilistic assessment techniques were also used in the recent Staff evaluations of certain alleged "high risk" sites -- Indian Point, Dresden and Limerick.

Tr. 11,183 (Check).

510.

Further, the Staff plans to broaden its use of quantitative risk assecsment techniques in the future.

As indicated in the TMI Action Plan (NUREG-0660,Section II.C.2),

l

-343-

~

--nr

a wide-ranging National Reliability Evaluation Program (NREP) is planned.

The initial stage (the first four planc eval-uations), known as the Integrated Reliability Evaluation Program (IREP), is underway, and steps are being taken to broaden the study.160 NREP is designed to include all plants (including TMI-1), using common data bases, recognized tech-niques, peer review process, and comparable methodology (i.e.,

event tree and f ault tree methodology).

Rosenthal and Check, ff. Tr. 11,158, at 27; Tr. 11,259 (Rosenthal).

Finally, although the Commission does not presently have a numerical safety goal, it recently approved a document entitled Plan For Developing Safety Goal (NUREG-0735).

The safety goal itself is a socio-political, economic decision which will not involve employment of quantitative probabilistic assessment techniques.-

However, the development of such a goal may have a great effect on the regulatory process as a whole, including the use of probabilistic techniques.

Rosenthal and Check, ff. Tr. 11,158, at 27; Tr. 11,178 (Check); Tr. 11,193 (Rosenthal).

511.

With the increasing use of risk assessment, and with a perception of event sequences as a continuum of probabilities with an associated continuum of consequences, the 160 IREP is designed to provide information to allow the Commission to make sound judgments on the value and scope of planned subsequent phases of comprehensive reliability assessment programs.

Tr. 11,190, 11,259 (Rosenthal); Tr.

11,261 (Check).

We discuss IREP further in section II.T, infra.

-344-

l Staff has recently begun to extend its consideration of failure sequences, to include events which have not previous 1v been considered to be design basis events.

Thus, the Staff now explicitly considers a much wider range of event sequences than were considered prior to the TMI-2 accident, some involving multiple failures and some involving systems not traditionally considered safety systems.

Rosenthal and Check, ff. Tr.

11,158, at 18, 19; Tr. 11,196-98, 11,246-47 (Rosenthal); Tr.

11,248 (Check).

512.

The Staff addresses those event sequences designated as design basis events primarily by reque, tg installation of engineered safety features, though administra-tive controls have also been employed in some cases.

Event sequences not designated as design basis events are " fixed" through a variety of requirements, including increased surveil-lance and testing of existing equipment, procedural modifica-tions, and improved operator training, as well as some equip-ment modifications.

In addressing sequences not designated as design casis events, the Staff focuses on modificationa which eliminate the initiating event or improve the capability of some other systems to compensate for or cope with the initial malfunction, as well as on improvements in mitigating system characteristics.

These " fixes" are designed to diminish the likelihood of the particular sequence to a low level relative to other potential reactor safety system malfunctions, or to reduce the potential consequences of such an event to a level

-345-1

[

less severe than those associated with analyzed design basis events.

Rosenthal and Check, ff. Tr.11,158, at 18,19.

513.

Though the Staff believes that probabilistic risk assessment techniques can be employed profitably to augment. the more traditional deterministic techniques used by the Staff, the Staff believes it would be ill-advised at this time to rely solely upon probabilistic techniques as a basis for regulatory decisions.

Tr. 11,177, 11,181-82, 11,201-02, 11,253 (Check).

Licensee's expert witness agrees.

Tr.

11,090-91 (Levy).

The Staff's reservations about the exclusive use of probabilistic techniques reflect three basis concerns.

First, due to a lack of suf ficient failure-rate data and difficulties in developing complete system models, compre-hensive assessments which have been adequately tested are rare

( though the available data base is improving ).

Cf., Tr. 11,164 (Check); Tr. 11,168, 11,176-77, 11,182-83, 11,190, 11,235 (Rosenthal); Tr. 11,240-43 (Check).

Second, the Staf f pre-sently has no numerical probability goal against which to assess compliance; moreover, any such numerical goal would be difficult to apply given the range of uncertainty in cal-culating probabilities.

Cf., Rosenthal and Check, ff. Tr.

11,158, at 26, 27; Tr. 11,178 (Check); Tr. 11,193-95, 11,198-99 (Rosenthal).

And, finally, the Staff believes its current approach -- which utilizes composite engineering experience and l

judgment,- as well as probabilistic techniques -- provides a sound, ccmprehensive basis for its decisions.

Cf., Tr.

-346-

11,180-81, 11,247-49 (Check).

See generally, Rosenthal and Check, ff. Tr. 11,158, at 20.

514.

The Board haard no evidence whatsoever -- other than a discussion of the Staff's equivocal classification of the TMI-2 accident as a " Class 9" accident, which we reviewed supra, at paragraph 488 -- which would suggest that the methodology used by the Staff to determine the envelope of design basis accidents is " faulty" as alleged by UCS.

Rather, the totality of the record on the issue leads us to conclude that the Staff has historically engaged the nuclear community

-- including industry experts and the ACRS -- in a continuing dialogue designed to systematically identify, through methodical analysis and the evaluation of operating experience, those accident sequences that might reasonably be expected to occur.

Moreover, since the TMI-2 accident, the Staff has expanded its reviews to include consideration of certain-sequences traditionally considered to be beyond design basis events.

Further, while the Staff's methodology is primarily based on composite engineering experience and technical expertise, the Staff has in the past incorporated probabilistic risk assessment techniques into its methodology, and plans to make increasing use of probabilistic assessment in the future.

The Board believes that there is great utility in probabilistic risk assessment, and encourages the Staf f to continue to incorporate such techniques into the regulatory process wherever appropriate.

However, in light of the present lack of

-347-

an adequate data base, appropriate models, and a numerical safety-goal, the wholesale substitution of probabilistic risk assessment for professional engineering judgment (including use of probabilistic techniqu'es) would be at best premature at this time.

We nevertheless note that the Commission's overall safety goal, now being developed, may have far-reaching liplications on the use of probabilistic techniques in the regulatory process.

515.

In summary, then, the Board rejects the broad implication of UCS Contention No.13 -- that the Staff 's equivocal classification of the TMI-2 accident as a " Class 9" accident in and of itself undermines the Staff's methodology

+

'for enveloping design basis accidents.

We similarly reject UCS 's allegation that the design of TMI-1 does not provide protection against " Class 9" accidents and find, to the contrary, that the TMI-1 /arign provides protection for a wide range of " Class 9" events.

We further find that, based on the Staff's analyses of the event sequences with a nexus to the TMI-2 accident, as well as the corresponding preventive and mitigative measures being implemented to address each potential failure in each sequence, the risks represented by the nexus sequences are not dominant contributors to the total risk but, rather, represent risks consistent with other contributory risks of the facility as a whole.

Finally, we reject as without basis UCS's allegation that the Staff's methodology for enveloping design basis accidents is " faulty."

he believe

-348-

there is great value in probabilistic risk assessment techniques, however, and encourage the Staff to continue to incorporate them into the regulatory process as appropriate.

T.

Staff Review and Recommendations Board Question No. 1:

Prior to the opening of the evidentiary hearing, the staff should inform the t 'ard as to when the staff will take a position on the applicability to this proceeding of NUREG-0694, "TMI-Related Requirements for New Cperating Licenses".

The following items in NUREG-0694 and/or NUREG-0660,

" Action Plans for Implementing Recommendations of the President's Commission and Other Studies of TMI-2 Accidebt", are of particular interest to th/. board :

a.

I.D.1 -- Control Room Design (following a human factors analysis),

b.

II.E.1.1 -- Auxiliary Feedwater System (reliability evaluation using event-tree logic).

c.

II.B.8 -- Rulemaking proceeding on degraded core accidents.

d.

II.B.7 -- Analysis of response of containment structures to hydrogen explosions.

Do the proposals for hydrogen control for Sequoyah, which include " spark plugs", have any applicability to TMI-l?

Board Question No. 2:

The board istated its concern with having an adequate record on the cufficiency of the proposed short-term and long-tai.m actions to protect the health and safety of the public.

Without further explanation the question may appear to invite conclu-

~

sionary testimony on the ultimate

-349-

/

factual issues to be decided by the board. (Commission's August 9, 1979 order, 10 NRC 141, 148.)

This is not what the board has in mind as a response to the question.

Our concerns were expressed in part in the June 23, 1980 memorandum on the staff's report on TMI-1 accident sequences.

To explain further: We assume that the staff and licensee may present evidence that each Category A and each Category B recommendation in Table B-1 of NUREG-0578 (order items ST 8 and LT 3), and that each preven-tative and mitigative measure identified with respect to a given accident sequence in the staff 's TMI-1 Core Damage Accident Sequence Report will be, at least, sufficient to resolve the related safety problem or accident sequence.

However, nowhere have we seen in the Restart Report, SER, the accident sequence report, or elsewhere, an explanation as to how the staff or licensee has determined that all of the necessary TMI-2 related recommendations have been identified and that all the appropri-ate accident sequences have been addressed.

The board wants testimony or other evidence which explains, if such be the case, how the licensee and the staf f have concluded that the NUREG-0578 short and long-term recommendations, other subsequent safety recommendations, and the identified accident sequences (with their respective preventative or mitigative measures) are in their totality sufficient to provice reasonable assurance that TMI-1 can be operated without endangering the health and safety of the public.

The question is not intended to enlarge the scope of the hearing.

The response may be limited to considera-tion of accidents following a loss-of-feed-water transient.

Board Question No. 3:

The results of the Interim Reliability

~

Evaluation Plan (IREP), as applied

-350-i

to Crystal River, was scheduled for completion in July 1980.

(The board wants to receive a copy of this report.)

a.

When will the IREP be applied to TMI-l?

b.

Does the IREP address the adequacy of the proposed actions for B&W plants?

Board Cuestion No. 5:

When does the staff plan to report on its review of NUREG-0660 as applied to TMI-1?

(The board and the parties should be kept informed as quickly as the staff has identified any addi-tional action plans that should be required for implementation, either before any proposed restart or for the long-term.)

Board Cuestion No. 7:

Following the investigation of the Crystal River incident, the staff issued NUREG-0667, " Transient Response of Babcock & Wilcox-Designed Reactors".

Which of the recom-mendations in Table 2.1 of that report does the staff believe should be implemented for TMI-1 prior to start-up, which should be included in the long-term actions, and which, if any, are not needed for TMI-l and why not?

516.

The Beard views these questions, which we propounced during tne prehearing conference of August 12-13, 1980, as inquiring generally into the sufficiency of the actions. recoramended by the Staf f in the wake of the TMI-2 accident and, specifically, as to the sufficiency of the

-351-

1 actions recommended (both short and long-term) for TMI-1.

In this portion of the Initial Decision, the Board will first address the mechanisms employed by the Staff to determine what actions are necessary in order to adequately protect the public health and safety, the criteria used to determine whether these actions are required prior to the restart of TMI-l and, for those actions which the Staff concluded are not required prior to restart, the criteria by which the Staff found that the actions taken by Licensee constituted " reasonable progress".

Finally, the Board will examine the necessity and suf ficiency of the individual actions ref erenced in our questions.161 517.

In the af termath of the THI-2 accident, a number of independent groups, as well as separate groups within the hRC Staf f, conducted investigations into the causes of the accident and recommended actions to be taken by all licensees in order to prevent or mitigate the consequences of a similar event.

The recommendations of each of these groups were collected, assessed and consolidated into one discrete set of 161 The Board has previously made findings of necessity, suf-ficiency and reasonable progress on a number of items which were litigated by the parties.

Board questions as to certain specific recommended actions are addressed elsewhere in this decision, along with closely-related issues raised (at least once-) by the intervenors, or in the case of Board Cuestion 6 (Emergency Feedwater Reliability), where no party has challenged a system of interest to the Board.

We do not repeat these individual findings here.

Additionally, the l

Board has addressed the matter of the suf ficiency of the accident sequences examined (as raised in Board Cuestion No. 2) in Section II.S, supra.

l l

-352-

recommendations and published by the Staff as NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident" (the

" Action Plan") in May, 1980.162 Prior to its publication,

- draf ts of the Action Plan were reviewed by the Commissioners, the ACRS, the NRC Executive Director for Operations and the directors of NRC's program offices.

The Staff believes that the recommendations contained in the Action Plan,16 in view of their promulgation and assessment by persons having expert knowledge over a broad range of technical disciplines, provide reasonable assurance that the causes of the TMI-2 accident and their associated corrective measures have be2n completely and adequately identified.

Ross, ff. Tr. 15,555, at 3'-5; Tr.

15,622-23 (D. Ross).

The Board agrees that the inclusion in' the Action Plan of the recommendations of the various inves-tigatory groups, in combination with the ongoing Staff review efforts (see paragraph 522, infra), provides adequate assurance that all important TMI-related recommendations have been identified.

162 Investigations of the TMI-2 accident which the Staf f considered in formulating the Action Plan include those per-formed by: the President's Commission on the Accident at Three Mile Island; Congress; the General Accounting Office; the NRC Special Inquiry Group; the Advisory Committee on Reactor Safeguards (ACRS); the Staf f 's Lessons Learned Task Force; the Bulletin and Orders Task Force; and, the Office.of Inspection and Enforcement's Special Review Group.

Ross, ff. Tr. 15,555, at 3, 4.

163 Fif ty-four of the Action Plan recommendations are encompassed within the scope of the long-and short-term actions contained in the Commission's Order and Notice of Hearing of August 9, 1979.

Ross, ff. Tr. 15,555, at 8 and Table 2.

-353-l-

i

~

518.

In concert with the publication of the Action Plan, the Staff undertook an assessment of these recom-mendations to identify those that were known to have signifi-cant safety improvement potential and required that these items be implemented by applicants prior to the issuance of a new operating license.164 Those Action Plan items which the Staff identified as required for NTOLs were subsequently officially Published as NUREG-0694, "TMI-Related Requirements for New Operating Licenses."

Earlier in this proceeding, the Staff had taken the position that TMI-l was to be treated as an NTOL and would be required to comply with the requirements of NUREG-0694 on a schedule consistent with that of other NTOLs (i.e., the

" fuel-load" or " full-power" requirements of NUREG-0694 were to be met prior to restart or prior to exceeding 5% power).

Ross, ff. Tr. 15,555, at 8, 9; Tr. 10,525-26 (Ramirez); Tr. 15,647, 15,656-57 (D. Ross).

519.

Of the forty-eight requirements contained in NUREG-0694 which the Staff believed were applicable to TMI-1, thirty were encompassed by the requirements contained in the Commission's Order and Notice of Hearing of August 9, 1979.

It was the Staf f's position that the remaining eighteen items should L, completed prior to the restart of TMI-1.165

Ross, ff. Tr. 15,555, at 9, 10.

164 These items have commonly been referred to throughout the course of this hearing as the "ATOL (near-term operating license) requirements."

165 Of these eighteen items, all but three have been required to be completed by all operating rea: tors, albeit on a different (continueo next page)

-354-

520.

The Commission, in its Order of March 23, 1981 (CLI-81-3), stated that it believed that TMI-l "should be grouped with reactors which have received operating licenses, rather than with the units with pending operating license applications" except where the Board finds to the contrary when the record so dictates.

13 N.R.C.

, CLI-81-3, slip op. at 7.

Pursuant to this directive from the Commission, the Staff reassessed its previous position that Licensee should be required to comply with all NTOL requirements outside the scope of the Commission's Order and Notice of Hearing.

The Staff reviewed these eighteen NTOL requirements and concluded, based upon the safety significance of the requirements, that five of the NTOL items should remain as prerequisites for the restart of TMI-1.

The Staff is now of the position that the remaining items should be implemented on the same schedule as other operating reactors, as set forth in NUREG-0737.

Tr. 21,325-29 (Jacobs, Silver); Staff Ex. 11.

The Staff has reviewed Licensee's actions taken in response to these five additional pre-restart requirements derived from NUREG-0694 and has concluded that the requirements of these items have been or will be met prior to restart.

Jd.; see also, paragraph 538, infra.

521.

The Staff believes that the combination of the short-term Order items and the five NUREG-0694 recommendations (continued) l schedule (see, for example, Tr. 15,650-51 (D. Ross, Capra)).

Ross, ff. Tr. 15,555 at 9.

-355-

provide the most significant improvements in safety, and thus is proposing that these actions be implemented at TMI-1 prior to restart.

Ross, ff. Tr. 15,555, at 12; Tr. 21,327-30 (Silver).

Further, the Staf f has reviewed Licensee's actions taken pursuant to the short-term Order items and the applicable NUREG-0694 items and has concluded that Licensee has completed the actions called for by these items (or will complete these actions prior to restart).

Since those actions which are vital to safety will be completed prior to restart, the Staff has concluded that there is reasonable assurance that TMI-1 can be restarted without posing a threat to the public health and safety.

Ross, ff. Tr. 15,555, at 6; Tr. 21,045, 21,118-19 (Silver); Staff Ex. 14 at 3; Staff Ex. 11.

522.

The Staff anticipates that, as part of its on-going review of the Action Plan and its continual efforts to improve plant safety, additional requirements will be issued to all licensees, including TMI-1.

Such was the case with NUREG-0737, " Clarification of TMI Action Plan Requirements,"

issued by the staff in October,1980.

NUREG-0737 provides a preliminary clarification of all Action Plan recommendations which have been approved for implementation by the Commission; modifications to the scope and/or schedule of several previous-ly issued Action Plan and long-term 0,rder items are included in NUREG-0737.166 The Staff has stated that these modifications 166 The Board notes that many of these items are outgrowths of NUREG-0578 recommendations and IE Bulletin requirements and have

~

been the subject of previou's clarifications issued by the Staff.

1

-356-F r

y

- ' r

will now be binding on applicants and licensees, and supersede the requirements of its predecessor documents.

NUREG-0737 has also imposed an additional eleven TMI-related requirements for TMI-1.

Ross, ff. Tr. 15,555, at 10, 11; Staff Ex. 14 at 3.

523.

The Staff, pursuant to the Commission's guidance to treat TMI-l as an operating reactor, has stated that TMI-l will be required to implement the additional NUREG-0737 requirements on the same schedule as other operating reactors.

Several of the implementation dates for NUREG-0737 items f all due before the earliest estimated restart of TMI-l (October, 1981); the Staf f, therefore, has taken the position that these items should be completed prior to restart.167 Ross, ff. Tr. 15,555, at 11; Tr. 21,049 (Silver); see generally, Staff Ex. 12.

The Board notes that these NUREG-0737 items are not being required by the Staff prior to restart because of their safety significance, but simply because the proposed implementation dates f all due prior to the estimated time of restart.168 Tr. 21,048-49, 21,323-24 (Silver).

524.

The last group of restart requirements which e been proposed by the Staf f are those recommended by the 167 te paragraphs 526 through 528, infra, for the Board's l

findit s on several of these items.

168 NUK 1-0737 implementation dates af ter June 30, 1981, have not yet been reviewed by the Staff, and are subject to being amended generically.

If the dates for those NUREG-0737 items which the Staff has identified as prerequisites for restart are extended past the estimated restart date, the Staff would no longer consider these items to be restart requirements.

Tr. 21,049, 21,136-38 (Silver); Staff Ex. 14 at 12, n.(1).

i 1

-357-i t

Division of Human Factors Safety of the Office of Nuclear Reactor. Regulation, as documented in NUREG-0752 and Supplement No.1 thereto (Staff Exhibits 2 and 15, respectively).

Based upon its review of the TMI-1 control room and the control room / human factors documentation submitted by Licensee (see Section-II.N, supra, for a complete examination of this issue),

the Staff has recommended that certain modifications be implemented by Licensee prior to restart, prior to escalation beyond 54 power or as long-term modifications.

The Staff believes the modifications which it has recommended to be implemented prior to restart and prior to escalation above 5%

power will sufficiently reduce the potential for operatot error leading to serious consequences due to human factors defi-ciencies to permit restart of TMI-1.169 Staff Ex. 15 at 12, 13.

525.

The Board, upon review of the Staff's proposed restart requirements, agrees generally with the Staff's view that the combination of the short-term Order items with certain 4

of the additional pre-restart items derived from NUREG-0694 and NUREG-0752 comprise that subset of post-TMI requirements which i

are of sufficient importance to require that they be satis-factorily completed prior to restart of TMI-1.

We do, however, 169 At the time that Staf f Exhibit 15 was published, Licensee had not yet committed to implement all of the recommended modi-fications; however, at the May 14, 1981 hearing session, Licensee's counsel committed, on behalf of Licensee, to implement the modifi-cations in accordance with the schedule set out at page 13 of Staff Exhibit 15.

Tr. 21,431-32.

-358-

l question the basis for the Staff's imposition of certain other recommendations, as discussed more fully below.

To the extent that any of the Staff's proposed pre-restart requirements are not addressed below and, subject to the limitations expressed in n.168, supra (i.e., that the implementation dates of several of the NUREG-0737 pre-restart items are subject to being generically extended), the Board finds that these actions are necessary and sufficient to provide reasonable assurance that TMI-1 can be restarted without endangering the public health and safety, and therefore finds that Licensee must implement these items prior to restart.

i 526.

Staff Exhibit 12 documents the Staff's eval-uation of Licensee's compliance with those items in NUREG-0737 whose current implementation date falls due prior to October 1, 1981 (see n.168, supra).

The Board initially notes that the Staff has not made a great deal of progress in evaluating the responses of other operating reactors, i.e.,

while the Staff has reviewed Licensee's compliance with all NUREG-0737 items due for implementation prior to October,1981, only a fey of those items have been evaluated for any other operating reactor.

Further, Staff witness Jacobs knew of no instance in 4

which the Staff had imposed any of the NUREG-0737 items as license conditions for any other operating reactor.

Tr.

21,433-34 (Jacobs).

527.

NUREG-0737 items II.K.,2.14/II.K.3.7 required all B&W licensees to pr. ovide analyses documenting that the PCRV

-359-l

will open in less than 5% of all anticipated overpressure transients.

Licensee submitted the requested analysis (per-formed generically oy B&W for all B&W licensees); however, as documented in Staff Exhibit 12, the Staff has requested that Licensee provide, prior to restart, additional information in order to respond to Staff. concerns regarding the data base utilized in the analysis.

Staff witnesses Jacobs and Silver testified that no other B&W operating reactors have been reviewed for compliance with this item, nor has the Staff communicated its concerns about the analysis to any other B&W licensees, nor has any enforcement action been taken against any other B&W licensee with respect to this item.

Tr.

21,436-37 (Jacobs, Silver); Staff Ex. 12 at II.K.2.14-1 through

-3.

On this basis alone, the Board could find that the Staff has discriminated against TMI-1 (in light of the Commission's Order, CLI-81-3) by requiring that Licensee submit this additional information before it would be allowed to restart, while at the same time allowing similar B&W plants to remain in operation.

The Board further notes, however, tha t the Staff witnesses testified tha t the submission of this additional information will not affect the safe operation of the plant and that, if the same criteria were being used to evaluate TMI-l as were being applied to other plants, the submission of the initial analysis would constitute reasonable progress toward completion of this item., Tr. 21,438 (Silver), 21,441 (Jacobs).

For these reasons, then, the Board finds that completion of l

-360-

this item is not required. in order to provide reasonable assurance that TMI-l can be restarted without endangering the public health and that safety, and that therefore Licensee need not be required to complete this item prior to restart.

528.

A situation similar to that described in paragraph 527, supra, exists with respect to NUREG-0737 item II.K.3.2, which required the submission by all licensees of an analysis of the probability of a small break loss-of-coolant accident caused by a stuck-open PORV and of safety-valve failure rates.

The identical set of facts is involved with this item as with item II.K.2.14 (i.e.,

the B&W report sub-mitted by Licensee caused the Staff to request additional information; the Staf f has not reviewed other B&W licensees for compliance, nor initiated any type of enforcement action; and, the Staff witnesses do not believe that the submittal of the requested additional information prior to restart will have an impact upon the public health and safety).

Tr. 21,438-41 (Jacobs); Staff Ex. 12 at II.K.3.2-1 through

-4.

Therefore, the Board finds that the completion of this item prior to restart is not necessary in order to reasonably assure that the public health and safety is not endangered.170 170 NUREG-0737 iten II.K.3.1 calls for the submittal of design documentation for an automatic PCRV block valve closure system by July 1, 1981, if such a system is found to be necessary based upon the analysis conducted pursuant to item II.K.3.2.

Staff Ex. 12 at II.K.3.1-1.

In that the Board has found that item II.K.3.2 need not be completed prior to restart, it follows then that item II.K.3.1 also need not be completed prior to restart.

-361-

529.

The Commission's August 9, 1979 Order and Notice of Mcaring included both short-term and long-term recommended actions.

In addition to these long-term Order Jacommendations, the Staff has proposed a number of other long-term TMI-2 related recommendations.171 The long-term actions are not as narrowly defined, specific or urgent in nature as C.;e pre-restart requirements.

Certain of these items will require detailed and complex engineering analyses prior to identifying any additional modifications to plant systems or components which may be necessary; others require procurement-of components or systems which are still in the developmental stage; still others require research studies er rulemaking cn the part of the NRC.

It is the Staff's belief that such long-term items need not be completed prior to restart in light of the enhanced margin of safety provided by the short-term requirements.

Further, the,ts if relieves that deliberate, planned improvements wot tc is sf erable to imposing short-term a

actions that have not been well theyqht out.

Ross, ff. Tr.

15,555, at 6; see, e.g., paragraph 541, infra, and Tr. 15,587 (D. Ross).

The completion of these longer-t',5m actions will result in a gradually increasing improvement in safety as they are completed and the initi-1, short-term modifications are 171 These recommendations are documented in the Action Plan and NUREG-0737.

A number of the long-term actions contained in the Commission's Order and Notice of Hearing of August 9, 1979, are incorporated within the scope of these additiccal Action Plan items (see Ross, ff. Tr. 15,555, Table 2).

-362-1

replaced or supplemented by long-term, more durable improve-ments.

Ross, ff. Tr. 15,555, at 6.

530.

With respect to those long-term actions which are included in the Commission's August 9,1979 Order and Notice of Hearing, the Board notes that the completion dates for some of these actions have changed since the Commission's Order.

As originally recommended, the completion dates for certain Category B items in Table B-1 of NUREG-0578 would have become due prior to the estimated restart of TMI-1.

The completion dates now recommended by the NRC Staff for these items are those established by NUREG-0737 fer other operating reactors, many of which fall due well after the expected date of restart.

Completion of these items would be recommended prior to restart only if restart occurs af ter the completion dates 'specified in NUREG-0737.

Ross, ff. Tr. 15,555, at 11; see also n.168, supra.

In light of the Commission's Order of March 23, 1981 (CLI-81-3), which expressed the Commission's intention that NUREG-0737 implementation schedules be the same for TMI-l as other operating reactors, the Board accepts the Staff's preecnt recommendations for implementation of these items.

l 531.

The Staff has assessed, in its safety eval-untion reports and supplements, whether Licensee has demon-strated " reasonable progress" towards completion of the recommended long-term actions.

The concept of what constitutes reasonable progress and the criteria utilized by the Staff in i

-363-

determining whether Licensee has made reasonable progress has been the subject of extended examination by the Board and parties in this hearing.

See, e.g., Tr. 10,880-83; 15,594, 15,970-79; 15,985-87; 16,019-31; 21,042-50; 21,207-09; 21,434-35.

The Staff, in Supplement 3 to NUREG-0680, has stated that "[t]easonable progress toward completion of the long-term actions required by the Order for TMI-1 will be considered to be a degree of progress consistent with that of the other operating reactors, except as noted in individual evaluations, so tha t the re is reasonable assurance that the action will be completed on the NUREG-0737 schedule as it may be amended. "

Staff Ex. 14 at 3; Tr. 21,042-44 (Silver).

532.

As the Commission held in its Order of March 23, 1981 (CLI-81-3), TMI-1 is to be treated the same as other operating reactors with respect to the NUREG-0737 imple-mentation schedules (unless the record dictates to the con-trary).

Further, the Commission stated that it intended to retain its flexibility with regard to these implementation dates, where developments occur which could affect the ability of Licensee to comply with the requirements recommended by this Board or imposed by the Commission.

CLI-81-3, slip op. at 7, 8.

Based upon this guidance by the Commission, with which the Board concurs, the Board views the criteria expressed by the Staff (see paragraph 531, supra) as an appropriate means by which to judge whether Licensee has made reasonable progress toward the completion of the long-term Crder items.1 2 172 The Staff has not followed this general definition of reasonable progrest in one case.

See section II.B (Detection of Inadequate Core Cooling), supra.

-364-

533.

In conjunction with the examination conducted

.by the parties with respect to the Staff's findings of reason-able progress and reasonable assurance that TMI-1 is suffi-ciently safe to allow restart, questions were raised regarding the Staff's reliance on Licensee's " commitments," the enforce-ability of those commitments and the need for license condi-tions to assure that these commitments are carried out.

See, e.g., Tr. 21,145-53, 21,282-92 and 21,350-56.

534.

Initially, the Board would note that, with respect to any concerns the parties may have regarding Licensee's commitments to implement any of the short-term items contained in the Commission's Grder and Notice of Hearing, the Order itself requires that the Director of Nuclear Reactor Regulation must certify to the Commission that all short-term actions have been satisfactorily completed.

CLI-79-8, 10 N.R.C.

141, 148-149 (1979).

535.

It is with respect to the long-term actions committed to by Licensee that the question of enforceability is of more concern.

The Staff has stated that it will assure that all licensee commitments made in response to the NUREG-0737 requirements are appropriately enforceable and will, as needed, issue Confirmatory or Show Cause Orders to enforce these items.

Ross, ff. Tr. 15,555, at 10.

Further, the Staff's project manager for TMI-l assures us that, to the extent that the Staff's conclusions concerning the operation of TMI-l are based upon Licensee's commitments, where any changes to those

-365-1

commitments would cause a concommitant change to the Staff's conclusion, the Staff would "most definitely" take appropriate enforcemwnt action to assure that the Staff's conclusions could be substantiated.

Tr. 21,168-89 (Silver).

536.

The Commission's August 9, 1979 Order and Notice of Hearing expressly granted this Board the authority, similar to that provided in 10 C.F.R. 550.57(b), to impose such

-limitations or conditions on the restart of TMI-1, with respect to any uncompleted items, as it believes necessary to protect the public health and safety.

CLI-79-8, 10 N.R.C.

141, 148-149 (1979).

The Board does not believe it necessary, however, to impose as license conditions the requirement that specific long-term modifications must be completed by a date certain.

Our reasons for this position are two-fold: (1) the Staff has provided adequate assurance that the commitments to implement the required long-term modifications will be enforced (see paragraph 535, supra); (2) the Commission's Order of March 23, 1981, left to the Commission itself the flexibility to con-sider, on a case-by-case basis, any developments which impact Licensee's ability to comply with the implementation dates imposed by the NUREG-0737 requirements.

CLI-81-3, slip op, at 7, 8.

Therefore, the Board rejects the proposition that dates certain for the completion of these actions should be imposed as license conditions.

537.

The Board turns now to consideration of the specific individual actions which are referenced in Board Questions 1, 3 and 7.

-366-

538.

Board Question No. 1 requested the Staff to provide its position as to the applicability of NUREG-0694 and NUREG-0660 to TMI-1.

This subject is discussed generally in paragraphs 517 through 523, supra.

The Board also indicated its particular interest in the status and applicability of the following four Action Plan items.

Item I.D.1 in NUREG-0694 calls for NTOLs to perform a preliminary control room design review in order to identify significant human factors and instrumentation problems and establish a schedule for correct-ing these deficiencies.173 Licensee has conducted a control room / human factors review (see section II.N, supra), which the Board believes meets the requirements of this item.

ML19346A330

Text

Navigation menu

Search