ML20057E700
| ML20057E700 | |
| Person / Time | |
|---|---|
| Issue date: | 09/30/1993 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| NUREG-1449, NUDOCS 9310130052 | |
Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States

Final Report

U.S. Nuclear Regulatory Commission
Office of Nuclear Reactor Regulation
September 1993
AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555-0001
2. The Superintendent of Documents, U.S. Government Printing Office, Mail Stop SSOP, Washington, DC 20402-9328
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
NUREG-1449

Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States

Final Report

Date Published: September 1993

Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
ABSTRACT

The report contains the results of the NRC staff's evaluation of shutdown and low-power operations at commercial nuclear power plants in the United States. The report describes studies conducted by the staff in the following areas: operating experience related to shutdown and low-power operations, probabilistic risk assessment of shutdown and low-power conditions, and utility programs for planning and conducting activities during periods the plant is shut down. The report also documents the staff's evaluations of a number of technical issues regarding shutdown and low-power operations, including the principal findings and conclusions. Potential new regulatory requirements are discussed, as are potential changes in NRC programs. This is a final report. Comments on the draft version of the report are discussed in Appendix C of this report.
CONTENTS

Abstract
Executive Summary
1 Background and Introduction
1.1 Scope of the Staff Evaluation
1.2 Organization
1.3 Summary of the Evaluation
2 Assessment of Operating Experience
2.1 Retrospective Review of Events at Operating Reactors
2.1.1 Loss of Shutdown Cooling
2.1.2 Loss of Reactor Coolant Inventory
2.1.3 Breach of Containment Integrity
2.1.4 Loss of Electrical Power
2.1.5 Overpressurization of Reactor Coolant System
2.1.6 Flooding and Spills
2.1.7 Inadvertent Reactivity Addition
2.1.8 Insights From the Review of Events
2.2 Accident Sequence Precursor Analysis
2.2.1 Selecting Events for Analysis
2.2.2 Analysis Approach
2.2.3 Results and Findings
2.2.3.1 Design and Operational Issues Important to Risk During Shutdown
2.2.3.2 Factors That Strongly Influence the Significance of an Event
3 Site Visits To Observe Shutdown Operations
3.1 Outage Programs
3.1.1 Safety Principles
3.1.2 Safety Practices
3.1.3 Contingency Planning
3.1.4 Outage Planning
3.1.5 Outage Duration
3.1.6 Outage Experience
3.2 Conduct of Outages
3.2.1 Operator Training
3.2.2 Stress on Personnel
3.2.3 Technical Specifications
3.3 Plant and Hardware Configurations
3.3.1 Fuel Offload
3.3.2 Midloop Operation in PWRs
3.3.3 Venting in PWRs
3.3.4 Nozzle Dams in PWRs
3.3.5 Electrical Equipment
3.3.6 Onsite Sources of AC Power
3.3.7 Containment Status
3.3.8 Containment Equipment Hatches
3.3.9 Containment Control
3.3.10 Debris in Containment
3.3.11 Temperature Instrumentation
3.3.12 Water Level Instrumentation
3.3.13 RCS Pressure Indication
3.3.14 RHR System Status Indication
3.3.15 Dedicated Shutdown Annunciators
4 Probabilistic Risk Assessments
4.1 NSAC-84
4.2 NUREG/CR-5015 (Loss of RHR in PWRs)
4.3 Seabrook PRA for Shutdown Operation
4.4 Brunswick PRA for Loss of RHR (NSAC-83)
4.5 Sequoyah LOCA in Cold Shutdown
4.6 International Studies
4.7 NRC Shutdown PRA for Grand Gulf (Coarse Screening and Detailed Study)
4.8 NRC Shutdown PRA for Surry (Coarse Screening and Detailed Study)
4.9 Findings
5 Regulatory Requirements for Shutdown and Low Power Operations
5.1 Facilities in the United States
5.1.1 Technical Specifications
5.1.1.1 Reactivity Control
5.1.1.2 Inventory Control
5.1.1.3 Residual Heat Removal
5.1.1.4 Containment Integrity
5.1.2 Other Regulatory Requirements or Policies
5.1.2.1 Training (Coverage of Shutdown Conditions on Simulators)
5.1.2.2 Policy on Use of Overtime
5.1.2.3 Fire Protection
5.1.2.4 Reporting Requirements
5.1.2.5 Onsite Emergency Planning
5.1.2.6 Fuel Handling and Heavy Loads
5.1.2.7 Plant Procedures
5.1.3 Bulletins and Generic Letters
5.2 International Facilities
6 Technical Findings and Conclusions
6.1 Overview
6.2 Outage Planning and Control
6.2.1 Industry Actions
6.2.2 NRC Staff Findings
6.3 Stress on Personnel and Programs
6.4 Operator Training
6.4.1 Examination of Reactor Operators
6.4.2 Training on Simulators
6.5 Technical Specifications
6.5.1 Residual Heat Removal Technical Specifications
6.5.2 Electrical Power Systems Technical Specifications
6.5.3 PWR Containment Technical Specifications
6.6 Residual Heat Removal Capability
6.6.1 Pressurized-Water Reactors
6.6.1.1 Effectiveness of GL 88-17 Actions
6.6.1.2 Alternate Residual Heat Removal Methods
6.6.2 Boiling-Water Reactors
6.7 Temporary Reactor Coolant System Boundaries
6.7.1 Freeze Seals
6.7.1.1 Operational Experience on Freeze Seal Failures
6.7.1.2 Industry Reports on Use and Installation of Freeze Seals
6.7.1.3 NSAC-125, "Industry Guidelines for 10 CFR 50.59 Safety Evaluations"
6.7.1.4 Results and Findings
6.7.2 Thimble Tube Seals
6.7.3 Intersystem Loss-of-Coolant Accidents in PWRs
6.8 Rapid Boron Dilution
6.8.1 Accident Sequence Analysis
6.8.2 Thermal-Hydraulic Analysis for the Event Sequence
6.8.3 Neutronics Analysis
6.8.4 Other Analyses
6.9 Containment Capability
6.9.1 Need for Containment Integrity During Shutdown
6.9.2 Current Licensee Practice
6.9.3 PWR and BWR Equipment Hatch Designs
6.9.4 Containment Environment Considerations for Personnel Access
6.9.4.1 Temperature Considerations
6.9.4.2 Radiological Considerations
6.9.5 Findings
6.10 Fire Protection During Shutdown and Refueling
6.10.1 Adequacy of Current NRC Fire Protection Guidance for the Assurance of Residual Heat Removal Capability
6.10.2 Evaluation of Requirements for Cold Shutdown
6.10.3 Review of Plant Controls for Fire Prevention
6.10.4 Summary of Findings
6.11 Fuel Handling and Heavy Loads
6.11.1 Fuel Handling
6.11.2 Heavy Load Handling
6.12 Onsite Emergency Planning
6.12.1 Classification of Emergencies
6.12.2 Protection of Plant Workers
7 Potential Industry Actions Analysis
7.1 Introduction and Perspective
7.2 Previous Actions
7.3 Improvements in Shutdown and Low-Power Operations
7.3.1 Outage Planning, Outage Control, and Fire Protection
7.3.2 Technical Specifications for Control of Safety-Related Equipment
7.3.3 Water-Level Instrumentation in PWRs
7.4 Other Actions Considered
7.5 Conclusions
8 Potential NRC Staff Actions
8.1 Advanced Light-Water Reactor Reviews
8.2 Proposed Changes to the Inspection Program
8.2.1 Assessment of the Inspection Program
8.2.2 Team Inspection
8.2.3 Inspection of the Use of Freeze Seals
8.3 Operator Licensing Program
8.4 Analysis and Evaluation of Operational Data
8.5 PRA Studies
8.6 Emergency Planning
9 References

Appendices
A Cold Shutdown Event Analyses
B Details of Equipment Hatch Survey
C Staff Response to Comments Received on Draft NUREG-1449
D Abbreviations

Figures
2.1 Accident Sequence Precursor Results
4.1 Summary of PRA Results
6.1 PWR Containment Temperature vs. Time
6.2 PWR Equivalent Whole-Body Dose (Inhaled Iodine)
6.3 PWR Equivalent Whole-Body Dose (Noble Gases, Particulates)
6.4 BWR Equivalent Whole-Body Dose (Inhaled Iodine)
6.5 BWR Equivalent Whole-Body Dose (Noble Gases, Particulates)

Tables
2.1 Events Involving PWR Loss of Shutdown Cooling
2.2 Events Involving BWR Loss of Shutdown Cooling
2.3 Events Involving PWR Loss of Reactor Coolant
2.4 Events Involving BWR Loss of Reactor Coolant
2.5 Events Involving Loss of Electrical Power
2.6 Events Involving Inadvertent Reactivity Addition
2.7 Cold-Shutdown and Refueling Events Analyzed Using ASP Methods, by Docket/LER No.
2.8 Cold-Shutdown and Refueling Events Analyzed Using ASP Methods, by Vendor
2.9 Events Listed by Conditional Core-Melt Probability
5.1 Generic Communication-Generic Letters
5.2 Generic Letter 88-17 Requirements and Recommendations
B.1 Details of Equipment Hatch Survey: BWRs
B.2 Details of Equipment Hatch Survey: PWRs
EXECUTIVE SUMMARY

The NRC staff's evaluation of shutdown and low-power operations at commercial nuclear power plants in the United States is presented here. The study was initiated by the NRC investigation of the loss during shutdown of all vital ac power on March 20, 1990, at the Alvin W. Vogtle nuclear plant. This evaluation assessed risk broadly during shutdown, refueling, and startup, addressing not only issues raised by the Vogtle event, but also other issues related to shutdown that were identified by foreign regulatory organizations as well as by the NRC, and any new issues uncovered in the process.

The fundamental conclusion of this evaluation is that the public health and safety have been adequately protected while plants were in shutdown conditions, but that numerous and significant events have occurred indicating that substantial safety improvements are possible and appear warranted. The staff has also concluded, or perhaps reconfirmed, that reactor safety is the product of prudent, thoughtful, and vigilant efforts and not the result of "inherently safe" designs or "inherently safe" conditions. The areas of weakness identified herein stem primarily from the false premise that "shutdown" means "safe." The primary staff action resulting from this study must be, therefore, to recognize this fact and to resolve not to substitute complacency for appropriate safety programs to deal with shutdown conditions.

The evaluation was conducted in three stages. First, the NRC staff, with technical assistance from contractors, conducted technical studies to improve its understanding of the issues, and learned how the international community was dealing with the risks of shutdown.

Then, the staff integrated the findings from the technical studies to determine the most significant technical issues associated with shutdown, refueling, and startup operations, and to find topical areas that required further study. This process included a 3-day interoffice meeting of NRC personnel and their contractors to present issues and findings to date, followed by a peer assessment of the presentations conducted by the technical staff of the NRC Office of Nuclear Reactor Regulation (NRR).

In the third stage of the evaluation, the NRR technical staff responsible for the specific areas focused on assessing each of the key issues and study topics identified through the integration process. These assessments have yielded a number of potential regulatory actions to address the issues and the bases for those actions, as well as the bases for taking no action on some issues.

Throughout the course of the study, the NRC staff met periodically with the Nuclear Management and Resources Council (NUMARC) to keep the industry informed of NRC activities and to keep NRC abreast of the industry's continuing initiatives. The staff met twice with the Advisory Committee on Reactor Safeguards (ACRS) to report its progress. The staff also briefed the Commission twice on the status of the evaluation and documented its progress in two Commission papers (SECY 91-283 and SECY 92-067).

On February 25, 1992, the staff issued this report in a draft form and requested public comment. The period for commenting ended on April 30, 1992. After the comment period ended, the staff held five public meetings to discuss the large number of comments received from utilities and industry organizations. At these meetings were representatives from each of the nuclear steam supply system (NSSS) owners groups, representatives from individual utilities, representatives from NUMARC, and members of the public. The staff has considered the public comments and, although the comments did not change any principal findings and conclusions, the staff did modify the report to clarify it and correct inaccuracies. In addition, the staff modified Chapter 7 of the draft report substantially based on the results of its ongoing regulatory analysis of shutdown issues. Staff responses to comments received on draft NUREG-1449 are provided in Appendix C.

The NRR had the major responsibility for conducting the evaluation. Other Headquarters offices, such as the Office of Nuclear Regulatory Research (RES), the Office for Analysis and Evaluation of Operational Data (AEOD), and regional offices gave strong support. Contractors assisting the staff were Brookhaven National Laboratory (BNL), Idaho National Engineering Laboratory (INEL), Science Applications International Corporation (SAIC), and Sandia National Laboratory (SNL).

Technical Studies

The NRC staff and its contractors completed the following studies as part of the evaluation:

• systematically reviewed operating experience, including reviewing reports of events at foreign and domestic operating reactors (AEOD)
• analyzed a spectrum of events at operating reactors to estimate the conditional probability of core damage using the accident sequence precursor (ASP) analysis methodology (SAIC for NRR)
• visited 11 plant sites to broaden staff understanding of shutdown operations, including outage planning, outage management, and startup and shutdown activities (NRR)
• reviewed and evaluated existing domestic and foreign probabilistic risk assessments (PRAs) that address shutdown conditions (NRR)
• completed a preliminary level 1 PRA of shutdown and low-power operating modes for a pressurized-water reactor (PWR) and a boiling-water reactor (BWR) to screen for important accident sequences
• completed thermal-hydraulic scoping analyses to estimate the consequences of an extended loss of residual heat removal (RHR) in PWRs, and evaluated alternate methods of RHR (INEL for NRR)
• completed an analysis to estimate the likelihood and consequences of a rapid, non-homogeneous dilution of borated water in a PWR reactor core (BNL for NRR)
• compiled and reviewed existing regulatory requirements for shutdown operation and important safety-related equipment (SAIC for NRR)
• met with specialists from the Organization for Economic Cooperation and Development/Nuclear Energy Agency to exchange information on current regulatory approaches to the shutdown issues in member countries and drafted a paper on the various approaches (NRR)

The details and findings of these studies are discussed in Chapters 2, 3, 4, 5, and 6 of the report.

The most significant technical findings from the evaluation are the following:

• Outage planning is crucial to safety during shutdown conditions since it establishes if and when a licensee will enter circumstances likely to challenge safety functions, and the level of mitigation equipment available.
• The current NRC requirements in the area of fire protection (i.e., 10 CFR Part 50, Appendix R) do not apply to shutdown conditions. However, significant maintenance activities, which can increase the potential for fire, do occur during shutdown.
• Well-trained and well-equipped plant operators can play a very significant role in accident mitigation for shutdown events.
• All probabilistic risk assessments for shutdown conditions in PWRs find that accident sequences involving loss of RHR during operation with a reduced inventory (e.g., midloop operation) are dominant contributors to the core-damage frequency.
• Extended loss of decay heat removal capability in PWRs can lead to a loss-of-coolant accident (LOCA) caused by failure of temporary pressure boundaries in the reactor coolant system (RCS) or rupture of RHR system piping. In either case, the containment may be open and emergency core cooling system (ECCS) recirculation capability may not be available.
• Passive methods of decay heat removal can be very effective in delaying or preventing a severe accident in a PWR; however, there are no procedures or training for such methods.
• All PWR and Mark III BWR primary containments are capable of providing significant protection under severe core-damage conditions, provided that the containment is closed or can be closed quickly. However, analyses have shown that the steam and radiation environment in containment, which can result from an extended loss of RHR or LOCA, would make it difficult to close the containment. Mark I and II BWR secondary containments offer little protection, but this is offset by a significantly lower likelihood of core damage in BWRs.
• Generation of a dilute water slug in the RCS of a PWR during startup is possible but very unlikely. The effect of such a slug moving through the core would be limited to a power excursion which could result in some fuel damage but not a breach of the reactor vessel.

Potential Industry Actions Being Evaluated With Regulatory Analysis

In the draft version of NUREG-1449 issued for comment in early 1992, the staff identified the following five areas in which improvements in shutdown operations appeared to be warranted:

(1) outage planning and control
(2) fire protection
(3) operations, training, procedures, and other contingency plans
(4) technical specifications

Since issuing that draft, the staff has been conducting a formal regulatory analysis to determine which, if any, improvements could be justified as backfits. In conducting its formal regulatory analysis, the staff performed qualitative as well as quantitative evaluations of the five items above as a combined comprehensive program for conducting shutdown activities at either PWRs or BWRs. Such a program would be governed by two main categories of controls, which include (1) administrative controls for activities related to organization, management, and procedures and (2) limiting conditions for operation (LCOs) for controlling the availability of equipment needed to mitigate an accident. The staff views programmatic and procedural actions related to items 2, 3, and 5 (listed above) as administrative controls incorporated into the process of planning and controlling outages. Item 4 above, i.e., technical specifications, would include only LCOs on equipment. Specific controls being evaluated by the staff are listed below and in Table 1. In addition to the technical specifications controls, the staff is evaluating a hardware improvement to enhance the capability for monitoring the reactor vessel water level during operation with a reduced inventory.

Improvements in Planning and Controlling Outages (PWR and BWR)

Licensees can improve their programs for planning and controlling outages by incorporating new and improved administrative controls and LCOs. Licensees may be required to develop and use a program for planning and controlling outages that would include those elements listed below. In addition, licensees may be required to adopt new technical specifications with LCOs similar to those in Table 1.

The staff considers the programmatic guidelines in NUMARC 91-06 to address those elements of an outage program listed below with the notable exceptions being element 7 (instrumentation) and element 9 (specific contingency plans for fire protection). Consequently, the staff believes that a licensee program that (1) fully implements the guidelines in NUMARC 91-06 and (2) incorporates the features regarding fire protection and instrumentation listed below would be consistent with the staff's assumptions regarding the administrative controls portion of this improvement.

Elements for an Outage Program

(1) clearly defined and documented safety principles for outage planning and control
(2) clearly defined organizational roles and responsibilities
(3) controlled procedure defining the outage planning process
(4) pre-planning for all outages
(5) strong technical input based on safety analysis, risk insights, and defense in depth
(6) independent safety review of the outage plan and subsequent modifications
(7) planning and controls that (a) maximize the availability of existing instrumentation used to monitor temperature, pressure, and water level in the reactor vessel and (b) provide accurate guidelines for operations when existing temperature indications may not accurately represent core conditions
(8) controlled information system to provide critical safety parameters and equipment status on a real-time basis during the outage
(9) contingency plans and bases, including those necessary to ensure that effective decay heat removal (DHR) during cold shutdown and refueling conditions can be maintained in the event of a fire in any plant area
(10) realistic consideration of staffing needs and personnel capabilities with emphasis on control room staff
(12) feedback of shutdown experience into the planning process

Improvements in PWR Instrumentation

Licensees of PWRs may be required to have an independent, diverse means of accurately monitoring reactor vessel water level during midloop operation that provides continuous indication in the control room and an alarm to alert operators to over-draining during an approach to a midloop condition (e.g., ultrasonic or local pressure differential measurements across the hot leg).

Staff Actions

During the course of the evaluation, the staff has taken a number of actions in response to concerns about shutdown operations. These actions include issuing information notices regarding shutdown operations, use of freeze seals, and the potential for boron dilution. In addition, the staff issued a temporary instruction (TI) calling for increased inspection emphasis during outages that focused primarily on RHR capability and activities involving electrical systems. To fully develop the TI, the staff has conducted pilot inspections at Oconee Unit 2, Indian Point Unit 3, Diablo Canyon Unit 1, Prairie Island Units 1 and 2, and Cooper station. The staff has also modified NRC standards for operator license exams to (1) place more emphasis on shutdown operations and (2) review the licensee's requalification exam test outline for coverage of shutdown and low-power operations, consistent with the licensee's job task analysis and operating procedures. Finally, Headquarters staff advised regional staff that current emergency plans should address protection of plant workers in an emergency during shutdown operations.

The staff has also identified a number of potential actions that are discussed in Chapter 8 of the report. They include

• Incorporate findings from shutdown and low-power evaluation into licensing reviews for advanced light-water reactors.
• Continue level 3 and level 2 PRA studies of shutdown and low-power operations at Grand Gulf and Surry.
• Continue evaluation of pilot team inspections for shutdown operations and report findings and recommendations to the Commission.
• Develop a performance indicator for shutdown operations to monitor licensee performance in this area and incorporate the results in NUREG-1022.
• Develop and issue interim guidance for classifying accidents that occur during shutdown.

The staff has identified a number of safety issues important to shutdown and low-power operation. Resolving these issues through new generic requirements could improve safety substantially. The staff bases this conclusion on observations and inspections at a number of plants, deterministic safety analysis, insights gained from probabilistic risk assessments, and some quantitative risk assessment. In accordance with the shutdown-risk program plan and schedule, the staff is continuing to assess the need for regulatory action on low-power and shutdown issues, including analyses in accordance with the backfit rule, 10 CFR 50.109.

Table 1 Limiting Conditions for Operation During Cold Shutdown and Refueling

Mode 5 Mode 6 Mode 6 Mode 4 Mode 5 Mode 5
System: Low Level, High Level, Low Level, High Level
Residual heat removal: 2 trains, 1 train, 2 trains, 1 train
* OPERABLE* OPERABLE*
Emergency core cooling: 2 trains, Not required*, 2 trains, Not required*
OPERABLE, OPERABLE*
Offsite ac power: 1 offsite source, 1 offsite source, 1 offsite source, 1 offsite source
OPERABLE*
Onsite ac power: 2 onsite sources, 1 onsite source, 2 onsite sources, 1 onsite source
OPERABLE, OPERABLE*, OPERABLE, OPERABLE*
Primary containment integrity: Required when decay heat rate is > [ ] and RCS temperature is > [ ], Not required*, Not required*, Not required*
Service water: 2 trains, 1 train, 2 trains, 1 train
OPERABLE, OPERABLE, OPERABLE, OPERABLE
Equipment cooling water: 2 trains, 1 train, 2 trains, 1 train
OPERABLE, OPERABLE, OPERABLE, OPERABLE

* Currently specified in Standard Technical Specifications.
1 BACKGROUND AND INTRODUCTION

Over the past several years, the Nuclear Regulatory Commission (NRC) staff has become more concerned about the safety of operations during shutdown. The Diablo Canyon event of April 10, 1987, highlighted the fact that the operation of a pressurized-water reactor (PWR) with a reduced inventory in the reactor coolant system presented a particularly sensitive condition. From NRC's review of the event, the staff issued Generic Letter 88-17 on October 17, 1988. The letter requested that licensees address numerous generic deficiencies to improve safety during operation at reduced inventory. More recently, the incident investigation team's report of the loss of ac power at the Vogtle plant (NUREG-1410) emphasized the need for risk management of shutdown operations. Furthermore, discussions with foreign regulatory organizations (i.e., French and Swedish authorities) about their evaluations regarding shutdown risk have reinforced previous NRC staff findings that the core-damage frequency for shutdown operation can be a fairly substantial fraction of the total core-damage frequency. Because of these concerns regarding operational safety during shutdown, the staff began a careful, detailed evaluation of safety during shutdown and low-power operations.

On July 12, 1990, the staff briefed the Advisory Committee on Reactor Safeguards (ACRS) on its draft plan for a broad evaluation of risks during shutdown and low-power operation. On October 22, 1990, the staff issued the plan in the form of a memorandum from James M. Taylor, to the Commissioners, "Staff Plan for Evaluating Safety Risks During Shutdown and Low Power Operations." The staff briefed the ACRS on the status of the evaluation on June 5 and 6, 1991, and on June 19, 1991, the staff discussed the status of the evaluation in a public meeting with the Commission. On September 9, 1991, the staff issued a Commission paper (SECY 91-283) which reported progress to date on the evaluation and provided a detailed plan for addressing each of the technical issues identified.

1.1 Scope of the Staff Evaluation

In the staff's evaluation, "shutdown and low-power operation" encompasses operation when the reactor is in a subcritical state or is in transition between subcriticality and power operation up to 5 percent of rated power. The evaluation addresses only conditions for which there is fuel in the reactor vessel (RV). The evaluation addresses all aspects of the nuclear steam supply system (NSSS), the containment, and all systems that support operation of the NSSS and containment. However, the evaluation does not address events involving fuel handling outside of the containment, fuel storage in the fuel storage building, and events that do not involve the previously identified systems.

1.2 Organization

The Office of Nuclear Reactor Regulation (NRR) has the lead responsibility for conducting the evaluation. However, other Headquarters offices, such as the Office of Nuclear Regulatory Research (RES), the Office for Analysis and Evaluation of Operational Data (AEOD), and regional offices have contributed strong support. A group of senior managers representing these offices served as the steering committee for the evaluation. This group met periodically to be briefed on the progress of the evaluation and to provide guidance. Members of the steering committee included the following: William Russell, Associate Director for Inspection and Technical Assessment, NRR; Ashok Thadani, Director, Division of Systems Technology, NRR; Brian Sheron, Director, Division of Systems Research, RES (later replaced by Warren Minners, Director, Division of Safety Issue Resolution); Samuel Collins, Director, Division of Reactor Projects, Region IV; and Thomas Novak, Director, Division of Safety Programs, AEOD.

1.3 Summary of the Evaluation

In its original plan, the staff divided work necessary to complete the evaluation into six major elements containing a number of interrelated tasks to be completed over 18 months. The six major program elements are the following:

I. Review and evaluate event experience and event studies.
II. Study shutdown operations and activities.
III. Conduct probabilistic risk assessment (PRA) activities and engineering studies.
IV. Integrate technical results to understand risk.
V. Evaluate guidance and requirements affecting risk management.
VI. Recommend new regulatory requirements as necessary.

Consistent with this program plan, the staff and its contractors have completed the following studies which, as indicated, are fully discussed later in this report:

- systematically reviewed operating experience, including reviewing reports of events at foreign and domestic operating reactors, and documented the findings in the AEOD engineering evaluation (Chapter 2)
- with assistance from the Science Applications International Corporation (SAIC), analyzed a spectrum of events at operating reactors using the accident sequence precursor methodology (Chapter 2)
- visited 11 plant sites to broaden staff understanding of shutdown operations, including outage planning, outage management, and startup and shutdown activities (Chapter 3)
- reviewed, evaluated, and documented the few existing domestic and foreign PRAs that address shutdown conditions (Chapter 4)
- completed and documented a coarse level 1 PRA of shutdown and low-power operating modes for a PWR and a boiling-water reactor (BWR) through RES contractors at Brookhaven National Laboratory and Sandia National Laboratory (Chapter 4)
- with technical assistance from the Idaho National Engineering Laboratory, completed and documented several thermal-hydraulic studies that address the consequences of an extended loss of residual heat removal (Chapter 6)
- with assistance from Brookhaven National Laboratory, completed and documented an analysis to estimate the likelihood and consequences of a rapid non-homogeneous dilution of borated water in a PWR reactor core (Chapter 6)
- with technical assistance from SAIC, compiled existing regulatory requirements for shutdown operation and important safety-related equipment (Chapter 5)
- coordinated a meeting with specialists from the Organization for Economic Cooperation and Development/Nuclear Energy Agency to exchange information on current regulatory approaches to shutdown issues in member countries, including drafting a discussion paper on the various approaches (Chapter 5)
- met periodically with the Nuclear Management and Resources Council to keep the industry informed of NRC activities and to stay abreast of the industry's continuing initiatives

To integrate its findings from these studies and to define important technical issues, the staff met for three days with contractors from several national laboratories who had been working on the shutdown and low-power evaluation or had special expertise in the issue. During this meeting, held April 30 through May 2, 1991, the staff identified five issues that are especially important for shutdown and a number of additional topics that warrant further evaluation. These issues are

- outage planning and control
- stress on personnel and programs
- training and procedures
- technical specifications
- PWR safety during midloop operation

Topics identified for further evaluation included the following:

- loss of residual heat removal capability
- containment capability
- rapid boron dilution
- fire protection
- instrumentation
- emergency core cooling system recirculation capability
- effect of PWR upper internals
- onsite emergency planning
- fuel handling and heavy loads
- potential for draining the BWR reactor vessel
- reporting requirements for shutdown events
- need to strengthen inspection program

The staff proposed an evaluation plan for each of the issues and topics and documented the plans in a Commission paper issued September 9, 1991 (SECY 91-283). The evaluations are now complete and the results form the basis for the staff's technical findings and conclusions given in Chapter 6, and recommended actions given in Chapters 6, 7, and 8 of this report. However, it should be noted that Chapters 7 and 8 have been revised substantially from the earlier draft version of the report issued for comment in February 1992. Comments on the draft version are listed and discussed in Appendix C.
2 ASSESSMENT OF OPERATING EXPERIENCE

2.1 Retrospective Review of Events at Operating Reactors

The staff reviewed operating experience to ensure that its evaluation encompassed the range of events encountered during shutdown and low-power operation: licensee event reports (LERs), studies performed by the Office for Analysis and Evaluation of Operational Data (AEOD), and various inspection reports to determine the types of events that take place during refueling, cold and hot shutdown, and low-power operation.

The staff also reviewed events at foreign nuclear power plants using information found in the foreign events file maintained for AEOD at the Oak Ridge National Laboratory. The AEOD compilation included the types of events that applied to U.S. nuclear plants and those not found in a review of U.S. experience.

In performing this review, the staff found that the more significant events for pressurized-water reactors (PWRs) were the loss of residual heat removal, potential pressurization, and boron dilution events. The more important events for boiling-water reactors (BWRs) were the loss of coolant, the loss of cooling, and potential pressurization. Generally, the majority of important events involved human error (administrative, other personnel, or procedural). In December 1990, the staff documented this review in the AEOD special report, "Review of Operating Events Occurring During Hot and Cold Shutdown and Refueling," which is summarized below. In addition, the staff selected 10 events from the AEOD review for further assessment as precursors to potential severe core-damage accidents. This assessment is discussed in Section 2.2.

The AEOD special report encompassed events that had occurred primarily between January 1, 1988, and July 1, 1990. An initial database was created which included 348 events gathered primarily from the Sequence Coding and Search System and significant events that occurred before or after the target period. Of the 348 events, approximately 30 percent were considered more significant and were explicitly discussed in the AEOD report.

The events were evaluated by plant type (i.e., PWR or BWR) and six major event categories: loss of shutdown cooling, loss of electrical power, containment integrity problems, loss of reactor coolant, flooding and spills, and overpressurization of the reactor coolant system; for PWRs, boron problems were also included. Less frequently occurring events, such as fires, were covered briefly.

The results of the AEOD study are discussed in Sections 2.1.1 through 2.1.7. Insights gained from the study are given in Section 2.1.8.

2.1.1 Loss of Shutdown Cooling

The loss of shutdown cooling is one of the more serious event types and can be initiated by the loss of flow in the residual heat removal (RHR) system or by loss of an intermediate or ultimate heat sink. Events involving loss of cooling that occur shortly after plant shutdown may quickly lead to bulk boiling and eventual fuel uncovery if

The evaluation included 16 PWR and 11 BWR events involving loss of shutdown cooling; these are listed in Tables 2.1 and 2.2.

More than 60 percent of the PWR events arose from human error (administrative, other personnel, or procedural). Equipment problems accounted for 16 percent of the events. The types of incidents that caused the events ranged from the RHR pump becoming air bound, through loss of power to the RHR pump, to the malfunction of level indication in the control room. These events resulted in temperature rises ranging from 15° to 190° (on the Fahrenheit scale) (-9.4° to 88° on the Celsius scale).

For the BWR events, approximately 60 percent were caused by human error (administrative, other personnel, or procedural).

Table 2.1 Events Involving PWR Loss of Shutdown Cooling

| Plant | Event date |
|---|---|
| Millstone 2 | 12/09/81 |
| Salem 1 | 03/16/82 |
| Catawba 1 | 04/22/85 |
| Zion 2 | 12/14/85 |
| Crystal River 3 | 02/02/86 |
| Waterford 3 | 07/14/86 |
| Diablo Canyon 2 | 04/10/87 |
| Oconee 3 | 12/16/87 |
| Oconee 3 | 09/11/88 |
| Arkansas 1 | 10/26/88 |
| McGuire 1 | 11/23/88 |
| Arkansas 1 | 12/19/88 |
| Braidwood 2 | 01/23/89 |
| Salem 1 | 05/20/89 |
| Arkansas 1 | 12/06/89 |
| Vogtle 1 | 03/20/90 |
Table 2.2 Events Involving BWR Loss of Shutdown Cooling

| Plant | Event date |
|---|---|
| Brunswick 1&2 | 04/17/81 |
| Susquehanna 1 | 03/21/84 |
| Fermi 2 | 03/18/88 |
| FitzPatrick | 10/21/88 |
| Susquehanna 1 | 01/07/89 |
| River Bend | 06/13/89 |
| Pilgrim | 12/09/89 |
| Duane Arnold | 01/09/90 |
| FitzPatrick | 01/20/90 |
| Susquehanna 1 | 02/03/90 |

Table 2.3 Events Involving PWR Loss of Reactor Coolant

| Plant | Event date |
|---|---|
| Haddam Neck | 08/21/84 |
| Farley 2 | 10/27/87 |
| Surry 1 | 05/17/88 |
| Sequoyah 1 | 05/23/88 |
| San Onofre 2 | 06/22/88 |
| Byron 1 | 09/19/88 |
| Cook 2 | 02/16/89 |
| Indian Point 2 | 03/25/89 |
| Palisades | 11/21/89 |
| Braidwood 1 | 12/01/89 |

2.1.2 Loss of Reactor Coolant Inventory

The chance that reactor coolant will be lost from the reactor vessel can actually increase during shutdown modes because large, low-pressure systems, such as RHR, are connected to the reactor coolant system. The safety significance of such loss is that it could lead to voiding in the core and eventual core damage.

The evaluation included 22 events involving loss of reactor coolant. The plants and dates of the events are listed in Tables 2.3 and 2.4.

The PWR events had various causes, such as opening of the RHR pump suction relief valve, power-operated relief valve (PORV) and block valves opening simultaneously during PORV testing, and loss of pressure in the reactor cavity seal ring allowing drainage from the cavity. These events accounted for losses of reactor coolant inventory of up to 67,000 gallons (254 kL).

Many of the BWR events included in the evaluation were caused by valve lineup errors and resulted in decreased levels of up to 72 inches (183 cm).

Of the 10 PWR events reported in the AEOD evaluation, 6 were caused by human errors and 4 were caused by equipment problems. Of the 12 BWR events included in the evaluation, 10 were caused by human errors and only 2 were caused by equipment failure.

2.1.3 Breach of Containment Integrity

A breach of containment integrity in itself may not be of great safety significance, but this condition, coupled with postulated events, could substantially increase the severity of the event. Also, a breach of containment integrity in conjunction with fuel failure could cause the release of radioactive material. Eight events involving breach of containment were included in the AEOD evaluation. All were due to human error.

2.1.4 Loss of Electrical Power

The safety significance of the loss of electrical power depends on the part of the plant affected. The loss could range from complete loss of all ac power to the loss of a dc bus or an instrument bus. Loss of electrical power generally leads to other events, such as loss of shutdown cooling.

The events included in the AEOD evaluation are listed in Table 2.5.

Of the 13 PWR events evaluated by AEOD, 7 were caused by human errors, 5 were caused by maintenance, and 1 was caused by fire. Of the original 45 events found in the AEOD study, approximately 62 percent were caused by human error and approximately 20 percent were caused by equipment problems. The BWR statistics were reversed: only 20 percent of the events were caused by human errors and 50 percent were caused by equipment problems.

Table 2.4 Events Involving BWR Loss of Reactor Coolant

| Plant | Event date |
|---|---|
| Grand Gulf | 04/03/83 |
| LaSalle 1 | 09/14/83 |
| LaSalle 2 | 03/08/84 |
| Washington Nuc 2 | 08/23/84 |
| Susquehanna 2 | 04/27/85 |
| Hatch 2 | 05/10/85 |
| Peach Bottom 2 | 09/24/85 |
| Fermi 2 | 03/13/87 |
| Washington Nuc 2 | 05/01/88 |
| Pilgrim | 12/03/88 |
| Vermont Yankee | 03/09/89 |
| Limerick | 04/07/89 |
Table 2.5 Events Involving Loss of Electrical Power

| Plant | Event date | Description of event |
|---|---|---|
| PWR | | |
| Turkey Point 3 | 05/77/S5 | Loss of offsite power |
| Fort Calhoun | 03/21/87 | Loss of all ac offsite power |
| McGuire 1 | 09/16/87 | Loss of offsite power |
| Harris | 10/11/87 | Loss of power to safety buses |
| Wolf Creek | 10/15/87 | Loss of 125-V dc source |
| Crystal River 3 | 10/16/87 | Loss of power to one of two vital buses |
| Indian Point 2 | 11/05/87 | Loss of power to the 480-V ac bus |
| Braidwood 2 | 01/31/88 | Instrument bus deenergized |
| Millstone 2 | 02/04/88 | Loss of power to vital 4160-V ac train |
| Yankee Rowe | 11/16/88 | Loss of power to two emergency 480-V buses |
| Oconee 3 | 09/11/88 | Loss of ac power to shutdown cooling equipment |
| Fort Calhoun | 02/26/90 | Loss of power to 4160-V safety buses |
| Vogtle 1 | 03/20/90 | Loss of offsite and onsite ac power sources |
| BWR | | |
| Pilgrim | 11/12/87 | Loss of offsite power |
| Nine Mile 2 | 12/26/88 | Loss of offsite power |
| Millstone 1 | 04/29/89 | Loss of normal power |
| Washington Nuclear 2 | 05/14/89 | Loss of offsite power |
| River Bend | 03/25/89 | Division II loss of power |
| Limerick | 03/30/90 | Loss of a power supply |

2.1.5 Overpressurization of Reactor Coolant System

Both PWR and BWR overpressurization events have occurred during shutdown conditions. Such events are precursors to exceeding the reactor vessel brittle fracture limits or the American Society of Mechanical Engineers Boiler and Pressure Vessel Code (ASME Code) limits. The reactor coolant system (RCS) generally overpressurizes in one of three ways: operation with the RCS completely full and experiencing pressure control problems, occurrences of inadvertent safety injection, or pressurization of systems attached to the RCS.

Of the significant events considered in the AEOD evaluation, there were not enough to indicate a trend regarding the cause of the events. However, the original database included 24 PWR pressurization events, and 66 percent of those events had been caused by human errors. Only three BWR events were in the original database.

2.1.6 Flooding and Spills

The safety significance of flooding or spills depends on the equipment affected by the spills. The AEOD evaluation included 3 of the 29 PWR events in the original database. Of the original 29 PWR events, more than 50 percent were caused by human errors; 14 percent were caused by equipment problems. There were only 7 BWR flooding or spill events in the original database and the majority were caused by human errors.

2.1.7 Inadvertent Reactivity Addition

Both PWR and BWR plants had experienced inadvertent criticalities, some of which resulted in reactor scrams. The AEOD evaluation indicated that inadvertent reactivity addition in PWRs was caused primarily by dilution while the plant was shut down. Also boron dilution without the operator's knowledge was identified as a potentially severe event. In BWRs, inadvertent reactivity addition was most often caused by human error (the operator selected the wrong control) and feedwater transients.

The events included in the evaluation are listed in Table 2.6.

2.1.8 Insights From the Review of Events

The original database of shutdown events included 348 events, most of which had occurred since 1985. AEOD used experience and engineering judgment in selecting those that were the more significant. Those 30 significant events were then categorized to help AEOD determine the cause and identify any trending.

Two major observations became apparent in the evaluation whether using the original database of 348 or the narrowed database of 30 more significant events. The first observation is that a greater percentage of the events were caused by human errors than by equipment problems. The second observation is that the events did not reveal new unanalyzed issues but, instead, appeared to represent an accumulation of errors or equipment failures or a combination of the two.
Table 2.6 Events Involving Inadvertent Reactivity Addition

| Plant | Event date | Description of event |
|---|---|---|
| PWR | | |
| Surry 2 | 04/14-23/89 | Boron concentration decreased by leak in RCP stand pipe makeup valve |
| Turkey Point 3&4 | 05/28-06/03/87 | Unable to borate Unit 3 volume control tank (VCT) because of nitrogen gas binding of all boric acid transfer pumps |
| Arkansas 2 | 05/04/88 | Gas binding of the charging pumps from inadvertent emptying of the VCT |
| Foreign reactor | 1990 | Boron dilution from a cut steam generator tube that had not been plugged |
| BWR | | |
| Millstone 1 | 11/12/76 | Withdrawal of the wrong control rod and a suspected high worth rod |
| Browns Ferry 2 | 02/22/84 | Withdrawal of high worth rod |
| Hatch 2 | 11/7/85 | Feedwater transient |
| Peach Bottom 3 | 03/18/86 | Incorrect rod withdrawn |
| River Bend | 07/14/86 | Feedwater transient |
| Oyster Creek | 12/24/86 | Feedwater transient |

2.2 Accident Sequence Precursor Analysis

Using the accident sequence precursor (ASP) method, the staff and its contractors, Oak Ridge National Laboratory and Science Applications International Corporation, evaluated a sample of 10 shutdown events that could be significant. The staff reviewed this sample to determine the conditional probability of core damage, that is, the probability of core damage, given that the initiating event has already occurred, from each type of event selected in order to help characterize the overall shutdown risk for U.S. nuclear power plants. As discussed in Section 2.2.1, the 10 selected events reasonably represented the reactor population of BWRs, PWRs, and the various vendors.

To date, the ASP program has been largely concerned with operational events that occurred at power or hot shutdown. Methods used in that program to identify operational events considered precursors, plus the models used to estimate risk significance, have been developed over a number of years. In particular, the ASP core-damage models have been improved over time to reflect insights from a variety of probabilistic risk assessment studies. In applying ASP methods to evaluate events during cold shutdown and refueling, the same analytical approach was used. However, accident sequence models describing failure combinations leading to core damage had to be developed, with little earlier work as a basis.

This analysis was exploratory in nature. Its intent was to ensure that operating experience was assessed systematically (1) to develop insights into (a) the types of events that have occurred during shutdown and (b) which characteristics of these events are important to risk, and (2) to develop methods that could be used in a continuing manner to analyze shutdown events. The staff did not intend to use this effort to make comparisons with analyses of at-power events in the ASP program.

The following section describes how the 10 events that were analyzed were selected. Section 2.2.2 summarizes the development of core-damage models and the estimation of conditional probabilities. Finally, Section 2.2.3 describes the results of the analyses and overall findings. The complete detailed analysis for each event is documented in Appendix A.

2.2.1 Selecting Events for Analysis

The staff selected 10 events that had occurred during cold shutdown and refueling for analysis. The staff chose these events after it had (1) reviewed the AEOD evaluation of non-power events discussed in Section 2.1 and (2) performed confirmatory searches using the Sequence Coding and Search System, a database of LER information maintained at Oak Ridge National Laboratory (ORNL).

Events chosen were considered representative of the types of events that could impact shutdown risk and that could be analyzed using ASP methods. These events concerned loss of reactor inventory, loss of residual heat removal, and loss of electric power. One event involved a flood that had safety system impacts. The events chosen for analysis were considered potentially more serious than the typical event observed at cold shutdown.

Events were also chosen so that all four reactor vendors were represented in the analysis. This allowed the staff to explore modeling issues unique to different plant designs and to develop models that could be applied at a later date to a broad set of cold-shutdown and refueling events.

The 10 events chosen for analysis are listed in Table 2.7. The 10 events are sorted by date and by vendor in Table 2.8. The 1990 loss of ac power and shutdown cooling (SDC) at Vogtle 1 is not included in the list because it was evaluated previously with the ASP methodology as discussed in NUREG/CR-4674.

2.2.2 Analysis Approach

The staff analyzed each of the events listed in Table 2.7. This analysis included a review of available information concerning each event and plant to determine system lineups, equipment out of service, water levels and reactor pressure vessel (RPV) inventories, time to boil and to core uncovery, vessel status, and so on. This involved review of final safety analysis reports, augmented inspection team reports, operating procedures, and supplemental material in order to understand the system interactions that occurred during the event, the recovery actions and alternate strategies that could be employed, and the procedures available to the operators.

Once the event had been characterized and its effect on the plant was understood, event significance was estimated based on methods used in the ASP program. Quantification of event significance involves determining a conditional probability of subsequent core damage given the failures that occurred. (See Section 2.2.3 for the current limitations in this approach.) The conditional probability estimated for each event is important because conditional probability provides an estimate of the measure of protection remaining against core damage once the observed failures have taken place. Conditional probabilities were estimated by mapping failures observed during the event onto event trees that depict potential paths to severe core damage and by calculating a conditional probability of core damage through the use of event tree branch probabilities modified to reflect the event. The effect of an event on event tree branches was assessed by reviewing the operational event specifics against system design information and translating the results of the review into a revised conditional probability of branch failure given the operational event.

In the ASP analysis, only sequential events that can occur after the failures that actually occurred in the accident are modeled. Consequently, in the quantification process, "failure" probabilities, i.e., those in the downward direction, in the event trees for systems observed to have failed during the actual accident reflect only the likelihood of not recovering from the failure or fault that actually occurred. Failure probabilities for systems observed to have degraded during the actual operational event were assumed equal to the conditional probability that the system would fail (given that it was observed degraded) and the probability that it would not be recovered within the required time period. The failure probabilities associated with observed successes and with systems unchallenged during the actual event were assumed equal to a failure probability estimated by the use of system success criteria and train and common-mode failure screening probabilities, with consideration of the potential for recovery.

Event tree models were developed to describe potential core-damage sequences associated with each event. For the purposes of simplifying this analysis, core damage was conservatively assumed to occur when RPV water level decreased to below the top of active fuel. Choice of this damage criterion allowed the use of simplified calculations to estimate the time to an unacceptable end state. Core damage was also assumed to occur if a combination of systems, as specified on the event tree, failed to perform at a minimum acceptable level and could not be recovered.

The event tree model used to analyze an event was developed on the basis of procedures that existed then. These procedures were considered the primary source of information available to the operators concerning the steps to be taken to recover from the event or to implement another strategy for cooling the core. Since procedures varied greatly among plants, the event trees developed to quantify an event were typically plant and event specific. Event trees applicable to each analysis are described in Appendix A.

In developing branch probability estimates for the cold-shutdown models, the probability of not recovering a faulted branch before boiling or core uncovery occurred frequently had to be estimated. Applicable time periods were often 6 to 24 hours.

There are no operator response models (especially models out of the control room) or equipment repair models for these time periods. For the purposes of this analysis, the probability of crew failure as a function of time for non-proceduralized actions was developed by skewing applicable curves for knowledge-based action in the control room by 20 minutes to account for recovery time outside the control room. A minimum (truncated) failure probability of 1 × 10⁻⁴ was also specified. For long-term proceduralized actions, recovery was assumed to be dominated by equipment failure, and operator failure was not addressed. The probability of failing to repair a faulted system before boiling or core uncovery occurred was estimated using an exponential repair model with the observed repair time as the median.
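The branch quantification described in Section 2.2.2, sketched in Python as an added example (it is not code from the report or from the ASP program). Assumptions: the control-room curve shape, the reading of "skewing by 20 minutes" as a time shift, the product form for degraded branches, and every number in `constructed_event` are constructed for illustration; only the exponential-with-median repair model, the 20 minutes and the 1 × 10⁻⁴ floor come from the text.

```python
import math
from itertools import product

FLOOR = 1e-4       # minimum (truncated) crew failure probability given in the text
SHIFT_MIN = 20.0   # minutes allowed for recovery outside the control room


def repair_nonrecovery(t_available_h, t_median_h):
    """P(fault still unrepaired after t_available_h) for exponential repair.

    The rate is fixed by the median: exp(-rate * t_median) = 0.5.
    """
    rate = math.log(2.0) / t_median_h
    return math.exp(-rate * t_available_h)


def assumed_control_room_curve(t_min):
    """Placeholder knowledge-based crew-failure curve (constructed shape)."""
    return math.exp(-t_min / 30.0)


def crew_nonrecovery(t_available_min, control_room_curve=assumed_control_room_curve):
    """Control-room curve shifted by 20 minutes and truncated at FLOOR."""
    t_effective = t_available_min - SHIFT_MIN
    if t_effective <= 0.0:
        return 1.0  # the 20-minute allowance uses up all available time
    return min(1.0, max(FLOOR, control_room_curve(t_effective)))


def branch_failure_probability(branch):
    """Map what was observed for one event tree branch to a failure probability."""
    status = branch["status"]
    if status == "failed":           # already failed: only non-recovery remains
        return branch["p_nonrecovery"]
    if status == "degraded":         # P(fail | degraded) and not recovered in time
        return branch["p_fail_given_degraded"] * branch["p_nonrecovery"]
    if status == "unchallenged":     # observed success or not demanded
        return branch["p_screening"] * branch.get("p_nonrecovery", 1.0)
    if status == "operator_action":  # non-proceduralized local action
        return branch["p_crew"]
    raise ValueError("unknown branch status: %r" % status)


def conditional_core_damage_probability(branches, is_core_damage):
    """Sum the probability of every event tree path that ends in core damage."""
    names = [b["name"] for b in branches]
    p_fail = [branch_failure_probability(b) for b in branches]
    total = 0.0
    for outcome in product((False, True), repeat=len(branches)):  # True = failed
        p_path = 1.0
        for failed, p in zip(outcome, p_fail):
            p_path *= p if failed else 1.0 - p
        if is_core_damage(dict(zip(names, outcome))):
            total += p_path
    return total


def constructed_event():
    """Constructed loss-of-RHR event: 8 h to core uncovery, 2 h observed repair."""
    branches = [
        {"name": "rhr", "status": "failed",
         "p_nonrecovery": repair_nonrecovery(8.0, 2.0)},
        {"name": "injection", "status": "degraded",
         "p_fail_given_degraded": 0.1, "p_nonrecovery": 0.5},
        {"name": "gravity_feed", "status": "operator_action",
         "p_crew": crew_nonrecovery(480.0)},
    ]
    # Core damage only if RHR stays lost and both makeup paths fail.
    return conditional_core_damage_probability(
        branches, lambda failed: all(failed.values()))


if __name__ == "__main__":
    print("P(RHR not repaired in 8 h) = %.4f" % repair_nonrecovery(8.0, 2.0))
    print("Conditional core damage probability = %.3e" % constructed_event())
```

With the observed repair time as the median, half of the non-recovery probability is lost for every additional median interval available before core uncovery, which is why the time-to-boil and time-to-uncovery estimates drive the result.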
i i
Table 2.7 Cold-Shutdown and Refueling Events Analyzed Using ASP Methods, by Docket/LER No.

| Docket/LER No. | Description of event (date) | Conditional core damage probability* |
|---|---|---|
| 271/89-013 | 10,000 gal of reactor vessel inventory was transferred to the torus at Vermont Yankee when maintenance stroke-tested the SDC valves in the out-of-service loop of RHR with the minimum flow valve already open. More than 45 min required to locate and isolate the leak. (3/9/89) | 1x10 8 |
| 285/90-006 | Loss of offsite power with the emergency diesel generators not immediately available at Fort Calhoun. Breaker failure relay operated to strip loads, but EDG design feature prevented auto loading. (2/26/90) | 4x10^-4 |
| 287/88-005 | Loss of ac power and loss of RHR during midloop operation with vessel head on at Oconee 3. Testing errors caused a loss of power to feeder buses resulting in loss of SDC with no accompanying reactor temperature or level indication. (9/11/88) | 2x10_s |
| 302/86-003 | RHR pump shaft broke during midloop operation at Crystal River 3. Pump had been in continuous operation for about 30 days. A tripped circuit breaker delayed placing the second train on line. (2/2/86) | 1x10 8 |
| 323/87-005 | Loss of RHR at Diablo Canyon 2 while at midloop operation. RCS inventory lost through a leaking valve and air entrainment in both RHR pumps caused loss of SDC. Extended boiling occurred. (4/10/87) | 5x10^-5 |
| 382/86-015 | Loss of RHR during midloop operation at Waterford 3. Complications in restoring RHR due to steam binding and RHR pump suction line design. Extended boiling occurred. (7/14/86) | 2x10^-4 |
| 387/90-005 | Extended loss of RHR at Susquehanna 1. An electrical fault caused isolation of SDC suction supply to RHR system. Alternate RHR provided using the suppression pool. (2/3/90) | 3x10^-5 |
| 397/88-011 | Loss of reactor vessel inventory at Washington Nuclear Plant 2 (WNP-2). The RHR suppression pool suction and SDC suction valves were open simultaneously, and approximately 10,000 gal of reactor water was transferred to the suppression pool. (5/1/88) | 5x10^-5 |
| 456/89-016 | RCS inventory loss at Braidwood 1. An RHR suction relief valve stuck open and drained approximately 64,000 gal of water from the RCS before being isolated. (12/1/89) | 1x10 8 |
| 458/89-020 | 15,000 gal (57.8 kL) of service water flooded the auxiliary building when a freeze seal failed at River Bend. One RHR train, normal spent fuel pool cooling, and auxiliary and reactor building lighting lost. (4/19/89) | 1x10 5 |

* See Section 2.2.3 for the limitations to this approach.
Table 2.8 Cold-Shutdown and Refueling Events Analyzed Using ASP Methods, by Vendor

| Docket/LER No. | Description of event (date) | Conditional core-damage probability* |
|---|---|---|
| GENERAL ELECTRIC (BWR) | | |
| 271/89-013 | 10,000 gal (37.9 kL) of reactor vessel inventory was transferred to the torus at Vermont Yankee. (3/9/89) | 1x10 8 |
| 387/90-005 | Extended loss of RHR at Susquehanna 1. (2/3/90) | 3x10^-5 |
| 397/88-011 | Loss of reactor vessel inventory at WNP-2. (5/1/88) | 5x10^-5 |
| 458/89-020 | 15,000 gal (57.8 kL) of service water flooded the auxiliary building when a freeze seal failed at River Bend. (4/19/89) | 1x10_e |
| BABCOCK AND WILCOX (PWR) | | |
| 287/88-005 | Loss of ac power and loss of RHR during midloop operation with vessel head on at Oconee 3. (9/11/88) | 2x10 8 |
| 302/86-003 | RHR pump shaft broke during midloop operation at Crystal River 3. (2/2/86) | 1x10S |
| COMBUSTION ENGINEERING (PWR) | | |
| 285/90-006 | Loss of offsite power (LOOP) with the emergency diesel generators (EDGs) not immediately available at Fort Calhoun. (2/26/90) | 4x10^-4 |
| 382/86-015 | Loss of RHR during midloop operation at Waterford 3. (7/14/86) | 2x10^-4 |
| WESTINGHOUSE (PWR) | | |
| 323/87-005 | Loss of RHR at Diablo Canyon 2 while in midloop operation. (4/10/87) | 5x10^-5 |
| 456/89-016 | RCS inventory loss at Braidwood 1. (12/1/89) | 1x10 8 |

* See Section 2.2.3 for the limitations to this approach.
Probability values estimated using these approaches are very uncertain. Unfortunately, these same probabilities significantly influence the conditional core-damage probabilities estimated for the two more significant events and, therefore, those conditional probabilities are also uncertain.

The impact of long-term recovery assumptions is illustrated below. Changes in conditional probabilities resulting from a factor-of-three change in the non-recovery estimates are listed for the Susquehanna and Waterford events. As can be seen, within the range shown, the conditional probability for both events was very strongly related to assumptions concerning long-term recovery.

Operator response is probably the most important issue determining the significance of an event in shutdown, and until it is better understood, the relative importance of shutdown events compared to events at power cannot be reliably estimated.

2.2.3 Results and Findings

The conditional core-damage probabilities estimated for each event are listed in Table 2.7 and illustrated in Figure 2.1. The calculated probabilities are strongly influenced by estimates of the likelihood of failing to recover initially faulted systems over time periods of 6 to 24 hours. Very little information exists concerning such actions; hence, the conditional probability estimated for an event involved substantial uncertainty. Additionally, some conditional probabilities were strongly influenced by assumptions concerning (1) the plant staff's ability to implement non-proceduralized short-term actions, (2) the actual plant status at the time of the event, and (3) the potential for the event to have occurred under different plant conditions. The distribution of events as a function of conditional probability is shown in Table 2.9. The result for the 1990 loss of ac power and SDC at Vogtle 1 is also included for completeness. The analysis performed for the Vogtle 1 event is documented in NUREG/CR-4674, Volume 14.

Events with conditional probabilities below 1x10 - are considered minor with respect to risk of core damage. Conditional probabilities above this value are indicative of a more serious event.

Excluding the Vogtle loss-of-all-ac-power event, the two events with conditional probabilities above 10^-4 are:

(1) Loss of Offsite Power With an EDG Out of Service at Fort Calhoun on February 26, 1990. During a refueling outage, a spurious relay actuation resulted in isolation of offsite power supplies to Fort Calhoun. One diesel generator (DG) was out of service for maintenance, the other started but was prevented from connecting to its engineered safety features (ESF) bus by a shutdown cooling pump interlock. Operators identified and corrected the problem, and the DG was aligned to restore power to the plant.

The conditional probability of core damage estimated for this event is 3.6x10^-4. The dominant sequence involves failure to recover ac power.

The calculated probability is strongly influenced by estimates of failing to recover ac power in the long term. These estimates involve substantial uncertainty, and hence the overall core damage probability estimated for the event also involves substantial uncertainty.

(2) Loss of Residual Heat Removal (RHR) During Midloop Operation at Waterford 3 on July 14, 1986. In this event, a non-proceduralized drain path was not isolated once the reactor coolant system (RCS) level was reduced to midloop. Draining continued and resulted in cavitation of the operating RHR pump. Restoration of shutdown cooling (SDC) took 3 hours, during which time boiling occurred in the core region. Both RHR pump suction lines from the RCS were steam bound (most likely a result of the suction loop seal design feature). RCS inventory was restored using one of the low-pressure safety injection (LPSI) pumps (these are the same as the RHR pumps on this plant) taking suction from the refueling water storage pool.

Shutdown cooling was eventually restored by using the pump warmup lines in conjunction with repeated pump jogging, a non-proceduralized action. The method specified in the procedure to restore RHR pump suction (use a vacuum priming system to evacuate the loop seal) would not have been effective since hot-leg temperature exceeded 212 °F (100 °C).

The dominant core-damage sequence for this event (which includes the observed failures plus additional postulated failures, beyond the operational event, required for core damage) included an assumed failure to recover RHR, in combination with an assumed unavailability of the steam generators as an alternative means of removing decay heat.
Table 2.9 Events Listed by Conditional Core-Melt Probability

| Conditional probability range | Description of event |
|---|---|
| 10^-3 | Loss of all ac power at Vogtle (NUREG-1410) |
| 10^-4 to 10^-3 | Loss of offsite power with EDG out of service at Fort Calhoun (LER 285/90-006) |
| | Loss of RCS inventory and SDC during midloop operation at Waterford 3 (LER 382/86-015) |
| 10^-5 to 10^-4 | Loss of RCS inventory and SDC during midloop operation at Diablo Canyon 2 |
| | RHR isolation at Susquehanna 1 (LER 387/90-005) |
| | Loss of RPV inventory at WNP-2 (LER 397/88-011) |
| 10 8 to 10 5 | 2 events considered minor with respect to risk of core damage |
| 10 8 | 3 events considered minor with respect to risk of core damage |
Figure 2.1 Accident sequence precursor results
One significant common factor that resulted in the higher conditional probability estimates for these events was the inability to passively drain water from the refueling water storage tank to the reactor vessel because there was no elevation head. Key factors that impacted risk estimates for many of the events treated in this study are discussed below, along with other analysis findings.

2.2.3.1 Design and Operational Issues Important to Risk During Shutdowns

Plant Procedures. Procedures in use at the time of the event had a significant effect on the analysis of the event, since what operators knew about alternative recovery strategies was assumed to derive primarily from the procedures. Ad hoc actions were postulated in some cases, but were considered much less reliable than proceduralized actions. Detailed guidance was limited in early procedures, and what did exist offered little information on how to recognize an event or implement a correct recovery course. Some procedures did direct operators to substitute systems if RHR could not be recovered, but information needed for determining when such systems would be effective (such as the minimum time after shutdown before the system could adequately remove decay heat) was not given.

Contemporary procedures offer much greater guidance and flexibility, both in the number of substitute systems that can provide RHR and in information to help characterize an event. For example, Crystal River 3 now has a procedure specifically directing the operators to use five different systems for makeup water, whereas in 1986 (when the event analyzed in this study occurred), the procedures listed only two such systems. The current loss-of-RHR procedure for Braidwood lists seven other methods to reestablish core cooling, gives tabular guidance regarding which methods are effective for different operating states, and provides graphs as a function of time since shutdown for RCS heatup, required vent paths, and required makeup flow for RHR.

If events similar to those analyzed in this report occurred now, many would be considered less significant from the standpoint of risk of core damage because of the additional guidance and flexibility now included in the procedures.

Operator Recovery Actions. Differences between operator actions associated with recognizing that an event was in progress, detecting the cause of a problem, and implementing recovery actions are apparent in the descriptions of many of the 10 events. Several events were taking place for some time before someone either recognized there was a problem or was able to identify its exact nature. For example, during the Vermont Yankee event, operators took 15 minutes to recognize that the water level in the reactor vessel was decreasing and then they spent the next 30 minutes determining the source of the leak. Once it was found, the source of the leak was quickly isolated.

For the event at Braidwood, operators quickly concluded that an RHR suction relief valve had lifted. However, 2-1/2 hours were required to locate the valve that had lifted (it was on a non-operating train).

For both the Vermont Yankee and Braidwood events, SDC was not lost and a lot of time was available to detect and correct the problem before core cooling would have been affected. This was important, because it gave the operators time to deliberately and systematically address each event. Availability of a long time period before the onset of boiling or core uncovery was reflected in lower probabilities for failure to recover a faulted system or implement actions away from the control room.

On the other hand, in the Waterford event (which happened when SDC was lost during midloop operation), boiling initiated approximately 45 minutes after SDC was lost. This is a short period of time to reliably implement recovery actions out of the control room. For the loss of SDC at Waterford, information concerning RHR pump restart (use of the vacuum priming system to evacuate the suction lines) was not correct for the RCS condition that existed during the event. SDC was eventually restored by repeated pump jogging and the use of pump warmup lines to return some flow to the pump suctions.

Design Features That Complicate Recovery of RHR. The loss of SDC at Waterford illustrates a design feature that significantly affected recovery of SDC. At Waterford, loop seals exist in both the RHR suction and discharge lines. The loop seals are more elevated than the RCS loops and the top of the refueling water storage pool (RWSP). During the 1986 event, SDC suction flow could not be quickly restored, because of steam in the shutdown cooling system. For that event, the procedure for responding to loss of SDC did not adequately address all RCS conditions that could be expected following a loss of SDC, nor did it provide information on plant features that could complicate recovery. (Although not important in the recovery of the 1986 event, the loop seals would also prevent the use of gravity feed from the RWSP for RCS makeup.)

Diverse Shutdown Cooling Strategies. The availability of diverse SDC recovery strategies can play a significant role in reducing the significance of events. Use of a diverse system to recover SDC would not require the recovery or repair of an initially faulted system, and presumably could be implemented more quickly in many cases.

Many of the new procedures identify diverse methods for RHR. For example, the Braidwood procedure regarding loss of RHR identifies the following alternate core cooling methods:

- drains and normal charging
- steaming intact/non-isolated steam generators
- bleed and feed using pressurizer power-operated relief valves
- refuel cavity to fuel pool cooling
- safety injection pump hot-leg injection
- accumulator injection
- inventory addition via the refueling water storage tank.

Not all of these methods are applicable at all times; however, they offer a significantly greater flexibility than a procedure in which just one alternative method is specified in addition to recovery of the faulted RHR system.

2.2.3.2 Factors That Strongly Influence the Significance of an Event

Analysis of the 10 events confirms the influence of a number of factors on significance. These factors are described below.

High Decay Heat Load. A high decay heat load significantly reduces the time available for SDC recovery before boiling or core uncovery. This, in turn, increases the probability of failing to recover SDC or implementing alternate cooling strategies, and may also increase the stress level associated with the event. The number of alternate systems that can effectively remove decay heat is also fewer than at low decay heat loads; that may further complicate recovery.

RCS Inventory. Having the refueling cavity filled with water to a level [23] feet with upper internal equipment removed increases the time available for SDC recovery significantly with a similar impact on the reliability of operator actions. In contrast, midloop operation in a PWR is performed with minimal RCS inventory, and by its very nature decreases the reliability of the RHR system.

Status of Reactor Vessel Head. Events that occur when the head is removed are typically less significant than those that occur with the head on, since RPV makeup combined with core region boiling will provide RHR.

Availability of Diverse Systems for SDC. The availability of diverse systems that can operate independently of components in the RHR system reduces the risk associated with a loss of SDC, since availability of these systems does not depend on recovery of the RHR system.

Adequate Procedures. Procedures that give detailed information concerning response to a loss of RPV inventory or SDC, and alternate strategies for recovery, are important.
3 SITE VISITS TO OBSERVE SHUTDOWN OPERATIONS

Small teams of NRC personnel, each comprising from 2 to 4 technical people, observed low-power/shutdown operations at 11 nuclear power plant sites during 1991. The teams' main objectives were to observe plant operations during shutdown and learn about the policies, practices, and procedures used to plan outage activities and conduct them safely. The teams' observations, supplemented by data obtained from recent NRC inspections at six other sites, are presented in this chapter. At the 17 sites, 29 units were operating: 4 Babcock and Wilcox, 5 Combustion Engineering, 6 General Electric, and 14 Westinghouse.

On the average, a team spent about a week at a site during an outage. During that period, the team interviewed all levels of utility personnel and observed activities taking place in the areas of operations, management, and engineering, including daily meetings of the plant staff to assess progress and problems concerning the outage work in progress.

3.1 Outage Programs

Programs for conducting outages varied widely among the sites visited.

Susquehanna's program for conducting outages was among the best. It included (1) prudent, practical, and well-documented safety principles and practices; (2) an organization dedicated to updating and improving the program as well as monitoring its use; (3) strong technical input to the program from the onsite nuclear safety review group; (4) a controlled program manual concurred in by line management and familiar to appropriate personnel; and (5) training on the program and the program manual.

Another site that was visited had no comparable program and was poorly prepared and poorly organized, which was reflected by failure to complete planned work in past outages, long outages, and by the team's other observations of work in progress. At several plants, licensees had neither documentation nor plans to provide any. Two plants made exceptional efforts to keep outages short. At one of these two plants, the team noted examples of less prudent operation than at other plants it visited. The other plant had a greater number of recent shutdown-related events than any plant visited.

3.1.1 Safety Principles

Well-founded safety principles play a significant role in an outage program. Sites visited varied widely in this area. A high priority was seldom placed on such principles, and sometimes safety was based upon individual philosophies. Often, principles were "understood" in contrast to being clearly defined in a documented management directive.

Some licensees emphasized safety in outage planning and during outage meetings. They posted critical safety boundaries at key locations and identified and tracked critical safety equipment with as much emphasis as given to critical path. Some pressurized-water-reactor (PWR) licensees were particularly sensitive to midloop and reduced inventory operation. One site presented the following good safety principles in its program:

- Minimize time at reduced inventory.
- Maximize pathways for adding water to the reactor coolant system (RCS).
- Maximize availability of important support systems.
- Minimize activities requiring midloop operation.
- Maximize time with no fuel in the reactor vessel (RV).

Some sites visited gave in-depth consideration to such safety areas as criticality, containment, instrument air, electric power, gravity feed, steam generator (SG) availability (in case of RCS boiling), use of firewater, and other areas. Others relied upon an ad hoc approach should problems arise.

3.1.2 Safety Practices

A wide variety of safety practices was noted. Some utilities adhered to a "train outage" concept, removing an entire train, including electrical equipment, pumps, controls, and valves, from service. The other train was "protected": no work was allowed on it. Stated benefits were avoidance of train swaps, minimization of mistakes, and simplification of the operator's job. A "block" approach was also used in which a boundary was established and work was allowed within that boundary as long as no water was moved. Other utilities practiced different approaches that may allow more flexibility, but placed greater dependence on their personnel to avoid conflicts. Other safety practices observed by the team included the following:

- Provide sufficient equipment that no single failure of an active component will result in loss of residual
- Add one injection system or train to that required by technical specifications (TS).
- Provide multiple power supplies, batteries, charging pumps, and such.
- Always have one emergency core cooling system (ECCS) available.
- Comply with TS: these are sufficient to ensure safety.

3.1.3 Contingency Planning

Some licensees provided in-depth preparation for backup cooling, whereas others placed more reliance on ad hoc approaches. Backup cooling includes such techniques as gravity feed, allowing RCS boiling in PWRs with condensation in SGs, and use of firewater. Again, there were many variations in both capability and planning. Some PWR licensees planned SG availability; others did not. Some who planned for the use of firewater and staged spool pieces had procedures; others did not. Most PWRs had some gravity feed capability during some aspects of shutdown operation; others did not. Those that did may or may not have had good coverage in procedures. No site visited had planned ECCS accumulator usage. All of these capabilities are potentially important and could effectively terminate many events.

3.1.4 Outage Planning

Planning ranged from initiating work a few months before an outage was scheduled to having plans that covered the life of the plant, including anticipated license extensions. There was evidence that good planning, including experience, averted many outage difficulties. Conversely, poor planning appeared to be a cause of such outage difficulties as extended schedules and failure to complete work.

The following items provide additional perspective regarding planning adequacy and effectiveness:

- Well-planned and tightly cre < ~' outage plans allowed for increase in l'.- aopt i number of unanticipated activities ti-seM.m exceeded 10 to 20 percent. Conversely, & ans,40 percent and more than 100 percent co...a with outages that lasted longer than planned, that were poorly managed, and that sometimes resulted in a return to power with significant work unaccomplished.
- Some licensees could enter an unscheduled outage and have a complete outage plan within hours. Others had no bases and worked only on the item causing the shutdown. In one case, a licensee entered a refueling outage a month early but accomplished little work before the originally scheduled start date. Another licensee entered a refueling outage a month early, moved the completion date up, and completed the outage in the original time allotted (a month early when compared to the original plan).
- In smaller, less-complicated plants, highly experienced licensee staffs could conduct apparently well-coordinated refueling outages with only a few months of planning. Key contributing factors appeared to be having few inexperienced people, having the experience of many refueling outages, having a good plan that was prepared quickly, and anticipating material needs well in advance of preparing the plan. Some other licensees, both experienced and relatively inexperienced, had what were judged as relatively poor plans, and their outages appeared to be in some disarray. Finally, some licensees with few refueling outages were able to conduct outages on schedule when they had good plans.

3.1.5 Outage Duration

Safety criteria and implementation effectiveness appeared to be more important to safety than outage duration. Refueling outage durations beyond roughly two months did not appear to increase safety. Conversely, a less-prudent safety approach may be instrumental in shortening outages. However, outage duration was also a function of plant type, the work to be done, planning, and implementation. A short outage was not necessarily an outage in which safety has been reduced to shorten the outage, although shortness was an indicator that one should look closely to see how the short schedule was achieved.

The teams observed that several licensees felt pressured to reduce outage time further than the team judged to be prudent. Reasons given included being rated by others on the basis of a short outage time and being driven toward a fuel critical path to shorten outage time.

Numerous approaches to planning affected outage time, including the following.

(1) Do not reduce refueling outage time below a somewhat judgmental minimum because safety might be jeopardized (several licensees). Typically, these licensees applied safety criteria throughout the outage and these criteria sometimes determined critical path.

(2) Define one critical path, such as the refueling floor, and normally force everything else to fit.

(3) Allow critical paths to float depending upon the work schedule. Safety considerations may influence critical path. (Often, items 1 and 3 were followed simultaneously.)

(4) Describe the work and suggest schedules to "corporate headquarters." Receive or negotiate an allowable outage time.
3.1.6 Outage Experience

All licensees incorporated outage experience into planning and found feedback useful. Most provided for feedback during an outage. Some conducted team meetings immediately after completing significant tasks; others met following the outage. Most compiled outage reports and used these in planning the next outage. Typical results included the following:

- Place personnel with operations backgrounds into key positions and areas for planning and conducting outages.
- Locate the outage control location ("war room") close to the control room (CR) to facilitate communication.
- Assign a senior reactor operator who is adjacent to the CR, but not actually in it, to handle the work orders.

3.2 Conduct of Outages

Typically, outages were conducted with a licensed person who controlled tagouts and approved each work package before initiating day-to-day work. The daily (and other) outage meetings also provided an opportunity for identifying issues. Beyond this, various approaches were used, ranging from individuals who had their own criteria to various depths of written and unwritten guidance or criteria.

Some licensees were protective of critical equipment and made sure everyone was sensitive to such issues. For example, one licensee protected the operable train of safety equipment by roping off the areas and by identifying the operable train on every daily plan. Similar approaches to the protected train (including identifying it in the daily meetings) were found at several plants. Other techniques included providing critical plant parameters in the control room.

Licensees often changed their organizations for an outage, although some operated by incorporating shutdown features into the organization used for power operation and made few actual organization changes. There was a general trend to emphasize operations experience for outage positions at all levels. Licensees who had emphasized such experience considered it to be very beneficial in conducting a satisfactory outage.

Significant variations existed among sites visited in the ratio between utility manpower and total manpower, and in the percentage of personnel involved in the previous outage. Utilities that had a high percentage of people experienced in previous outages at that facility considered such experience to be a significant benefit. Among advantages cited were familiarity with the plant, less training, higher quality, shorter outages, and better motivated people.

Some licensees used task forces and "high impact teams" for critical-path and near-critical-path tasks. These groups were composed of experienced personnel who had performed the same function in past outages.

Contractors were used to various depths by different licensees. Their capabilities, licensee supervision, and influence on outages varied widely. Licensees who worked closely with their contractors and supervised them closely appeared to get better results than those who neither carefully trained nor supervised their contractors. Previous contractor experience at the site was often stated to be an advantage and licensees often tried to use the same contractor from outage to outage.

Interestingly, a large plant staff did not translate into an effective outage, nor did a small staff at some plants translate into an ineffective outage. Staff size also did not necessarily correlate with safe operating practices, although the teams did encounter areas that were weak because they lacked manpower. Those plants judged to have the most effective safety programs were adequately staffed in areas directly related to safety, were well organized overall, and appeared to conduct effective outages.

All utilities conducted periodic reviews during outages. Typically, these involved overviewed specialized meetings that were held once or twice a day and involved all levels of plant personnel and all disciplines. All utilities provided computer-generated outage schedules in several formats and updated some of these every day (or more often). Schedules typically covered a day, 3 days, 7 days, and the complete outage, and provided a breakdown ranging from an overview through complete scheduling of all activities. Critical-path scheduling was seen often. Some utilities noted safety information prominently on their schedules; others did not.

Most daily meetings appeared well focused and to the point. Achievement appeared to vary widely. Most expectations were routinely met at some plants, but at others the outage appeared to be in disarray.

A commonly applied test for a satisfactory outage was meeting or bettering the outage schedule. Corollary tests were: (1) meeting ALARA (as low as reasonably achievable) goals, (2) avoiding personnel injuries, (3) completing planned work, (4) not having to repeat work during power operation (because it was done well during the outage), and (5) not having reportable events.
3.2.1 Operator Training

Licensees often conducted extensive training immediately before a scheduled outage, a practice judged necessary by most licensees because of the specialized nature of, and the lack of everyday exposure to, low-power and shutdown (LPS) operation. This was not always done, however, and minimal training was evident at some sites.

Some operators and instructors said they thought LPS operation was important, but that the NRC had implied otherwise by not emphasizing it more in exams and evaluations. Others felt that strong NRC interest in training was reflected in Generic Letter (GL) 88-17 inspections and independent resident inspector followup. Although GL 88-17 coverage was limited, licensees have applied the information to a wider range of PWR plant conditions.

LPS operations training was often specialized. Some licensees gave concentrated study in unique aspects of the outage to the operating shift expected to handle those aspects of the outage. Training often involved specific equipment, such as valves, reactor coolant pump seals, and steam generator (SG) manways. Capabilities such as a control rod handling machine mockup for a boiling-water reactor (BWR), SG plena mockups, valves, pumps, and an emergency diesel generator (EDG) model for maintenance training were observed.

As in many other areas, the quality and scope of training were varied, and ranged from

• Outage training is completed before the outage. Training for power operation with simulator upgrades is conducted before leaving the outage. Special tests are addressed, as are evolutions, primary manway and nozzle dam work, level indication problems, procedures, and consequences of what can happen. Procedure changes, including background, are covered before crews take the watch.

• Many plant operators have not had overall systems training for several years and have had no formal outage-specific training since the initial response to

3.2.2 Stress on Personnel

Although the teams considered stress in general, it was investigated in depth at only one plant. This licensee emphasized short outages, and operators perceived their achievement as related to outage time. Four operators (of seven interviewed in depth) said the outages were too short. Much of the direct outage coordination was conducted from the CR, which was smaller than many multiple-unit CRs. In many instances, such activities appeared to affect plant operation. Further, all operators said the work load was high or very high. Operators also said they met the schedule with difficulty, that they sometimes took on more work than they could handle, that they had to cut corners to stay on schedule and then had to make repairs later, that they wrote procedures at the last minute in the CR, operated without some procedures, and had poor procedures for shutdown; all of the seven operators interviewed said they were poorly trained or that they had significant reservations regarding training. There were many other similar comments. All seven operators said stress was self-generated and six also identified stress caused by pressure from non-operations personnel. Four operators said stress was severe enough to be a problem. These operators were working four 12-hour shifts followed by a break. No operator stated working hours were too long or that working hours contributed to a problem.

This plant was judged to have significant operator stress problems that were reflected in numerous mistakes.

3.2.3 Technical Specifications

No TS were applicable during much of a refueling outage at one site as long as temperature measured at the residual heat removal (RHR) pump remained below 140 °F (60 °C) or 200 °F (93 °C), depending upon the interpretation. (Note that this temperature is unlikely to increase if the RHR pump is not running.) Another site had no TS on EDGs, batteries, and service water during shutdown operation. No plant visited had complete TS coverage.

Most of the industry stated that TS did not fully address LPS operations. The single exception reported that it planned outages on the basis of TS, and this was sufficient to ensure safety. Many personnel commented that existing TS were more appropriate to power operations than to LPS conditions.

Similarly, licensees were concerned with TS that caused extra work, resulted in extra dose, and sent an undesirable message to plant personnel. One example cited was the requirement for an operational pressurizer code safety valve although large openings existed in the RCS. The licensee estimated several hours of work and 500 mrem (5 mSv) of dose were involved to unnecessarily install and then remove the valve.

3.3 Plant and Hardware Configurations

The teams observed that configurations of plant systems and components used by licensees during outages varied widely among plants visited. During the visits, the teams examined configurations of equipment throughout the plants, including regions outside the protected area. The teams' observations in selected areas are presented below.

3.3.1 Fuel Offload

The fuel at some units was regularly offloaded; at some, fuel may or may not be offloaded. The fuel at other units
would be offloaded only if there was no reasonable alternative.

An often-cited safety advantage for offloading was flexibility available because no fuel was in the RV, and the associated decrease of mistakes leading to a fuel cooling concern. Other considerations included loss of fuel pool cooling, flexibility in providing fuel cooling if systems were lost, fuel storage volume heatup rate upon loss of cooling, criticality, reduced operator stress due to avoidance of such conditions as midloop operation, and the potential to damage fuel during handling. Fuel offload had a significant advantage in that an early midloop operation, and sometimes all midloops, can be avoided, although not all licensees who offloaded also avoided an early midloop operation.

Several licensees performed an incore fuel shuffle and reported they encountered no problems with moving fuel within the core. They said that a complete core offload would lengthen their outages. Conversely, several licensees (both PWRs and BWRs) routinely performed a complete core offload, which they said was safer and provided more flexibility. Several licensees reported the offload path was faster than, or at least as fast as, an incore shuffle. Others offloaded or not on the basis of the planned outage work. Some decisions were based upon such considerations as the configuration (offload appeared to be difficult in Mark III BWRs), fuel distortion history, gains achievable with no fuel in the RV, and the reliability of the fuel handling machine.

3.3.2 Midloop Operation in PWRs*

* A midloop condition exists whenever RCS water level is below the top of the flow area of the hot legs at the junction with the reactor vessel.

Concerns about midloop operation appear to have influenced outage planning at many sites, but not at others. The team observed licensees who

• do not enter midloop operation under any circumstances.
• do not permit early midloop operation and defueling before installing nozzle dams,
• apply special midloop criteria to refueling outages, but deviate for an unscheduled outage
• routinely enter midloop within a few days to a week of power operation.

Some licensees required an additional operator in the control room for midloop operation. Another, whose hardware was particularly sensitive, required three additional operators who had specific responsibilities in the conduct of reduced-inventory operations: that is, operation when the RV water level is lower than 3 feet below the RV flange.

3.3.3 Venting in PWRs

RCS vents were sometimes of insufficient size, being smaller than planned and smaller than required by licensee procedures. Licensee personnel who recognized the implications were often unaware of these conditions.

Some licensees provided an RCS vent by removing one or more safety valves from the pressurizer. Others removed a pressurizer manway. If boiling develops, significant backpressure can occur from friction in the surge pipe, water traps, and the elevation head of the water held up in the pressurizer. Licensee personnel did not always recognize these phenomena.

Licensee personnel usually used covers or screens to keep foreign material from falling into pressurizer openings. These were often makeshift installations that could cause additional backpressure. Most licensee personnel interviewed by the team were unaware of the covers or screens.

The staff has identified some licensees who rely on lifting of the reactor pressure vessel (RPV) head on detensioned bolts for vent capacity during operation with a reduced inventory. In this approach, water is supplied from the refueling water storage tank (RWST) at a rate sufficient to support subcooled decay heat removal and to lift the reactor vessel head less than an inch, allowing water to spill over the vessel flange. The flow of water into the vessel is throttled with a flow control valve to prevent the head from lifting off the upper internals of the core. This is important because as long as the head rests on the upper internals, the internals alignment pins will prevent it from cocking. This method works only when the decay heat load is low enough so that subcooled decay heat removal can be accomplished without lifting the head off the upper internals. Subcooled decay heat removal is necessary because venting steam past the vessel head can result in nonuniform head lift (cocking) and damage to the head due to cyclical impact loads. The acceptability of using the "head-lift" method for venting during operation with a reduced inventory depends on a number of plant-specific factors which should be thoroughly evaluated with appropriate analysis in the areas of thermal-hydraulics and engineering mechanics.

3.3.4 Nozzle Dams* in PWRs

* Nozzle dams are temporary seals installed in RCS primary piping that isolate components such as steam generators from reactor vessel and reactor cavity water so that work can be done on the components.

Some PWR plants use nozzle dams and some do not. The recent trend in Babcock and Wilcox nuclear steam supply systems has been to use them, whereas a few years ago this was seldom done. One licensee attributed outage savings
of close to a week to the use of nozzle dams, whereas another had them but did not use them and typically spent 3 to 14 days at midloop. Others indicated they might be at midloop for close to a month without them.

One licensee indicated there was no analysis to cover midloop operation with both nozzle dams and the RV head installed and such operation would not be permitted until the analysis was completed. The team noted that this observation was similar to others regarding incompleteness of analyses of shutdown operation.

3.3.5 Electrical Equipment

An outage typically represents times when equipment unavailability is high, unusual electrical lineups exist, and the likelihood of an electrical perturbation is increased by maintenance activities. The teams identified several events that could lead to electrical component damage or loss at some facilities, and concluded that almost all of those identified events could be easily eliminated. The team also found that protection and control of offsite electrical power systems varied.

Approaches to provide ac power included the following:

• Allow cooling via a system powered by a non-safety-related bus with no procedures for providing safety-related power to that bus.
• Provide one EDG and one source of offsite power.
• Provide one less source of power during shutdown to allow maintenance on one source at a time.
• Always have three sources of power, one of which is an EDG. (The site that advocated this did not have an EDG for about 2 weeks with fuel off-loaded, but it had a temporary diesel available.)
• Have both EDGs operable when in midloop operation. (One licensee stated it did not consider it prudent to stay at midloop conditions with only one EDG and would leave midloop operation if the second EDG could not be made operable quickly.)
• Allow both EDGs to be out of service when the fuel is offloaded.
• For midloop operation, normally have two EDGs and two offsite sources and allow no battery work, no reserve auxiliary transformer outage, no work that affects safeguards buses, or anything that affects the RCS. Otherwise, always require two off site and one on site.
• Make at least three separate ac power sources available to the vital buses any time two RHR pumps are required to be operable. In practice, one of the sources has to be an EDG.

Additional variations include switchyard restrictions, restricting work on, or access to, vital areas such as near an operable EDG or operable electrical equipment, information requirements, administrative procedures, and whether variations are permitted and what level of management is necessary to approve such variations.

EDG maintenance and associated testing are usually performed during shutdown, although some licensees were performing this work at power. Also observed was removal of an EDG from service via entering Action statements immediately before shutdown.

Concerns also involved whether to have EDGs operating or operable. Potential decreases in EDG reliability due to grid disturbances and other perturbations, extensive testing, and running with a small electrical load were identified as potential problems with having EDGs operating.

Most plants had transformers and often breakers within the site's protected area. Switchyards were located nearby, but usually in whole or in part outside the protected area. These switchyards may contain a few transformers, but often contained only breakers and switches. They were usually fenced if outside the protected area, and usually had a locked gate. Often there was a control building within the switchyard, with attendant vehicle traffic. This building was seldom located adjacent to a switchyard entrance gate.

The teams did not observe any evidence of vehicle impacts within switchyards. However, they did find such evidence on both transformers and supports located within unfenced areas within site-protected areas; they also found a number of damaged fences. In one case, the source of safety-related offsite power entered the turbine building roughly 1 foot from where heavy trucks and trailers were sometimes parked, and was protected only by an ordinary chainlink fence. Fire hydrants at all sites were protected by a profusion of concrete-filled pipes, but at many sites important transformers within a few feet of the hydrants were unprotected. Switchyards were typically full of towers and bus supports. Some of the weakest supports were located in the corners and typically supported ring buses, loss of which could cause a loss of offsite power. These corner towers were often the towers most exposed to traffic within the switchyard, yet they were unprotected.

Some sites maintained CR control over switchyards outside the site's protected area. Other switchyards could be entered by anyone who had a key to the padlock; often, a utility staff member not assigned to the nuclear facility had a key, and sometimes someone who was not even an employee of the same utility had a key. Sometimes control was provided if the plant was in a sensitive condition, such
as a PWR in midloop operation, but at other sites switchyard work could proceed with little or no consideration of the nuclear plant status. At one plant, the team found the switchyard gate open and no one monitoring traffic at the gate. This switchyard was in an uncontrolled area.

3.3.6 Onsite Sources of AC Power

Onsite sources of electric power that were observed included diesel generators, hydro units, and portable power supplies. The most common source of safety-related power was EDGs.

Many variations in EDGs and configurations were seen. Size ranged from a fraction of a megawatt to 8 MW. One two-unit plant had two EDGs and routinely performed maintenance on one EDG while one unit was at 100-percent power and the other was in a refueling outage. That site planned to add two more diesels. In contrast, the Susquehanna two-unit plant had five EDGs. The fifth could be used as a complete replacement for any of the other four with no difference in CR indication and plant operation. Susquehanna also provided a portable diesel for battery charging and other uses should all ac power be lost for an extended time.

Roughly a third of the plants visited had the capability to resupply the EDG starting air tanks without ac power. The dominant method was a single-cylinder, diesel-powered compressor; but instrument air, a cross-connect with another EDG's air supply, and changing the drive belt from the electric motor to a one-cylinder engine were also observed.

3.3.7 Containment Status

Some PWR licensees closed the containments for conditions other than refueling; others did not, unless they entered a condition as described in GL 88-17. Some did not remove their equipment hatches during routine refueling outages; others did. Some provided containment closure capability that would withstand roughly the containment capability; others could lose containment integrity at roughly 1 psi. Some had proven containment integrity; others did not, and may not have attained an integral containment that meets GL 88-17 recommendations.

BWR secondary containments were judged unlikely to prevent an early release following initiation of boiling with an open RCS or during potential severe-core-damage scenarios. Among the BWRs, only the Mark III primary containment appeared potentially capable of preventing an early release without hardware modifications during such events. See Section 6.9 for a more complete assessment of containment capability. In general, no plans were found in BWRs for containment closure or for dealing with conditions under which the containment may be challenged.

3.3.8 Containment Equipment Hatches

A majority of the equipment hatches seen at PWR sites can be replaced without electrical power. See Section 6A3 for a full discussion of equipment hatch design and operation. It appeared that many licensees failed to check for adequate closure as addressed in GL 88-17.

The team learned that Arkansas Nuclear One had a requirement that an equipment hatch be capable of closure within approximately 15 minutes of a loss of RHR. Responsibilities were established for such actions as notification of loss of RHR, containment evacuation, closure operations, and verifications. Tools were kept in a closed box at the hatch and were clearly labeled "for emergency use only." Unannounced closure exercises had been conducted. Few other sites visited were as well prepared.

A common weakness was failure to check for adequate closure. GL 88-17 specified "no gaps," not the "four bolts" commonly observed. The four-bolt specification appeared to be insufficient at some plants with inside hatches (hatches that would be forced closed by containment pressurization).

Oconee provided a small standby generator in case ac power was lost. This could be immediately used to power the winches that normally raise and lower the hatch. This appeared to be an excellent approach to one of the problems of loss of ac power.

3.3.9 Containment Control

Some licensees carefully controlled containment penetrations during LPS operation. Others were concerned only with TS requirements regarding fuel movement and reduced inventory/midloop commitments in their response to GL 88-17. Provisions were found to bring services such as hoses and electrical wires into the containment via unused containment penetrations at several sites. Such provisions made it easier to close the equipment and personnel hatches. Some licensees simply removed a blind flange and passed wires or hoses through the opening. Others provided a manifold arrangement that may effectively eliminate most of the open penetrations. Occasionally, a permanent connection or an adaptation of a penetration such as was used for containment pressurization was found for introducing temporary utilities. U-pipes filled with water were observed in use as a containment penetration seal. These were judged to be of little value in protecting against an accident involving significant steam production or a core melt.

A number of licensees planned to initiate containment closure immediately upon loss of RHR. Others were less stringent, including such possibilities as initiating closure if temperature exceeds 200 °F (93 °C). That approach is likely to allow boiling before containment closure, and boiling may make it impossible to continue closure operations. In one case, the licensee assumed personnel could work inside the containment in a 160 °F (71 °C) environment while closing the equipment hatch. More detail on this topic is given in Section 6.9.4.

Knowledge of what must be closed and providing the resources to actually close the openings and/or penetrations under realistic conditions were often overlooked. Tracking openings, providing procedures, and conducting walkthroughs that accounted for reasonably anticipated conditions were seldom found.

3.3.10 Debris in Containment

Blocking a PWR containment sump with debris from outage work may prevent effective recirculation of reactor coolant following an accident during shutdown. For example, PWR emergency core cooling (ECC) sump screens were removed during refueling outages at some sites, and at others the screens were covered with heavy plastic sheeting. In one plant, one screen was removed and the other was 10-percent uncovered to allow a recirculation capability. In another, one sump was open and the other was closed. Similar conditions were seen in plants with ECC connections in the bottom of the containments without a sump. In one, both filters were removed to expose the pipe opening; in another, the filters were in place. Actual and potential debris existed at all of these sites, but was seldom considered with respect to recirculation capability during shutdown.

3.3.11 Temperature Instrumentation

Core temperature during shutdown in PWRs was obtained by measuring water temperature just above the core by means of thermocouples. Other temperature indications required an operating RHR system for accurate indication of meaningful RCS and core temperature over a wide span of RCS conditions. Although this was addressed in GL 88-17, many operators were still unaware of the potential error associated with lack of flow. In numerous PWR heatup events, no temperature indication was available, although the frequency is decreasing as licensees implement the recommendations of GL 88-17. However, the team often observed poor application of the temperature coverage recommendation, principally involving not providing temperature indications for extended periods of time, restricting the indication to reduced inventory conditions, and failure to provide suitable alarms. Licensees who emphasized temperature indication generally provided measurements while the head was on the RV, except for the 30 minutes to 2 hours just prior to removing the head.

BWR coolant temperature was obtained by measuring the RV wall temperature and assuming natural circulation in the RV. The natural circulation assumption is not valid if water level is lower than the circulation paths in the steam separator. This was often unrecognized, and BWRs have encountered significant heatup with no indication of increasing temperature provided to the operators.

BWRs were equipped with multiple water level indications that were on scale during both power and shutdown operation. PWRs were often operated with all of the "permanent" level indications off scale or inoperative during shutdown. PWR licensees have added level instrumentation to cover shutdown operation in response to GL 88-17. As observed, instrumentation in the BWRs was generally superior to instrumentation in the PWRs. The team often found many damaged and/or incorrectly installed instrument tubes inside PWR containments. Only one short tube section with an incorrect slope was found in a BWR. Many personnel described problems with maintaining accurate level indication in PWRs. No one described this problem in BWRs.

BWR level systems typically used a condensing pot to ensure that connecting pipes remain full, yet no condensate is generated during shutdown. No one indicated this has led to level indication error, nor did anyone identify this as a potential problem.

PWR level indications have significantly improved in the last 3 years. All PWRs now indicate level on the control board. In-containment installations often (but not always) showed evidence of professional installation that was missing several years ago. Much less reliance was being placed on temporary tubing runs. Several licensees were still working to meet GL 88-17 recommendations.

Some PWRs were equipped with ultrasonic hot-leg and cold-leg level indications. A few have been in operation for years, and this indication has been used in foreign plants for some time. Most licensees appeared satisfied with indication accuracy and reliability, although problems were reported with equipment obtained from one vendor.

3.3.13 RCS Pressure Indication

RCS pressure indications were generally wide range and not appropriate for monitoring shutdown operation. A number of operations personnel stated that the computer provided monitoring and cathode-ray tube indications that were more sensitive.

3.3.14 RHR System Status Indication

GL 88-17 identified pump motor current, RHR pump noise, or RHR pump suction pressure for monitoring RHR operation in PWRs. Although many licensees have followed the recommendations in GL 88-17, some responses have been minimal. Among the weaknesses observed were failure to provide a sensitive means to monitor RHR pump operation, failure to consider sampling rate when monitoring parameters, failure to provide trending information, too wide a pressure range to permit observation of behavior, and RHR systems operating with temperature off-scale low.

3.3.15 Dedicated Shutdown Annunciators

Numerous control room annunciators were typically lit during shutdown conditions. Arkansas Nuclear One had installed an annunciator board that addressed major shutdown parameters and was making it operational, the only such panel observed. Several operators indicated that even grouping existing parameters into an easily recognized pattern would be better than what they have. Others said they were familiar with the lit annunciators and had no difficulty recognizing an unusual pattern.
4 PROBABILISTIC RISK ASSESSMENTS

Risks associated with shutdown and refueling conditions have not been extensively studied and are not as well understood as are those associated with power operation. Few studies address the full scope of understanding about shutdown risk in pressurized-water reactors (PWRs) and fewer address such risk in boiling-water reactors (BWRs). Several probabilistic risk assessments (PRAs), including the ongoing NRC-sponsored Grand Gulf and Surry shutdown studies (currently at a preliminary level 1 stage), are summarized here to identify significant issues and insights associated with activities at nuclear power plants during shutdown and refueling outages.

4.1 NSAC-84

NSAC-84 was an extension of the Zion Probabilistic Safety Study completed in 1981. Procedural event trees were developed to account for changes in plant conditions during shutdown. Human errors and equipment failures unrelated to procedures were also considered. The initiating events studied were loss of residual heat removal (RHR) cooling, loss-of-coolant accidents (LOCAs), and cold overpressurization (excess of charging, over-letdown, or an inadvertent safety injection). A shutdown database specific to Zion was developed from plant records and used in quantification.

Findings

The mean core-damage frequency (CDF) at shutdown was estimated to be 1.8x10^-5 per reactor-year.

Examination of the top 10 core-damage sequences revealed the following:

(1) Failures during reduced-inventory operation (including equipment unavailabilities and operator errors) appear in eight sequences, totaling 61 percent of the total CDF; failure of the operator to respond during reduced-inventory operation appeared in five sequences, accounting for 44 percent of the total CDF.

(2) Since malfunctions of RHR components require some type of operator intervention, all shutdown core-damage scenarios (due to overdraining of the reactor coolant system, LOCAs, and RHR suction valve trips) are sensitive to the operator's failure to restore core cooling. The operator's failure to determine the proper actions to restore shutdown cooling appeared in six sequences, accounting for 56 percent of the total CDF.

(3) Loss of RHR cooling (primarily pump and suction valve trips) was the initiating event in eight sequences, totaling 56 percent of the CDF; a LOCA was the initiating event in the other two sequences, totaling 6 percent of the total CDF.

4.2 NUREG/CR-5015 (Loss of RHR in PWRs)

NUREG/CR-5015 was issued in response to Generic Issue 99 concerning the loss of RHR in PWRs during cold shutdown. This study used the NSAC-84 methodology (based on the Zion plant configuration) with several modifications which included the consideration of loss-of-offsite-power (LOOP) events using a separate event tree and the use of generic event frequencies from PWR experience over a 10-year period from 1976 to 1986.

Findings

The mean CDF at shutdown was estimated to be 5.2x10^-5 per reactor-year, with the following breakdown by initiating event:

• loss of RHR: 82%
• loss of offsite power: 10%
• loss-of-coolant accident: 8%

Examination of the findings reveals that operator failure to diagnose that a loss of cooling has occurred and to successfully restore it while at reduced inventory in the reactor coolant system (RCS) accounted for M percent of the total CDF. The two dominant core-damage sequences involved a loss of RHR pump suction as a result of overdraining of the RCS.

The findings of NUREG/CR-5015 appeared to correspond to those of NSAC-84. Operator errors dominated the risk, particularly during midloop operation. LOOP events contributed to 10 percent of the total CDF, a relatively small contribution.

4.3 Seabrook PRA for Shutdown Operation

The Seabrook PRA information was collected from a number of presentations the licensee made to the NRC. This study supplemented the level 3 Seabrook PRA by examining the likelihood of core damage for the plant in standard Modes 4 (hot shutdown), 5 (cold shutdown), and 6 (refueling). Radiological source terms and public health consequences were also considered. The approach used to model accident sequences was similar to that used in NSAC-84 with several enhancements which included the following: fire and flood initiating events unique to plant shutdown were quantified and considered, an uncertainty
analysis of the results was performed, the PWR experience database from NSAC-52 was updated and examined with insights being incorporated into plant shutdown models, and thermal-hydraulic calculations for determining time to core boiling and uncovery were performed for different plant configurations after shutdown.

Findings

The total shutdown CDF was 4.5x10^-5 per reactor-year; the total full power CDF from Seabrook's individual plant examination (IPE) was 1.1x10^-4 per reactor-year. Loss of RHR initiators contributed 82 percent to the CDF. About 71 percent of the total CDF occurred with the RCS vented and partially drained. The largest contributors to RHR failure were the hardware failure of an operating RHR pump, due to its long mission time, and the loss of RHR suction, due to either inadvertent closure of the RHR suction valves or low-level cavitation when the RCS was drained (events caused by operator error).

Although LOCAs represented only 18 percent of the total CDF, they dominated early health risks. When the RCS was filled, the equipment hatch integrity was not required (the hatch integrity is required during reduced inventory conditions). Under these conditions, a postulated LOCA would leave the operator only a short time for restoring core cooling. The Seabrook study found that it was unlikely that the equipment hatch could be closed before the containment became uninhabitable. This scenario indicated the need for controls on containment integrity and emergency response procedures for LOCA events during shutdown. This insight might have been overlooked if the level 2 analysis was not performed. A major contribution to this frequency (accounts for 8%) was LOCAs from overpressure events resulting from stuck-open RHR relief valves or ruptured RHR pump seals.

4.4 Brunswick PRA for Loss of RHR (NSAC-83)

For this study, a quantitative probabilistic evaluation was performed of the reliability of RHR equipment given a variety of scenarios in which the plant's RHR function is challenged, including following transients that resulted in reactor scrams during a planned shutdown and during a cold-shutdown scenario over time which could lead to a suppression pool temperature exceeding 200 °F (93 °C) (assumed core damage). Other functions, such as inventory control, reactivity, and containment control, were not addressed. Brunswick-specific failure data were used, and generic probability values for operational errors were included as basic events in the fault trees.

Findings

The probability of a loss of RHR during cold shutdown was estimated to be 7.0x10^-6 per reactor-year. No dominant accident sequences were listed. However, it is important to note that the PRA did not include losses of inventory control which could be dominant contributors to shutdown risk.

On the basis of an evaluation of the methodology, models, and findings presented in the report, the following are the major contributors to the loss of RHR during shutdown:

• available due to maintenance
• RHR and RHRSW pump failures
• common-mode failure of RHR heat exchangers

4.5 Sequoyah LOCA in Cold Shutdown

Science Applications International Corporation addressed the probability of a core-melt accident in cold shutdown (Mode 5) which was initiated by a postulated loss-of-coolant accident (LOCA) at the Sequoyah nuclear plant. Two LOCA initiating events were considered: safe-shutdown earthquake and operator error (RHR-induced LOCAs were not considered). A total of 20 cases were analyzed with varying assumptions regarding time of LOCA initiation following a shutdown, LOCA size, availability of offsite power, and maintenance status.

Findings

The postulated core-melt frequency was estimated to be in the range from 7.53x10^-5 to 8.5x10^-7 per reactor-year. The major contributors to core-melt frequency included the following:

• operator-induced LOCAs
• operator errors during response (lack of procedures for securing equipment, inadequate RCS monitoring equipment)
• failure of an airbound RHR pump
• RHR suction failure

4.6 International Studies

The staff gained significant insights from studies performed in France. These studies focused on identifying the dominant contributors to risk from dilution events at shutdown and loss of RHR during midloop operation. The
main PRA study excluded such external events as fires, floods, earthquakes, and source terms. The French categorized this study as a level 1 PRA.
4.7 Grand Gulf PRA for Shutdown Operation (Coarse Screening Study and Detailed Study)
Sandia National Laboratories (SNL) is performing a PRA of the low-power and shutdown modes of operation at the Grand Gulf nuclear plant for the NRC. This study has two phases. Phase 1 consisted of a screening study to determine which accident sequences need to be analyzed in more detail.* Phase 2 is the detailed analysis of the dominant accident sequences identified in Phase 1. The PRA is performed in two parts: the accident frequency analysis (level I) and the accident progression and consequence analyses (level II/III).
One objective of the screening study has been to identify plant operational states (POSs) or initiating events, or both, that require more detailed analysis during Phase 2 of the quantification process. The coarse screening in Phase 1 identified and quantified initiating events for seven POSs.** POS 5, which includes both cold shutdown and refueling modes, was selected for the detailed analysis of Phase 2. Some of the major contributing factors in selecting POS 5 over POS 4 are (1) the plant is in POS 5 for more time and (2) the technical specifications allow for more equipment to be inoperable in POS 5 during cold shutdown than in POS 4 during hot shutdown. As POS 5 was modeled in more detail, new initiating events were identified.
To simplify the development of the event trees, SNL divided the event trees into three types: (1) generic functional event trees which are at the functional level and apply to any transient, (2) generic system-level event trees which are at the mitigating systems level and form the basis for the event tree models for each specific transient initiating event, and (3) specific system level event trees which model the mitigating system's response to each of the 34 specific initiating events being analyzed in the study. SNL is currently in the process of quantifying the detailed accident sequences.
4.8 NRC Shutdown PRA for Surry (Coarse Screening Study and Detailed Analysis)
Brookhaven National Laboratory (BNL) performed a probabilistic risk assessment (PRA) of the low-power and shutdown modes of operation at the Surry nuclear plant for the NRC. Like the Grand Gulf study discussed in Section 4.7, this study has two phases. Phase 1 consisted of a screening study to determine which accident sequences need to be analyzed in more detail. Phase 2 is the detailed analysis of the dominant accident sequences identified in Phase 1. The PRA is performed in two parts: the accident frequency analysis (level 1) and the accident progression and consequence analyses (level II/III).
The objectives of Phase 2 of this program were to (1) estimate the frequencies of severe accidents that might be initiated during midloop operation, (2) compare the estimated core-damage frequencies, important accident sequences, and other qualitative and quantitative results of this study with those of accidents initiated during full-power operation, and (3) demonstrate methodologies for accident sequence analysis for plants in modes of operation other than full power.
The approach BNL used was to define different outage types and different plant operational states (POSs) within each outage type. The outage types were grouped into four types: refueling, drained maintenance, nondrained maintenance with the use of the residual heat removal (RHR) system, and nondrained maintenance without the use of the RHR system. The POSs were then used to represent the activities in the plant throughout an outage from low-power operation back to power. In a refueling outage, as many as 15 POSs were used to define the plant activities.
Three POSs defining midloop operation were selected for detailed analysis: POSs R6 and R10, occurring during a refueling outage, and POS D6, occurring during a drained maintenance outage. The detailed analysis included analyses of the initiating events, development of event trees, thermal hydraulics in support of the event tree development and accident sequence quantification, quantification of the fault and event trees using point estimates only, and assessment of human reliability.
BNL also performed a fire risk analysis for low-power and shutdown operations at Surry Unit 1. The analysis included component-based, transient-fueled, and cable fires with the frequencies for the fire events developed using the latest available information. Fire scenarios were analyzed for identified critical locations. The analysis included: (1) quantification of the initiators and the impact on the safety systems; (2) spurious operation and fire growth; (3) quantification of suppression analysis and level 1 fire risk; and (4) modification of the internal PRA model to include the impacts of fire scenarios and the scenario-dependent human reliability errors (HRPs).
Findings
[...] frequency was the failure of the operator to mitigate the accidents. POS D6 is the most dominant POS with a core-damage frequency of 3.0x10^-5 per reactor-year. The
* Phase 2 presentation to NRC staff, March 23, 1992.
** [...] until the vessel head is off and level is raised to the steam lines.
characteristics of POS D6 are high decay heat levels and relatively short time available for operator action. In contrast, POS R10 has a very low decay heat and its core-damage frequency is approximately 2 orders of magnitude lower (4.7x10^-7 per reactor-year). The overall point estimate of the core-damage frequency during low-power and shutdown operation is 3.4x10^-5 per reactor-year.
The fire areas identified as critical are the emergency switchgear room, the normal switchgear room, the cable vault and tunnel, the containment, and the main control room. The control room fire analysis, excluding the quantification of risk, was done separately.
The quantification indicated that certain scenarios in the H and J compartments of the emergency switchgear room, one scenario in the cable vault and tunnel, and one containment scenario dominate the risk. The core-damage frequency due to fire events at midloop is estimated as 2.03x103 per reactor-year.
4.9 Findings
Quantitative results of the PRA studies are shown in Figure 4.1.* On the basis of the findings from each of the studies examined above, the most significant events, from a shutdown-risk perspective, can be summarized as follows:
• failures during midloop operation (PWRs)
• operator error, especially
  - failure to determine the proper actions to restore shutdown cooling (especially during midloop)
  - procedural deficiencies
• loss of RHR shutdown cooling, especially
  - operator error induced
  - suction valve trips
  - cavitation due to overdraining of the RCS
• loss of offsite power
• LOCAs, especially
  - operator error induced
  - stuck-open RHR relief valves
  - ruptured RHR pump seals
  - temporary seals ruptured
* Quantitative results are not yet available from the Grand Gulf study.
[Figure 4.1 Summary of PRA results. Logarithmic axis from 1.00E-08 to 1.00E+00. Note: For Brunswick, probability of core damage equated to probability of suppression pool exceeding 200 °F (93 °C).]
5 REGULATORY REQUIREMENTS FOR SHUTDOWN AND LOW-POWER OPERATIONS
U.S. requirements and requirements in other countries were compiled as part of an Organization for Economic Cooperation and Development/Committee on Nuclear Regulatory Activities study led by the NRC. The findings are presented in the Nuclear Energy Agency's November 1992 proprietary report, "Regulatory Requirements and Experience Related to Low-Power and Shutdown Activities," NEA/NRA/DCOC(91)2, Revision 2, and are summarized below. No proprietary data were used.
5.1 Facilities in the United States
5.1.1 Technical Specifications
Two types of regulatory requirements address shutdown and low-power operations: design requirements and operational requirements. The regulatory design requirements contained in the general design criteria (GDCs) in Appendix A to 10 CFR Part 50 and the quality assurance requirements in Appendix B to 10 CFR Part 50 do not generally depend on operational mode. The staff has interpreted the GDC requirements in the regulatory guides and the "Standard Review Plan," NUREG-0800.
The technical specifications for individual plants are the primary sources of operational requirements to control shutdown and low-power operation. The current standard technical specifications (STS) address specific requirements during shutdown and low-power operation for reactivity control, inventory control, residual heat removal, and containment integrity. The STS requirements vary in degree of coverage and allowable limits when compared with those issued earlier in custom technical specifications. The following discussions of technical specifications are based on the current STS for pressurized-water reactors (PWRs) and boiling-water reactors (BWR/4s).
5.1.1.1 Reactivity Control
The technical specifications requirements for PWRs during shutdown operation include a reduction in the shutdown margin from 1.6-percent to 1.0-percent delta K/K during cold shutdown. Reactor protection systems are not required to be operable once the reactor is shut down, except that flux monitors must be operable whenever control rods can be moved. The restoration of an inactive loop is controlled by temperature and boron concentration limits during cold shutdown and refueling. Boron concentration limits are not applicable for the refueling water storage tank (RWST) during hot and cold shutdown and refueling operations, and the boron injection tank is not required to be operable during cold shutdown and refueling. However, sources of unborated water must be isolated from the primary system.
For BWRs, operability requirements of relevant components of the reactor protection system remain in effect in the low-power and shutdown/refueling "Operation Conditions." These include operability of the SRM (source range), IRM (intermediate range), APRM (average power range) flux monitors (and trip systems), control rod scram accumulators, scram discharge volume, mode switch, and manual scrams. There are STS requirements on control rod insertion (for the most part minimizing withdrawn rods) and on shutdown margin. These are augmented by special STS for refueling operations and for special tests exceptions. For example, when permitted, multiple control rod removal requires prior removal of all fuel in the affected control cell. However, if control rods are being moved, flux monitors must be operable. The feedwater reactor trip may be disabled during the startup mode and the instrumentation for anticipated transient without scram (ATWS) is not required during startup. All control rod movement is restricted to one control blade at a time, unless the associated fuel cell contains no fuel. The shutdown margin must be at least 0.38-percent delta K/K at all times.
5.1.1.2 Inventory Control
For both PWRs and BWRs, leakage limits and leakage detection system operability are not required during cold shutdown and refueling. The following additional requirements apply only to PWRs: Only one train of emergency coolant injection is required during hot shutdown and none is required in cold shutdown or refueling. The RWST is also not required to be operable during cold shutdown or refueling. Instrumentation requirements are controlled by the requirements of the systems supported by the instrumentation; that is, if the injection system is required to be operable, the system instrumentation is required to be operable. In addition, for PWRs, low-temperature overpressure protection is required in the hot-shutdown, cold-shutdown and refueling conditions. The requirements are that two power-operated relief valves or two residual heat removal (RHR) relief valves are operable and no more than one train of high-pressure injection can be operable.
For BWRs, two low-pressure injection trains are required during cold shutdown and refueling. This requirement is eliminated if the reactor pressure vessel (RPV) head is removed, the refueling cavity is flooded, spent fuel pool gates are removed, and the level is maintained as required by technical specifications (TS). As with the PWR instrumentation requirements, the system instrumentation is required to be operable if the system is required to be operable. Cooling water systems associated with the injection systems are also generally required to be operable
only when the injection systems are required to be operable, unless required to meet other TS requirements.
5.1.1.3 Residual Heat Removal
In the low-power and shutdown modes, the PWR operability requirements for the RHR function are mode dependent. During hot standby, two reactor coolant loops are required. In hot shutdown, any combination of two RHR loops and reactor coolant loops is acceptable. During cold shutdown, two RHR loops are required, unless two steam generators are filled to at least 17 percent of the normal level for the steam generators; in that case, two steam generators and one RHR loop are an acceptable combination. During refueling, two RHR loops or one with the refueling cavity filled are required. Generally, the secondary-side heat removal systems (main and auxiliary feedwater) are not required to be operable during hot and cold shutdown and refueling. However, if a steam generator is being used as a heat removal system during hot shutdown, the condensate storage tank, atmospheric dump valves, and one train of auxiliary feedwater (including instrumentation) must be available.
For BWRs, two loops of RHR are required (with one operating) in the hot-shutdown, cold-shutdown, and refueling modes. With the refueling cavity flooded during refueling, only one RHR loop is required.
One division of electric power is required to be operable in cold shutdown and during refueling, as opposed to two divisions during all other modes of operation. (A division is defined to include both an onsite and an offsite source of ac power.)
5.1.1.4 Containment Integrity
The containment integrity requirements for PWRs are not applicable during cold shutdown and refueling. This includes the operability of the containment spray system. In addition, the containment isolation instrumentation is not required to be operable during hot shutdown. During fuel movement operations, less-restrictive containment isolation requirements are in effect. One airlock door must be maintained closed and a "four-bolt rule" is in effect for the equipment hatch.
In a BWR, the containment atmosphere can be de-inerted 24 hours prior to being at a power level less than 15 percent of rated thermal power. The primary containment must be inerted within 24 hours after exceeding 15 percent of rated thermal power during startup. Primary containment integrity and containment isolation instrumentation requirements are not applicable during cold shutdown and refueling. However, during fuel movement, core alterations, and operations with the potential for draining the vessel, both the secondary containment and the standby gas treatment system must be operable.
The staff is reviewing the range of TS requirements for shutdown and low-power modes, including those in the existing STS and those developed within the Technical Specifications Improvement Program. In performing this review, the staff has determined that these requirements are generally less restrictive than the requirements in the full-power operations mode. For example, the TS allow fewer operators for PWRs and BWRs during cold-shutdown and refueling operations.
5.1.2 Other Regulatory Requirements or Policies
The staff also identified a number of important facts regarding regulatory requirements or policies pertaining to operator training, use of overtime, emergency planning, fuel handling, heavy loads, fire protection, and procedures.
5.1.2.1 Training (Coverage of Shutdown Conditions on Simulators)
The current Code of Federal Regulations (Title 10, Section 55.45(b)(2)(iv)) requires that the simulation facility portion of the operating test only be administered on a certified or approved simulation facility. NRC Regulatory Guide 1.149 endorsed the guidance of the American National Standards Institute's (ANSI's)/American Nuclear Society's (ANS's) standard, "Nuclear Power Plant Simulators for Use in Operator Training," ANSI/ANS 3.5-1985. To date, nearly all of the industry's simulators have been certified to meet this guidance.
The ANSI/ANS Standard 3.5-1985 requires simulation of minimum normal activities from cold startup to full power to cold shutdown, excluding operations with the reactor vessel head removed.
5.1.2.2 Policy on Use of Overtime
Generic Letter (GL) 82-12 transmitted NRC's "Policy on Factors Causing Fatigue of Operating Personnel at Nuclear Power Plants." This policy gives specific guidance for the control of working hours during shutdown operations. This guidance allows the plant superintendent to approve associated deviations from the guidelines on working hours. The policy applies only to personnel who perform safety-related duties and the individuals who directly supervise them.
5.1.2.3 Fire Protection
The plant TS allow various safety systems, including fire protection systems, to be taken out of service to facilitate system maintenance, inspection, and testing during shutdown and refueling.
The Appendix R (10 CFR Part 50) fire protection criteria for protecting the safe-shutdown capability do not include those systems important to ensuring an adequate level of RHR during non-power modes of operation.
The current Nuclear Regulatory Commission (NRC) fire protection philosophy (NUREG-0800, Standard Review Plan Section 9.5.1) does not address shutdown and refueling conditions and the impact a fire may have on the plant's ability to remove decay heat and maintain reactor coolant temperature below saturation conditions.
5.1.2.4 Reporting Requirements
The current NRC regulations require that any operation or condition prohibited by the plant TS is reportable under 10 CFR 50.73. This includes both power operation and shutdown. However, as discussed earlier, there are far fewer TS applicable during shutdown.
5.1.2.5 Onsite Emergency Planning
The current guidance for classifying emergencies for nuclear plants during power operation (found in Appendix 1 to NUREG-0654 (FEMA-REP-1), Revision 1, titled "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants"), does not explicitly address the different modes of nuclear power plant operation.
5.1.2.6 Fuel Handling and Heavy Loads
The following requirements apply to the handling of fuel:
(1) Plant TS require that fuel-handling equipment be tested before use, in order to prevent dropping fuel elements.
(2) For both BWRs and PWRs, TS require that a specified level of water be maintained above the reactor vessel head and in the spent fuel storage pools during refueling, in order to maintain spent fuel cooling capability and to ensure protection against radiation in the event of a fuel-handling accident.
(3) For PWRs, TS require that, before initiation of the refueling process, penetrations in the containment building be closed or be capable of being closed by an operable automatic valve actuated on a high-radiation signal in the containment. For BWRs, TS require that the integrity of the secondary containment be ensured before handling irradiated fuel. The reason for maintaining containment integrity in both PWR and BWR plants is to prevent excessive radiation from entering the environment in the event of an accident.
(4) For PWRs and BWRs, commitments in final safety analysis reports (FSARs) and license amendments require that specified coolant temperatures be maintained in the spent-fuel pool and that fuel pool cooling systems be operating to maintain those temperatures. TS require that specified water levels be maintained in the spent-fuel pool.
(5) TS require that, before initiating any core changes by means of fuel handling, the reactor be subcritical for a specified period, in order to permit decay of short-term fission products.
(6) TS require that shutdown margins be ensured before starting the refueling process in order to prevent plant criticality during that period.
(7) TS ensure that operation and operability of core cooling systems are ensured before and during the refueling process.
(8) As an added protection against excessive radiation escaping to the environment, PWR TS require that containment purge and exhaust isolation systems be operable to isolate the primary containment in the event of a fuel-handling accident. TS for PWRs also require that storage pool cleanup systems be operable to filter and remove radioactive material from the atmosphere over the spent-fuel pool should an accident occur while fuel is being moved. For BWRs, TS require that secondary containment integrity be ensured (as noted above) and that the standby gas treatment system be operable during the refueling procedure.
Heavy Loads
Damage to spent fuel or redundant trains of safe-shutdown systems is prevented by following safe load paths, i.e., by circumventing areas in which spent fuel is stored or where safe-shutdown systems are located. Where a licensee cannot employ safe load paths at all times, protection is afforded by one of two alternative methods:
(1) by providing a single-failure-proof handling system, or
(2) by completing an acceptable analysis of a potential drop of a heavy load, as follows:
(a) For shutdown systems, heavy load drops are analyzed to ensure continued operability of at least one train of redundant systems.
(b) For spent fuel, heavy load drops are analyzed: (i) to ensure protection against escape of radiation; (ii) to ensure protection against criticality of spent fuel arrays, and (iii) to ensure protection against damage to reactor vessels and spent-fuel pools which would prevent continued cooling capability of spent fuel.
5.1.2.7 Plant Procedures
Appendix B to 10 CFR Part 50 requires that licensees provide control over activities affecting the quality of plant structures, systems, and components that prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. The control of these structures, systems, and components is to be consistent with their importance to safety, and includes maintaining safety during shutdown as well as power operation. Activities affecting quality are to be performed in accordance with procedures or drawings of a type appropriate to the circumstances. Consequently, the regulatory basis now exists to require that licensees have procedures appropriate for the prevention and mitigation of risks associated with low-power and shutdown operations and to require that these procedures are commensurate with the risk to public health and safety.
5.1.3 Bulletins and Generic Letters
NRC use of generic communications, specifically bulletins and generic letters, offers insight into the events of interest and the evolution of requirements. These generic communications present a chronology of events and actions requested by the NRC (actions for plant licensees to take to preclude or mitigate events that could affect the nuclear power plant during low-power and shutdown operations) that have resulted in changes to regulatory requirements.
Two generic letters (87-12 and 88-17) are of interest to low-power and shutdown operations. They contain actions requested of licensees or identify actions taken by licensees. They are the most comprehensive and most widely applicable of the generic letters. They specifically address shutdown concerns and are the most current generic letters to contain recommendations regarding low-power and shutdown operations.
Table 5.1 lists seven generic letters related to shutdown [...]ments and recommendations of GL 88-17.
Bulletin 80-12 is related to shutdown and low-power operations. It discusses the loss of decay heat removal that occurred at Davis-Besse in April 1980 and delineates the actions to be taken by the industry.
5.2 International Facilities
In January 1991, the Committee on Nuclear Regulatory Activities (CNRA) sent a questionnaire to the regulatory agencies of several nations. This questionnaire, "Elements for a Survey on Low-Power and Shutdown Activities," was intended to gather information regarding approaches to the control of low-power and shutdown operations at nuclear power plants. The objective of the questionnaire was that the responses would address all low-power and shutdown requirements, both of the regulatory authority and of the facility operators. However, most responses addressed the regulatory requirements and simply acknowledged that operation during these modes was mainly controlled by procedures and requirements established by the facility operator.
In particular, the responses were to address requirements for reactivity control, inventory control, residual heat removal, containment integrity, and outage and maintenance management. Each country indicated that its regulatory body has established safety requirements that the operator had to meet. However, the specific operating requirements were developed by the plant operator.
Technical specifications or their equivalent appeared to be the principal technique used to impose regulatory control of plant operation during shutdown and low-power operation.
Table 5.1 Generic Letters Concerning Shutdown and Low-Power Operations
| Generic letter | Title |
|---|---|
| 80-53 | Transmittal of Revised Technical Specifications for Decay Heat Removal Systems at PWRs |
| 81-21 | Natural Circulation Cooldown |
| 85-05 | Inadvertent Boron Dilution Events |
| 86-09 | Technical Resolution of Generic Issue B-59, (n-1) Loop Operation in BWRs and PWRs |
| 87-12 | Loss of Residual Heat Removal (RHR) While the Reactor Coolant System (RCS) Is Partially Filled |
| 88-17 | Loss of Decay Heat Removal |
| 90-06 | Resolution of Generic Issues 70, "Power-Operated Relief Valve and Block Valve Reliability," and 94, "Additional Low-Temperature Overpressure Protection for Pressurized Water Reactors" [pursuant to 10 CFR 50.54(f)] |
.,p s
x
-,a 1
i 4
Table 5.2 Generic Letter 88-17* Recommendations and Program Enhancements Item Recommendation l
(1) +
Discuss with appropriate plant personnel the Diablo Canyon event, lessons learned, and implications. Provide training shortly before entering a reduced inventory condition.
(2)+
Implement procedures and administrative controls that reasonably ensure containment closure will be achieved before the time at which a core uncovery could result from a loss of decay heat removal coupled with an inability to initiate alternate cooling or to add water to the reactor coolant system.
{
(3)+
Provide at least two independent, continuous temperature indications that are representative of the core exit i
conditions whenever the reactor is in midloop operation and the reactor vessel head is located on top of the vessel.
I (4)+
Proside at least two independent, continuous n.. actor coolant system water level indications whenever the reactor coolant system is in a reduced inventory condition.
(5)+
Implement procedures and administrative controls that generally avoid operations that deliberately or knowingly lead to perturbations to the RCS or to systems that are necessary to maintain the RCS in a stab!c and controlled condition while the RCS is in a reduced inventory condition.
i (6)+
Provide at least two available or operable means of adding inventory to the reactor coolant system in addition to the pumps that are a part of the normal decay heat removal systems.
(7)+
Implement procedures and administrative controls that reasonably ensure that all hot legs are not blocked simultaneously by nozzle dams unless a vent path is provided that is large enough to prevent pressurization of the l
upper plenum of the reactor vessel.
(8)+
Implement procedures and administrative controls that reasonably casure that all hot legs are not blocked l
4 simultaneously by closed loop stop valves unless reactor vessel pressurization can be prevented or mitigated.
l (9)#
Provide reliable indication of parameters that describe the state of the reactor coolant system and the perform-ance of systems normally used to cool the reactor coolant system for both normal and accident conditions.The following should be provided in the control room; two independent indications of reactor vessel level and temperature, indications of decay heat removal system performance, and visible and audible indications of I
abnormal conditions.
j i
(10)#
Develop and implement procedures that cover reduced inventory operation and that provide an adequate basis l
for entry into a reduced inventory condition.
l (11)#
Ensure that adequate operating, operable, or available equipment is provided for cooling the reactor coolant i
system. Maintain existing equipment in an operable or available status, including at least one high-pressure system and one other system. Provide adequate equipment for personnel communications.
(12)#
Conduct analyses to supplement existing information and develop a basis for procedures, instrumentation installation and response, and equipment / nuclear steam supply system interactions and response.
(13)#
Identify technical specifications that restrict or limit the safety benefit of these actions and submit appropriate changes.
(14)#
Reexamine recommending item 5 and refine it as needed.
* This generic letter discussed the loss of decay heat removal capability that occurred on April 10, 1987, at Diablo Canyon Unit 2 while the plant was in the refueling mode of operation. Additional events at Waterford (on May 12, 1988), Sequoyah (on May 23, 1988), and San Onofre (on July 7, 1988) also contributed to this second generic letter addressing loss of decay heat removal capabilities at PWRs. It provided recommendations and required PWR licensees to respond to the recommendations.
+ Recommended for implementation before operating in a reduced inventory condition.
# Recommended for implementation as soon as practical.
These requirements were generally less restrictive in the shutdown mode than in the full-power operations mode. Low-power operation was often approached with the same requirements as full-power operation, although in specific instances the technical specifications requirements during low power were relaxed from the full-power requirements.
Of the areas addressed in the questionnaire, the outage and maintenance management area appeared to be the most within control of the operators of the nuclear facility. General requirements to submit outage plans and refueling documentation were the most restrictive of the requirements imposed by any country, and most appeared to require some type of planning. In the other areas addressed by the questionnaire, some control over the plant configuration was exercised in the technical specifications (or their equivalent) in most countries.
Reactivity control requirements for PWRs tended to address two related items: boron concentration (including both boron injection system operability and the need to isolate the primary system from sources of non-borated water) and subcriticality margin. Additional requirements mentioned in many responses included requirements to maintain neutron flux monitoring instrumentation operable in all modes, unless the control rods cannot be
Generally, fewer reactivity control requirements were imposed on the BWRs than on PWRs. During refueling operations, restrictions were generally in place regarding the removal of control assemblies from the core. Either one rod at a time was allowed to be removed or the supercell around the control rod to be removed must be empty.
Several different approaches were taken to describe the inventory control requirements. Some countries described the instrumentation requirements for the shutdown and low-power operational modes. For these countries, additional instrumentation was required at various times during operation in these modes, particularly during PWR midloop operations.
The responses from several countries described injection capability requirements. Combinations of low- and high-pressure injection systems were required to be operable. Often, during the time that the refueling cavity was flooded, the injection system requirements were reduced. However, if maintenance was being performed on the primary system below the level of the core, this reduction in injection availability was not allowed.
In general, redundant heat-removal capabilities were required at all times by most of the countries. In PWRs, this redundancy could often be supplied by any combination of operable steam generators and RHR systems, shifting entirely to the RHR systems once the steam generators cannot be used. For those countries that replied in detail, their responses indicated that the flooded refueling cavity can be considered a heat-removal system, because of the large amount of water present. At least two countries tied the operability of the RHR system to the decay heat rate as a function of time after shutdown. For these countries, the requirements on system operability were reduced as the decay heat rate dropped.
In general, containment integrity requirements were waived under certain conditions in every country. Usually, during the refueling mode of operation when no fuel transfer was taking place, containment integrity was not required. Containment airlocks were not always required to remain operable during refueling. When they were allowed to be open during refueling, they must generally isolate on a high radiation signal. In BWRs with inerted containments, the containment generally may be de-inerted several hours before entering a cold-shutdown condition and did not have to be re-inerted until after entering a hot-shutdown condition.
Other than some staffing requirements, there were almost no regulatory requirements that specifically addressed outage and maintenance management. Many countries did require that outage and refueling plans be submitted to the regulatory bodies. These documents must outline the procedures and rules to be followed during an outage. However, the licensee generally developed the procedures and rules.
Significant variability appears to exist among the programs in various countries.
Conclusions
The NRC's current requirements in the areas of shutdown and low-power operations were less stringent than those of most other regulatory agencies. However, the staff concluded that the NRC's continuing shutdown-risk study appears to address all the significant issues.
6 TECHNICAL FINDINGS AND CONCLUSIONS
6.1 Overview
On the basis of the work it completed over the past 18 months, the staff concludes that risk varies widely during shutdown conditions at a given plant and among plants, and can be significant. The staff has observed an increasing recognition of the importance of shutdown issues among licensees and within the staff. The staff also observed a general improvement in safety practices during shutdown, both in response to regulatory actions and from the industry's individual and collective initiatives.
Variability of risk during an outage period results primarily from continuous changes in (1) plant configuration and activity level, which determine the likelihood of an upset and, to some degree, the severity; (2) the amount and quality of equipment available to recover from an upset; (3) the time available to diagnose and recover from an upset; and (4) the status of the primary containment.
Among plants, risk varied because of the many approaches used by utilities to address safety during a shutdown condition, differences in plant design features, and lack of a standard set of industry or regulatory controls for shutdown operations. Such variability, along with analytical limitations peculiar to shutdown (e.g., human reliability analysis), makes it difficult to quantify the risk during shutdown in U.S. reactors. The staff has focused its attention primarily on operating experience and the current capability in U.S. plants to avoid a core-melt accident and release of radioactivity. Insights from probabilistic assessments have also been valuable in understanding what is important to risk during shutdown.
As discussed in Chapter 1, about midway through the evaluation the staff identified a number of issues believed to be especially important and a number of potentially important issues. The staff has studied each of these issues and obtained specific findings which are discussed in this chapter.
6.2 Outage Planning and Control
In the absence of strict technical specification controls, licensees have considerable freedom in planning outage activities. Outage planning determines what equipment will be available and when. It determines what maintenance activities will be undertaken and when. It effectively establishes if and when a licensee will enter circumstances likely to challenge safety functions and it establishes the level of mitigation equipment available to deal with such a challenge.
Many shutdown events have occurred that represented challenges to safety during low-power and shutdown (LPS) operation. Some of these initiated when the power plant was in a sensitive condition as a result of inadequate planning and mistakes (examples: Diablo Canyon, 4/87, see NUREG-1269; Vogtle, 3/90, see NUREG-1410). Recognizing that the safety significance of such events is a strong function of outage planning and control, and that the NRC has not previously addressed the safety implications of outage planning, the staff initiated a study of such planning and its implications as part of the plant visits program described in Chapter 3, and has supplemented this with information from staff inspectors.
A wide variety of conditions and planning approaches was observed during the plant visits. These included
• outages that were well planned and controlled
• outages that were poorly prepared and poorly organized
• priority assigned to safety with the complete licensee organization striving for safety
• an ad hoc approach in which safety was dependent upon individual judgment
• the perception that short outages represent excellence
• personnel stress and events that appeared to be the result of overemphasis on achieving a short outage
• impact of poor outage planning and implementation
• imprudent operation as a result of insufficient attention to safety
6.2.1 Industry Actions
The industry has addressed outage planning and control with programs that include workshops, Institute of Nuclear Power Operations (INPO) inspections, Electric Power Research Institute (EPRI) support, training, procedures, and other programs. One activity (a formal initiative proposed by the Nuclear Management and Resources Council (NUMARC)) has produced a set of guidelines for utility self-assessment of shutdown operations (NUMARC 91-06); these guidelines serve as the basis for an industrywide program that was implemented at all plants by December 1992. This provides high-level guidance that addresses many outage weaknesses. Detailed guidance on developing an outage planning program is beyond the scope of the NUMARC effort.
NUMARC 91-06 states: "The underlying premise of this guidance is that proper outage planning and control, with a full understanding of the major vulnerabilities that are present during shutdown conditions, is the most effective means of enhancing safety during shutdown."
The staff met with NUMARC and the associated utility working group on several occasions to share technical insights and discuss program status. The initiative does appear to be a significant and constructive step and effects may have already been realized by a few utilities using draft guidance in recent outages.
6.2.2 NRC Staff Findings
On the basis of its review of operating experience, probabilistic risk assessments (PRAs), site visits, and information from other regulatory agencies, the staff concludes that a well-planned, well-reviewed, and well-implemented outage is a major contributor to safety. It has further substantiated and/or determined the following:
• Consistent industrywide safety criteria for the conduct of LPS operation do not exist. (NUMARC 91-06 provides high-level guidance, but no criteria.)
• Many licensees have no written policy that provides safety criteria for LPS operation. Some are working on such a policy; others had no plan (at the time the staff visited the plant) to prepare such a policy.
• Some licensees enter planned outages with incomplete outage plans.
• Some licensees cannot properly respond to an unscheduled outage because their planning is poor.
• Safety considerations are not always evident during outage planning.
• Changes to outage plans and ad hoc strategies for activities not addressed in the plan are often not addressed as carefully as the original plan.
• The need for training and procedures is not always well addressed in planning.
• Bases do not exist that fully establish an understanding of plant behavior and that substantiate the techniques depended upon to respond to events. Such bases would provide the information necessary for reasonable and practical technical specifications, procedures, training, LPS operation (outage) planning, and related topics.
• There is no regulation, regulatory basis, staff policy, or other guidance (such as technical specifications or staff studies) that currently requires or otherwise provides regulatory guidance for outage planning and plan implementation.
6.3 Stress on Personnel and Programs
A large amount of activity takes place during outages. The increased size of the work force at the site during outages, combined with the rapid changes in plant configurations that occur during these periods, creates a complex environment for planning, coordinating, and implementing tasks and emergency responses. As a result, outage activities can stress the capabilities of plant personnel and programs responsible for maintaining quality and operational safety. This stress can be reduced through outage planning that ensures (1) staffing levels are sufficient and jobs are defined so that workloads during normal or emergency outage operations do not exceed the capabilities of plant personnel or programs; (2) personnel are adequately trained to perform their duties, including the implementation of contingency plans; and (3) contingency plans are developed for mitigating the consequences of
The present NRC policy concerning working hours of nuclear plant staff, as written, provides objectives for controlling the working hours of plant personnel, and provides specific guidelines for periods when a plant is shut down. It permits plant personnel to work overtime hours in excess of the recommended hours, provided that appropriate plant management gives its approval. However, as noted in NRC Information Notice 91-36, in some instances a licensee's work-scheduling practices or policies were inconsistent with the intent of the NRC policy.
The staff reviewed the NUMARC document "Guidelines to Enhance Safety During Shutdown" and concluded that the guidelines establish a sound approach to addressing the issue of stress and its risks associated with LPS operations. Effective implementation of these guidelines should reduce the potential for planned or unplanned outage activities to inappropriately stress the capabilities of plant personnel and programs by (1) improving control of outage activities, (2) reducing time that people perform higher risk activities, and (3) increasing preparedness to implement contingency actions, if needed. Consequently, stress on plant programs and personnel during outages is expected to be reduced.
6.4 Operator Training
Conditions and plant configurations during shutdown for refueling can place control room operators in an unfamiliar situation. Operators who are properly informed and who understand the problems that could arise during outages are essential in reducing risks associated with the outage activities. Through the comprehensive training programs, operators can gain such knowledge and
understanding, thus increasing the level of safe operations at nuclear plants. The level of knowledge and abilities can be qualitatively measured by a comprehensive examination.
6.4.1 Examination of Reactor Operators
The knowledge and abilities (K/A) that an operator needs to properly mitigate the events and conditions described in Chapters 2 and 3 are addressed by NRC's K/A catalogs (NUREG-1122 and NUREG-1123). These catalogs, in conjunction with the facility licensee's job task analysis, provide the basis for developing examinations that contain valid content. Present guidance for developing examinations is described in the Examiner Standards (NUREG-1021). This guidance allows for significant coverage of shutdown operations, but it does not specify any minimum coverage. NUREG-1021 provides a methodology for developing examinations that was derived, in part, from data collected from licensed senior reactor operators and NRC examiners. The guidance also calls for examination content to include questions and actions based on operating events at the specific facility and other similar plants. A review of samples of initial written examinations indicates that LPS operations are covered generally and the coverage is consistent with assuring adherence to the objectives of licensee training programs and the sampling methodology of NUREG-1021. However, if licensee training programs and procedures are revised, through an improved outage program, to place more emphasis on reducing shutdown risks, the staff expects that more extensive and broader examination coverage will
6.4.2 Training on Simulators
As of May 26, 1991, all facility licensees were required to have certified or approved simulation facilities unless specifically exempted. Nearly all of the industry's simulators have been certified to meet the guidance of the American National Standards Institute (ANSI) "Nuclear Power Plant Simulators for Use in Operator Training," ANSI/ANS 3.5-1985, as endorsed by Regulatory Guide 1.149. This standard calls for simulation of minimum normal activities from cold start up to full power to cold shutdown, excluding operations with the reactor vessel head removed. Therefore, these certified simulators are capable of performing many of the operations from a subcritical state to synchronization with the electrical grid.
ANSI/ANS 3.5-1985 is based on the concept that the scope of simulation should be commensurate with operator training needs. In accordance with ANSI/ANS 3.5-1985, the scope of simulation should be based on a systematic process for defining performance-based operator training, and modifications should be based on assessments of the training value this process offers. The scope of the necessary changes would be defined by operator tasks identified as requiring training or examination on a simulator. Presently, simulators are used in training and examinations in those areas where dynamic plant response provides the most appropriate means to meet the training objectives. Many events that are likely to occur during shutdown would result in the majority of operator actions taking place out in the plant rather than in the control room. As a result, such events might be more appropriately addressed through methods other than simulator training.
To the extent practicable, simulator training for shutdown conditions should continue to be conducted. The Examiner Standards document (NUREG-1021) already requires examiners to report observations of simulator performance in the examination reports. This feedback from the examiners is then used to determine if simulator inspections are necessary. Revising NUREG-1021 to place more emphasis on reducing shutdown risks should result in more observations of simulator performance in this area being reported than at present.
6.5 Technical Specifications
6.5.1 Residual Heat Removal Technical Specifications
Based primarily on the PRA studies discussed in Chapter 4 and the thermal-hydraulic analysis in Section 6.6, the staff concludes that current standard technical specifications (STS) for pressurized-water reactors (PWRs) are not detailed enough to address the number and risk significance of reactor coolant system configurations used during cold shutdown and refueling operations. This is particularly true of PWR technical specifications. Safety margin during these modes of operation is significantly influenced by the time it takes to uncover the core following an extended loss of residual heat removal (RHR). The conditions affecting this margin significantly include decay heat level, initial reactor vessel water level, the status of the reactor vessel head (i.e., bolted on or bolted on with bolts detensioned or removed), the number and size of openings in the cold legs, the existence of hot-leg vents, whether or not there are temporary seals in the reactor coolant system (RCS) which could leak if the system is pressurized, and availability of diverse, alternate methods of RHR in case of complete loss of RHR systems. The current technical specifications do not reflect these observations. The staff has also found that some older plants do not have even basic technical specifications covering the RHR system.
In light of the above findings, the staff has identified a number of proposed improvements to limiting conditions for operation in current standard technical specifications for the RHR systems, component cooling water systems,
service water systems, and emergency core cooling systems. These improvements are discussed in Chapter 7.
6.5.2 Electrical Power Systems Technical Specifications
Electric power and its distribution system is generally as vital for accident mitigation during shutdown conditions as it is for power operating conditions. There are, however, some shutdown conditions for which it is not as vital and during which losses of power can be accommodated more easily (e.g., fuel offload and reactor cavity flooded). In PWRs, all normal RHR systems and most components used in alternate methods are powered electrically. The same holds true for the emergency core cooling system (ECCS) and instrumentation. Boiling-water reactors (BWRs) are similar, but many more systems that are powered by steam are available to remove heat; however, these systems can only be used when the reactor vessel head is on and the main steam system is pressurized. Electric power is also vital for securing primary containment integrity promptly at some plants (see Appendix B).
Current STS were written under the assumption that all shutdown conditions were of less risk than power operating conditions. As a result of making that assumption, most maintenance on electrical systems is done during shutdown. Consequently, requirements for operability of systems are relaxed during shutdown modes.
Operating experience and risk assessments discussed in Chapters 2 and 3 indicate that for some shutdown conditions (e.g., midloop operation) such relaxation of operability requirements for electrical systems is not justified. In addition, in the past, STS in the electrical system area have been poorly integrated with technical specifications for other systems that the electrical systems must support. As a result, many plant-specific technical specifications for shutdown conditions are also poorly integrated; and misunderstandings have occurred regarding how the electrical specifications should be applied to support other technical specifications for systems such as RHR systems. There are also some facilities that do not have any electrical system technical specifications for shutdown modes.
In light of these findings and knowledge of shutdown operations gained from the site visits, the staff concludes at this time that with proper planning, maintenance on electrical systems can be accommodated during shutdown conditions of less risk significance. Consequently, the staff is developing proposed improvements to technical specifications for electrical systems which (1) ensure a minimum level of electrical system availability in all plants, (2) balance the need for higher availability of electrical systems during some shutdown conditions and the need to still do maintenance during shutdown operations, and (3) bring logic and consistency to an area of nuclear plant operation that has been cumbersome for both plant operators and regulators.
6.5.3 PWR Containment Technical Specifications
As discussed in Chapter 5, containment integrity for PWRs and BWRs is not required by technical specifications during cold shutdown or refueling conditions, except during movement of fuel. On the basis of operating experience, thermal-hydraulic analyses, and PRA assessments, the staff concludes that it may be necessary to ensure PWR containment integrity prior to an interruption in core cooling under some shutdown conditions (this is discussed more fully in Section 6.9.1). Changing the technical specification on containment integrity would be the most direct and effective means of improving containment capability where needed. However, the staff recognizes the importance of containment access during outages and accepts that having some passive cooling methods available, in addition to normal cooling systems, can compensate for an open containment when decay heat is high. Consequently, the staff is considering the need for a proposed technical specification to govern containment integrity for PWRs during some shutdown conditions; the proposed technical specification recognizes the importance of passive alternate cooling methods, as discussed in Chapter 7.
6.6 Residual Heat Removal Capability
6.6.1 Pressurized-Water Reactors
Decay heat is removed in PWRs during startup and shutdown by dumping steam to the main condenser or to the atmosphere and restoring inventory in the steam generators with the auxiliary feedwater (AFW) system. During cold shutdown and refueling, the RHR system is used to remove decay heat. Because of the relatively high reliability of the AFW system and the short time spent in the startup and shutdown transition modes, losses of decay heat removal during these modes have been infrequent. However, loss of decay heat removal during shutdown and refueling has been a continuing problem. In 1980, a loss-of-RHR event occurred at the Davis-Besse plant when one RHR pump failed and the second pump was out of service. Following its review of the event and the requirements that existed at the time, the NRC issued Bulletin 80-12, followed by Generic Letter (GL) 80-53 calling for new technical specifications to ensure that one RHR system is operating and a second is available (i.e., operable) for most shutdown conditions. The Diablo Canyon event of April 10, 1987, highlighted the fact that midloop operation was a particularly sensitive condition. Following its review of the event, the staff issued GL 88-17, recommending that licensees address numerous generic deficiencies to improve the reliability of the decay heat removal capability. More recently, the incident
investigation team's report of the loss of ac power at the Vogtle plant (NUREG-1410) raised the issue of coping with a loss of RHR during an extended period without any ac power. In light of the continued occurrence of events involving loss of RHR and the issues raised in NUREG-1410, the staff assessed the effectiveness of GL 88-17 actions and alternate methods of decay heat removal. These assessments are discussed next.
6.6.1.1 Effectiveness of GL 88-17 Actions
Actions requested in GL 88-17 are listed in Table 5.2. The staff assessed the response to GL 88-17 through NRC inspections conducted to date and the site visits discussed in Chapter 3. The more important subject areas were evaluated in terms of overall performance since GL 88-17 was issued, as discussed below.
Operations. Operations with the RCS water level at midloop have diminished generally. Some utilities now perform activities requiring reduced inventory with the reactor defueled. Others have taken steps to minimize time spent in reduced inventory or plan sensitive activities later in the outage when the decay heat level is lower. However, midloop operation is still used widely; in fact, one utility stayed at midloop for 37 days in its most recent outage.
Events. Loss-of-RHR events have continued to occur even 3 years after the issuance of GL 88-17. Three events discussed in Chapter 2 occurred in 1991. All three occurred at sites that had also experienced such events before GL 88-17 was issued.
Procedures. As discussed in Chapter 2, procedures for responding to loss-of-RHR events have generally improved in terms of the level of information provided to operators and the specification of alternate systems and methods that can be used for recovery. In addition, inspection teams have found that procedures written in response to GL 88-17 have been applied effectively outside the intended envelope for lack of other procedures, for example, loss of inventory.
However, some concerns still exist. Although procedures often specify use of the steam generators or the ECCS as alternate methods for removing decay heat, it has been observed, as discussed in Chapter 3, that neither steam generator availability nor a clear flow path via the containment sump has been planned for and maintained. In addition, it has also been observed that complete thermal-hydraulic analyses and bases have not been developed which would ensure that operators have been given the necessary information to respond to a complicated event involving steam generation in the RCS, including one following a station blackout. A number of important considerations relating to alternate decay heat removal were not found in training literature nor plant procedures. These are discussed in Section 6.6.1.2.
Instrumentation. Most licensees have generally responded appropriately to GL 88-17 by providing two independent RCS level indications, two independent measurements of core exit temperature, the capability to continuously monitor RHR system performance, and visible and audible alarms. However, wide variability exists among them, as discussed below.
• Many operators were unaware that core temperature cannot be inferred from measurements in the RHR system when the RHR pumps are not running, and sometimes core exit thermocouples have not been kept operable even though the vessel head was installed.
• Potential problems associated with water level indications have been observed, including damaged or incorrectly installed instrument tubing (or both), lack of independence, and poor maintenance.
• At some plants, the RHR system is not being monitored for problems that foreshadow system failure.
6.6.1.2 Alternate Residual Heat Removal Methods
In response to the incident investigation team's report of the loss of ac power at the Vogtle plant (NUREG-1410), the staff, with the assistance of the Idaho National Engineering Laboratory, has conducted in-depth studies of passive, alternate methods of RHR heat removal that could potentially be used when the RHR system is unavailable. The initial study (EGG-EAST-9337) identified fundamental passive cooling mechanisms that could be viable for responding to an extended loss of RHR and evaluated plant conditions and procedural actions that could be used to exploit those mechanisms, as well as problems in such exploitation. The important cooling processes include gravity drain of water from the RWST into the RCS, core water boiloff, and reflux cooling. A second study (published in April 1992, NUREG/CR-5820) examined the transient response of a PWR with U-tube steam generators following a loss-of-RHR event using the RELAP5/MOD3 reactor analysis code with a model modified for reduced inventory conditions. The significant findings from these studies are discussed below.
Gravity Drain from the Refueling Water Storage Tank. Most, but not all, PWRs are theoretically capable of establishing a drain path between the RWST and the RCS. However, the relative elevation difference between the RWST and the RCS, which determines how much water is available, can vary significantly from plant to plant. Under ideal conditions for a spectrum of plants studied, RWST feed-and-bleed of the RCS could maintain flow to the vessel and remove decay heat for as little as 0.4 hour for one plant to as
much as 18 hours for another, assuming the loss of RHR occurred 2 days after shutdown; for unthrottled flow, the times are 0.2 hour and 5.2 hours.

Gravity Feed From Accumulators or Core Flood Tanks. The limited liquid contents in accumulators or core flood tanks makes their use of marginal value in terms of long-term core cooling. However, if properly controlled, water flow from accumulators can provide core cooling for several hours following an event occurring 2 days after shutdown. From the perspective of operators trying to restore normal cooling system or source of ac power, this amount of time is significant.

Reflux Cooling. Initiation of reflux condensation cooling depends on the ability of steam produced by core boiling to reach condensing surfaces in the steam generator U-tubes. During a plant shutdown condition, the reactor coolant level may be at reduced inventory with air or nitrogen occupying the upper volumes of the primary system. This air inhibits steam flow from the reactor vessel to the steam generator U-tubes. Important aspects of reflux initiation are (1) the initial reactor coolant water level, (2) the need to establish and preserve horizontal stratification of the liquid in the hot legs, (3) the primary system pressure needed to establish a sufficient condensing surface, and (4) the possible need for draining or venting the primary system in order to obtain a stable reflux cooling mode at an acceptable pressure.

The ability to remove decay heat through one steam generator by reflux condensation following a loss-of-RHR event during reduced inventory operation represents an alternative way to remove decay heat, one that does not require adding water to keep the core covered with a two-phase mixture. In many instances, nozzle dams are installed in the hot-leg and cold-leg penetrations to one or more steam generators, and the reactor vessel head is installed with air in the unfilled portion of the RCS above the water level. Should the RHR system fail, the peak pressure and temperature reached in the RCS are important since the nozzle dams must be able to withstand these conditions to prevent a loss-of-coolant accident. Failure of a hot leg nozzle dam would create a direct path to the containment through an open steam generator manway. Such an event could also result in peak RCS pressures sufficient to cause leakage past the temporary thimble seals used to isolate the instrument tubes. These thimble seals are used during plant outages while nuclear instruments are retracted from the reactor (see NUREG-1410).

Analyses were performed in the NUREG/CR-5820 study to identify the time to core uncovery due to the failure of the hot-leg nozzle dam with the manway removed from the steam generator inlet plenum. Nozzle dams were assumed to fail at 25 psi (172 kPa). The actual failure pressure is not well known and likely varies among different designs. An analysis was also performed to determine the time to core uncovery if water was lost via guide tubes that connect to the bottom of many reactor vessels.

The results of the analyses are as follows:

- Analyses of the loss of the RHR system from mid-loop operation at 1 day and 7 days following shutdown reveal that the RCS can reach peak pressures in the 25-psig (172-kPa) range when a single U-tube steam generator is used for RHR. Moreover, RCS peak pressure is insensitive to decay heat level or to the time of loss of RHR system following shutdown.

- Additional analyses of the use of U-tube steam generators for RHR show that RCS peak pressures approach 80 psig (552 kPa) with initial RCS water levels above the top elevation of the hot leg. At these higher water levels, calculations indicate that fluid expansion fills the steam generator tubes with sufficient liquid to prevent RHR until pressures reach 80 psi (552 kPa) or until sufficient primary to secondary temperature difference is established. Peak RCS pressure is, therefore, sensitive to the initial liquid levels at the time the RHR system is lost.

- Since RCS pressures near the design conditions for nozzle dams and temporary thimble seals can be attained, the successful use of the steam generators as an alternative RHR mechanism is not assured. The loss of the RHR system with initial RCS water levels above the top of the hot leg suggests that using the steam generators as an alternative means of decay heat removal will result in sufficient pressure to challenge the integrity of temporary boundaries in the RCS.

- Analyses of the failure of the RCS temporary boundaries (i.e., nozzle dams and thimble seals) or openings such as the safety injection line demonstrate that if the RHR system fails within the first 7 days following shutdown, there is very little time (i.e., about 30 to 90 minutes) to prevent core uncovery under worst core condition involving a nozzle dam failure.

6.6.2 Boiling-Water Reactors

During a normal shutdown, initial cooling is accomplished by using the main turbine bypass system to direct steam to the main condenser, and by using the condensate and feedwater systems to return the coolant to the reactor vessel. The circulating water system completes the heat transfer path to the ultimate heat sink. This essentially is the same heat transport path as is used during power operation, except that the main turbine is tripped and bypassed and the steam, condensate, and feedwater systems are operating at a greatly reduced flow rate.

When the steam and power conversion system is not available, high-pressure shutdown cooling is achieved by isolation condensers (early BWRs) or by the reactor core isolation cooling (RCIC) system (later model BWRs). No BWRs have both isolation condensers and an RCIC system.

The RHR system provides for post-shutdown core cooling of the RCS after an initial cooldown and depressurization to about 125 psig (862 kPa) by the steam and power conversion system, the isolation condensers, or the RCIC system. Early BWRs have dedicated RHR systems that are separate from the low-pressure ECCS subsystems. Later model BWRs have multi-mode RHR systems that perform the shutdown cooling function as well as a variety of ECCS and primary containment cooling functions. The RHR shutdown cooling suction line is opened to align the suction of the RHR pumps to a reactor recirculation loop on the suction side of an idle recirculation pump. Flow is established through the RHR heat exchangers, and the primary coolant is then returned to the reactor vessel via a recirculation line (on the discharge of an idle recirculation pump) or a main feedwater line (later model BWRs only).

The RHR heat exchangers transfer heat to the RHR service water system. The RHR service water system is a single-phase, moderate-pressure system that is dedicated to providing cooling water for the RHR heat exchangers. In later model BWRs (BWR/5s and BWR/6s), RHR cooling is supplied by an essential service water system that also provides cooling for other safety-related components. In either case, the service water systems may operate on an open, closed, or combined cycle. The service water and the circulating water systems may operate on different cooling cycles (i.e., a closed-cycle service water system and an open-cycle circulating water system).

Because of the relatively high discharge pressure of the RHR service water pumps (about 300 psid (2068 kPa)), the service water system can be used in an emergency to flood the BWR core or the primary containment. This capability is implemented by opening the cross-tie between the service water system and the RHR return line to the RCS. In a multi-mode RHR system, this return line branches to the reactor vessel, the suppression pool, and the drywell.

Loss of Residual Heat Removal Capability

As indicated in Chapter 2, the frequency and significance of precursor events involving reduction in reactor vessel water level or loss of RHR (or both) in BWRs have been less than for PWRs. One reason for this is that BWRs do not enter a reduced inventory or midloop operating condition as do PWRs. Another reason is that a reduction in reactor vessel (RV) water level will normally be terminated by the primary containment and RV isolation system before the level falls below the suction of the RHR pumps.

Should RHR be lost, operators can usually significantly extend the time available for recovery of the system by adding water to the core from several sources, including condensate system, low-pressure coolant injection (LPCI) system, core spray (CS) system, and control rod drive (CRD) system. Adding inventory raises water to a level that can support natural circulation. In the event that RHR cannot be recovered in the short term, alternate RHR methods covered by procedures are normally available. The particular method selected will depend on the plant configuration and the decay heat load. If the RV head is tensioned, the reactor pressure vessel (RPV) is first allowed to pressurize and then steam is dumped to the suppression pool via a safety-relief valve (SRV), and makeup water is provided by one of the water sources listed above. If the condenser and condensate system are available, decay heat can be removed by dumping steam to the condenser and adding makeup water from the condensate and feedwater system. If the vessel head is detensioned, decay heat must be removed without the RPV pressurized. For some BWRs, this requires multiple SRVs to dump steam to the suppression pool and cooling the suppression pool by recirculating water using the CS or LPCI pumps. For all cooling methods involving the suppression pool, suppression pool cooling must be initiated in sufficient time to prevent suppression pool temperature from becoming so high that the pumps lose net positive suction head. If the RPV head is removed and the main steamline plugs are put in place, the preferred method of RHR is to flood the reactor cavity and place the fuel pool cooling system in operation or utilize the reactor water cleanup system. A second undesirable, but nevertheless effective, alternative is to boil off steam to the secondary containment and add makeup water from any source capable of injecting water at a rate of a few hundred gallons per minute. As discussed in Section 6.9.1, this method of RHR can lead to failure of the secondary containment.

The findings of the accident sequence precursor analysis discussed in Chapter 2 indicate that BWRs experience fewer and less severe loss-of-RHR incidents than PWRs. In addition, the review of BWR alternate RHR methods indicates significant depth and diversity. For these reasons, the staff concludes that loss of RHR in BWRs during shutdown is not a significant safety issue as long as the equipment (pumps, valves, and instrumentation) needed for these methods is operable and clear procedures exist for applying the methods.

6.7 Temporary Reactor Coolant System Boundaries

In the course of the evaluation, the staff identified and examined plant configurations used during shutdown operations involving temporary seals in the reactor coolant system. This includes freeze seals that are used in a variety of ways to isolate fluid systems temporarily, temporary
plugs for nuclear instrument housings, and nozzle dams in PWRs. The staff has noted instances in which failure of these seals, either because of poor installation or an overpressure condition, can lead to a rapid non-isolable loss of reactor coolant. This concern is of special importance in PWRs because the emergency core cooling system (ECCS) is not designed to automatically mitigate accidents initiated at pressures below a few hundred psig and is not normally fully available for manual use during these conditions. In BWRs, the ECCS is required to be operable during cold shutdown, and during refueling when there is fuel in the reactor vessel and the vessel water level is less than 23 feet above the reactor pressure vessel flange. In addition, the ECCS is actuated automatically when water level is low in the reactor vessel.

6.7.1 Freeze Seals

Freeze seals are used for repairing and replacing such components as valves, pipe fittings, pipe stops, and pipe connections when it is impossible to isolate the area of repair any other way. Freeze seals have been used successfully in pipes as large as 28 inches (71 cm) in diameter. However, as a result of inadequate use and control, some freeze seals have failed in nuclear power plants, and some of the failures have resulted in significant events. This has raised a question regarding the adequacy of 10 CFR 50.59 safety evaluations of freeze seal applications.

To assess problems associated with freeze seals, the staff reviewed the operational experience on freeze seal failures, safety-significant findings on freeze seal failures, industry reports on freeze seal use and installation, and the applicability of industry guidance (NSAC-125) for performing safety evaluations on freeze seal applications.

6.7.1.1 Operational Experience on Freeze Seal Failures

River Bend, 1989. Failure occurred in a freeze plug (used in a 6-inch [15 cm] service water line to allow inspection and repair work on manual isolation valves to a safety-related auxiliary building cooler). The failure caused a spill of approximately 15,000 gallons (56,781 L) of service water into the auxiliary building and caused the loss of non-safety-related electrical cabinets (i.e., shorting and an electrical fireball damaged cabinets and components). Draining water also tripped open a 13MV supply breaker, leading to loss of the RHR system, spent fuel pool cooling system, and normal lighting in the auxiliary and reactor buildings. The leak was isolated in 15 minutes and the RHR system restarted in 17 minutes.

Oconee 1, 1987. Approximately 30,000 gallons (113,562 L) of slightly radioactive water leaked into various areas of the auxiliary building, and a portion drained beyond the site boundary when a freeze plug (used to facilitate replacement of a 3-inch diameter [7.6 cm] section of low-pressure injection piping) failed.

Brunswick 1, 1986. Failure of a freeze seal (used in the discharge piping of the control rod drive system pump 1A) caused hydraulic perturbation to a high-level/turbine instrument, resulting in a feed pump trip and subsequent automatic scram at 100-percent power.

The freeze seal failure at River Bend prompted a visit by an NRC augmented inspection team (AIT) to perform an onsite inspection shortly after the event. The AIT found

- inadequate control of freeze seal work
- lack of training for personnel performing the work
- lack of awareness by plant personnel of the potential for freeze seal failure
- flooding that exceeded the design capacity of the floor drain system
- no damage to safety-related equipment

A 10 CFR 50.59 safety evaluation of the freeze seal operation was not performed. The plant operating procedure was subsequently revised to include corrective measures for freeze seal installation and control. However, the licensee included no statement to ensure or require that a 10 CFR 50.59 safety evaluation be performed before allowing use of a freeze seal.

In regard to the incident that occurred at Oconee, the NRC cited the utility for inadequate freeze seal procedures. A review of the licensee's freeze seal "safety evaluation checklist" found that the checklist questions were similar to 10 CFR 50.59 questions. However, the checklist was not processed through the licensee's safety committee, as would have been done for a formal 10 CFR 50.59 safety evaluation.

Information Notice 91-41, "Potential Problems With the Use of Freeze Seals," identified potential problems related to the freeze seal in PWRs and BWRs, specifically including both the River Bend and Oconee 1 incidents. The information notice indicated that freeze seal failure in a PWR reactor boundary system could result in immediate loss of primary coolant. In BWRs, failure of a freeze seal in a system connected to the vessel's lower plenum region, such as the reactor water cleanup (RWCU) system, could result in the water level in the reactor vessel falling below the top of the active fuel. The estimated time for this to occur is less than 1 hour if the seal failed completely and makeup water was not added to the reactor. The information notice indicated concerns that freeze seal failures in secondary systems can also be significant because of the potential for consequential failures, such as the loss of RHR in the River Bend event. The information notice identified procedural inadequacies that resulted in a failure to install and monitor a temperature detection device, and a lack of personnel training in the use of freeze seals. Other important considerations identified in the notice included: "examining training, procedures, and contingency plans associated with the use of freeze seals, and evaluating the need for and availability of additional water makeup systems and their associated support systems." No specific statement was included regarding the applicability of a 10 CFR 50.59 safety evaluation.

6.7.1.2 Industry Reports on Use and Installation of Freeze Seals

In February 1989, the Electric Power Research Institute issued EPRI NP-6384-D, "Freeze Sealing (Plugging) of Piping," to guide nuclear power plant maintenance personnel in evaluating the use of freeze seals. The guide cautioned personnel on the use of freeze seals and discussed contingency plans should freeze seals fail.

The Battelle Columbus Laboratories issued a final report, "Development of Guidelines for Use of Ice Plugs and Hydrostatic Testing," in November 1982; the report discussed the potential hazards associated with ice plugs and gave guidelines for plug slippage, restraint, pressure, impact loads, and stress arising from handling. Defects and personnel safety were also discussed.

6.7.1.3 NSAC-125, "Industry Guidelines for 10 CFR 50.59 Safety Evaluations"

NSAC-125, issued in June 1989 by the Nuclear Management and Resources Council (NUMARC), gave the industry guidelines for performing 10 CFR 50.59 safety evaluations. The document provided industry guidance on the thresholds for unreviewed safety questions, the applicability of 10 CFR 50.59, and the procedures for performing 10 CFR 50.59 safety reviews for facility changes, tests, or experiments at nuclear power stations. The staff's review of NSAC-125 identified the following as appropriate guidance for the applicability of the 10 CFR 50.59 safety evaluation to the use of freeze seals as temporary modifications and the application of the 10 CFR 50.59 determination of whether an unreviewed safety question exists for the freeze seal installation: "Temporary changes to the facility should be evaluated to determine if an unreviewed safety question exists. Examples of temporary modifications include jumpers and lifted leads, temporary lead shielding on pipes and equipment, temporary blocks and bypasses, temporary supports, and equipment used on a temporary basis."

Although the use of freeze seals as a temporary block is not specifically identified, freeze seals perform the "temporary block" function and, therefore, the staff finds they conform with the NSAC-125 definition of "temporary modifications."

6.7.1.4 Results and Findings

- For BWRs, failure of a freeze seal in a system connected to the vessel's lower plenum region such as the RWCU system, could cause the core to become uncovered in less than 1 hour if the seal failed completely and the ECCS failed to perform its intended function of adding makeup water to the reactor.
- NSAC-125, industry guidance for applying 10 CFR 50.59, covers temporary modifications, but does not discuss freeze seals specifically.
- Temporary modifications using freeze seals are not being evaluated per 10 CFR 50.59.
- Industry guidance exists for using freeze seals with contingency plans.
- Operating experience indicates that freeze seal failures could constitute safety problems.

6.7.2 Thimble Tube Seals

The arrangement of the incore instrumentation assemblies in many PWRs may be visualized by considering one end of an approximately 1-inch (2.5-cm)-diameter tube as welded to the bottom of the reactor vessel and the other end welded to the seal table. This tube provides a penetration into the reactor from below, with the opposite end containing a high-pressure seal during power operation. This "guide" tube is a permanent part of the reactor coolant system pressure boundary.

A thimble tube that has a closed end is inserted into the guide tube, closed end first, and is pushed through the guide tube until it extends up into the reactor core. The thimble tube is then sealed to the guide tube by a high-pressure, Swagelok-type fitting at the seal table, thus forming a watertight assembly with the area between the tubes containing reactor coolant system water and the inside of the thimble tube open to the containment building. The space between the tubes is subjected to reactor coolant system pressure during power operation.

Preparation for refueling involves withdrawing the thimble tubes out of the core. Thus, the normal seal between the Swagelok-type thimble tube and the guide tube at the seal table must be opened.

Once the thimble tube is withdrawn from the core region, the annular gap is closed, often by a temporary seal comprising split components and rubber gaskets. Temporary thimble tube seals have a typical design pressure of 25 psi (172 kPa), so that a significant overpressurization could
cause them to fail. This would cause a leak that is effectively in the bottom of the reactor vessel.

The thimble tubes in plants designed by Babcock and Wilcox (B&W) terminate in an "incore instrumentation tank" that is open at the top, at the refueling floor level, with the bottom at roughly reactor vessel flange level. No temporary seals are used and the tank fills with water (or is filled) so that tank and refueling cavity water level remain the same. There can be times during typical refueling outages when the tank is open to the containment at the bottom and when some of the guide tubes are empty, thus providing a potentially significant flow path between the bottom of the reactor vessel and the incore instrumentation tank as well as to the containment.

Most units designed by Combustion Engineering (CE) do not use such bottom-entering incore instrumentation as described above. The staff understands that the few that do, use a B&W-type arrangement and terminate the tubes in the refueling cavity rather than a separate tank.

Analysis of Leakage Via Instrument Tube Thimble Seal Failure

Leakage due to instrument tube thimble seal failure in a Westinghouse-designed plant was analyzed to determine how long it takes to uncover the core when one steam generator is used to remove decay heat following a loss of RHR. This analysis is part of the transient thermal-hydraulic analysis of the loss of RHR in a PWR discussed in Section 6.6.1.2.

Thimble seal failure in the instrument tubes was assumed to occur when system pressure reached 20 psig (138 kPa). This value was chosen to investigate the consequences of failure of the thimble seals and may not reflect actual failure pressures for seals. For this analysis, it was assumed that there were 58 thimble seals and all of these seals fail, once the assumed failure pressure is achieved. The break flow area selected for the analysis was based on the cross-sectional area of the thimble tube. This bounds the actual area which is more accurately represented by the annular area between the thimble tube and guide tube. The failure was assumed to be located at the seal table, which is at the elevation of the reactor vessel flange for the plant modeled. The tubes are connected to the vessel at the bottom of the lower head and are collected at the seal table resulting in an elevation difference between these two locations of about 7.' S feet (6.7 m).

The RCS was initialized with water at 90 °F (32 °C) at a level at the centerline of the hot and cold legs. One steam generator was available. Air at 90 °F (32 °C) and 100-percent relative humidity is present in all volumes above the centerline of the hot and cold legs. The decay heat power level corresponding to 1 day after shutdown was conservatively assumed for the three-loop plant modeled in this analysis 10,900 Btu/s (11.5 MW).

Thimble seal failure is predicted to occur at about 1.6 hours after the RHR system is lost. Core uncovery in this conservative analysis is predicted to occur about 20 minutes later if makeup is not provided.

6.7.3 Intersystem Loss-of-Coolant Accidents in PWRs

Intersystem loss-of-coolant accidents (ISLOCAs) are a class of accidents in which a break occurs in a system connected to the reactor coolant system (RCS), causing a loss of RCS inventory. This type of accident can occur when a low-pressure system is inadvertently exposed to high RCS pressures beyond its capacity. During shutdown operations, this would most likely involve the RHR system that interfaces directly with the RCS via the hot leg. Because of a higher primary pressure present in PWRs, as compared to BWRs, and the more significant precursor events in PWRs, there is greater concern for ISLOCAs in PWRs. However, in all cases, the ISLOCAs of most concern are those that can discharge RCS fluid outside the reactor containment building. In those ISLOCAs, the lost RCS inventory cannot be retrieved for long-term core cooling during the recirculation phase.

The principal cause for an ISLOCA in a PWR during shutdown is overpressurization of the RHR system. Inspections and analyses conducted by the staff indicate that in PWRs this could be caused by human errors, notably "ND - " D " *dd pc y heat removal capability combined with a failure of isolation valves between the RCS and RHR system to close, such as during a station blackout.

The consequences of an ISLOCA during shutdown are not expected to be significantly different from those of other shutdown-related loss-of-RHR accidents and loss-of-coolant accidents discussed previously in this chapter. This is because these accidents may very well involve an open containment, and also lack of recirculation capability due to failure of low-pressure injection pumps or a blocked containment sump.

In light of this, the staff has concluded that the risk from an ISLOCA during shutdown can be reduced significantly by (1) improving training in pertinent operations and procedures, (2) establishing contingency plans that provide for conservation and replenishment of RCS inventory in the event of an accident, and (3) planning and conducting shutdown operations in a way that maximizes availability of electric power sources.
6.8 Rapid Boron Dilution

The staff, with the assistance of Brookhaven National Laboratory (BNL), has completed a study of rapid boron dilution sequences which might be possible under shutdown conditions in PWRs; the NRC issued this report as NUREG/CR-5819. Concerns relating to rapid boron dilution during a PWR startup were raised by the French regulatory authority in its shutdown PRA study. These sequences are the result of a two-step process. In the first step it is assumed that unborated (or highly diluted) water enters the normally borated reactor coolant system (RCS) while the reactor coolant is stagnant in some part of the primary system. This diluted water is then assumed to accumulate in this region without significant mixing. The second step is the startup of a reactor coolant pump (RCP) so that the slug of diluted water will rapidly pass through the core with the potential to cause a power excursion sufficiently large to damage the core. Other variations to this two-step process include (1) having the slug forced through the core by the inadvertent blowdown of an accumulator and (2) having a loop isolated using loop stop valves and, after the loop becomes diluted, opening the loop stop valves while the RCPs are running.

6.8.1 Accident Sequence Analysis

This study considered both probabilistic and deterministic aspects of the problem and focused on what is expected to be the most likely of the several sequences that were identified as leading to a rapid dilution. This particular sequence starts (see NRC Information Notice 91-54) with the highly borated reactor being deborated as part of the startup procedure. The reactor is at hot conditions with the RCPs running and the shutdown banks removed. Unborated or diluted water is being pumped by charging pumps from the volume control tank into the cold leg. The initiating event is a loss of offsite power (LOOP). This causes the RCPs and the charging pumps to trip and the shutdown rods to scram. The charging pump comes back on line quickly when diesel generators start up. Charging continues until the volume control tank is empty and it is assumed that there is little mixing with the water in the RCS so that a region of diluted water accumulates in the lower plenum. It is then assumed that power is recovered so that the RCPs can be restarted. This is assumed to occur after sufficient diluted water has accumulated so that the slug of diluted water which then passes through the core has the potential to damage the fuel.

The probabilistic analysis was done for this scenario for a CE plant (Calvert Cliffs), a B&W plant (Oconee), and a Westinghouse (W) plant (Surry). The reactor systems and operating procedures involved in the scenario were reviewed, and accident event trees were developed. The analysis focused on the specific arrangement of the makeup and letdown systems and the chemical and volume control system. The startup and dilution procedures were important, as were the procedures to recover from a LOOP.

The initiating frequency of the scenario was considered for both refueling and non-refueling outages and varied from 2.0x10 d per reactor-year to 6.0x10_e per reactor-year, depending on the reactor. The probability that the injected water would cause a region of diluted water before an RCP was started was treated as a time-dependent function. It was assumed that there was no mixing of injectant after refueling and sufficient mixing after a non-refueling outage to reduce the probability of core damage by a factor of 0.5. However, the core-damage probability is not constant in time because it takes time to accumulate sufficient diluted water, and because, after emptying the volume control tank, the suction from the charging pump switches to a source of highly borated water. The time dependence of the probability of restarting an RCP was also taken into account. The resulting core-damage frequency was found to vary from 1.0x10^-5 to 3.0x10^-5 per reactor-year.

6.8.2 Thermal-Hydraulic Analysis for the Event Sequence

A key assumption in the probabilistic analysis is that the injectant does not mix with the existing water in the RCS so that a diluted region accumulates in the lower plenum. This assumption was tested by using mixing models to determine to what extent charging flow mixes with the existing water when it is injected into a loop that is either stagnant or at some low natural circulation flow rate insufficient to provide complete mixing. These mixing models are based on the regional mixing models that were developed to understand the thermal mixing of cold injectant into the "cold" leg which is at a much higher temperature. The thermal mixing problem was originally of interest for the problem of pressurized thermal shock.

The regional mixing model has been utilized to calculate the boron concentration in the mixed fluid when the unborated, cold, injected water mixes with the hot water in the cold leg which is taken to have a boron concentration of 1500 ppm. The model specifically considers the mixing region near the point of injection and at the end of the cold leg where the flow is into the downcomer, and ignores mixing in the downcomer or lower plenum.

The model was applied to the Surry and Calvert Cliffs plants under the assumption of no loop flow. The finding was that there is considerable mixing so that the water in the lower plenum would have a boron concentration that is only 400-600 ppm less than that originally in the core. On the basis of the neutronic calculations explained below, this is insufficient to cause a power excursion when an RCP is restarted, unless the core design results in both a very low Doppler reactivity coefficient and a very low
l
shutdown bank reactivity worth. It is difficult to generalize these results as they are dependent on specific plant parameters defining the loop geometry and the charging flow.

6.8.3 Neutronics Analysis

The neutronics of this problem was studied to understand the consequences of having a slug of diluted water pass through the core. In order to do simple scoping calculations, the staff took a synthesis approach. This approach combines steady-state, three-dimensional core calculations of boron reactivity worth under different configurations with point kinetics calculations of the resulting power transient.

The steady-state calculations were done with the NODEP-2 nodal code. The output from these calculations is the static reactivity worth of a diluted slug as a function of position of the slug as it moves through the core. The two basic shapes that have been considered are a semi-infinite slug (step function) and a finite slug (rectangular wave function) with a volume of 535 cubic feet (15 m3). The calculations were done with different dilutions, relative to the 1500 ppm assumed as the initial state of the core. In addition to a radially uniform slug, two other geometries were considered. In one, the slug was localized in the center 49 assemblies, and in another, the slug was found at two peripheral locations affecting 50 assemblies. The calculations provided not only reactivity versus position of the leading edge of the slug but also the Doppler weight factors for use in the kinetics calculations.

The dynamics calculations included the neutron kinetics as well as a simple fuel rod conduction model to calculate a more accurate fuel temperature than would be obtained by making an adiabatic assumption. The calculated peak fuel enthalpy was used as the criterion to judge whether fuel had been damaged. If the calculated peak fuel enthalpy exceeded 280 calories per gram (1172 J/gram), catastrophic fuel damage involving a change in geometry was assumed to occur. The peak fuel enthalpy was calculated using the time-dependent power and a power peaking factor taken from the static three-dimensional calculation at the condition corresponding to the time of the peak power.

The results show that fuel damage could occur if the boron concentration in a semi-infinite slug is reduced to 750 ppm, corresponding to an equal mixing of injected water at 0 ppm and reactor coolant at 1500 ppm. These results are dependent on the worth of the shutdown banks and on the Doppler reactivity coefficient; calculations were done to determine this sensitivity.

6.8.4 Other Analyses

Transient calculations somewhat similar to these studies have been done by several other groups. Two examples follow:

(1) Westinghouse (S. Salah et al.) performed calculations for a situation wherein the loop stop valves are both cold (down to 70 °F [21 °C] from 547 °F [286 °C]) and completely unborated due to an unknown mechanism. W used a three-dimensional neutron kinetics analysis to assess the core response when the loop stop valves were assumed to open while the RCPs were running. All rods were assumed to be initially out of the core and, hence, the worth of the scram reactivity (not including the assumed "stuck rod") would be about 6- or 7-percent delta-k. The result, for an initial 1500 ppm boron concentration, was (a) integrated core power not above normal core average power, but (b) localized fuel damage in the cold, unborated, stuck rod core region, involving only about 3 percent of the fuel and "not sufficient energy release to break the integrity of the primary system."

(2) Calculations performed as part of a thesis (S. Jacobson) examined similar transients with various dilution scenarios. The steam generator tube rupture/accumulation of a diluted region during primary pump shutdown/rapid core dilution following pump turn-on was the most significant event found in the study. The conclusion drawn from this study was that the fuel failure criterion (similar to that used in the BNL studies above) is not exceeded.

The review and analysis of rapid boron dilution events during shutdown appear to indicate that core damage may occur for assumed extreme sets of event parameters, including a necessary assumption of minimal mixing of diluted and borated water, and may occur with a frequency of the order of 10^-5 per reactor-year. These events can be prevented by the use of appropriate procedures which anticipate the possibility of dilution in various recognized situations and prevent it, or prevent the inappropriate starting of pumps until suitable mixing procedures are carried out.

6.9 Containment Capability

6.9.1 Need for Containment Integrity During

The NRC staff performed scoping calculations of core heatup for a Westinghouse four-loop PWR to allow assessment of containment response and a potential release. For loss of RHR during midloop operations, the time to heat the core to boiling was calculated as 8 minutes. Once boiling began, the reactor vessel level could
decrease to the top of the active fuel in as little as 50 minutes. This calculation assumed that the reactor had operated for a full cycle and had been shut down for 48 hours. Additionally, 35 percent of the reactor coolant inventory between the top of the active fuel and the middle of the hot leg was assumed to spill from the RCS.

PWRs have containment structures that are classified as large dry, subatmospheric, or ice condenser. For any of these containment designs, the reestablishment of containment integrity before core damage occurs is important for reducing offsite doses. The effect of a primary containment in reducing the offsite dose consequences is evaluated by comparing what might occur if the containment were open to what might occur if the fission products remained within the closed containment. An open containment would allow direct release of steam and fission products to the atmosphere; holdup in the containment would allow plateout and decay to occur.

Offsite dose consequences from a postulated severe accident were evaluated with and without a containment in the NRC "RTM-91: Response Technical Manual," NUREG/BR-0150. RTM-91 evaluated offsite dose at a distance of 1 mile from a typical site for varying degrees of core heatup and damage. The values used there were based on the assumption that the release occurs immediately after shutdown. In one case, the dose was evaluated for an accident causing damage only to the fuel cladding with release of the volatile fission products stored in the fuel pin gap space. The dose rate from further heating included the release of the volatile fission products retained in the grain boundary regions within the fuel pellets and, finally, release following a postulated core melt was considered. Without the benefit of containment retention, the doses 1 mile (1.6 km) from the plant would be high, ranging from 20 rem (0.2 Sv) (whole body) and 2000 rem (20 Sv) (thyroid) for a gap release to 1000 rem (10 Sv) (whole body) and 100,000 rem (1000 Sv) (thyroid) for a postulated core melt.

A release 48 hours after shutdown would also have severe consequences since most of the dose to the thyroid would come from inhaling iodine-131. Iodine-131 has a half-life of 8.1 days for a dose reduction by a factor of 0.84 after 48 hours. The whole-body dose would be somewhat more affected by a prior shutdown of 48 hours since short-lived isotopes make up about 80 percent of the whole-body dose following an immediate release. The whole-body dose 1 mile (1.6 km) from the plant would be about 200 rem (2 Sv) considering 48-hour decay. This would come principally from iodine-131 with its 8.1-day half-life. Further retention of the fission products prior to release would cause the offsite dose to be reduced by about 97 percent of the initial release value, with long-lived cesium isotopes as the principal contributors to dose. These estimates assumed release of 25 percent of core iodine and 1 percent of particulates. The evaluations are appropriate for large dry PWR containments, subatmospheric containments, and ice condenser containments for which the ice bed was bypassed by the escaping steam. For releases through the ice bed, reduction factors of between 0.3 and 0.5 are expected.

The effect of holdup and plateout in the containment on offsite dose was determined in RTM-91 to be significant. With a 24-hour holdup in the containment and with design leakage assumed, calculated offsite doses are reduced to 5x10^-5 rem (5x10^-1 µSv) (whole body) and 4x10^-3 rem (4x10^1 µSv) (thyroid) for the gap release case and 0.002 rem (0.02 mSv) (whole body) and 0.2 rem (2 mSv) (thyroid) for the core-melt case. Thyroid and whole-body doses are further reduced by factors of 5 and 3, respectively, if the containment spray was operated during the event. Doses would, of course, be increased by any subsequent containment failure and revaporization of fission products that might occur following a hypothetical accident involving core damage.

BWRs are not typically operated in a reduced inventory condition as are PWRs. However, 2 days into an outage, a BWR/4 (such as Browns Ferry) may have as little as 205 inches (521 cm) of reactor coolant above the top of the active fuel. If shutdown cooling were lost, boiling would begin in 28 minutes. The reactor vessel water level would be at the top of the active fuel 308 minutes later. This corresponds to a steam flow rate of 24,800 cubic feet per minute (702 m3/min) into the Mark I secondary containment with the drywell head removed for refueling.

This flow into the secondary containment could increase the internal pressure to 0.5 psig (3.4 kPa) in 5 minutes. Such pressure is significant because the secondary panels are designed to blow out at 0.5 psig (3.4 kPa), releasing steam and fission products directly to the atmosphere. The calculation to determine the time to secondary containment failure was based on an energy balance after depositing 285,000 pounds (129,273 kg) of steam into the secondary containment. The heat sink inside the secondary containment is made up of structural steel and air. No secondary system leakage was assumed.

Two other calculations were performed to determine the secondary containment's sensitivity to changes in the mass of structural steel and air inside the secondary containment. The first calculation increased the mass of steel inside the secondary containment by five times that used in the previous calculation. This increased the amount of time for the secondary containment to reach 0.5 psig (3.4 kPa) from 5 minutes to 6 minutes. The second calculation decreased the volume of the secondary containment from 4 million cubic feet (113,267 m3) to 2 million cubic feet (56,633 m3). That resulted in decreasing the amount of time from 5 minutes to 3 minutes for the secondary containment to reach 0.5 psig (3.4 kPa). This sensitivity
study was necessary because secondary containment designs and sizes vary from plant to plant.

RTM-91 also evaluated offsite doses at a distance of 1 mile from a typical BWR site for varying degrees of core heatup and damage. If the drywell head were removed, the release could go directly into the secondary containment and through the blowout panels for Mark I and II secondary containments, bypassing standby gas treatment. As in the PWR evaluation, the dose was calculated for releases from three cases: the fuel pin gap space, the grain boundary, and core melt. The BWR doses would range from 20 rem (whole body) (0.2 Sv) and 2000 rem (20 Sv) (thyroid) for a gap release to 1000 rem (10 Sv) (whole body) and 100,000 rem (1000 Sv) (thyroid) for a postulated core melt. These are the same doses listed for the PWR case.

RTM-91 Table C-3 gives a reduction factor of 0.01 for dry low-pressure flow and 1.0 for wet high-pressure flow through the standby gas treatment system filters. Considering the fact that 24,800 cubic feet per minute (702 m3/min) of saturated steam is being deposited inside the secondary containment and a typical standby gas treatment exhaust fan is only rated for 5000 cubic feet per minute (142 m3/min), the flow through the standby gas treatment system will be closer to the wet high-pressure case and the dose will not be significantly reduced.

6.9.2 Current Licensee Practice

GL 88-17 was issued to PWR licensees and required, among other things, implementation of procedures and administrative controls that reasonably assure that containment closure will be achieved before the time that RPV water level would drop below the top of the active fuel following a loss of shutdown cooling under reduced inventory conditions. The NRC staff assessed whether the requirements of GL 88-17 were in place by implementing special inspections at each site under the inspection guidance in Temporary Instructions TI-2515/101 and 2515/103. The Vogtle Incident Inspection Team recognized the need to develop broader recommendations for low-power and shutdown operation. This led to the NRC staff's program to visit selected plant sites undergoing low-power/shutdown operation (see Chapter 3). The staff also observed a variety of practices at the sites. For PWRs, the staff noted that licensees did not meet the recommendations of GL 88-17. Some licensees went beyond the recommendations of GL 88-17 by providing procedures for rapid containment closure for plant conditions other than reduced inventory.

Closure of the equipment hatch would be required for maintaining containment integrity. In one case, a polar crane would have to be used. Some licensees utilized the equipment hatch as a passageway for electrical cables and hoses. At these sites, rapid removal of this equipment was provided for by the use of quick disconnects. Some plants also provided bolt cutters and axes for contingency use. One of the sites visited demonstrated an equipment hatch closure capability requirement of within approximately 15 minutes of loss of RHR. The onsite review report noted that this was more often the exception than the rule.

Several factors are key to ensuring that the equipment hatch is closed in a timely manner. These include accounting for radiological and environmental conditions that could result from reactor coolant being boiled into the containment, addressing the number and location of closure bolts, providing for the loss of ac power, keeping tools needed for closing the equipment hatch near at hand, and finally, training and rehearsing personnel in the closure procedure. The closure of the equipment hatch in sufficient time is essential to keeping possible releases within established guidelines. These observations also apply to licensees with BWR Mark III primary containments. GL 88-17 was not sent to BWR licensees, and the onsite review report noted that these licensees have not made provisions for rapid equipment hatch closure.

A licensee, reporting a quarter-inch gap at the top of the equipment hatch when four bolts were used, found it necessary to use two more bolts to close the gap. GL 88-17 specified a no-gap criterion for hatch closure, but not every licensee confirmed that this condition was achieved. Tests or observations must be performed on internal equipment hatches to determine the location and minimum number of bolts needed to obtain an adequate closure. For external hatches, containment pressure effects on hatch closure must be considered along with the source term when evaluating the minimum number of bolts necessary to achieve an acceptable leak-tightness.

Procedures for controlling and closing containment penetrations varied widely. Some licensees did not initiate closure until temperatures exceeded 200 °F (93 °C). Above 200 °F (93 °C), boiling might begin quickly. The licensees, however, had not evaluated the in-containment environment and the ability of personnel to work in that environment to perform the necessary containment closure operations. Some plants require that the containment always be closed during midloop operations. One licensee interpreted this as meeting GL 88-17 recommendations and, therefore, did not develop procedures for rapid containment closure. Water-filled, U-pipe, loop-seal configurations found at several plants provided containment entry for electrical cables and tubing. The water-filled U-pipes were judged inadequate for withstanding containment pressure conditions that might exist following a loss of shutdown cooling.
6.9.3 PWR and BWR Equipment Hatch Designs

In order to gain a better understanding of primary containment capability in PWRs and BWRs during an accident that occurs while a plant is shut down, the staff gathered information on the design of equipment hatches from resident inspectors at U.S. plants.

The hatch survey was conducted using a questionnaire on specific equipment hatch characteristics. Answers to the questionnaire were tabulated and grouped under BWR or PWR. For BWRs, the survey asked for information on the equipment hatch that would be used only for removing a recirculation pump motor; the survey did not address removing and replacing a drywell head. The results of the survey are tabulated in Appendix H.

The majority of equipment hatches for both BWRs and PWRs were pressure-seating hatch designs (67% for BWRs, 86% for PWRs). For BWRs, the resident inspectors who were polled indicated that the equipment hatch (either recirculation pump motor or CRD hatch) would generally be removed along with the drywell head, but that removal of the equipment hatch alone was unlikely.

PWR equipment hatches consisted of 9 of the pressure-unseating type and 33 of the pressure-seating type. Of the plants surveyed, 52 required the use of ac power or compressed air (or both) to install the hatch under normal conditions, but five resident inspectors indicated that the licensee had a procedure for closing the hatch manually. Four plants with pressure-unseating hatches can use a truck-mounted crane to install the equipment hatch during a loss of normal ac power. Five PWR plants did not require the equipment hatch to be in place during fuel movement. They are Braidwood, Byron, Palisades, San Onofre 1 and Zion. These have their hatches located so that they open to the fuel handling building which has a heating, ventilation, and air conditioning system to process contaminated air during a fuel drop event.

Three PWR resident inspectors and the licensees for Catawba, McGuire, and Salem have noticed that the minimum number of bolts as specified in the technical specification is not sufficient to bring all hatch sealing surfaces into contact. A noticeable gap was present with use of the minimum number of bolts. Two licensees (Palo Verde and Summer) ran successful leak tests, an Appendix J (10 CFR Part 50) type A and a type B, with the minimum number of bolts installed. Discussion with two hatch vendors indicated that hatches have been designed so that the sealing surfaces should mate when the minimum number of bolts was installed. Ginna and Indian Point 2 have fabricated temporary closure plates that are used when the equipment hatch is removed, but temporary services are run into the containment. The Indian Point 2 temporary closure plate is rated for 3 psid (21 kPa) and has penetrations for fluid and electrical services.

6.9.4 Containment Environment Considerations for Personnel Access

6.9.4.1 Temperature Considerations

The NRC staff estimated that approximately 50,000 pounds (22,680 kg) of steam could be deposited inside the containment 1 hour after RHR in a W four-loop PWR occurring 2 days after shutdown. The steam is a result of boiling in the reactor coolant from the middle of the hot leg to the top of the active fuel, and it is assumed that 35 percent of the reactor coolant is spilled from the RCS. The staff assumed that the containment volume was 2 million cubic feet (56,633 m3) of dry air at 70 °F (21 °C) and that the containment environment after the event would consist of air and structural steel at an elevated temperature, steam, and condensed steam in the form of water. The calculation did not consider the containment fan coolers and assumed no leakage from the containment. Under these conditions, the staff expects the containment atmosphere to go from 70 °F (21 °C) and atmospheric pressure to 150 °F (66 °C) and 5.9 psig (40.7 kPa) in about 1 hour (see Figure 6.1).

This condition would be of concern because at about 160 °F (71 °C) the air is hot enough to burn the lungs. Therefore personnel inside the containment would have to be equipped with self-contained breathing apparatuses.

6.9.4.2 Radiological Considerations

Boiling of coolant within an opened reactor system following a postulated loss of shutdown cooling would release dissolved fission products within the containment atmosphere. If significant radioactivity were contained in the coolant, high-radiation-area alarms would be actuated. These are typically set at twice the background level. Health physics personnel would be expected to evacuate the containment until people could safely enter, observing the appropriate precautions and protective measures, to perform any operation required to close the containment.

To assess the radiological conditions that workers might experience while closing the containment, the NRC staff performed scoping calculations. The staff assumed that the coolant contained the expected activity for a typical operating PWR and then for a BWR as given in RTM-91. Radioactive decay was assumed to progress for 48 hours before boiling began. Iodine decay into xenon was included. The resultant concentration for PWRs was about 1/20 of the 1.0 microcurie-per-milliliter maximum
equivalent of iodine-131 allowed in plant technical specifications. Although there is no specific requirement, PWR operators typically reduce coolant activity by two orders of magnitude using coolant cleanup systems before opening the reactor system. Additional reduction can be achieved, but the length of the outage might be increased. The scoping calculation should be considered conservative because it did not account for coolant cleanup.

[Figure 6.1: PWR Containment Temperature vs. Time]

The volatile fission products (noble gases and iodine) were assumed to be carried out with the boiled coolant. With these assumptions, the release of fission products to the containment was calculated concurrently with the steam released by decay heat boiling. The boiling rate was based on decay heat from a 3400-MWt plant shut down for 48 hours at the end of cycle. The steam was assumed to be mixed with the containment atmosphere (2 million cubic feet [56,633 m3]/PWR) and the mixture released through containment openings at a constant volumetric flow. Dose rates were derived from the guidance in the NRC Site Access Training Manual which states that the risk of one Part 20 maximum permissible concentration (MPC)-hr is approximately equal to 2.5 mrem (0.025 mSv) of whole-body dose.

The resulting PWR equivalent doses are depicted in Figures 6.2 and 6.3. (These ordinarily are conservative because they do not include the factor-of-100 reduction discussed in the preceding paragraph.) Inhaled iodine dose in the non-respirator case was computed using soluble MPCs, whereas the respirator case was computed using the insoluble MPCs for iodine. The calculated equivalent dose increases with time and approaches asymptotic values for a pure steam atmosphere. These calculations indicate that self-contained breathing apparatus would be required for an extended stay within the containment because of the dose and humidity, since the filtration type would not function adequately in high humidity above about 106 °F (41 °C). It may be difficult to perform containment closure operations in self-contained breathing apparatus because the air supply will limit how long personnel can stay on the job. In evaluating recovery actions following a potential loss of shutdown cooling, licensees should avoid plant conditions in which steaming could occur before the containment was closed, unless reduced coolant activities or limited requirements for personnel

[Figure 6.2: PWR Equivalent Whole-Body Dose (Inhaled Iodine)]

Using the expected coolant activities in RTM-91 for BWRs, the calculated equivalent dose with and without respirator protection was much less than for PWRs. See Figures 6.4 and 6.5. This is because BWRs do not retain volatile fission products in the coolant. The loss of shutdown cooling with subsequent boiling was assumed to
occur in a typical Mark II primary containment 48 hours after shutdown with the drywell head removed. Perfect mixing was assumed in the secondary containment volume above the refueling floor (1.6 million cubic feet [45,307 m3]). Other assumptions were similar to the PWR calculation. The lower dose rates calculated for the BWR would allow for a longer stay within the secondary containment than allowed for the PWR case, and the major concern may be the steam conditions in working areas. If practical, procedures for drywell closure under emergency conditions are desirable, since offsite releases from a severe accident could have unacceptable consequences, as discussed in Section 6.9.1.

[Figure 6.3: PWR Equivalent Whole-Body Dose (Noble Gases, Particulates)]

[Figure 6.4: BWR Equivalent Whole-Body Dose (Inhaled Iodine)]

[Figure 6.5: BWR Equivalent Whole-Body Dose (Noble Gases, Particulates)]

6.9.5 Findings

• The estimated dose from a core melt 2 days after shutdown with an open containment is roughly 80,000 rem (thyroid) (800 Sv) and 200 rem (2 Sv) (whole-body) at a 1-mile distance from the plant. A closed PWR containment with 24-hour holdup followed by design rate leakage reduces these to 0.2 rem (2 mSv) (thyroid) and 0.001 rem (0.01 mSv) (whole body).

• BWR secondary containments are anticipated to fail within a few minutes of initiation of bulk boiling if steam is released into the secondary containment. Boiling can begin half an hour after RHR loss if loss occurs days after shutdown.

• The plant visit program (see Chapter 3) found no [...] considered if RHR were lost. Existing secondary containments were judged to be of little use if the reactor vessel and primary containment were open.

• PWR licensee response was mixed concerning recommendations in GL 88-17 regarding containment closure. Some licensees have not fully evaluated attaining a no-gap equipment hatch closure. Closure techniques for other penetrations were sometimes poor. No licensee fully addressed the containment work environment if it planned to close the containment while steam was being released into the containment. Most closure procedures were weak and few had been rehearsed.

• Of the 107 plants surveyed 52 required the use of ac power and/or compressed air to install the hatch. Five indicated that they had a procedure to close the
hatch manually in the case of station blackout (SBO).

• Staff scoping analyses show that PWR containments probably require self-contained breathing apparatus within an hour of initiation of steam release into the containment due to the steam and temperature. (Localized heating and steam hazards were not considered.) Dose rates may not be serious if there are no fuel cladding leaks and if the licensee has significantly cleaned the water in the primary system, although breathing apparatus is likely to be needed. Airborne contaminants are of more concern with fuel leaks or contaminated primary water.

• Most primary containment concerns are eliminated if the containment is closed or if it is assured to be closed before the initiation of steam release from the RCS.

6.10 Fire Protection During Shutdown and Refueling

During shutdown and refueling outages, activities that take place in the plant may increase fire hazards in safety-related systems that are essential to the plant's capability to maintain core cooling. The plant technical specifications (TS) allow various safety systems to be taken out of service to facilitate system maintenance, inspection, and testing. In addition, during plant shutdown and refueling outages, major plant modifications are fabricated, installed, and tested. In support of these outage-related activities, increased transient combustibles (e.g., lubricating oils, cleaning solvents, paints, wood, plastics) and ignition sources (e.g., welding, cutting and grinding operations, and electrical hazards associated with temporary power) present additional fire risks to those plant systems maintaining shutdown cooling.

During plant shutdown, a postulated fire condition could potentially cause fire damage to the operable train or trains of residual heat removal capability. This fire damage could further complicate the plant's capability to remove decay heat.

In order to fully assess the fire risk during refueling conditions, the following action plan was implemented at a PWR and a BWR facility that the staff visited:

(1) Review the adequacy of current NRC fire protection guidance with respect to the protection of the systems necessary to perform the RHR function during shutdown and refueling modes of operation.

(2) Evaluate the fire protection requirements of Appendix R to 10 CFR Part 50 for cold-shutdown systems and determine if those requirements are adequate to assure the availability of RHR capability under postulated fire conditions.

(3) Review administrative controls and methods for reducing fire hazards during shutdown and refueling modes of operation.

The results of this review and evaluation in each of the three areas are discussed next.

6.10.1 Adequacy of Current NRC Fire Protection Guidance for the Assurance of Residual Heat Removal Capability

The NRC fire-protection guidance (NUREG-0800, Standard Review Plan (SRP) Section 9.5.1) applied to ensure that an adequate level of fire protection exists, is a defense-in-depth approach. This approach is focused on the following programmatic areas:

• fire prevention through the use of administrative controls (e.g., good housekeeping practices, control of combustible materials, control and proper handling of flammable and combustible liquids, control of ignition sources)

• rapid fire detection through the use of early-warning fire-smoke-detection systems, fire suppression that occurs quickly through the application of fixed fire-extinguishing systems and manual fighting means, and limiting fire damage through the application of passive fire-protection features

• designing plant safety systems that provide for continued operation of essential plant systems necessary to shut down the reactor in those instances in which fire-prevention programs are not immediately effective in extinguishing the fire

The defense-in-depth concept, as it applies to fire protection, focuses on achieving and maintaining safe-shutdown conditions from a full-power condition. In addition, the SRP guidance given to licensees for conducting a fire hazard analysis specifies that the analysis should demonstrate that the plant will be able to perform safe-shutdown functions and minimize radioactive releases to the environment in the event that a fire occurs anyplace in the plant. The SRP guidance established for the performance of a fire hazard analysis does not address shutdown and refueling conditions, or the potential impact a fire may have on the plant's ability to remove decay heat and maintain reactor water temperature below saturation conditions.

The SRP establishes three levels of fire-damage limits for safety-related and safe-shutdown systems. The limits are established according to the safety function of the structure, system, or component. The following material summarizes the fire-damage limits: (1) one train of
equipment necessary to achieve hot standby or shutdown (or both) from either the control room or emergency control stations must be maintained free from damage by a single fire, including an explosive fire; (2) both trains of equipment necessary to achieve cold shutdown may be limited so that at least one train can be repaired or made operable within 72 hours using onsite capability; and (3) both trains of systems necessary for mitigating the consequences following design-basis accidents may be damaged by a single fire. These damage limits are based on the assumption that full reactor power operation is the major limiting condition with respect to fire and its potential risk on reactor safety. The acceptable fire-damage threshold for RHR functions has not been established in the SRP with respect to the various shutdown and refueling modes of operation.

6.10.2 Evaluation of Requirements for Cold Shutdown

The Appendix R fire protection criteria for the protection of the safe-shutdown capability do not include those systems important to ensuring an adequate level of RHR during non-power modes of operation. Appendix R, Sections III.G and III.L allow certain repairs to cold-shutdown components to restore system operability and the ability to achieve and maintain cold-shutdown conditions. This repair provision includes the decay heat removal functions of the RHR system. Appendix R requirements focus on full-power operation and address the impact a fire may have on the plant's ability to achieve and maintain safe-shutdown conditions.

During plant shutdown conditions in which the reactor head is removed, the RHR system and its associated support systems are performing the decay heat removal function (i.e., for PWR: component cooling water system, service water system, offsite/onsite ac/dc power train; for BWR: reactor building closed cooling water system, high-pressure service water system, offsite/onsite ac/dc power train). Depending on the specific mode of operation and the plant configuration (i.e., BWR/PWR: head off the vessel, water level at the vessel flange; PWR: head off in midloop operations), the plant technical specifications (TS) may require both trains or only one train of decay heat removal capability to be operable.

At one PWR facility visited, approximately 30 plant areas were associated directly with either the A- or B-train of decay heat removal. In 15 plant areas, both trains of RHR were present. This facility elected to comply with the Appendix R requirements by utilizing damage control/repair procedures. Under the Appendix R damage control/repair approach, a postulated fire during shutdown or refueling conditions in a plant area where both decay heat removal system trains are present, could cause fire damage to redundant trains resulting in a potential loss of decay heat removal capability. By contrast, if the plant was at 100-percent power operations at the time of the fire, the plant could be held in hot standby until the necessary repair allowed under Appendix R could be made and subsequent cold shutdown could be achieved. For example, if the power cable to the RHR pump motor suffered fire damage, the plant maintenance staff estimated that it would take 16 hours to repair it and restore power to the pump. If this same postulated fire were to occur during shutdown or refueling, reactor coolant saturation conditions could potentially occur. As discussed in Section 6.6, there are several options available, depending on the plant configuration, for supplying water or providing limited RCS cooling. However, it should be noted that, without the performance of a detailed shutdown or refueling fire hazards analysis, the alternate RCS makeup and cooling options may have been affected by the same fire that caused the loss of decay heat removal.

During a visit to a BWR plant, it was determined that approximately seven areas of the reactor building and ten areas of the control building are associated with the decay heat removal function. Three areas in the reactor building and six areas in the control building contained both trains. In the areas containing both trains of decay heat removal, fire-protection features in accordance with Appendix R, Sections III.G and III.L were provided. Since this plant's capability to achieve cold shutdown complies with Appendix R, Sections III.G and III.L, RHR fire-damage/control procedures were not required. However, by postulating a fire during shutdown and refueling conditions that required only one train of decay heat removal to be operable (the train provided with Appendix R fire protection is unavailable due to maintenance), in a plant area where the unprotected train is present, damage could be sustained to the operable train resulting in a total loss of decay heat removal capability. Under these conditions, RCS heatup to saturation could occur. There are several options available, depending on plant configurations, for supplying water to the RCS. These options include CRD pumps, standby liquid control system from test tank, condensate pumps, condensate or demineralized water via hoses from the service box on the fuel floor, core spray from the torus or condensate storage tank, refueling water transfer pump, high-pressure service water system, and makeup to reactor cavity skimmer surge tank and overflow into the reactor cavity. Alternate decay heat removal can be accomplished via the reactor cleanup or the fuel pool cooling systems. It should be noted that without the performance of a detailed shutdown and refueling fire analysis, the alternate RCS makeup and cooling options may not be available. The equipment or components (or both) associated with these options may be affected by the same fire that causes the loss of decay heat removal.
6.10.3 Review of Plant Controls for Fire Prevention

The staff reviewed fire-prevention administrative and control procedures associated with the control of transient combustibles and ignition sources, and the establishment of compensatory measures for fire-protection impairments. The fire-prevention administrative control measures are applicable to both power operation and shutdown conditions. It was noted that in order to support certain work activities (e.g., welding and cutting) associated with maintenance or modifications, a temporary fire prevention administrative-control procedure was changed. For example, a fire watch may be assigned to more than one welding or cutting operation, or increased combustible loading above that analyzed for full-power conditions may be introduced into safety-related areas to support maintenance operation. Fire-prevention administrative-control procedures did not provide enhanced controls or compensatory measures during shutdown conditions in those plant areas critical to supporting RCS makeup or decay heat removal.

During the PWR and BWR plant visits, when a plant walkdown was performed in areas that were associated with decay heat removal, an increase in fire hazards was noted. These fire hazards included temporary electrical and test wiring, increased transient combustibles (e.g., wood scaffolding, plastic sheeting and containers, lube oil, cleaning solvents, paper products, rubber products, and more), and increased welding and cutting activities. In addition, the staff noted that fire-protection personnel at the site had not increased their inspections. The staffing level is limited and fire-prevention inspections are restricted due to the increased paper work generated by activities associated with maintenance and modifications during an outage.

The lack of increased fire-prevention/protection activities commensurate with the increased maintenance and modification activities during plant shutdown and refueling is reflected by the increased frequency of fires. At the two facilities visited, a review of fire reports for an 18-month operating period showed that three fires occurred at the PWR and four fires at the BWR facility. Six of the seven fires at these facilities occurred during refueling outages.

6.10.4 Summary of Findings

• A postulated fire could potentially damage the operable train or trains of decay heat removal systems during shutdown conditions. In addition, plant configurations can further complicate the plant's ability to remove decay heat.

• Increased transient combustibles and ignition sources during outage activities present additional fire risks to their minimum level of TS systems required to maintain shutdown cooling.

• SRP guidance established for the performance of a fire-hazard analysis does not address shutdown and refueling conditions and the potential impact a fire may have on the plant's ability to maintain core cooling.

• 10 CFR Part 50, Appendix R, fire-protection criteria for the protection of the safe-shutdown capability do not include those systems important to assuring an adequate level of decay heat removal during non-power modes of operation.

• Fire-prevention administrative-control procedures did not provide enhanced controls or compensatory measures during shutdown conditions in those plant areas critical to supporting RCS makeup or decay heat removal.

• The staffing level at the site for fire prevention is limited and inspection activities are restricted because so much paper work was generated by activities associated with maintenance and modifications during an outage.

• A majority of the fires at the facilities occurred during refueling outages.

6.11 Fuel Handling and Heavy Loads

Mishaps in handling fuels and heavy loads during the refueling process can occur and have a potential for

• causing an array of new or spent fuel to become critical

• damage to fuel assemblies which causes release of radioactivity

• overheating of spent fuel pool which damages fuel cladding

6.11.1 Fuel Handling

In order to minimize fuel-handling mishaps, the fuel-handling equipment is designed and built in accordance with specified standards to prevent dropping fuel. In addition, fuel-handling equipment is also tested before the fuel-handling process to assure its proper operation. Design guidelines for such equipment include the provision of high-temperature alarms and high-radiation alarms, should fuel damage or failures be imminent.

Criticality involved in the movement of a single fuel assembly is extremely unlikely with the greatest potential occurring in the case of misplacement of an element in the core or spent fuel pool. Proper planning and particular
attention to details during the fuel-handling process can minimize the probability of mistakes. In BWRs, the potential for criticality during refueling is minimized by starting the process with the mode switch in the refueling or shutdown position and with all rods in. In PWRs, the boron concentration in the reactor coolant and refueling canal is kept at a level sufficient to assure a keff equal to or less than 0.95 or, as an alternative, the boron concentration is kept equal to or greater than 1850 ppm. In addition, licensees are required to analyze the worst case of fuel mislocation and provide assurance that the concomitant fuel damage does not cause offsite doses in excess of specified [illegible]

The licensee is also required to analyze the condition for an uncontrolled control rod assembly (a bank for a PWR and a single rod for a BWR) withdrawal at subcritical or low-power condition, and to provide assurance that certain preset criteria, which includes thermal margin limits, fuel centerline temperatures, and uniform cladding strain for BWRs, are not exceeded.

Release of radioactivity from a spent fuel element may be caused by mechanical damage, such as dropping or striking it against some object. Dropping is minimized by proper design of handling equipment in accordance with specified criteria. Nevertheless, equipment has failed and fuel elements have been damaged. In order to minimize the radiation dosage as a result of such mishaps, all spent fuel must be moved under water during the refueling process. Current STS for both PWRs and BWRs require that a specified level of water must be maintained above the reactor vessel head and spent fuel storage pools during refueling. This level of water is capable of acting as shielding for the handling of spent fuel and for absorption of the radioactivity that could be released should a spent fuel element be damaged. In addition, the fuel handling equipment is tested before being used in order to avoid using faulty equipment, and to assure load handling limitations as required by TS.

For PWRs, TS require that penetrations in the containment building be closed or be capable of being closed by an operable automatic valve on a high-radiation signal in the containment, before initiating the refueling process. For BWRs, TS require that the integrity of the fuel-handling building be assured before handling irradiated fuel.

As a final protection against the potential excessive radiation doses resulting from a fuel-handling accident, the licensee must provide an analysis of the radiological consequences of a fuel-handling accident to assure that results will conform to applicable dose limitations.

Spent fuel in the spent fuel pool is kept cool by a spent fuel pool cooling system. TS for PWRs and BWRs require that such a system be operable in order to keep spent fuel cooled. TS also require that the water level in the spent fuel pools and temperatures be maintained to minimize dose levels during fuel handling. Spent fuel pool cooling systems are analyzed to ensure that proper spent fuel pool coolant temperatures are maintained at all times of storage of spent fuel so as to prevent overheating of the stored fuel.

6.11.2 Heavy Load Handling

[illegible] is necessary to remove the internal components. In doing so, [illegible] be dropped, resulting in the release of radioactive elements from damaged fuel. Relocation of damaged fuel into a critical mass is also of concern. Similar circumstances could occur upon lifting a heavy load over spent fuel elements stored temporarily in the containment or in the spent fuel storage pool.

Any heavy load carried over redundant equipment used for removal of decay heat has a potential for damaging or destroying this equipment or other equipment involved in shutdown. Damage, in such case, is limited by following safe load paths or by minimizing the potential for damage, as noted below.

Risk associated with heavy loads can be minimized as outlined in NUREG-0612, "Control of Heavy Loads at Nuclear Power Plants," (1) by making the potential for a load drop extremely small, by utilizing a single-failure-proof lifting system in accordance with NUREG-0612, or (2) by evaluating a potential load drop accident and taking actions to ensure that damage is so limited that

• Coolant lost can be replaced by normal makeup sources.

• The capability for systems to maintain safe shutdown is not lost.

In order to minimize the potential for a drop of a heavy load, licensees were required to (1) develop procedures for handling heavy loads, (2) train and qualify crane operators, (3) design special lifting devices in accordance with specified criteria, (4) design other lifting devices (other than "special") in accordance with specified criteria, (5) inspect, test, and maintain cranes in accordance with specified guidelines, (6) have cranes designed in accordance with specified criteria, and (7) follow safe load paths.

Three potential hazards regarding the handling of heavy loads are (1) damage to surroundings in the improper design or use of handling equipment so as to permit swinging or rotating of the load on breaking of one holding line; (2) improper handling of the internals of the Mark I BWRs and, by reference, of the internals of any reactor so as to damage the vessel, the core, or other safety-related equipment; and (3) dropping of loads placed on the edge of the spent fuel pool.
In each NRC regional office, a representative was contacted in an effort to determine whether problems had been observed in these areas. Only item 3 (i.e., dropping of loads from the edge of the fuel pool) was mentioned to be of concern, but not considered to be a significant shutdown risk issue.

There appears to be no special generic problem regarding handling heavy loads. Heavy reactor internals can be handled safely by adhering to the guidelines in NUREG-0612. The problem of load swing or rotation can be avoided by proper handling. Since the staff has not identified such an event, it concludes that load-handling procedures are being successfully employed in the field.

6.12 Onsite Emergency Planning

The staff's technical evaluation of shutdown and low-power operation shows that event sequences with potential offsite consequences can occur during cold-shutdown and refueling conditions. The plant configuration during shutdown and refueling conditions is significantly different from that during power operation. As a result, the sequence of events and the operator's ability to detect and respond to an event and mitigate its consequences may vary significantly during shutdown and refueling conditions. Therefore, the need for an operator to respond appropriately to an incident, including emergency classifications and notifications of offsite officials, still exists during cold-shutdown and refueling conditions.

6.12.1 Classification of Emergencies

Guidance for classifying emergencies at nuclear plants during power operation is found in Appendix 1 to NUREG-0654 (FEMA-REP-1), Revision 1, entitled "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants." This guidance does not explicitly address the different modes of nuclear power plant operation. It is generally recognized, however, that the initiating conditions established in Appendix 1 to NUREG-0654 apply as a whole to a nuclear plant during its power operation and hot shutdown modes. Some, but not all, of the initiating conditions in NUREG-0654 may apply to a nuclear plant during cold-shutdown and refueling conditions.

Because initiating conditions contained in Appendix 1 to NUREG-0654 were not intended to be directly and fully applicable to shutdown and refueling conditions and their unique characteristics, their use by the licensees has resulted in inconsistencies and oftentimes excess conservatism in the classification of emergencies during shutdown or refueling conditions. For example, the loss of vital ac power and RHR at Vogtle Unit 1 in March 1990 was classified as a Site Area Emergency by the licensee, but might have been classified as an Alert by a different licensee. In an event at Oyster Creek in March 1991, an Alert was declared when it was determined that both sources of onsite ac power were unavailable. However, offsite ac power was available at the time and the refueling cavity was flooded with water.

NUMARC has developed a method for defining emergency action levels which is referenced in NUMARC/NESP-007, Revision 1. Although the NUMARC approach is not considered complete in that regard, NRC will continue to work with NUMARC to issue the final guidance that will help licensees to identify initiating conditions and develop associated emergency action levels for shutdown and refueling conditions with a revised NUREG-0654. In the meantime, the staff will develop interim guidance for emergency classification during shutdown and refueling conditions. The interim is discussed in Chapter 7.

6.12.2 Protection of Plant Workers

NRC regulations in 10 CFR 50.47(b)(10) require that a range of protective actions be developed for emergency workers and the public. In meeting this requirement, as stated in Criterion J of NUREG-0654, the NRC expects each licensee to (1) evacuate nonessential personnel in the event of a Site Area or General Emergency and (2) account for onsite personnel within 30 minutes of the declaration of an emergency. During outage periods, hundreds of additional workers may be on site for maintenance, construction, and repairs. In addition to the presence of large numbers of workers on site during an outage, many unusual activities will be taking place and normally available equipment and instrumentation may not be available. These conditions, common during shutdown and refueling outages, can place an additional burden on the emergency response capability at the time of an accident. Emergency plans and procedures must address the evacuation and accountability of the large number of nonessential personnel on site should an accident occur during plant shutdown or refueling.
7 POTENTIAL INDUSTRY ACTIONS

7.1 Introduction and Perspective

The comprehensive technical evaluation of shutdown and low-power operations described in the previous chapters, included observations and inspections at a number of plants, analysis of operating experience, deterministic safety analysis, and insights from probabilistic risk assessments. From this evaluation, the staff has concluded that although public health and safety have been adequately protected during the period that plants have been in shutdown conditions, safety could be improved substantially and such improvement appears to be warranted for the following reasons:

(1) Significant precursor events involving loss of the decay heat removal (DHR) capability continue to occur despite NRC efforts to resolve the problem.

(2) Accident sequences during shutdown that are as rapid and severe as those that occur during power operation should be addressed with commensurate requirements. This is supported by the staff's engineering analysis of accidents during shutdown conditions documented herein.

(3) There is a significant lack of controls, including regulatory controls, that in the past allowed plants to enter circumstances likely to challenge safety functions with minimal mitigation equipment available and containment integrity not established.

There have been only a very limited number of probabilistic risk assessment (PRA) studies covering shutdown conditions, and those studies contain considerable uncertainty. The uncertainty is due largely to the predominant role played by operators and other licensee staff in shutdown events and recovery from them. Human reliability is difficult to quantify, especially under unfamiliar conditions which are often not covered in training or procedures. The collection of PRA studies discussed in Chapter 4 does give some insight into the plausible range of shutdown risks for the spectrum of current plants. The mean core-damage frequency (CDF) for shutdown events appears to be in the range of 3x10^[illegible] to 7x10^-6 per reactor-year. (Although detailed uncertainty analysis is not available for most of the shutdown PRAs, some insight can be gained by examining the uncertainty analysis in NUREG-1150 where the ranges of CDF (5th and 95th percentiles) are approximately one order of magnitude. From this limited information, we conclude that a reasonable estimate of the range of CDF is 1x10^[illegible] to 1x10^-6 per reactor-year.) The risk to public health appears to be dominated by core damage in combination with an open or partially open containment. This would indicate that an improvement in CDF of about one order of magnitude is warranted if it can be gained at a reasonable cost. In addition, an improvement in the likelihood of containment isolation when needed appears appropriate. As part of the regulatory analysis, the staff is presently determining the potential benefits and costs of all potential new requirements to the extent practical.

7.2 Previous Actions

Over the past 12 years, the NRC has issued eight generic letters related to shutdown and low-power operations. These generic communications present a chronology of events and actions requested by the NRC to preclude or mitigate events that could affect the nuclear power plant during low-power and shutdown operations. Generic letter (GL) 88-17, "Loss of Decay Heat Removal," is the most comprehensive and most widely applicable of the generic letters. It specifically addresses shutdown concerns and is the most recent generic letter to make recommendations [illegible] and shutdown operations [illegible] recommendations for operating pressurized-water reactors (PWRs) with reduced inventory; the recommendations concerned areas of instrumentation, administrative controls, operator procedures, and operator training.

Licensees have implemented GL 88-17 to varying degrees of effectiveness and completeness. All licensees operating PWRs have improved reduced inventory operation. Some licensees exceeded the GL 88-17 recommendations; others responded minimally. In GL 88-17, the staff limits its discussion to operation of PWRs during reduced inventory. The staff's positions given below expands coverage to conditions other than reduced inventory in PWRs and to some conditions in BWRs (boiling-water reactors).

The staff recognizes that industry has addressed shutdown and low-power operations with programs that include workshops, Institute of Nuclear Power Operations (INPO) inspections, Electric Power Research Institute (EPRI) support, as well as enhanced training and procedures. One activity (a formal initiative proposed by the Nuclear Management and Resources Council (NUMARC)) has produced a set of guidelines for the utilities to use for self-assessment of shutdown operations (NUMARC 91-06). This high-level guidance addresses many of the areas in outage planning that need to be improved. Detailed guidance on developing an outage planning program is outside the scope of the NUMARC effort; and, consequently, such important areas as fire protection and operability of mitigative equipment are not treated explicitly. The staff finds that NUMARC 91-06 represents a significant and constructive step, effects of which have already been realized by many utilities
that used the guidance in recent outages; however, to address all of the issues relating to safe operation during outages requires more than the guidance of NUMARC 91-06.

7.3 Improvements in Shutdown and Low-Power Operations

The evaluation described in the preceding chapters indicates that additional requirements governing shutdown operation in the following areas are warranted:

• outage planning and control

• fire protection

• technical specifications

• instrumentation

7.3.1 Outage Planning, Outage Control, and Fire Protection

The technical findings in the previous chapters show that a more safety-oriented approach to planning and controlling outage activities will reduce risk during shutdown by reducing the incidence of precursor events and improving defense in depth. Such an approach should include (1) a comprehensive program for planning and controlling outage activities, including fire protection, and (2) limiting conditions for operation (LCOs), controlled through the plant technical specifications, for plant equipment needed to ensure key safety functions are available. It is better to use technical specifications rather than administrative controls to control the availability of safety-related equipment, because operators are already trained and accustomed to operating the facility within the clear limits set by technical specifications. In addition, the technical specifications establish clear and enforceable regulatory

Elements for an Outage Program

It is the staff's position that a complete program for planning and controlling outages in a safe manner would include those elements listed below:

(1) clearly defined and documented safety principles for outage planning and control

(2) clearly defined organizational roles and responsibilities

(3) controlled procedure defining the outage planning process

(4) early planning for all outages

(5) strong technical input based on safety analysis, risk insights, and defense in depth

(6) independent safety review of the outage plan and subsequent modifications

(7) planning and controls that (a) maximize the availability of existing instrumentation used to monitor temperature, pressure, and water level in the reactor vessel and (b) give accurate guidelines for operations when existing temperature indications may not accurately represent core conditions

(8) controlled information system to provide critical safety parameters and equipment status on a real-time basis during the outage

(9) contingency plans and bases, including those necessary to ensure that effective decay heat removal (DHR) during cold shutdown and refueling conditions can be maintained in the event of a fire in any plant area

(10) realistic consideration of staffing needs and personnel capabilities with emphasis on control room staff

(11) training

(12) feedback of shutdown experience into the planning process

Because the role of outage planning and control is central to shutdown safety, some regulatory controls to ensure adequacy and continued implementation at all plants may be appropriate. Controls could be imposed through a new regulation governing outages, or by including the requirements in the administrative controls section of the existing technical specifications. In either case, such a requirement would call for a program for planning and control of outages that

(1) includes the 12 elements listed above

(2) is documented in a controlled procedure subject to inspection by the NRC

(3) is subject to revision with the approval of an onsite safety review organization

7.3.2 Technical Specifications for Control of Safety-Related Equipment

Findings in previous chapters lead the staff to conclude that current standard technical specifications (STS) do not reflect the risk significance of many reactor coolant system configurations used during cold-shutdown and refueling operations. This is particularly true of technical specifications (TS) for PWRs. The staff also notes that some older plants do not have even basic TS covering
i -
l l
l l
residual heat removal (RHR) and electrical systems. TS are important because they establish the minimum safety standards during various operational conditions, and licensees carefully track them as a way of ensuring compliance with other regulatory requirements. The staff is considering the following changes to the current STS for BWRs:

(1) The specification in the STS for ac power sources during shutdown (i.e., "AC Sources-Shutdown") should be modified to require that redundant onsite emergency ac sources be operable during cold shutdown and refueling when the water level is less than [23] feet ([7] m) above the reactor pressure vessel flange and fuel is in the vessel. Redundancy is not required when the water level in the refueling cavity equals or exceeds [23] feet ([7] m) above the reactor pressure vessel flange because the passive cooling capability in the refueling cavity allows sufficient time to restore a DHR loop or establish an alternate method of cooling. This change ensures that the capability to remove decay heat will not be lost under such conditions as a loss of offsite power and a single failure of one onsite ac source.

(2) New specifications should be added to the STS to require operability of the plant service water system (standby service water system for BWR/6) and ultimate heat sink during Modes 4 and 5.

The staff is considering the following changes to the current STS for PWRs:

(1) The technical specifications for "RCS Loops-Mode 5, Loops Filled," and "RCS Loops-Mode 5, Loops Not Filled" should be combined into one specification for "RCS Loops-Mode 5." In addition, Action statements should be added requiring that (a) containment integrity be established if one required DHR loop becomes inoperable and cannot be returned to service in 8 hours, (b) an alternate method of DHR be established if both required DHR loops are inoperable, and (c) containment integrity be established if both required DHR loops become inoperable, and containment integrity has not been established by a separate specification on containment integrity discussed in item 4 below.

The requirements to establish an alternative method of DHR and achieve containment integrity, when one or more DHR loops becomes inoperable, are designed to ensure defense in depth when normal cooling systems become unavailable. In most cases, the emergency core cooling system will be available to serve as backup to cool the core and to act as a first line of defense when normal systems are unavailable.

(2) A technical specification for the emergency core cooling system during shutdown (i.e., "ECCS-Shutdown") should be added to require two trains of high-pressure injection (HPI) during cold shutdown and refueling with water level in the refueling cavity less than [23] feet ([7] m) above the reactor pressure vessel flange. The applicability for the STS on "ECCS-Operating" should be extended to Mode 4. Also, the applicability of the STS covering the refueling water storage tank (RWST) should be extended to Modes 5 and 6 when the water level in the refueling cavity is less than [23] feet ([7] m) above the reactor pressure vessel flange and when the cavity is not being flooded with water from the RWST.

(3) Because of the change to the technical specification for "ECCS-Operating," the specification for "Low Temperature Overpressure Protection" should be modified to require either a larger size vent to mitigate the effects of higher mass addition from a second HPI train, or specific controls to isolate HPI trains during shutdown and refueling (i.e., keep HPI discharge valves closed and tagged and keep pumps in pull-to-lock).

(4) Studies in previous chapters indicate that shutdown risk is highest when decay heat is high and the reactor coolant system (RCS) is in a condition of reduced inventory. In light of this, a new specification should be added to the STS to require containment integrity under these conditions. This specification should require containment integrity to be maintained during Mode 5, should natural circulation cooling not be available, and Mode 6, should the water level in the refueling cavity be less than [23] feet ([7] m) above the reactor vessel flange. Containment integrity in these modes should not be required after the core decay heat has been reduced below a plant-specific value so that the containment can be closed manually before boiling occurs in the RCS, assuming a loss of the offsite electrical power system and the unavailability of the onsite ac power system.

Some licensees may have alternate emergency ac sources available to them, as defined in 10 CFR 50.2, or portable power supplies that could be used to assist in manually closing the containment. This equipment should be credited in estimates of the times to manually close the containment, if these power supplies are ensured to be available through the outage plan.

The staff believes that such an LCO would give licensees considerable flexibility, through planning and good engineering, to minimize the need for containment integrity during normal activities while in Mode 5 or 6.

(5) New specifications should be added to the STS to require redundant systems for (a) component
cooling water and (b) service water and operability of the ultimate heat sink during cold shutdown and refueling when the water level in the refueling cavity is less than [23] feet ([7] m) above the reactor pressure vessel flange. Redundancy is not necessary during refueling when the water level in the refueling cavity equals or exceeds [23] feet ([7] m) above the reactor pressure vessel flange because the passive cooling capability in the refueling cavity allows sufficient time to restore a DHR loop or establish an alternate method of cooling.

(6) The specification in the STS for ac power sources during shutdown (i.e., "AC Sources-Shutdown") should be modified to require redundant onsite emergency ac sources to be operable during cold shutdown and refueling when the water level in the refueling cavity is less than [23] feet ([7] m) above the reactor pressure vessel flange. Redundancy is not necessary when the water level in the refueling cavity equals or exceeds [23] feet ([7] m) above the reactor pressure vessel flange because the passive cooling capability in the refueling cavity allows sufficient time to restore a DHR loop or establish an alternate method of cooling. The specification should also require that if ac sources become inoperable and cannot be returned to service within b hours, the equipment supported by those sources must be declared inoperable. Alternate sources of ac power that may be available at some sites during shutdown operations may be credited under some conditions. However, the staff would consider plant-specific technical specifications that factor in such sources on a case-by-case basis.

(7) Action statements should be added to the specification in the STS on "DHR and Coolant Circulation-Low Water Level" to require that, with one DHR loop inoperable, the water level in the refueling cavity be raised to at least [23] feet ([7] m) above the reactor vessel flange or that containment integrity be established if the loop cannot be returned to service within 8 hours. If both required DHR loops are inoperable, an alternate method of DHR must be established. Containment integrity must be established before boiling occurs in the reactor coolant system if both required DHR loops become inoperable and containment integrity has not already been established.

The requirements to establish an alternate method of DHR and achieve containment integrity when one or more DHR loops becomes inoperable are designed to ensure defense in depth when normal cooling systems become unavailable. In most cases, the emergency core cooling system will be available to serve as backup for core cooling and to act as a first line of defense when normal systems are unavailable.

(8) Action statements should be added to the technical specification for "DHR and Coolant Circulation-High Water Level" to require that with no DHR loops operable or in operation, containment integrity should be established within 8 hours.

7.3.3 Water-Level Instrumentation in PWRs

PWR licensees have added level instrumentation to cover shutdown operation in response to GL 88-17 and, in PWRs, level indications have generally improved in the last 3 years. However, events in PWRs continue to occur (e.g., Prairie Island, 1992) in which existing methods for monitoring water level have failed to adequately indicate a level too low to support DHR pump operation. Consequently, the staff is considering a potential requirement for licensees of PWRs to install an additional means of accurately monitoring water level in the RCS during mid-loop operation. This additional instrumentation should not be affected by errors induced in the other level measurements by changes in pressure in the RCS or connected systems. Normally, ultrasonic devices or other such local measurements as pressure differential across the hot leg will be needed for meeting this criterion. The installed instrumentation should include visual and audible indications in the control room to alert operators to an inappropriate condition. The instrumentation should be placed in operation before the plant enters a reduced inventory condition.

7.4 Other Actions Considered

In the course of its evaluation of key issues of shutdown risk, the staff considered one additional potential industry action but chose not to pursue it. This was to issue a supplement to Generic Letter 88-20, "Individual Plant Examination (IPE) for Severe Accident Vulnerabilities," asking licensees to include shutdown and low-power conditions in their IPEs. The reasons for not pursuing this action at this time are discussed below.

The intent of the IPE program is to identify plant-specific deficiencies mostly involving hardware and not directly or effectively handled in the licensing process. The shutdown risk program is aimed at resolving generic issues associated with operations during shutdown and low-power operation and this can be done most effectively with generic requirements. However, not having a shutdown IPE program at this time doesn't mean that the staff wishes to discourage licensees from applying risk-based methods to understand the implications of shutdown activities or to help in planning outages. Another important reason for not recommending an IPE for shutdown and low-power conditions at this time is that IPE is dependent on a well-developed and understood PRA methodology,
and this does not currently exist for shutdown and low-power conditions. The current IPE program follows more than a decade of experience with PRAs for power operation. The NRC Office of Regulatory Research expects to complete its PRAs for shutdown and low-power conditions in 1994.

7.5 Conclusions

The staff is considering a number of potential requirements that can address shutdown and low-power issues effectively. These are appropriate for the following reasons:

(1) The potential requirements reflect the traditional NRC safety philosophy of defense in depth in that they address (a) prevention of well-understood and credible challenges to safety functions through improvements in outage planning and fire protection; (b) mitigation of challenges by redundant protection systems, well-founded procedures, and training, and through improved technical specifications and contingency plans; (c) availability and reliability of containment through improved technical specifications and response procedures; and (d) emergency preparedness through improved contingency plans.

(2) The potential requirements are aimed directly at problems that have been observed repeatedly in operating experience, e.g., loss of DHR, loss of ac power, loss of RCS inventory, fires, personnel errors, poor procedures, poor planning, and lack of training.

In accordance with the backfit rule, 10 CFR 50.109, the staff is currently performing a formal regulatory analysis to determine if the potential requirements discussed above will yield a substantial improvement in safety and are cost effective. A final decision will be made on the need for new requirements and the form they should take after the Commission, the Advisory Committee on Reactor Safeguards, and the Committee To Review Generic Requirements have reviewed the issues.
8 POTENTIAL NRC STAFF ACTIONS

As discussed in Chapter 1 and in SECY 91-283, the staff has evaluated a number of key issues regarding shutdown risk, and additional technical issues. By means of this review, the staff has identified potential actions that can improve the following NRC programs as they relate to shutdown and low-power operations: the licensing reviews for advanced reactor design, the inspection program, the operator licensing program, and the program for analysis and evaluation of operational data. In addition, probabilistic risk assessment (PRA) studies of shutdown and low-power conditions at Surry and Grand Gulf will continue.

From a more general viewpoint, the staff has reconfirmed that nuclear reactor safety is the product of prudent, thoughtful, and vigilant efforts of the NRC and the licensees and not the result of "inherently safe" design or "inherently safe" conditions. The current areas of weakness in shutdown operations stem primarily from the false premise that "shut down" means "safe." The primary staff action must be a recognition of this fact and a resolve not to substitute complacency for appropriate safety programs.

8.1 Advanced Light-Water-Reactor Reviews

Insights from the shutdown operation work are being factored into future light-water reactor design reviews. Staff members conducting these reviews have periodically met with staff personnel working on shutdown issues since Generic Letter (GL) 88-17 was issued, and appropriate concerns have been addressed both in meetings with industry and in questions asked of the industry. As previously discussed, the April 30 through May 2, 1991, inter-office meeting on shutdown/low-power issues identified issues and topics for further consideration. These insights were incorporated into questions asked of industry representatives working on future light-water-reactor designs. This work is continuing. For example, several meetings have been held with General Electric on shutdown issues for the advanced boiling-water reactors and with ABB Combustion Engineering on the System 80+ design. The findings and conclusions reached in this report will be reviewed for applicability to these designs, and appropriate initiatives will be taken to ensure their adequate consideration.

8.2 Proposed Changes to the Inspection Program

The staff reviewed the current NRC inspection program to determine how the program could be expanded to better address shutdown issues. As a preliminary result, the staff has developed a temporary instruction (TI) for the conduct of a shutdown risk and outage management team inspection. The staff has conducted five pilot inspections at Oconee Unit 2, Indian Point Unit 3, Diablo Canyon Unit 1, Prairie Island Units 1 and 2, and Cooper Station to fully develop the TI. The staff is continuing to assess the need for this type of team inspection. Shutdown risk and outage management are being evaluated as a potential topic for the mandatory team inspection program. The results of these activities, upon their completion, will be presented to the Commission with recommendations.

8.2.1 Assessment of the Inspection Program

The staff examined its current inspection program to see if it needed to be improved. As described in NRC Inspection Manual Chapter 2515, "Light-Water Reactor Inspection Program-Operations Phase," the inspection program comprises three major program elements:

(1) core inspections

(2) discretionary inspections (which include regional initiative inspections, reactive inspections, and team inspections)

(3) area-of-emphasis inspections (which include generic area team inspections and safety-issues inspections)

Issues of shutdown and low-power risk are addressed to varying degrees in each of the three major program elements in Manual Chapter 2515. Recent changes to core-inspection procedures have added emphasis to monitoring operations during shutdown conditions. A number of reactive inspections, including several augmented inspection teams and one incident investigation team inspection, have been conducted in response to shutdown events. Safety-issues inspections have also been conducted to verify implementation of recommended actions and program enhancements required by GL 88-17. A recently issued TI (2515/113) also addressed inspection of licensee activities and administrative controls for reliable decay heat removal during outages. These inspections have succeeded in directing attention to issues of shutdown and low-power risk. However, recurring problems in the area of outage management indicate a possible need for an increased inspection emphasis in this area.

8.2.2 Team Inspection

A generic area team inspection could focus NRC and industry attention on the area of outage management, should the Commission desire such emphasis. The inspection would assess the effectiveness of licensee programs for planning and conducting plant outage activities.
As currently envisioned, the inspection would consist of a minimum of 2 weeks of onsite inspection by a team of five inspectors (including the site resident inspector). These inspections would be scheduled to coincide with the conduct of a planned outage. The first week of the inspection would coincide with outage planning and the second with the outage period. Emphasis would be placed on the following areas:

• management involvement and oversight of outage planning and implementation

• the relationships among significant work activities and the availability of electrical power supplies, decay heat removal systems, inventory control systems, and containment capability

• the procedures and training related to controlling plant configuration during shutdown conditions

• areas in which operations, maintenance, and other plant support personnel work together and channels of communications between them

• supervision of work activities and control of changes to the outage schedule

• assurance of component and system restoration before plant restart

• operator response procedures, contingency plans, and training for mitigation of events involving loss of decay heat removal capability, loss of reactor coolant system inventory, and loss of electrical power sources during shutdown conditions

• the operator's ability to monitor plant status in order to detect and classify an emergency

The pilot inspections have identified some plant deficiencies with respect to control of outage activities. In particular, at Oconee Unit 2, a required nuclear instrument reliability check had not been performed during fuel movement, and at Indian Point Unit 3, a commitment in response to Generic Letter 88-17 concerning residual heat removal (RHR) pump motor current indication had not been satisfactorily completed. The pilot inspections found that licensees were beginning to implement the NUMARC 91-06 guidelines. The outage planning process had been modified to address such areas as assessing the risks associated with planned outage activities and scheduling outage activities to minimize overall plant risk.

8.2.3 Inspection of the Use of Freeze Seals

Loss of freeze seals used in pipe connections on the bottom of the reactor vessel head in boiling-water reactors (BWRs) could cause a rapid loss of reactor coolant and a potential for core uncovery. Other concerns with the use of freeze seals are discussed in Section 6.6.1. The staff concluded that freeze seals should be treated as plant modifications and, therefore, should be evaluated in accordance with requirements of 10 CFR 50.59. Consequently, the staff intends to revise the NRC Inspection Manual to include guidance on application of 10 CFR 50.59 to freeze-seal operations to ensure that proper safety evaluation is performed and unreviewed safety questions are identified. This revision will be evaluated to determine if it constitutes a backfit (i.e., change of a staff position) and will be presented to the Committee To Review Generic Requirements for review.

8.3 Operator Licensing Program

The staff recognizes that operators who have proper knowledge and understanding of risks associated with shutdown can greatly reduce risk associated with outage activities. This knowledge and understanding can be increased through training programs that give more emphasis to shutdown operations. The staff also recognizes that although the current Nuclear Regulatory Commission (NRC) Examiner Standards (NUREG-1021) allow for coverage of shutdown operations, the standards do not specify what constitutes an acceptable level of coverage. Consequently, the staff revised the current NRC Examiner Standards. The standards for the initial examination have been revised to strengthen reference information and ensure that at least one job performance measure related to shutdown and low-power operations was evaluated. The standards for requalification examinations have been revised to (1) place more emphasis on shutdown operations and (2) review the licensee's requalification exam test outline for coverage of shutdown and low-power operations, consistent with the licensee's Job Task Analysis and Operating Procedures. These changes are incorporated in NUREG-1021, Revision 7.

8.4 Analysis and Evaluation of Operational Data

The Office for Analysis and Evaluation of Operational Data (AEOD) is performing an analysis of shutdown and low-power (SD/LP) operational data. This special study (similar in approach to the Reactor Scram Study, NUREG-1275, Volume 5) is an assessment of existing SD/LP operating performance and is designed to provide a baseline and the process for trending future performance. The analysis will identify industry-wide indicators and provide a means of assessing trends for SD/LP issues. The study will also evaluate the availability of operational
data for effective assessment of SD/LP performance trends.

SD/LP event reporting practices were also reviewed. Although sufficient information is available to analyze SD/LP operating performance, weaknesses were identified. AEOD will incorporate the results of this review in a revision to NUREG-1022, "Event Reporting Systems, 10 CFR 50.72 and 50.73," as appropriate.

8.5 PRA Studies

The Office of Nuclear Regulatory Research (RES) conducted PRA investigations of shutdown and low-power operations at Surry and Grand Gulf in several stages. Quantitative findings in the form of point estimates for the level 1 internal events have been completed. Results for the seismic and internal fire and flooding analyses will follow later in 1993.

An uncertainty analysis and a comprehensive report covering this stage will be completed by the end of 1993. This will include a conventional PRA for the complete set of level 1 sequences, to be followed by a more comprehensive analysis using state-of-the-art methods.

RES has also performed abridged level 2 and 3 analysis for Surry and Grand Gulf for specific plant operating states (i.e., specific portions of the overall low-power and shutdown mode). The results of these analyses indicated that the consequences of a core-meltdown accident could be significant, at least for the specific operating states studied, in which many of the containment barriers were unavailable.

8.6 Emergency Planning

The Nuclear Management and Resources Council (NUMARC) has developed a system similar to that in NUREG-0654 for classifying abnormal occurrences at nuclear power plants. The NUMARC methodology is documented in NUMARC/NESP-007, Revision 2, "Methodology for Development of Emergency Action Levels." In developing this system, NUMARC has recognized that initiating conditions are more accurately defined when the plant's mode of operation is considered. In the NUMARC methodology, initiating conditions are dependent on the reactor mode of operation. The NRC staff endorsed the NUMARC methodology in Regulatory Guide 1.101, Revision 3, issued in August 1992.

Although the NUMARC methodology includes initiating conditions for nuclear plants during shutdown and refueling, it is not considered complete in that regard. NUMARC intends to complete its analysis of the findings of the NRC's shutdown and low-power evaluation and to develop an industry position on possible further guidance. The NRC staff will coordinate its efforts with NUMARC to develop and issue guidance that will help licensees identify initiating conditions* and to develop associated emergency action levels for the shutdown and refueling conditions.

*The initiating conditions listed in Appendix 1 in NUREG-0654 are used by each licensee to develop emergency action levels based on site-specific measurable/observable plant indicators.
9 REFERENCES

The references listed here were used to varying degrees in conducting this evaluation and preparing this report. They are arranged by issuing body or author.

American National Standards Institute
ANSI/ANS-3.5-1985
"Nuclear Power Plant Simulators for Use in Operator Training."

Battelle Columbus Laboratories
"Development of Guidelines for Use of Ice Plugs and Hydrostatic Testing," November 1982.

Brookhaven National Laboratory
"PWR Low Power and Shutdown Accident Frequencies Program-Phase 1: Coarse Screening Analysis," Draft Letter Report, November 13, 1991.
"PWR Low Power and Shutdown Accident Frequencies Program-Phase 2: Internal Events," Draft Letter Report, August 31, 1992.
"Fire Risk Analysis of POS 6 and 10 Surry Low Power and Shutdown Project," Draft Letter Report, January 8, 1993.

Electric Power Research Institute
EPRI NP-6384-D
"Freeze Sealing (Plugging) of Piping," February 1989.

Idaho National Engineering Laboratory
EGG-EAST-9337, Rev. 1
"Thermal-Hydraulic Processes Involved in Loss of Residual Heat Removal During Reduced Inventory Operation," February 1991.

Jacobson, S.
"Some Local Dilution Transients in a Pressurized Water Reactor," Thesis No. 171, LIU-TEK-LK-1989;11, Linkoping University, Sweden.

Nuclear Management and Resources Council
"Guidelines for Industry Actions To Assess Shutdown Management," December 1991.
NUMARC/NESP-007, Rev. 1
"Methodology for Development of Emergency Action Levels," 1991.

Nuclear Regulatory Commission
AEOD Special Report
"Review of Operating Events Occurring During Hot and Cold Shutdown and Refueling," December 4, 1990.
"Decay Heat Removal System Operability," May 1980.
CN 87-22 "NRC Inspection Manual."
"Transmittal of Revised Technical Specifications for Decay Heat Removal Systems at PWRs," June 1980.
"Natural Circulation Cooldown," May 1981.
"Nuclear Power Plant Staff Working Hours," June 15, 1982.
"Inadvertent Boron Dilution Events," January 1985.
"Technical Resolution of Generic Issue B-59, (N-1) Loop Operation in BWRs and PWRs," March 1986.
"Loss of Residual Heat Removal (RHR) While the Reactor Coolant System (RCS) Is Partially Filled," July 1987.
"Loss of Decay Heat Removal," October 17, 1988.
"Initiation of the Individual Plant Examination for Severe Accident Vulnerabilities," August 1989.
Generic Letter 90 "Resolution of Generic Issues 70, "Power-Operated Relief Valve and Block Valve Reliability," and 94, "Additional Low-Temperature Overpressure Protection for Pressurized Water Reactors" [pursuant to 10 CFR 50.54(f)]," June 1990.
"Nuclear Plant Staff Working Hours," June 1991.
"Potential Problems With the Use of Freeze Seals," June 27, 1991.
"Foreign Experience Regarding Boron Dilution," September 1991.
Memorandum From J.M. Taylor to the Commissioners, "Staff Plan for Evaluating Safety Risks During Shutdown and Low Power Operations," October 22, 1990. (Available in the Public Document Room attached to minutes of public meeting with NUMARC, November 7, 1990.)
"Control of Heavy Loads at Nuclear Power Plants," July 1980.
NUREG-0654, Rev. 1
"Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants" (FEMA-REP-1), November 1980.
NUREG-0800
"Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," June 1987.
NUREG-1021, Rev. 6
"Operator Licensing Examiner Standards," 1990.
"Event Reporting System, 10 CFR 50.72 and 50.73," September 1991.
NUREG-1122 "Knowledges and Abilities Catalog for Nuclear Power Plant Operators: Pressurized Water Reactors," December 1989.
NUREG-1123 "Knowledges and Abilities Catalog for Nuclear Power Plant Operators: Boiling Water Reactors," December 1989.
"Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," December 1990.
"Loss of Residual Heat Removal System," June 1987.
"Reactor Scram Study," March 1989, Addendum August 1989.
"Loss of Vital AC Power and the Residual Heat Removal System During Mid-loop Operations at Vogtle Unit 1 on March 20, 1990," June 1990.
NUREG/BR-0150, Rev. 1 "RTM-91: Response Technical Manual," Volumes 1 and 2, AEOD, April 1991.
"Precursors to Potential Severe Core Damage Accidents: 1990, A Status Report," Oak Ridge National Laboratory, Volume 14, September 1991.
"Improved Reliability of Residual Heat Removal Capability in PWRs as Related to Resolution of Generic Issue 99," Brookhaven National Laboratory, May 1988.
"Probability and Consequences of Rapid Boron Dilution in a PWR: A Scoping Study," Brookhaven National Laboratory, March 1992.
"Consequences of Loss of the RHR System in Pressurized Water Reactors," Idaho National Engineering Laboratory, May 1992.
"Emergency Planning and Preparedness for Nuclear Power Reactors," Rev. 3, August 1992.
Regulatory Guide 1.149 "Nuclear Power Plant Simulation Facilities for Use in Operator License Examinations," April 1987.
"Evaluation of Shutdown and Low Power Risk Issues," James M. Taylor, Executive Director for Operations, to the Commissioners, September 9, 1991.
Site Access Training Manual Compiled by NRC Technical Training Center, June 1991.

Nuclear Safety Analysis Center (EPRI/NSAC)
NSAC-52
"Residual Heat Removal Experience and Safety Analysis, Pressurized Water Reactors," January 1983.
NSAC-83
"Brunswick Decay Heat Removal Probabilistic Safety Study," Final Report, October 1985.
NSAC-84
"Zion Nuclear Plant Residual Heat Removal PRA," July 1985.
NSAC-125
"Industry Guidelines for 10 CFR 50.59 Safety Evaluations," June 1989.

Salah, S., et al.
"Three Dimensional Kinetics Analysis of an Asymmetric Boron Dilution in a PWR Core," Trans. ANS, 15:2 (1972)

Sandia National Laboratories
"BWR Low Power and Shutdown Accident Sequence Frequencies Project-Phase 1: Coarse Screening Analysis," Draft Letter Report, November 23, 1991.
APPENDIX A

Cold Shutdown Event Analyses

This appendix documents the precursor analyses of ten cold shutdown events. This documentation includes (1) a description of the event, (2) additional event-related information, (3) a description of the model developed to estimate a conditional core damage probability for the event, and (4) analysis results. A table of contents, Table A.1, follows.

Table A.1. Index of cold shutdown analyses

| LER No. | Description of Event | Plant |
|---|---|---|
| 271/89-013 | Reactor cavity draindown | Vermont Yankee |
| 285/90-006 | Loss of offsite power, diesel fails to load automatically | Fort Calhoun |
| 287/88-005 | Errors during testing resulted in a 15 min loss of shutdown cooling during mid-loop operation | Oconee 3 |
| 302/86-003 | Loss of decay heat removal for 24 min due to pump shaft failure and redundant loop suction valve failure | Crystal River 3 |
| 323/87-005 | Loss of RHR cooling results in reactor vessel bulk boiling | Diablo Canyon 2 |
| 382/86-015 | Localized boiling during mid-loop operation | Waterford 3 |
| 387/90-005 | RPS bus fault results in loss of normal shutdown decay heat removal | Susquehanna 1 |
| 397/88-011 | Reactor cavity draindown | WNP 2 |
| 456/89-016 | RHR suction relief valve drains 64,000 gal from RCS | Braidwood 1 |
| 458/89-020 | Freeze seal failure | River Bend |
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS

LER No.: 271/89-013 R1
Event Description: Reactor cavity draindown
Date of Event: March 9, 1989
Plant: Vermont Yankee Nuclear Power Station

Summary

Vermont Yankee maintenance personnel established a reactor cavity leak path on March 9, 1989 when they performed required post-maintenance testing on a residual heat removal/shutdown cooling (RHR/SDC) suction valve. Operators took more than 47 min to determine the flow path for the resultant draindown, which transferred about 10,300 gal of water to the suppression pool. The leak path was isolated in two min once the source of the leak was discovered. The conditional core damage probability estimated for this event is less than 1 x 104

Event Description

On March 4, 1989, Vermont Yankee placed the "B" loop of RHR into SDC and took the "A" loop out of service for maintenance. Five days later the "A" and "C" RHR pump motors were racked out for maintenance. System logic, in effect at that time, opened the min-flow valve for these pumps. About 15 h later, electrical maintenance personnel racked out the "A" and "C" SDC suction valves. Following the repair work on the valves, the technicians manually stroked open the valves as required by procedure. This established a leak path for the reactor cavity. Personnel working on the refuel floor notified the control room operators within five min that they had noticed an 18" drop in the reactor cavity water level. The operators thought this was due to the refilling of the recently opened portion of the "A" RHR loop. However, 15 min later the refuel floor personnel reported another 18" drop in level. The refuel floor was evacuated as a result, and the operators began to search for the leakage path. Refuel floor personnel reported additional level decreases at 15 min intervals. Successive level drops of 24" and 60", following the first two 18" drops, were noted before the control room operators discovered the leak path. An operator was sent to close the manual isolation valve in the minimum flow line, which isolated the leak path.

It should be pointed out that RHR SDC was never lost and that the reported total level drop was 120" while the measured drop was 72". The latter measurement was based on the inventory increase in the suppression chamber. Further, this event could only have occurred with the vessel head removed.

Fig. 1 is a simplified drawing of the RHR system.
Additional Event-Related Information

Initial water level was about 290" above top of active fuel (TAF); this corresponds to 13" below the reactor vessel flange. Primary containment isolation system automatic initiations occur at 127" above TAF: specifically, a reactor scram and the automatic isolation of the RHR SDC from the reactor recirculation system. Emergency core cooling system (ECCS) initiation occurs at 82.5" above TAF. Upon ECCS initiation, RHR automatically lines up for low-pressure coolant injection (LPCI) mode; that is, valves line up for pump suction on the suppression chamber, SDC isolation, and test return isolation.

ASP Modeling Assumptions and Approach

Analysis for this event was developed based on procedures (e.g. Procedure OP 2124, Rev. 20, Issued October 13, 1988) in effect at Vermont Yankee at the time of the event, the Plant Technical Specifications, and the Final Safety Analysis Report. While the following assumptions are specific to Vermont Yankee, they are applicable to most contemporary boiling water reactors (BWRs).

- a. Core damage end state. Core damage is defined for the purpose of this analysis as reduction in reactor pressure vessel (RPV) level above TAF or unavailability of suppression pool cooling in the long term. With respect to RPV inventory, this definition may be conservative, since steam cooling may limit clad temperature increase in some situations. However, choice of TAF as the damage criterion allows the use of simplified calculations to estimate the time to an unacceptable end state.
- b. Prolonged maintenance on an RHR train (as in this event) is only likely with the reactor head removed. Therefore, only this head state was considered in the analysis. If the head is removed, then any makeup source greater than ~200 gpm, combined with boiling in the RPV, will provide adequate core cooling.
- c. Four makeup sources were available during this event: low-pressure coolant injection (LPCI), core spray, control rod drive (CRD) flow and the feedwater/condensate system. Use of any other source of makeup is considered a recovery action.

The event tree model for the event is shown in Fig. 2. If the loss of inventory is corrected before RPV isolation (as was the case during the event), then RHR cooling is maintained. Once RPV level decreases to the RHR SDC isolation setpoint (127" TAF) and either of the RHR suction line isolation valves close, normal shutdown cooling is lost. In this case, RPV makeup using LPCI, core spray, CRD flow or the condensate/feedwater system will provide continued core cooling. LPCI and core spray will automatically initiate once RPV inventory drops to the ECCS initiation setpoint (82.5"), if not initiated manually before this point. If RHR SDC isolation fails, then one LPCI or core spray pump will provide sufficient makeup to offset the loss through the open min-flow valve.

The following branches are included on the event tree:

Inventory Loss Terminated Before RHR ISO. Operator action to identify and isolate the inventory loss prior to the RHR SDC isolation setpoint will prevent loss of SDC. Based on simplifying assumptions, it is estimated that the vessel level would reach the RHR SDC isolation setpoint in approximately 1.8 h.

Assuming (1) an exponential repair model, (2) that the observed time to detect and isolate is the median time for such actions, and (3) that no isolation was possible during the first 20 min (to account for required response and diagnosis), a probability of 0.1 is estimated for failing to isolate the inventory loss prior to reaching the RHR SDC isolation setpoint.
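The 0.1 estimate above can be reproduced with an exponential repair model that starts after the 20 min dead time. The following Python is an added example, not code from the report. It assumes an observed isolation time of 49 min (the 47 min search plus 2 min to isolate), reads "median" as the median of the total time including the dead time, and cross-checks the 1.8 h figure with a constant drain rate inferred from the measured 72" drop; the function names are hypothetical.

```python
"""Added example: delayed-exponential non-isolation estimate for the draindown."""
from math import exp, log

# Values taken from the analysis text (levels in inches above top of active fuel).
INITIAL_LEVEL_IN = 290.0        # initial water level
RHR_ISO_SETPOINT_IN = 127.0     # RHR SDC isolation setpoint
DEAD_TIME_MIN = 20.0            # no isolation credited during the first 20 min
PAGE_TIME_TO_SETPOINT_H = 1.8   # time to reach the setpoint, as stated in the text

# Assumptions of this example (not stated in this form in the report):
OBSERVED_ISOLATION_MIN = 47.0 + 2.0  # search time plus time to close the valve
MEASURED_DROP_IN = 72.0              # measured drop, taken as occurring over that time


def time_to_level_min(start_in, target_in, drop_in, elapsed_min):
    """Minutes to fall from start to target at the constant rate drop_in/elapsed_min."""
    if drop_in <= 0 or elapsed_min <= 0:
        raise ValueError("need a positive observed drop and duration")
    if target_in >= start_in:
        return 0.0  # already at or below the target level
    rate_in_per_min = drop_in / elapsed_min
    return (start_in - target_in) / rate_in_per_min


def p_not_isolated(t_available_min, median_min, dead_time_min):
    """P(leak still open at t_available) for an exponential repair model that
    begins after dead_time_min and whose overall median is median_min."""
    if median_min <= dead_time_min:
        raise ValueError("median must exceed the dead time")
    if t_available_min <= dead_time_min:
        return 1.0  # nothing can be isolated during the dead time
    lam = log(2.0) / (median_min - dead_time_min)  # puts the median at median_min
    return exp(-lam * (t_available_min - dead_time_min))


def vermont_yankee_estimates():
    """Return the time-to-setpoint cross-check and both probability estimates."""
    t_rate = time_to_level_min(INITIAL_LEVEL_IN, RHR_ISO_SETPOINT_IN,
                               MEASURED_DROP_IN, OBSERVED_ISOLATION_MIN)
    return {
        "time_to_setpoint_h": t_rate / 60.0,
        "p_page_time": p_not_isolated(PAGE_TIME_TO_SETPOINT_H * 60.0,
                                      OBSERVED_ISOLATION_MIN, DEAD_TIME_MIN),
        "p_constant_rate_time": p_not_isolated(t_rate, OBSERVED_ISOLATION_MIN,
                                               DEAD_TIME_MIN),
    }


if __name__ == "__main__":
    for name, value in vermont_yankee_estimates().items():
        print(f"{name}: {value:.3f}")
```

Both time inputs give a non-isolation probability that rounds to 0.1, so the result is not sensitive to the exact time to the setpoint.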
Inventory Loss Terminated by RHR ISO. Closure of either of the SDC suction isolation valves will isolate the RHR system and terminate the loss of inventory. Based on the failure probabilities used in the ASP program, a probability of failing to isolate RHR of 1 x 10-3 is estimated. If one division were unavailable, a probability of 1 x 104 would be estimated.

LPCI Flow Available. On Vermont Yankee, one or more RHR/LPCI pumps take a suction from the suppression pool (i.e. torus) and discharge to the core via the reactor recirculation loops. RHR/LPCI consists of two redundant trains, each of which includes two parallel RHR/LPCI pumps, one suction valve (open when a train is aligned for LPCI, closed when aligned for SDC), and one discharge (RPV injection) valve (closed when a train is aligned for LPCI, open when aligned for SDC).

In this event, the pumps in one of the two trains were unavailable because of maintenance. Injection success for the operating train requires the suppression pool suction valve for the operating RHR pump to open. If this valve fails to open, the non-operating pump must start and its suction valve must open. Based on probability values used in the ASP program, a LPCI failure probability of 3.7 x 104 is estimated. It was assumed that normally-open valves and check valves do not contribute substantially to system unavailability.

Core Spray Flow Available. For Vermont Yankee, the core spray system consists of two trains. Each train includes one pump with a single, normally open motor-operated suction valve and a single normally-closed discharge (RPV injection) valve. The pump suction source is normally the suppression pool. Based on the probabilities used in the ASP program, a failure probability of 6.8 x 104 is estimated. If one division were unavailable, this probability would be 6.8 x 10-3. It was assumed that normally-open valves and check valves do not contribute substantially to system unavailability.

CRD Flow Available. At cold shutdown pressures, one of two CRD pumps can provide makeup. Since one pump is typically running, the system will fail if that pump fails to run or if the other (standby) pump fails to start and run. Assuming a probability of 0.01 for failure of the standby CRD pump to start, and 3.0 x 10-5/hr for failure of a pump to run, results in an estimated failure probability for CRD flow of 3.0 x 104. In this estimate, a short-term, non-recovery likelihood of 0.34 was applied to the non-running pump failure-to-start probability, consistent with the approach used to estimate the failure probability for the core spray system. A mission time of 24 h was also assumed. If only one train is available (because of maintenance on the opposite division), then the CRD failure probability is estimated to be 7.2 x 104

Feedwater/Condensate Available. While the feedwater or condensate pumps can provide more than adequate makeup, they are often unavailable during a refueling outage because of work on the secondary system; however, for this event, the feedwater/condensate system was available. A failure probability of 0.01 was assumed in this analysis.

For this event, substantial time existed to recover equipment failures. If RHR isolation was successful, more than 24 h would have been required before core uncovery. This long period of time is primarily due to the large volume of vessel inventory above the core and the relatively low decay heat load from the core. If RHR isolation failed, 1.4 h would have been required to reduce RPV level to TAF. These estimates are based on an initial water level 13" below the top of the vessel flange. Normally, with the head off, the reactor cavity would be flooded, which would add significant additional inventory.

Analysis Results

Based on the model described above, the conditional probability of severe core damage for this event is estimated to be less than 1.0 x 104. This low value reflects the multiplicity of systems available to provide continued core cooling and the reactor vessel head status believed to be required before conditions which lead up to the event could have occurred.
Fig. 1. Vermont Yankee RHR System

Fig. 2. Event tree model for LER 271/89-013 R1. Branch headings: loss of inventory; inventory loss terminated before RHR isolation; inventory loss terminated by RHR isolation; LPCI flow; CS flow; CRD flow; condensate flow; end state; sequence number; notes.

Notes:
1. Alternate sources of service water may also provide injection.
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS

LER No.: 285/90-006
Event Description: Loss of offsite power, diesel fails to load automatically.
Date of Event: February 26, 1990
Plant: Fort Calhoun

Summary

During a refueling outage, a spurious relay actuation resulted in isolation of offsite power supplies to Fort Calhoun. One diesel generator (DG) was out of service for maintenance; the other started but was prevented from connecting to its electrical bus by a shutdown cooling pump interlock. Operators identified and corrected the problem, and the DG was aligned to restore power to the plant. The conditional probability of core damage estimated for this event is 3.6 x 10-4. The dominant sequence involves failure to recover AC power or provide alternate RCS makeup from the RWT prior to core uncovery. The calculated probability is strongly influenced by estimates of failing to recover AC power in the long term. These estimates involve substantial uncertainty, and hence the overall core damage probability estimated for the event also involves substantial uncertainty.

Event Description

On February 26, 1990, on the ninth day of a refueling outage and with the RCS partially filled (above mid-loop) to support control element assembly uncoupling, spurious actuation of a switchyard breaker backup trip relay opened circuit breakers supplying power to 4160 V buses 1A1, 1A2, 1A3, and 1A4 from the plant 22 kV system. Normal power supplies to ESF buses 1A3 and 1A4 are from the 161 kV system, but these supplies had been removed to support maintenance activities. Emergency power supplies are provided for buses 1A3 and 1A4. The emergency power source for bus 1A3, DG D1, was out of service for maintenance, so no emergency power was available to that bus. The backup power source for bus 1A4, DG D2, started but was prevented from energizing the bus by an interlock in a low-pressure safety injection (LPSI) pump circuit. This resulted in interruption of all AC power supplies to plant equipment.

Prior to the event, LPSI pump "B" had been placed in service for residual heat removal. The plant electrical system is designed such that, if a LPSI pump has been manually started and a subsequent loss of offsite power occurs, the LPSI pump breaker cannot be opened automatically and the DG output breaker for the affected train cannot be closed to feed its ESF bus. Thus, while DG D2 started correctly in response to the undervoltage condition on bus 1A4, the LPSI pump remained tied to the bus and the DG could not supply its loads.

Approximately one minute after the loss of offsite power (LOOP), plant operators opened the LPSI pump breaker and DG D2 energized bus 1A4. The pump was then returned to service for shutdown cooling. Thirteen minutes later, offsite power was restored to bus 1A3.
Event-Related Information

Current plant procedures (pp 5-6 of AOP-32, "Loss of 4160 Volt or 480 Volt Bus Power") address the need to manually trip an operating RHR pump breaker before attempting to power the bus from its DG. Note that Rev. 0 of this procedure was issued in February 1991. However, the operators were able to restore shutdown cooling within 44 seconds, which indicates knowledge of this design condition did exist.

ASP Modeling Approach and Assumptions

Of interest in this event is the ability of plant operators to determine the need to remove loads from a deenergized ESF bus before attempting to repower from the emergency DG. This requirement is currently proceduralized and operator actions during the actual event show that the operators did not experience difficulty in repowering the bus.

The probability value used in the ASP program for failure of a single DG to start and supply its loads is 0.05. The likelihood that operators would fail to open the LPSI pump breaker, allowing the DG to feed ESF loads, is considered to be small in comparison. Therefore, the interlock design feature was not separately modeled.

During shutdown and refueling operations, a loss of AC power will result in loss of shutdown cooling/decay heat removal. The amount of time that decay heat removal can be unavailable before core damage results is a function of a number of variables including core power history, time since shutdown, water level in vessel, heat sinks available, and refueling configuration (head off/on, cavity flooded/not flooded, etc.).

The most limiting case occurs during mid-loop operation (reactor coolant drained to level of main coolant nozzles) with a high decay heat load (see discussion of Vogtle event NUREG-1410). With lesser decay heat loads and/or a larger volume of coolant in the reactor coolant system (RCS), additional time exists for recovery actions. The likelihood of success for such actions has not been well quantified to date. However, it is believed that the increased likelihood of success associated with the additional time available when the plant is not in mid-loop more than compensates for the higher fraction of time that the plant is in a non-mid-loop condition, and that the risk associated with mid-loop therefore dominates.

In this event, the LOOP occurred early in a refueling outage, when decay heat loads could be expected to be fairly large. One train of emergency power was out of service. Fort Calhoun was above mid-loop at the time of the event. However, any of three states may be found nine days into a refueling outage: mid-loop, normal shutdown, or refueling (reactor head off and cavity filled). As discussed, the first case is believed to dominate risk.
The event was modeled as a loss of offsite power during mid-loop operation. The event tree model is shown in Fig. 1. Recovery of RHR is not specifically shown, but is assumed to occur within one-half hour of recovering power to the safety-related buses. This time period reflects the potential need to vent the RHR system if reactor vessel inventory is lost because of boiling. Note that use of gravity feed from the RWT for RCS makeup is not viable at Fort Calhoun because of the location of the tank, and hence is not addressed in the model.

Branch probabilities were estimated as follows:

- 1. 0.11, based on NUREG-1410 (pp 6-7). Assuming the occurrence of a LOOP is independent of the shutdown RCS status, the likelihood of being in mid-loop, given a loss of offsite power occurs during shutdown, is 0.11.
- 2. Emergency power fails. One DG was unavailable prior to the event. Since operator action to trip the operating RHR pump (to allow DG load) is not believed to appreciably impact the overall emergency power reliability, a nominal DG failure probability of 0.05 was assigned to this branch.
- 3. Offsite power recovered prior to saturation. By interpolation of data from NUREG-1410, it was estimated that, in mid-loop operation, the RCS coolant inventory would have reached saturation temperature in approximately 1 h. Recovery of offsite power prior to this time was assumed to prevent core damage. A probability of not recovering offsite power within one hour of 0.25 was used in the analysis. This probability was estimated using the plant-centered LOOP recovery curves in NUREG-1032 by assuming (1) that the observed time to recover offsite power (14 min) represented the median of such recovery actions and (2) that the shape of the plant-centered non-recovery distributions were representative for this event.

successful restart of RHR (including any required venting) or provision of pressurized RCS makeup is assumed to prevent core damage. Assuming core uncovery would occur in about 3 h, a probability of failing to recover AC power by that time, given that it was not recovered at 1 h, of 0.26 is estimated.

Analysis Results

The estimated conditional core damage probability associated with the LOOP at shutdown, given that one emergency DG was unavailable, is 3.6E-04. This value is essentially unrelated to the "design feature" which prevented auto DG loading if an RHR pump was in operation. The conditional probability is strongly influenced by assumptions regarding operator actions to align emergency power. It is also influenced by the assumption that no procedural requirement exists to prevent one DG being removed from service for maintenance at the same time that the RCS inventory is reduced below normal levels.
Fig. 1. Core Damage Event Tree for Loss of Offsite Power During Refueling Outage at Fort Calhoun. Branch headings: LOOP during shutdown cooling; RCS level (mid-loop), 0.11; emergency power, 0.05; offsite power recovered prior to saturation, 0.25; AC power recovered prior to core uncovery, 0.26; end state (OK or CD).
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS

LER No.: 287/88-005
Event Description: Errors during testing resulted in a 15 min loss of shutdown cooling during mid-loop operation
Date of Event: September 11, 1988
Plant: Oconee 3

Summary

A loss of AC power occurred at Oconee 3 while at mid-loop as a result of errors during emergency power switching logic circuit testing. This loss of power, which had to be recovered by local breaker closure, resulted in a 15 min loss of decay heat removal. The conditional probability of core damage estimated for the event is 1.7 x 10-6. The dominant sequence involves failure to recover main feeder bus power from either of two offsite sources and failure to implement alternate reactor coolant system (RCS) makeup using the standby shutdown facility. Had this event occurred at a later time, when the current loss of the low pressure injection (LPI) system procedure was in effect, the conditional probability would be estimated to be below 1.0 x 10-6. This is a result of the additional methods of decay heat removal specified in the current procedure.

Event Description

Oconee 3 was in cold shutdown with RCS in mid-loop. Test procedure PT/3/A/0610/01H, "Emergency Power Switching Logic Standby Breaker Closure Channel A & B," was started to test the circuitry for the emergency power switching logic. A decision was made to use the "Procedure for Removing From or Returning to Service 6900/4160/600 Volt Breakers" (R&R procedure) during the test. This decision was made since the breaker checklist, which confirms that groups of breakers are properly aligned, had already been completed in preparation for Unit 3 startup. The control room supervisor did not review the R&R procedure to identify any differences between it and the emergency power switching logic test procedure. In actuality, differences did exist and inapplicable sections of the R&R procedure should have been so marked by the control room supervisor.

During performance of the test, questions were raised by the non-licensed operator (NLO) responsible for aligning the breakers about an inconsistency between the two procedures regarding racking in breakers. The test procedure required this be done with the control power fuses removed to prevent spurious breaker trips when trip signals were generated, while the R&R procedure required control power fuses to be installed before breaker closure. This inconsistency was resolved by the control room supervisor, but inapplicable sections of the R&R procedure were still not marked.

Later in the test, the NLO originally responsible for aligning the breakers was reassigned to another task. A second NLO, who was now supporting the emergency power switching logic test, also questioned the inconsistency between the two procedures (he had been verbally informed the R&R procedure was being used after he had aligned breakers based only on the switching logic test procedure). The control room supervisor who had reviewed the two procedures was unavailable because of a meeting, and the unit supervisor instructed the NLO to restore the control power fuses in accordance with the R&R procedure.

Upon installation of the control power fuses, breaker 3 BIT-1 tripped open and a loss of power occurred on Unit 3. At the time of the trip (0317), decay heat removal was being accomplished through the LPI system. RCS temperature was 90F. Upon the loss of power, the operating LPI pump was deenergized and decay heat removal capability was lost. Since the incore thermocouples had not been reconnected and the loss of power caused a failure of Reactor Vessel Level Transmitter 5, there were no available indications to determine the condition of the core. Even though the reactor protective system indications are battery-backed, these indications come from hot leg and cold leg resistance temperature detectors (RTDs), which were not available due to the system being open and due to the ongoing outage work.

The first method that was used in an attempt to restore power was to open the standby breakers and try to close breaker 3 BIT-1 to provide power from the startup bus. This method was attempted since it was initially believed that 3 BIT-1 tripped because the standby breakers were closed when the control power fuses were installed.

What actually tripped the breaker was a trip signal from a variable voltage transformer being used during the performance of the emergency power switching logic test. However, when the loss of power occurred, the variable voltage transformer also lost power. This resulted in a no-power-on-the-startup-bus condition being sensed by the breaker, which prevented the breaker's closing. Operations personnel then racked the standby bus breakers into the closed position and energized the standby bus through those breakers.

When the standby bus was energized at 0332, the loss of power was terminated, the LPI pumps were restarted, and decay heat removal capability was again established. The core temperature was found to have risen approximately 15 degrees to approximately 105F. At 0355, an ALERT was declared on Unit 3 due to the "Loss of Functions to Maintain Plant Cold Shutdown" which occurred during the loss of power from 0317 to 0332. The ALERT was terminated at 0410.

Event Related Information

At the time of the event, Unit 3 had completed refueling. The reactor vessel head was in place but not bolted, the RCS was depressurized, and RCS loops were drained to approximately 15 in above loop center line. One LPI pump was operating for decay heat removal, maintaining core coolant temperature at approximately 90F. The reactor building equipment hatch was open; therefore, containment was not closed at the time of the event. The reactor status was approximately 32 d after shutdown. When power was lost to the LPI pumps, decay heat removal was lost.
The subject event was analyzed by Duke Power, using actual plant conditions. Based on this analysis, the water in the vessel was expected to reach saturation 125 min after the loss of decay heat removal. Subsequent boiling would lead to core uncovering 10 h after saturation occurred.

In the Duke Power Company response to Generic Letter 87-12, a worst case scenario was analyzed for loss of decay heat removal while the RCS is depressurized. In this scenario, the RCS is depressurized and drained to 10 in above the loop center line elevation, the temperature initially at 100F, and the refueling canal drained. With a loss of decay heat removal occurring 72 h after shutdown, core uncovery was predicted to occur at 2 h and 41 min.

The "Loss of Low-Pressure Injection System" procedure (AP/3/A/1700/07) applicable at the time of the event specified the following if the RCS was opened and both LPI trains were inoperable: evacuate the reactor building and establish containment integrity, utilize one HPI pump with suction from the BWST to maintain RCS inventory (and RCS temperature <200F if thermocouples are available), and if the fuel transfer canal is full, use the spent fuel coolers to maintain RCS temperature. Use of gravity feed from the Boric Water Storage Tank (BWST) is not specified in the procedure in place at the time of the event.

The "Loss of Power" procedure (AP/3/A/1700/11) applicable at the time of the event specified reenergizing the main feeder from the startup source (transformer CT3), the Keowee hydro units (transformer CT4), or from the Lee gas turbines (transformer CT5). If none of these sources were available, operators were instructed to start the Standby Shutdown Facility (SSF) diesel and provide RCS makeup using the SSF RCS makeup pump or provide RCS makeup using HPI pump powered from the auxiliary service water pump switchgear (which is powered from standby bus 1). SSF RCS makeup is provided by a 26 gpm positive displacement pump. Based on simplified calculations and scaling of other analysis results, this pump can compensate for boil off at 22 d after shutdown (eight days after shutdown if the core is refueled).

A simplified diagram of the Oconee power system is shown in Fig. 1.

The current loss of power procedure is similar to the earlier procedure for actions applicable to this event, but with supplemental information added. The current loss of LPI system procedure has been expanded to include detailed instructions for establishing containment integrity and for providing RCS makeup using gravity feed from the BWST.

ASP Modeling Assumptions and Approach

The event has been modeled as a loss of decay heat removal during mid-loop as a result of the unexpected breaker trip and subsequent loss of power to the main feeder buses. All actions specified in the loss of LPI system procedure which existed at the time of the event required operable electrically-powered pumps. Since recovery of power to the main feeder buses would also recover power to the LPI pumps, alternate decay heat removal methods available once power was recovered were not included in the model. Instead, the event tree model considered two possible means of providing continued decay heat removal: restoring power to the main feeder buses by closing one of the breakers from a powered offsite source (transformer CT-3 and CT-5) or providing RCS makeup from the SSF RCS makeup pump.

An additional complication in the analysis is the short, 1-h battery lifetime identified for Oconee in the FSAR. Probabilistic risk assessments (PRAs) typically assume battery lifetime can be extended following a station blackout by shedding less important loads. In addition, battery lifetimes at cold shutdown are also expected to be greater than just after a trip from power (see ASP analysis of the March 20, 1990 event at Vogtle, documented in NUREG/CR-4674, Vol. 14, "Precursors to Potential Severe Core Damage Accidents: 1990, A Status Report"). It was assumed in this analysis that the battery lifetime would be greater than the time required to manually rack in the breakers and restore main feeder bus power.

The event tree model is shown in Fig. 2. Event tree branch probabilities were estimated as follows:
- 1. Main feeder bus recovered. Based on the time available to perform the proceduralized actions regarding recovery of main feeder bus power, only the likelihood of equipment (breaker) failure was considered when estimating this branch probability. Using a probability of 1 x 10-3 for failure of one of the breakers to close, and typical conditional probabilities of 0.1, 0.3 and 0.5 for failure of the second, third, and fourth breakers, results in an estimated probability of 1.5 x 10-5 for failure to recover main feeder bus power from an offsite source.
- 2. SSF RCS makeup provided. Failure of this branch would occur if the SSF diesel or the SSF RCS makeup pump failed to start and run. A failure probability of 0.11 was employed, based on the analysis documented in the Oconee PRA (NSAC-60, Vol. 3, "Oconee PRA: A Probabilistic Risk Assessment of Oconee Unit 3").

Analysis Results

The conditional core damage probability estimated for this event is 1.7 x 10-6. This low value reflects the fact that an alternate, proceduralized approach for decay heat removal was available, and that power for the LPI system could be easily recovered prior to battery depletion or core uncovery by manual operation of redundant breakers.

If this event occurred earlier in the refueling, when the small SSF RCS makeup pump could not make up for boil-off, a core damage probability of 1.5 x 10-5 would have been estimated. However, the decision which precipitated the event (use of the R&R procedure in conjunction with the emergency power switching logic test procedure) was made because the plant was near the end of the outage.

Had this event occurred at a later time, when the current loss of LPI system procedure was in effect, the conditional probability would be estimated to be below 1 x 10-6. This is a result of the current requirement to use gravity feed from the BWST for RCS makeup.
Fig. 1. One line diagram of the Oconee 3 power system [diagram not reproduced; legible labels include the switchyard, transformers CT3 and CT5, the startup bus, the 4160 V standby bus, the 4160 V main feeder bus, and the 4160 V engineered safeguards switchgear buses 3TC, 3TD and 3TE]
Fig. 2. Event tree model for LER 287/88-005 [event tree not reproduced; headings: Loss of DHR in Mid-loop Due to Loss of MFB Power; Main Feeder Bus Power Recovered (1.5 x 10-5); SSF RCS Makeup Provided (0.11); End State]
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No: 302/86-003
Event Description: Loss of decay heat removal for 24 min due to pump shaft failure and redundant loop suction valve failure
Date of Event: February 2, 1986
Plant: Crystal River Unit 3
Summary
Crystal River Unit 3 was in cold shutdown when the "B" train of decay heat removal (DHR) was lost due to a pump shaft failure. The suction isolation valve for the "A" train DHR pump would not open on demand from the control room. An operator was sent to manually open the isolation valve. DHR capability was re-established approximately 24 minutes after the "A" train pump failed. Reactor coolant system (RCS) temperature rose to 131F from 98F during the period that DHR capability was unavailable.
Procedures identify 5 alternate means of providing DHR capability in addition to the "B" train of the DHR system. This event is estimated to have a probability of fuel damage of less than 1.0 x 10-4.
Event Description
Crystal River Unit 3 was in cold shutdown and was performing repairs on a reactor coolant pump. The reactor coolant level was below the level of the reactor coolant pumps and the RCS was vented to atmosphere. Reactor vessel temperatures were being maintained at 98F by the "B" train of DHR. At 21:48, the "B" DHR pump, DHP-1B, tripped due to a motor overload caused by a failed pump shaft. Action was taken to place the "A" train in operation; however, the isolation valve (DHV-39) on the suction side of pump "B" failed to open on demand from the control room. Valve DHV-39 was manually opened and DHR was restored at 22:12. RCS temperature rose to 131F during the period that DHR capability was unavailable.
After repair of the damaged pumps, personnel observed movement of the pump and piping when water was being added to the system in order to fill this train of DHR. An examination revealed that several pipe restraints in the vicinity of the pump were loose or damaged.
Event-Related Plant Information
The motor of DHP-1B overloaded and tripped as a result of a failed pump shaft. A failure analysis indicated that the failure occurred due to torsional fatigue induced by excessive shaft loading. The excessive shaft loads were most likely the result of pump air entrainment due to vortexing that occurred during operations at low RCS levels.
The failure of the suction isolation valve, DHV-39, to open on demand was a combination of several problems. Lubrication of the operator drive shaft and universal joints may have been inadequate. The operator torque switch setting was too low and the circuit breaker setpoint was too low for the motor load. Isolation valve DHV-39 was originally a manually operated valve. Its motor operator was installed in response to a NUREG-0578 item.
Crystal River 3 procedure AP-360, "Loss of Decay Heat Removal," has been substantially revised since 1986, when this event occurred. In the 1986 version, the operators are instructed to first start the alternate decay heat removal train, if available. If the alternate decay heat train cannot be started, then the procedure identified the use of OTSG cooling (if available) or SFC system, which can be tied to the DHR system on Crystal River. The use of high-pressure injection (HPI), low-pressure injection (LPI) or gravity feed from the borated water storage tank (BWST) to provide makeup to delay core uncovery is not identified in the 1986 procedure.
The current procedure has been updated to identify the following additional actions to maintain core cooling: flooding the fuel transfer canal, use of core flood tank inventory, and low- or high-pressure injection with suction from the BWST or reactor building sump.
Internals vent valves are installed in the core support shield on Crystal River 3 to prevent a pressure imbalance which might interfere with core cooling following a cold leg break. These valves are closed during normal operation, but in the event of a break in the cold leg, open and vent steam generated in the core directly to the break. During the 1986 loss of DHR, the RCS was open at a reactor coolant pump. Had DHR been lost for a sufficient period of time that boiling in the core region occurred, the vent valves would have opened to vent the steam directly to the cold legs. This would have prevented any significant reduction in pressure vessel level due to increasing pressure above the core. The location of this valve is shown in Fig. 1.
ASP Modeling Assumptions and Approach
The event has been modeled as a loss of decay heat removal during midloop with the non-running DHR train initially unavailable. Based on the 1985 loss of DHR procedure, recovery of the non-running train and the use of spent fuel pool cooling as an alternate means of providing decay heat removal are addressed as proceduralized actions. Controlled makeup to the RCS using HPI, LPI, or gravity feed from the BWST is addressed as an ad-hoc recovery action.
The event tree model is shown in Fig. 2. Based on the heatup rate specified in the LER, the time to saturation is estimated to be 83 minutes. This time period is considered more than adequate to perform the proceduralized actions which were required to open the closed DHR suction valve, DHV-39, and to implement alternate cooling using SFC system, if the valve could not be opened. Therefore, only the likelihood of equipment failure was considered when estimating branch probabilities, and not the likelihood of failing to implement required actions.
Event tree branch probabilities were estimated as follows:
- 1. Alternate DHR train started before saturation. A valve failure-to-open probability of 0.01/demand was used in the model. While this value is consistent with other ASP analyses, it is conservative compared to values used in NUREG-1150 efforts (3 x 10-3/demand, see NUREG/CR-4550, Vol. 1, Rev. 1). Since both of these values include failures associated with valve operators and actuation logic, they are both probably conservative for local, manual valve operation which was actually performed during the recovery of DHR. However, since the cause of the valve failing to operate was attributed to a variety of mechanical and electrical problems, the assumption of a typical manual valve failure-to-open probability (1 x 10-4/demand) cannot be justified.
- 2. Decay heat removal using the spent fuel cooling system prior to saturation. On Crystal River 3, the SFC system can be valved into the DHR system in the event that DHR pumps or heat exchangers are unavailable. This process, specified in OP-405, "Spent Fuel Cooling System," involves alignment of SFC and DHR system components to provide flow from the DH drop line, through one of the two SFC pumps and heat exchangers, and back to the RCS via the "B" DH inlet line.
Considering the position of DHR system valves prior to the event, use of the SFC system requires the opening of two manual valves which normally isolate this system from the DHR system (SFV-89 and SFV-87), closure of two valves to isolate the spent fuel storage pools from the SFC system (SFV-8 and SFV-9), and the start of one of two SFC pumps (SFP-1A or SFP-1B). Several additional valves must be operated, but alternate series valves or parallel paths exist should these valves fail. Based on the screening probability values used in the ASP program, the probability of not initiating cooling using the SFC system is estimated to be 1.4 x 10-3.
- 3. Controlled makeup to RCS using HPI or LPI or gravity feed from BWST (ad-hoc action at time of event). The use of HPI, LPI or core flood inventory to provide RPV makeup and delay the onset of core damage is not addressed in the procedures of 1986. This action has been included on the event tree as an ad-hoc action, and was assigned a failure probability of 0.1. This value is consistent with IPE requirements for non-proceduralized actions.
Analysis Results
The conditional core damage probability estimated for this event is 1.4 x 10-6. This low value reflects the fact that an alternate, proceduralized approach for decay heat removal was available following the loss of the operating DHR train, and that the non-operating train could be recovered by local recovery of one valve.
Had this event occurred at a later time, when the current loss of DHR procedure was in effect, the conditional probability would be estimated to be below 1.0 x 10-6. This is a result of the additional methods for decay heat removal specified in the current procedure.
Fig. 1. Internals Vent Valve and Core Support Shield [drawing not reproduced; legible labels: vent, core flooding nozzle]
Figure 2. Event Tree Model for LER 302/86-003 [event tree not reproduced; headings: Loss of DHR in Midloop; Alternate DHR train started before saturation (0.01); Decay heat removal using spent fuel pool cooling system prior to saturation (1.4 x 10-3); Controlled makeup to RCS using HPI, LPI, or gravity feed from BWST (ad hoc action at time of event) (0.1); End State]
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No.: 323/87-005 R2
Event Description: Loss of RHR cooling results in reactor vessel bulk boiling
Date of Event: April 10, 1987
Plant: Diablo Canyon 2
Summary
During the first refueling outage, the reactor coolant system (RCS) was drained to mid-loop to facilitate the removal of the steam generator (SG) primary manways for nozzle dam installation prior to SG work. As a result of a leaking valve during a penetration leak-rate test, RCS inventory was lost. The resulting low RCS level caused vortexing and air entrainment and loss of both residual heat removal (RHR) pumps. RHR cooling was lost for ~1.5 h, during which boiling occurred. After determining that the SG manways had not been removed, the RCS was flooded by gravity feed from the refueling water storage tank (RWST) and an RHR pump restarted.
The conditional core damage probability point estimate for this event is 5.5 x 10-5. This value is strongly influenced by assumptions concerning the operation staff's ability to implement non-proceduralized recovery actions.
Event Description
On April 10, 1987, the RCS was drained down to mid-loop to facilitate the removal of primary SG manways for nozzle dam installation prior to SG work. The plant was in the seventh day of the first refueling outage. RCS temperature was being maintained at ~37F. Local leak rate testing of containment building penetrations was also being performed.
Temporary reactor vessel water level indication was being provided by a Tygon tube manometer inside containment and two level indicators in the control room. The level alarms on the reactor water level indication system (RVRLIS) had not yet been reset to alarm at the mid-loop low level setpoint of 107'.
Reactor vessel level was being varied by draining to and feeding from the RWST via valves 8741, 8805A, or 8805B, as appropriate. Letdown was from the RHR pump discharge via valve HCV-133, and charging was by flow from the volume control tank (VCT) via the normal charging path (through a non-operating centrifugal charging pump). Once the RCS had been drained down to mid-loop (107'), level was being maintained by balancing letdown flow and makeup (charging) flow with the aid of VCT level changes. The allowed level range was from 107'0" (below which RHR pump cavitation was expected due to vortexing and air entrainment) and 108'2" (at which water could enter the channel head areas of the SGs).
RHR pump 2-2 was in service providing flow through both RHR heat exchangers (the trains were cross tied). RHR pump 2-1 was operable but not in service. All RHR system instrumentation was in service.
Additionally:
- The safety injection (SI) pumps were electrically isolated but available for service, if manual operation of valves was performed.
- Centrifugal charging pump (CCP) 2-2 was operable and available for immediate service. CCP 2-1 and the nonsafety-related positive displacement charging pump were tagged out but were available for service.
- The RWST was available with level at approximately 97%.
- All four accumulators had been cleared and drained.
- All four SGs had a secondary side water level of approximately 73%, with the generators vented to atmosphere through the open secondary pressure relief system.
- All core exit thermocouples had been disconnected in preparation for reactor vessel head removal.
- The containment equipment hatch and personnel airlock were open. The emergency personnel hatch was closed. Various jobs were in progress inside of containment, and a continuous purge was in progress with the containment ventilation exhaust fan discharging to the plant vent.
At approximately 2010 h, a plant engineer entered containment to begin draining a containment penetration to conduct a local leak-rate test. The penetration had been previously isolated, but one of the isolation valves did not properly seat. The plant engineer did not notify the control room that he was draining the penetration. Due to the leaking isolation valve, a drain path was created between the VCT and the reactor coolant drain tank (RCDT). VCT level immediately began to decrease. The operators attempted to restore VCT level by increasing letdown flow to the VCT. This action resulted in a slow decrease in the reactor vessel water level, as indicated on the temporary RVRLIS.
Due to the apparent loss of inventory from the RCS, plant operators isolated charging and letdown flow paths at approximately 2122 h. The resulting loss of flow to the VCT caused the VCT level to decrease rapidly. The decrease in the level in RCS stopped at an indicated level on the RVLIS of 107'4".
At 2125 hours control room operators noticed that the amperage on the 2-2 RHR pump began to fluctuate. The pump was shut down, and RHR pump 2-1 was started. Amperage on the 2-1 RHR pump also fluctuated and it was shut down. Plant operators suspected vortexing or cavitation of the pumps as the cause of the pump motor amperage fluctuations. At this point both RHR pumps were stopped, RHR cooling capability was lost, and RCS heatup began. Since the core exit thermocouples had been decoupled in preparation for subsequent reactor head removal, no RCS temperature indication was available to the plant operators.
Since the apparent vortexing or cavitation of the RHR pumps was unexpected, plant operators suspected the validity of the temporary RVRLIS indication in the control room, and an operator was dispatched into the containment building to verify level indication on the Tygon tube manometer which was being used for RCS level indication inside containment.
The shift foreman, being uncertain of the status of activities involving the removal of primary side manways on the SGs, requested that the status of this work be verified. This was necessary to assure that no personnel were inside or in the vicinity of the SG channel heads or manways before he opened valves in either of two paths to allow gravity flow of water from the RWST to the RCS.
At approximately 2210 h, the control room recorder for the temporary RVRLIS began to show an increase from 107'4". (Plant operators subsequently, at approximately 2241 h, attributed the indicated increase in RVRLIS indication to steam formation in the reactor vessel head area.) Eleven min later, the control room operators received notification that the Tygon tube manometer inside containment indicated a level of between 106'9" and 107'0". At this time an attempt was made to restart RHR pump 2-1. The pump was immediately shut down due to amperage fluctuations.
At approximately 2241 h, the control room operators were notified that the SG manways had not been removed, although bolts securing some of the manways had been de-tensioned. Valves were then opened from the RWST to establish makeup to the RCS. Thirteen min later, with RCS water level indicating 111'7", plant operators successfully restarted RHR pump 2-2. Shortly following the pump start, the RHR pump discharge temperature on the control board recorder rose to approximately 220F. Within five min, the pump discharge temperature had dropped to less than 200F.
Event-Related Plant Information
RHR Design. The Diablo Canyon 2 RHR system consists of one suction pipe which draws water from one RCS hot leg, two RHR pumps, two heat exchangers, and return lines which direct cooled water back to the RCS cold legs. At Diablo Canyon, water is normally returned to all four cold legs.
RCS Level Indication and Control. When the RCS is partially drained, water level is measured by making two connections to the RCS and determining a pressure difference. The first connection is an RCS drain on the crossover pipe of Loop 4, and the second is at the top of the pressurizer. Two types of level instrumentation are used - a Tygon tube for local level indication and two differential pressure transmitters which display level in the control room on a recalibrated and relabeled accumulator level instrument. The level observable in the Tygon tube was assumed to be RCS level. The Tygon tube manometer in use during this event suffered from a number of deficiencies:
- the tube was of small diameter (which slowed response) and its installation was poorly controlled.
- the level of interest was in a high radiation area and was difficult to read.
- the Tygon tube was marked with a marking pen at approximately one-ft graduations. Water level had to be estimated by sighting structural elevation markings and transposing by eye across available cat walks, etc. to the Tygon tube.
RVRLIS level indication is influenced by RHR flow, the extent of air entrainment and temperature differentials. Level indication in the Tygon tube was further impacted by the small diameter of the tubing, which introduced significant delays in response. The utility estimated that two inches was added to indicated RVRLIS level by pumping 10% entrained air at 3000 gpm RHR flow.
RCS drain down in preparation for SG maintenance requires very close control of RCS level. Rapid draining of SG tubes requires RCS level be maintained below 107'5.5" but above 107'3.5", at which vortexing in the vicinity of the RHR suction piping connection is fully developed with an RHR flow of 3000 gpm (Westinghouse calculation). At 1500 gpm, vortexing is fully developed at 107'1 7".
Core Heatup. Bulk boiling was estimated to have occurred 45 min after loss of RHR. This was twice as fast as indicated in information available to the operators at the time of the event. Since the RCS was essentially intact, little inventory was lost, and it has been concluded (NUREG-1269, "Loss of Residual Heat Removal System") that the core would have remained covered for an extended period of time because of condensation of steam in the SGs. If the SG primary manways had been removed at the time of the event, thereby providing a vent path for the RCS, time to core uncovery is estimated to be 1.6 h after initiation of boiling, or 2.4 h total.
RHR Recovery and Supplemental RCS Makeup. Diablo Canyon procedure OP AP-16, Rev. 0, "Malfunction of the RHR System," applicable at the time of the event provided no information specifically concerning loss of RHR during mid-loop operation. General guidance was provided for loss of RHR with the reactor head in place (repressurize the RCS with the charging pumps, start a reactor coolant pump or establish natural circulation, and utilize the SGs for decay heat removal).
For this event, the RWST was full and had been used earlier to provide RCS makeup water. In addition, the SI pumps and charging pumps could be used for RCS makeup.
Analysis Approach
Core Damage Model. The core damage model considers the possibility that the loss of RPV inventory and subsequent loss of RHR could have occurred either with the RCS intact (which was the case during the event) or with the RCS vented to the containment through openings such as the SG manways.
In the event the RCS is intact, core cooling is assumed to be provided if RCS makeup is provided and if RHR is recovered or the SGs are available for steaming. For the SGs to be effective for core cooling, steam from the reactor vessel must travel to the SGs, and condensate must flow back to the vessel, as described in NUREG-1269.
If the RCS is open, then continued RCS makeup is assumed to provide core cooling success.
The event tree model is shown in Figure 1. Three core damage sequences are shown. Sequence 1 involves the situation in which the RCS is open and RCS makeup is not provided. Sequences 2 and 3 involve a closed RCS. In sequence 2, RCS makeup is provided, but both RHR recovery fails and the SGs are unavailable for core cooling. In sequence 3, RCS makeup fails.
Branch probabilities were estimated as follows:
were scheduled to be removed at about the time of the event. The likelihood of the RCS being open was assumed to be 0.5.
- b. RCS Makeup. The likelihood of failing to maintain RCS makeup for decay heat removal if the RCS was open was estimated based on crew error probabilities developed from time reliability correlations and shown in Figure 2. Four types of crew response are addressed: (1) response based on detailed operating procedures, (2) trained knowledge-based performance, (3) typical knowledge-based performance, and (4) knowledge-based performance during very unusual events. Figure 2 was developed from curves appropriate to in-control room action, and the response time was skewed 20 min to account for recovery outside the control room. Typical knowledge-based response was assumed for the event (the operating procedure provided no information concerning mid-loop operation). For the estimated 2.4 h to core uncovery, a crew error probability of 1.0 x 10-4 is indicated.
For cases in which the RCS was closed, restoration of RCS level to allow RHR pump restart was considered to be a part of normal RHR recovery actions. The failure probability for equipment associated with restoration of RCS level was estimated to be 1.0 x 10-5.
- c. RHR recovery. Recovery of RHR was effected by starting RHR pump 2-2 after RCS level was recovered. It was assumed that RHR pump 2-1 could also have been used, although venting might have been required. Failure of RHR would therefore require failure of both RHR pumps to start and run. Based on probability values typically used in the ASP program, a branch probability of 3.4 x 10-4 is estimated.
secondary relief system was open, continued decay heat removal could be provided as long as SG makeup was available. For this analysis, it was assumed that the motor-driven AFW pumps were available for SG injection. (SG makeup would only have been required after a considerable period of time, considering the water level in the SGs at the start of the event.) A branch probability of 3.4 x 10-4 was utilized in this analysis.
Analysis Results
The estimated core damage probability associated with the loss of RHR cooling at Diablo Canyon is 5.5 x 10-5. This value is strongly influenced by assumptions concerning operator action during the event.
Substantial uncertainty is also associated with this estimate. Provided the RCS was intact and the SGs were available for decay heat removal, an extended period of time was available to effect recovery. If the RCS was open, 2.4 h were still available for recovery. However, recovery actions were not proceduralized at the time of the event.
The impact of different assumptions concerning the time after shutdown, the status of the RCS, and ability to cool the core using SGs as described in NUREG-1269 are shown below.
| Assumption | Revised Core Damage Probability |
|---|---|
| Event occurs two days after shutdown (time to boil estimated to be 0.13 h, time to core uncovery with open RCS estimated to be 1.0 h). | 1.3 x 10-3 |
| SG manways removed. | 1.0 x 10-4 |
| Natural circulation cooling using SG ineffective. | 1.8 x 10-4 |
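The branch arithmetic behind the three event trees above (LER 287/88-005, LER 302/86-003 and LER 323/87-005 R2), as an added example that is not part of the NRC report. Branch values are the ones stated in the text; the function names, and the use of (1 - failure probability) for the successful makeup branch in Diablo Canyon sequence 2, are assumptions of this example.

```python
"""Event-tree quantification for the ASP analyses above (added example)."""
from math import prod


def chain(branches):
    """Probability of one path: product of its conditional branch probabilities."""
    return prod(branches)


def ccdp(sequences):
    """Conditional core damage probability of a tree.

    `sequences` maps a sequence number to the list of conditional branch
    probabilities along that core damage path. Paths are mutually exclusive,
    so their probabilities add.
    """
    return sum(chain(b) for b in sequences.values())


def contributions(sequences):
    """Fraction of the total contributed by each core damage sequence."""
    total = ccdp(sequences)
    return {n: chain(b) / total for n, b in sequences.items()}


def oconee():
    """LER 287/88-005: dependent failure of four breakers, then SSF makeup."""
    # First breaker fails to close, then the conditional probabilities for
    # the second, third and fourth breakers as given in the text.
    p_bus = chain([1e-3, 0.1, 0.3, 0.5])
    return p_bus, ccdp({1: [p_bus, 0.11]})


def crystal_river():
    """LER 302/86-003: alternate train, SFC cooling, ad-hoc makeup all fail."""
    return ccdp({1: [0.01, 1.4e-3, 0.1]})


def diablo_canyon(p_open=0.5, p_makeup_open=1.0e-4, p_makeup_closed=1.0e-5,
                  p_rhr=3.4e-4, p_sg=3.4e-4):
    """LER 323/87-005 R2: the three core damage sequences named in the text."""
    p_closed = 1.0 - p_open
    return {
        # Sequence 1: RCS open and RCS makeup not provided.
        1: [p_open, p_makeup_open],
        # Sequence 2: RCS closed, makeup provided, RHR recovery and SGs fail.
        2: [p_closed, 1.0 - p_makeup_closed, p_rhr, p_sg],
        # Sequence 3: RCS closed and RCS makeup fails.
        3: [p_closed, p_makeup_closed],
    }


if __name__ == "__main__":
    p_bus, p_oconee = oconee()
    print(f"Oconee: bus recovery fails {p_bus:.2e}, CCDP {p_oconee:.2e}")
    print(f"Crystal River: CCDP {crystal_river():.2e}")

    base = diablo_canyon()
    print(f"Diablo Canyon: CCDP {ccdp(base):.2e}")
    for seq, frac in contributions(base).items():
        print(f"  sequence {seq}: {chain(base[seq]):.2e} ({frac:.1%})")

    # Sensitivity row "SG manways removed": the RCS is open with certainty.
    print(f"SG manways removed: CCDP {ccdp(diablo_canyon(p_open=1.0)):.2e}")
```

Sequence 1 (open RCS with no makeup) carries about nine tenths of the Diablo Canyon estimate, which is why the result is so sensitive to the assumed crew error probability.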
Fig. 1. Event tree model for LER 323/87-005 R2 [event tree not reproduced; legible headings: RPV Level, Open, Makeup, Recovery, SGs, Core Cooling, End State, Seq. No.; branch values shown: 0.5, 1.0E-4, 3.4E-4, 3.4E-4, 1.0E-5; core damage (CD) end states]
Fig. 2. Probability of not implementing RCS makeup [plot not reproduced; vertical axis from 0.0001 to 1.0, horizontal axis Time (minutes) from 1 to 1000; curves: Unusual Event (knowledge-based), Trained Event (knowledge-based), Typical Event (knowledge-based), Operating Procedure]
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No: 382/86-015
Event Description: Localized boiling during mid-loop operation
Date of Event: July 14, 1986
Plant: Waterford Unit 3
Summary
While draining the reactor coolant system (RCS) to mid-loop in preparation for replacement of a RCS pump seal, RCS level dropped below mid-loop and the operating shutdown cooling (SDC) pump [low-pressure safety injection (LPSI) pump "B"] cavitated. Approximately 4 h were required to restore SDC (level was restored approximately 40 min after recognition that the "B" LPSI pump was cavitating). During this period, local boiling was occurring in the reactor vessel.
The conditional core damage probability estimate for this event is 2.1 x 10-4. This value is strongly influenced by assumptions concerning the operation staff's ability to restore SDC using non-proceduralized pump jogging and the availability of the steam generators (SGs) as an alternate means of removing decay heat.
Event Description
On July 14, 1986, at 0113, personnel drained the RCS to mid-loop (13'4" elevation at centerline of hot-legs) in preparation for replacement of the seal package for the "2A" reactor coolant pump. The water was being drained into the refueling water storage pool (RWSP) via (1) the LPSI pump "B" mini-recirculation valves SI-120B and SI-121B (this was not specified by procedure), and (2) the holdup tanks via the chemical and volume control system (CVCS) purification exchangers through valve SI-423.
Personnel secured draining the RCS (incorrectly) at 0113 by just closing SI-423. Operations personnel neglected to close SI-120B and SI-121B; this resulted in RCS inventory being pumped into the RWSP.
A temporary Tygon tubing line was being used to measure RCS level. Throughout the draining operation, personnel experienced problems with the Tygon tubing. Positive pressure in the RCS was maintained by a nitrogen blanket. However, nitrogen could not be added fast enough to compensate for the drain down. Therefore, a slight vacuum existed in the RCS. This slight vacuum caused indicated RCS level to fluctuate. Because of this, operators did not trust the level indication.
To obtain an accurate reactor vessel level indication, operations personnel began venting the RCS. The process was complicated by the need to substitute local operators because the original operator was suffering from heat prostration. Upon completion of the venting process, the indicated vessel level fell to 9 ft (well below the hot leg). As a precaution, operations personnel initiated charging flow. Since the LPSI pump "B" was operating satisfactorily and the reactor vessel monitoring system indicated a higher level, operations personnel felt that the local indication was inaccurate.
At 0317, LPSI pump "B" began to cavitate. The pump was immediately secured, thus terminating shutdown cooling flow. At this time, personnel realized they neglected to close valves SI-120B and SI-121B and immediately closed the valves. In order to fill the RCS with LPSI pump "A", valve SI-109A was opened. LPSI train "A" was originally aligned for SDC; however, by opening SI-109A LPSI train "A" was re-aligned to inject water into the RCS from the RWSP. The RCS was being refilled at approximately 600 gpm. At 0351, vessel level was observed to be just below centerline of the hot leg.
At 0400, conditions within the RCS indicated that local boiling was occurring (i.e., core exit thermocouples were reading 223F). Several attempts were made to start LPSI pump "B"; however, cavitation persisted (probably due to air and/or steam binding). [Note: NRC Inspection Report 50-382/86-15 notes that LPSI pump "A" also cavitated when it was started.]
Operations personnel attempted to restore SDC by jogging the "A" and "B" LPSI pumps while cycling their respective warm up valves, SI-135A and SI-135B. Therefore, intermittent flow was being established by jogging the pumps. By opening SI-135A and SI-135B when jogging the pumps, some of the water was being diverted back to the LPSI pump suction, thus priming the pumps. This operation continued until approximately 06:58 when LPSI pump "A" was secured and SDC was re-established with the "B" LPSI pump.
Fig. 1 contains a simplified drawing of the RHR system.
Event-Related Plant Information
The Loss of Shutdown Cooling procedure applicable at the time of the event (OP-901-046 Rev. 2) addressed both system leakage and loss of SDC flow, but provided little detailed guidance.
If RCS level indications were not stable (decreasing), the procedure specified that LPSI flow was to be initiated. If LPSI flow could not maintain RCS level, then HPSI was to be initiated. If HPSI had been used to recover RCS level and that level had returned to normal, then the steam generators (SGs) were to be used for decay heat removal provided the RCS was pressurized. If the RCS was depressurized (presumably open), then containment cooling was to be maximized. If the LPSI pumps were used for RCS makeup, then one pump was to be stopped and the suction of the other shifted to partially take suction on the RCS via the RCS drop line.
For a loss of SDC, the procedure required use of the SGs for decay heat removal if no RHR pumps could be returned to service. If loss of flow was due to air binding, the procedure required the shutdown priming system be placed in service.
The LPSI pumps serve two functions. One of these is to inject large quantities of borated water into the RCS in the event of a large pipe rupture. The other function of the LPSI pumps is to provide shutdown cooling flow through the reactor core and shutdown cooling heat exchanger for normal plant shutdown cooling operation or as required for long-term core cooling for small breaks. During normal operation the LPSI pumps are isolated from the RCS by motor-operated valves. When performing their safety injection function, the pumps deliver water from the RWSP to the RCS via the safety injection nozzles. Sizing of the LPSI pump is governed by the shutdown cooling function.
The high-pressure safety injection (HPSI) pumps' primary function is to inject borated water into the RCS if a break occurs in the RCS boundary. The HPSI pumps are also used during the recirculation mode to maintain borated water cover over the core for extended periods of time. For long-term core cooling, the HPSI pumps are manually realigned from the main control room for simultaneous hot and cold leg injection. This ensures flushing and ultimate subcooling of the core independent of break location.
The HPSI and LPSI pumps are located in rooms in the lowest level of the reactor auxiliary building. This location maximizes the available net positive suction head (NPSH) for the safety injection pumps.
During the July 14, 1986 event, one LPSI pump was used to restore RCS level. (This is required by the RCS leakage portion of the procedure, but not by the loss of SDC portion. Erratic SDC flow is an indication for the RCS leakage portion of the procedures.) However, the vacuum priming system was apparently not used to vent the LPSI pump suction piping even though required by the loss of SDC portion of the procedure. Instead, flow through the LPSI pump warm-up lines was used, together with jogging the pumps, to re-establish shutdown cooling flow. This process took three hours. (The difficulty with this can be seen from the RCS elevation shown in Fig. 2. The LPSI pump suction piping rises in a U-bend 9 ft above the bottom of the hot leg. Once this U-bend is voided, it could not be easily refilled without the use of the vacuum priming system. However, during this event, hot leg temperatures were greater than 212F, and the vacuum priming system could not have been used to evacuate the loop seal.)
In addition to the LPSI and HPSI pumps specified by procedure, the containment spray system (CSS), safety injection tanks (SITs), and charging pumps could be used to inject borated water into the RCS on an ad-hoc basis. A brief description of these systems follows.
The CSS consists of two independent and redundant loops each containing a spray pump, shutdown heat exchanger, piping, valves, spray headers and spray nozzles. The system has an injection mode and a recirculation mode. Containment spray pumps can be aligned to inject into the same cold-leg RCS piping as LPSI and HPSI.
Four SITs are used to flood the core with borated water following depressurization as a result of a loss-of-coolant accident (LOCA). Each SIT has a total volume of 2,250 ft3 and a water volume of from 1,679 ft3 to 1,807 ft3 (12,600 gal to 13,517 gal) of borated water at a pressure of 600 psig (235 to 300 psig in shutdown). Each SIT is piped into a cold leg of the RCS via a safety injection nozzle located on the RCS piping near the reactor vessel inlet. Although the SIT isolation valves are closed when RCS pressure is down to 377 psig, the operator can open these valves.
A method available for injection of unborated water immediately is one of three positive displacement charging pumps (capable of injection at approximately 44 gpm each). The other two charging pumps could be "racked" in and started in a short period of time.
The three positive-displacement charging pumps (44 gpm each) can also be used for RCS injection. During cold shutdown, two of these pumps are normally depowered, but could be restored to power by racking in the pump breakers.
Analysis Approach
The event tree model developed for this event is shown in Fig. 3. This model is based on the procedure in effect at the time of the event and includes the use of both HPSI and LPSI for RCS makeup. If the RCS is open to containment, then continued makeup provides core cooling success. If the RCS is closed (as it was during this event), then recovery of SDC or use of the SGs (either by steaming or through a bleed and feed operation involving the blowdown system) is also required for core cooling success.
Branch probabilities were estimated as follows:
In this event, one LPSI pump had been secured because it was cavitating. The branch probability for failure of LPSI was developed under the assumption that only one LPSI pump was considered to be available. For LPSI success, that pump must start and run and its associated RWSP isolation valve must open. The failure probability for LPSI makeup is estimated to be 6.8 x 10^-3, using component failure probabilities typical of other calculations in the ASP program.
Three HPSI pumps are normally available but depowered while in cold shutdown. These pumps provide flow to the four RCS cold legs through parallel, normally closed, motor-operated injection valves (two per cold leg). For HPSI success, one pump must start and run, and one associated injection valve must open. Based on the probabilities employed in the ASP program, the failure probability for HPSI injection is estimated to be 1.5 x 10^-4. Combining these values results in an overall failure probability for RCS makeup of 1.0 x 10^-6.
c. RHR recovery. Recovery of RHR required three hours and involved use of the LPSI pump warmup lines in conjunction with LPSI pump jogging, which was inconsistent with the procedure. A failure probability of 0.3 was assumed in the analysis.
Emergency feedwater (motor-driven pumps) and the atmospheric dump valves were available. Based on probability values employed in the ASP program, a failure probability of 6.8 x 10^-4 is estimated.
Analysis Results
The estimated conditional core damage probability associated with the loss of RCS level and RHR cooling at Waterford is 2.1 x 10^-4. This value is strongly influenced by the assumption that recovery of RHR cooling by repeated LPSI pump jogging, as was done during the event, was marginal. The dominant sequence involves failure to recover RHR and failure to remove decay heat using the SGs.
The event conditional probability is also strongly influenced by the fact that the SGs were available for decay heat removal. If this were not the case (for example, if the event had occurred during an extended outage when extensive work was being performed on the secondary side), a significantly higher core damage probability would be estimated.
[Fig. 1: graphic not recoverable from the scan.]
Fig. 2. RCS/SDC position and elevation reference [graphic not recoverable from the scan]
Fig. 3. Event Tree Model for LER 382/86-015 [graphic not recoverable from the scan; legible branch values: 0.3, 1.0, 6.8E-4, 1.0E-6; end states: OK, CD]
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No.: 387/90-005
Event Description: RPS bus fault results in loss of normal shutdown decay heat removal
Date of Event: February 3, 1990
Plant: Susquehanna 1
Summary
On February 3, 1990, a loss of reactor protection system (RPS) bus B occurred at Susquehanna 1 during RPS bus breaker testing, a result of a short to ground in a DC distribution panel. The loss of the RPS bus prevented recovery of residual heat removal (RHR), which had been previously isolated for the breaker testing, for over five h. The conditional probability of subsequent severe core damage estimated for the event is 2.7 x 105. Dominant sequences are associated with failure to implement alternate core cooling strategies in the event that RHR could not be recovered in the short term. The calculated probability is strongly influenced by estimates of the likelihood of failing to recover initially faulted systems over time periods of 6-24 h. These estimates involve substantial uncertainty, and hence the overall core damage probability estimated for the event also involves substantial uncertainty.
Event Description
On February 1, 1990, Susquehanna 1 was shut down due to a leak in the main turbine hydraulic control system. The leak was repaired and preparations for startup began. The plant was in operational condition 4 (shutdown with reactor coolant temperature less than 200F) with the "A" loop of the RHR system in service in the shutdown cooling (SDC) mode.
At 1555 on February 3, 1990, with reactor coolant temperature at approximately 125F, the RHR system was removed from service as part of preparations for performing a semi-annual functional test of the RPS electrical protection assembly (EPA) breakers. The EPA breakers, two in series for each RPS bus source, ensure that the power supplied is within the voltage and frequency design specifications of the RPS by automatically tripping open when a power source is outside of this specification. The normal power supply to each of the RPS buses (A and B) is a dedicated motor generator set and the alternate is a dedicated voltage regulating transformer. RHR is taken out of service during this surveillance because isolation signals to the RHR SDC suction valves, HV-151F008 and 9, are initiated when the RPS distribution buses are de-energized during the test. With the exception of the EPA breaker functional test, all surveillances required for startup were complete.
The EPA breaker functional test was in progress. All EPA breakers had been demonstrated to be functioning properly and only restoration activities remained to be performed. The last two EPA breakers (normal supply to RPS bus "B") had been tripped open satisfactorily. All other EPA breakers had been reset and closed previously in the test.
At 1725 on February 3,1990, with reactor coolant temperature at 188F, attempts to restore normal power to RPS bus "B" by resetting and closing the last two EPA breakers tested were unsuccessful. When attempts were made to transfer RPS bus "B" to its alternate supply, the alternate supply EPA breakers also tripped open. A consequence of not being able to restore power to RPS bus "B" is the inability to restore RHR SDC due to the fact that the isolation signals to the reactor vessel suction valves, which are common to both loops of RHR, were still present.
The loss of RPS bus "B" was caused by a short circuit to ground in the RPS bus "B" distribution panel. This occurred when a copper mounting bolt (also used as a conductor) for one of the bus output breakers shorted to the breaker mounting baseplate. The cause of the fault was a combination of the breaker mounting/termination configuration design and the fact that the length of the insulating sleeve, as supplied by the vendor, was insufficient to completely insulate the mounting/conductor bolt from the baseplate.
The plant implemented the existing loss of shutdown cooling procedure, ON-149-001.
The sequence of events following the loss of the RPS bus was as follows:

| Time | Event |
|---|---|
| 1753 | Reactor coolant temperature exceeded 200F, which resulted in entry into operational condition 3 (hot shutdown). ALERT declared. |
| 1840 | The "B" loop of RHR was placed in service in the suppression pool cooling mode in preparation for manually opening SRVs, as required by procedure ON-149-001. The suppression pool temperature was 63F. |
| 1846 | With the reactor coolant at 230F and reactor vessel pressure at 10 psig, the "A" safety relief valve (SRV) was opened. |
| 1923 | With the reactor coolant at 245F and reactor vessel pressure at 15 psig, the "B" SRV was opened. |
| 1925 | The RPS EPA breakers were reset and power was restored to RPS bus "B" following repairs of the short circuit to ground in the RPS bus "B" distribution panel. |
| 1947 | With the reactor coolant at 250F and reactor vessel pressure at 19 psig, the "C" SRV was opened, which stabilized reactor coolant temperature at 253F. |
| 2240 | The reactor water cleanup system, which had also received isolation signals when RPS bus "B" was de-energized during the EPA breaker test, was returned to service. |
| 2302 | The "A" loop of RHR was placed in service in the shutdown cooling mode. |
| 2322 | With the reactor coolant at 233F and reactor vessel pressure at 12 psig, the "C" SRV was closed. |
| 2324 | The "B" SRV was closed. |
| 2327 | The "A" SRV was closed. |
| 0015-0024 (Feb. 4, 1990) | With reactor coolant at 192F, the unit was declared to be in operational condition 4 (cold shutdown), the operating recirculation pump was secured, and the ALERT was terminated. |
| 0200 (Feb. 4, 1990) | The "B" loop of RHR, which was providing suppression pool cooling, was taken out of service. Maximum suppression pool temperature during the event was 69F. |

During the event, reactor vessel water level was maintained at greater than 87" [248" above top of active fuel (TAF)] using the control rod drive (CRD) system as the source of water makeup.
Following the event, Pennsylvania Power & Light removed the existing GE type TEB-111100 circuit breakers and associated mounting plate in the RPS distribution panels on both Susquehanna units and replaced them with GE 277V distribution panels and GE type TEY-1100 circuit breakers.
In addition, an investigation was conducted to determine if other similar breaker mounting configurations existed in the plant, and it was concluded that there were none. The utility stated that this investigation involved document searches, panel walkdowns, personnel surveys, and vendor assistance.
ASP Modeling Approach and Assumptions
Event Tree for Loss of RHR
An event tree model of sequences to core damage given a total loss of boiling water reactor (BWR) shutdown cooling was developed based on procedures and outage planning information developed by Pennsylvania Power & Light Company (Procedure ON-149-001, Loss of RHR Shutdown Cooling Mode, September 7, 1990, and NSAG Project report 4-90, Outage Planning Information, October 17, 1990). While the references are specific to Susquehanna, the resulting event sequences are considered applicable to most contemporary BWRs.
The event tree is shown in Fig. 1. The following comments are applicable to this event tree:
a. Core damage end state. Core damage is defined for the purpose of this model as reduction in reactor pressure vessel (RPV) level above the TAF or failure to remove heat from the suppression pool in the long term. With respect to RPV inventory, this definition may be conservative, since steam cooling may limit clad temperature increase in some situations. However, choice of TAF as the damage criterion allows the use of simplified calculations to estimate the time to an unacceptable end state.
b. Short-term recovery of RHR. All historic losses of RHR have been recovered before RPV level would have dropped to below TAF. Including RHR recovery allows operational events to be more realistically mapped onto the event tree model. Short-term RHR recovery can be delayed if a recirculation pump can be started or if RPV level can be raised to permit natural circulation. Availability of RPV injection to raise water level for natural circulation is included in the model.
c. Successful termination of the loss of RHR is defined as recovery of RHR or provision of alternate decay heat removal via the suppression pool or main condenser, or, if the head is removed, via refueling cavity boiling. Short-term decay heat removal methods (such as feed with bleed to a tank) with subsequent long-term recovery of RHR are not addressed in the event tree, although such an approach can provide additional time to implement a long-term core cooling approach.
d. Three pressure vessel head states are addressed in the event tree: head on and tensioned, head on and detensioned, and head off. If the head is on and tensioned, then decay heat removal methods which require pressurization are assumed to be viable. If the head is on, but detensioned, then failure to maintain the RPV depressurized is also assumed to proceed to core damage (this assumption is conservative). If the head is off, then makeup at a rate equal to boil-off is assumed to provide core cooling.
e. Four makeup sources are shown on the event tree: LPCI, core spray, CRD flow and the condensate system. Branches for these sources are shown before short-term RHR recovery. This is because injection from any source to raise RPV level and allow natural circulation substantially increases the amount of time available for recovery of RHR. The four makeup sources have been placed before RHR recovery to address this issue, even though the need for significant flow from these systems is only required if RHR is not recovered (the event tree has been structured to correctly address the need for makeup if RHR is not recovered).
It should be noted that the loss of shutdown cooling procedure and the outage planning document identify other makeup and heat removal methods which have not been included on the event tree. Some of these would not have been effective at the decay heat levels which existed during the event. Others are short-term measures which eventually require transfer of decay heat to the ultimate heat sink. Additional sources of injection have not been modeled since loss of injection sequences are already of very low probability (see Fig. 2).
f. Short-term recovery of RHR is assumed to successfully terminate the loss of RHR. In the event that RHR cannot be recovered, then alternate core cooling sequences are included in the event tree. If the head is tensioned, these involve allowing the RPV to repressurize, opening of at least one SRV, and dumping decay heat to the suppression pool. If the condenser and condensate system are available, then decay heat can also be dumped to the condenser. If the head is detensioned, then decay heat must be removed without the RPV being pressurized. This requires opening of at least three SRVs and recirculating water to the suppression pool using the core spray or low-pressure coolant injection (LPCI) pumps. For all cooling modes involving the suppression pool, suppression pool cooling must be initiated in sufficient time to prevent the suppression pool from exceeding its temperature limit. If the head is removed, then any makeup source greater than ~200 gpm, combined with boiling in the RPV, will provide adequate core cooling.
Figure 1 includes the following core damage sequences:

Sequences with the Head Tensioned

| Sequence | Description |
|---|---|
| 103 | Unavailability of long-term heat removal from the suppression pool with failure to recover RHR but following successful alternate short-term decay heat removal using LPCI or core spray injection and relief to the suppression pool via one or more SRVs. |
| 104 | Failure to recover RHR and failure to initiate alternate short-term decay heat removal due to unavailability of the SRVs for relief to the suppression pool. |
| 107 | Similar to sequence 103 except LPCI and core spray are unavailable. RPV injection provided using CRD flow. |
| 108 | Similar to sequence 104 except LPCI and core spray are unavailable. RPV injection provided using CRD flow. |
| 112 | Unavailability of long-term heat removal from the suppression pool with failure to recover RHR but following successful alternate short-term decay heat removal using the condensate system for injection and relief to the suppression pool via one or more SRVs. Relief to the suppression pool is required in this sequence because the main condenser is unavailable as a decay heat removal mechanism. |
| 113 | Failure to recover RHR and failure to initiate alternate short-term decay heat removal due to unavailability of the SRVs for relief to the suppression pool and unavailability of the main condenser as a decay heat removal mechanism. |
| 115 | Failure to recover RHR and unavailability of LPCI, core spray, CRD flow and the condensate system to raise RPV level to provide for natural circulation. The time available to recover RHR in this sequence is less than for sequences with RPV injection unless a recirculation pump can be started, since RPV level cannot be raised to provide for natural circulation cooling. |

Sequences with the Head Detensioned

| Sequence | Description |
|---|---|
| 118 | Unavailability of long-term heat removal from the suppression pool with failure to recover RHR but with successful alternate decay heat removal using LPCI or core spray injection with discharge to the suppression pool using three or more SRVs. |
| 119 | Failure to recover RHR and failure to initiate alternate short-term decay heat removal due to unavailability of three or more SRVs for relief to the suppression pool. |
| 121 | Failure to recover RHR with unavailability of LPCI and core spray for alternate decay heat removal. CRD flow provides sufficient water to raise RPV level and allow natural circulation, extending the time available to recover RHR. |
| 123 | Similar to sequence 121 except CRD flow is also unavailable. Condensate is used to increase RPV level and allow natural circulation. |
| 125 | Failure to recover RHR without RPV injection to extend RHR recovery time. |

Sequence with the Head Removed

| Sequence | Description |
|---|---|
| 129 | Unavailability of LPCI, Core Spray, CRD flow and condensate for RPV makeup. Core damage in the long term if a supplemental makeup source cannot be provided. |

Branch Probabilities
Head Status. For the operational event in question, the head was on and tensioned. A review of BWR refueling outages over the last five years indicates a distribution of outage durations with peaks at 66 and 104 d. These values represent a mix of 12 mth and 18 mth refueling cycles. Assuming (1) the lower peak is more representative of a yearly refueling outage duration (and that the mean length of a yearly outage is relatively close to the peak), (2) that the fraction of time with the head on is about the same as with the head off, (3) that two d of the outage are not at cold shutdown, and (4) that the total time during an outage that the head is on but detensioned is approximately two days, results in the following time periods for the three head states over a period: head on, 31 d; head detensioned but on, 2 d; and head off, 31 d.
In addition to refueling outages, there are typically three outages of an average length of 5.6 d. If we again assume two days per outage not at cold shutdown, and assume that during the remainder of the time the plant is at cold shutdown with the head on, the following overall fractions of time for the three head states are estimated:

| Head state | Fraction of time |
|---|---|
| head on | 0.56 |
| head on but detensioned | 0.03 |
| head off | 0.41 |

LPCI or CS Flow Available. To simplify the estimation of the probability of failure of suppression pool cooling (which is dependent on the status of LPCI), only the probability of failure of core spray was used to estimate this branch probability. For Susquehanna, the core spray system consists of two trains. Each train includes two parallel pumps with a single, normally open motor-operated suction valve and a single normally-closed discharge (RPV injection) valve. The pump suction source is normally the suppression pool. Assuming that normally-open valves and check valves do not contribute substantially to system unavailability, the equation for failure of core spray is therefore
(CS-P1A * CS-P1C + CS-5A) * (CS-P1B * CS-P1D + CS-5B).
Reducing this equation results in the following minimal cutsets:
CS-P1A CS-P1B CS-P1C CS-P1D
CS-P1A CS-P1C CS-5B
CS-P1B CS-P1D CS-5A
CS-5A CS-5B
Applying screening probabilities of 0.01 for failure of a motor-driven pump to start and run and failure of a motor-operated valve to open; 0.1, 0.3 and 0.5 for the conditional probabilities of the second, third and fourth similar components to operate; and a likelihood of 0.34 of not recovering a failed core spray system in the short term results in an overall system failure probability estimate of 4.0 x 10^-4.
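The cutset reduction and screening quantification described above can be reproduced as follows. This is an added example, not code from the report: it assumes that "similar components" means components of the same kind (pumps versus valves) within a cutset and that cutset probabilities are summed (rare-event approximation); under those assumptions it reproduces the two-train estimate and the single-train estimate the report gives for one division out of service.

```python
from itertools import product
from math import prod

# Screening values quoted in the report text.
P_FIRST = 0.01                    # first pump fails to start/run, or first MOV fails to open
P_CONDITIONAL = (0.1, 0.3, 0.5)   # 2nd, 3rd, 4th similar component, given the earlier failures
P_NOT_RECOVERED = 0.34            # short-term non-recovery of a failed core spray system

# Failure logic as a product of sums. Each factor is one train; each entry in a
# factor is a set of basic events that must all fail (an AND-term).
TWO_TRAINS = [
    [{"CS-P1A", "CS-P1C"}, {"CS-5A"}],   # train A: both pumps fail OR injection valve fails
    [{"CS-P1B", "CS-P1D"}, {"CS-5B"}],   # train B
]
ONE_TRAIN = TWO_TRAINS[:1]               # other division out of service for maintenance


def minimal_cutsets(factors):
    """Expand a product of sums and drop any cutset that contains a smaller one."""
    candidates = {frozenset().union(*combo) for combo in product(*factors)}
    minimal = [c for c in candidates if not any(other < c for other in candidates)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def component_kind(name):
    # ASSUMPTION (not stated in the report): pumps are "similar" to pumps and
    # valves to valves; the two kinds are treated as independent of each other.
    return "pump" if name.startswith("CS-P") else "valve"


def cutset_probability(cutset):
    """Probability that every component in the cutset fails, using the
    first-failure value and the conditional values for further similar ones."""
    counts = {}
    for name in cutset:
        kind = component_kind(name)
        counts[kind] = counts.get(kind, 0) + 1
    p = 1.0
    for n in counts.values():
        p *= P_FIRST * prod(P_CONDITIONAL[: n - 1])
    return p


def system_failure_probability(factors):
    """Rare-event approximation: sum over minimal cutsets, times non-recovery."""
    total = sum(cutset_probability(c) for c in minimal_cutsets(factors))
    return P_NOT_RECOVERED * total


if __name__ == "__main__":
    for cutset in minimal_cutsets(TWO_TRAINS):
        print(sorted(cutset), f"{cutset_probability(cutset):.1e}")
    print("two trains:", f"{system_failure_probability(TWO_TRAINS):.1e}")
    print("one train: ", f"{system_failure_probability(ONE_TRAIN):.1e}")
```

The two-valve cutset (CS-5A, CS-5B) dominates the two-train result, which is why the injection valves matter more than the four pumps in this screening estimate.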
If only one train is available, as would be the case if one division was out-of-service for maintenance, the core spray system failure probability (using the same approach as above) is estimated to be 3.7 x 10^-3.
CRD Flow Available. At cold shutdown pressures, one of two CRD pumps can provide makeup. Since one pump is typically running, the system will fail if that pump fails to run or if the other (standby) pump fails to start and run. Assuming a probability of 0.01 for failure of the standby CRD pump to start, and 3.0 x 10^-5/hr for failure of a pump to run, results in an estimated failure probability for CRD flow of 2.5 x 104. In this estimate, a short-term non-recovery likelihood of 0.34 was applied to the non-running pump failure-to-start probability, consistent with the approach used to estimate the failure probability for the core spray system. A mission time of 24 h was also assumed.
If only one train is available (because of maintenance on the opposite division), then the CRD failure probability is estimated to be 7.2 x 10^-4.
Condensate Available. While the condensate pumps can provide more than adequate makeup, they are often unavailable during a refueling outage because of work on the secondary system. For this analysis, it was assumed that the condensate system is unavailable during a refueling outage once the plant enters cold shutdown. During a non-refueling outage, the probability of the condensate system being unavailable was assumed to be 0.1. This results in an overall unavailability, based on the fraction of cold shutdown events which are refueling-related (see Head Status), of 0.87. Since the event at Susquehanna did not involve a refueling outage, an unavailability of 0.1 was assumed.
j i
RHR (SDC) Recovered (Short-Termt For Susquehanna, RHR can be restored to service provided RPV level is greater than the low-level isolation level and RPV pressure is less than the high pressure isolation pressure, and, of course, the cause of the initial loss of RHR is repaired.
j For event tree branches with the head on and for which reactor vessel (RV) inventory was increased to provide for natural circulation, RHR must be recovered prior to RV pressure reaching the high pressure isolation setpoint (98 psig at Susquehanna), which would pre;ent opening the j
suction line isolation valves and restoring RHR. Once the high-pressure isolation serpoint is l
reached, operation of at least one SRV is assumed to be required, and the ',equence proceeds with l
RPV depressurization and the use of R.HR in the suppression pool cooling mode to remove decay heat. In estimating the probability of not recovering RHR (SDC), the time period of concern for j
these sequences is from initial loss of RHR until the high-pressure. solation setpoint is reached.
3 (Approximately 7.5 h from the loss of RHR for the event under consideration, based on very simplified analyses and consideration of the observed heatup and xssurization rates.)
f For event tree branches with the head on but with short-term makeup unavailable, the time to reach the high pressure isolation serpoint is estimated to be approximately six h. This estimate assumes all decay heat is absorbed in the coolant directly surrounding the core.
For event tree branches with the head detensioned, the time period to recover RHR is the time to reach boiling. This time period was 2.3 h for the loss of RHR at Susquehanna. For sequence 125, which involves a failure to recover RHR prior to boiling without an injection source and with the head detensioned, the time period would be even less.
For this event, the time to restore the faulted RPS bus (which caused the RHR isolation) was two hours. Assuming that the likelihood of not repairing the faulted bus as a function of time can be described as an exponential,
- no repair was possible during the first 20 min (to account for required response and diagnosis outside the control room),
- an additional 0.5-1.0 h is required to restart the RHR system once repaired (0.5 h if RHR venting is not required and 1.0 h if venting must be performed prior to restart),
- and the two-hour time-to-restore the RPS bus represents the median of repair times for this event,
the likelihood of failing to repair the bus can be represented by
$P_{NREC\,Bus} = e^{-0.415(t - 0.33)}, \quad t \ge 0.33$.
Skewing this an additional one-half hour to account for restoration of RHR results in an overall estimate of failing to recover RHR of
$P_{NREC\,RHR} = e^{-0.415(t - 0.83)}, \quad t \ge 0.83$.
For $t < 0.83$ h, $P_{NREC\,RHR} = 1.0$.
Applying this formula to the time periods discussed above, and subtracting the period of time that RHR was unavailable prior to the loss of the RPS bus (1.5 h), results in the following estimates for the probability of failing to recover RHR:

| Sequence | Time to Recover RHR* | Probability |
|---|---|---|
| Head tensioned with short-term injection flow available (sequences 101-113) | 6.0 h | 0.12 |
| Head tensioned with short-term injection flow unavailable (sequences 114-115) | 4.5 h | 0.22 |
| Head detensioned but on, short-term injection flow available (sequences 116-123) | 0.8 h | 1.0 |
| Head detensioned but on, short-term injection flow unavailable (sequences 124-125) | <0.8 h | 1.0 |

\* from discovery of loss of RPS bus
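
Where the 0.415 rate constant and the tabulated probabilities come from, as a worked step added here (not part of the original report): the stated assumptions describe an exponential with a 0.33 h dead time and a 2 h median, so

$$e^{-\lambda(2 - 0.33)} = 0.5 \;\Rightarrow\; \lambda = \frac{\ln 2}{1.67} \approx 0.415\ \mathrm{h^{-1}}.$$

With the additional 0.5 h for RHR restart, $P_{NREC\,RHR}(t) = e^{-0.415(t - 0.83)}$, which gives

$$P_{NREC\,RHR}(6.0) = e^{-0.415 \times 5.17} \approx 0.12, \qquad P_{NREC\,RHR}(4.5) = e^{-0.415 \times 3.67} \approx 0.22,$$

and $P_{NREC\,RHR} = 1.0$ for the 0.8 h window, which is shorter than the 0.83 h offset.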
Main Condenser Available. The main condenser is modeled as a heat removal mechanism for sequences in which the condensate system is used as an injection source and the head is tensioned. The probability of the condenser being available for heat removal, given the condensate system is available, was assumed to be 0.5. The actual likelihood is dependent on the nature of the outage.
Required SRVs Opened. Sixteen SRVs are installed on Susquehanna. For sequences with the head tensioned (sequences 102-104, 106-108, and 111-113), opening of one or more SRVs provides success. For sequences with the head detensioned but still on the vessel (sequences 117-119), opening of three SRVs is required for success. In either case, failure of the valves to operate is dominated by dependent failure effects.
A probability of 1.6 x 104 was used for failure of multiple SRVs to open. This value was based on the observation of no such failures in the 1984-1990 time period, combined with a non-recovery likelihood of 0.12. This approach is consistent with the approach used to estimate this probability for other ASP evaluations, but includes a longer observation period and a lower probability of failing to recover to account for the 4-6 h typically available to open the valves [a non-recovery value of 0.71 is used for the probability of not recovering an ADS actuation failure in a one-half hour time period (see NUREG/CR-4674, Vol. 6); this value was also used to estimate the likelihood of SRV failure for sequences with the head detensioned but on, since time periods for these sequences are short].
A value of 1.6 x 104 is consistent with failure probabilities which can be estimated from individual valve failure probabilities and beta factors, as described in NUREG/CR-4550, Vol. 1, Rev. 1, "Analysis of Core Damage Frequency: Internal Events Methodology," and the conditional probability screening values used in the ASP program. The failure probabilities estimated using either approach are probably conservative, considering the number of valves potentially available for use. (NUREG/CR-4550, Vol. 4, Rev. 1, Part 1, "Analysis of Core Damage Frequency: Peach Bottom, Unit 2, Internal Events," used a value of 1.0 x 104 for common cause SRV hardware faults, based on engineering judgement.)
Suppression Pool Cooling (Long-Term). On Susquehanna, like most BWRs, suppression pool cooling is a mode of RHR. One or more LPCI/RHR pumps take suction from the suppression pool, pump water through an RHR heat exchanger, and return it to the suppression pool. The suppression pool cooling mode of RHR consists of two redundant trains, each of which includes two parallel LPCI/RHR pumps, one heat exchanger, and two series return valves which must be opened to return flow to the suppression pool. For the train providing RHR prior to its loss, the suppression pool suction valves (normally open for LPCI but closed for RHR) must also be opened to provide suction to their respective pumps. During this event, RHR loop A was providing shutdown cooling, and hence opening of suction valves RHR 4A and 4C is assumed to be required.
Assuming availability of RHR service water and electric power, the equation for unavailability of suppression pool cooling is:
((RHR-4A + RHR-P1A) * (RHR-4C + RHR-P1C) + RHR-26A + RHR-24A * RHR-27A) * (RHR-P1B * RHR-P1D + RHR-26B + RHR-24B * RHR-27B).
The minimal cutsets for this equation are
RHR-4A RHR-4C RHR-P1B RHR-P1D
RHR-4A RHR-4C RHR-26B
RHR-4A RHR-4C RHR-24B RHR-27B
RHR-4A RHR-P1C RHR-P1B RHR-P1D
RHR-4A RHR-P1C RHR-26B
RHR-4A RHR-P1C RHR-24B RHR-27B
RHR-P1A RHR-4C RHR-P1B RHR-P1D
RHR-P1A RHR-4C RHR-26B
RHR-P1A RHR-4C RHR-24B RHR-27B
RHR-P1A RHR-P1C RHR-P1B RHR-P1D
RHR-P1A RHR-P1C RHR-26B
RHR-P1A RHR-P1C RHR-24B RHR-27B
RHR-P1B RHR-P1D RHR-26A
RHR-26A RHR-26B
RHR-26A RHR-24B RHR-27B
RHR-P1B RHR-P1D RHR-24A RHR-27A
RHR-26B RHR-24A RHR-27A
RHR-24A RHR-27A RHR-24B RHR-27B
Applying screening probabilities of 0.01 for failure of a motor-driven pump, 0.34 for failure to recover a faulted pump, 0.0001 for failure of a closed valve to open (because of the length of time available for recovery, the NUREG-1150 value for a failure of a manual valve to open was employed), and 0.1, 0.3, and 0.5 for the conditional probabilities of the second, third, and fourth similar components to operate, results in an overall system failure probability estimate of 6.3 x 10-5. If only one train is available (because of maintenance on the other division), then the suppression pool cooling failure probability is estimated to be 4.2 x 10-4. It should be noted that, because of the length of time available to recover suppression pool cooling (greater than 24 h), and the general lack of understanding of the reliability of such actions, this estimate has a high degree of uncertainty associated with it.
Analysis Results
Branch probabilities developed above were applied to the event tree model shown in Fig. 1 to estimate a conditional probability of subsequent severe core damage for the loss of RHR at Susquehanna. This conditional probability is 2.7 x 10-5. Branch and selected sequence probabilities are shown in Fig. 2. Because of the way the event tree was constructed, the dominant sequences are associated with LPCI or low-pressure core spray (LPCS) success in providing RPV makeup. In the actual event, CRD flow was used for RPV makeup, and LPCI and LPCS were not actuated. The two dominant sequences both involve successful RPV makeup, failure to recover RHR (SDC) in the short-term, and failure to implement alternate core cooling because of failure to open at least one SRV (sequence 104) or failure to initiate suppression pool cooling (sequence 103). As discussed under ASP Modeling Approach and Assumptions: Branch Probabilities, above, the failure probabilities for these two branches are dependent on the probability of the branch failing when initially demanded and the probability of not restoring an initially failed branch over a period of perhaps 6-24 h. While the probability of initial failure on demand can be reasonably estimated, no information exists which would allow confident estimates of the probability of not recovering an initially failed component.
Additional calculations were performed to illustrate the sensitivity of the estimated conditional probability to analysis assumptions, as shown below:

| Analysis Change | Conditional Probability |
|---|---|
| Probability of failing to open required SRVs = 1.0 x 10-6 | 7.6 x 10-6 |
| Event could occur with head on, detensioned but on, or off [probabilities of each case specified under ASP Modeling Approach and Assumptions: Branch Probabilities (Head Status)] | 5.8 x 10-5 (The dominant sequence for this case involves failure of RHR with the head on but detensioned, with failure to open at least three SRVs in the short-term.) |
| Random head status and one division out of service for maintenance and assumed non-recoverable | 1.9 x 10-4 (The dominant sequence for this case also involves the head on but detensioned.) |
| Use of MSIV bypass valves/main condenser and HPCI for decay heat removal. (These decay heat removal methods are not addressed in ON-149-001.) | ~4.8 x 10-6 |
Figure 1. BWR Class C Loss of RHR in Cold Shutdown [event tree; columns: end state, sequence no., probability, notes]
Notes:
1. Suppression pool level will increase in this sequence.
2. Reduced time to recover RHR if recirculation pump unavailable since makeup required to achieve natural circulation is also unavailable.
3. Water in main steam lines may overstress these lines.
4. Use of RWCU/Condensate Transfer to transfer hot water to the condenser or condensate storage tank will increase the time available to recover RHR or initiate suppression pool cooling.
5. Alternate injection sources such as service water may also provide injection.
6. If primary and secondary containment cannot be established, this sequence is prescribed.
Figure 2. Susquehanna Loss of RHR in Cold Shutdown (Branch and Selected Sequence Probabilities Shown) [event tree; columns: end state, sequence no., probability, notes]
Notes:
1. Suppression pool level will increase in this sequence.
2. Reduced time to recover RHR if recirculation pump unavailable since makeup required to achieve natural circulation is also unavailable.
3. Water in main steam lines may overstress these lines.
4. Use of RWCU/Condensate Transfer to transfer hot water to the condenser or condensate storage tank will increase the time available to recover RHR or initiate suppression pool cooling.
5. Alternate injection sources such as service water may also provide injection.
6. If primary and secondary containment cannot be established, this sequence is prescribed.
7. LPCS failure probability.
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No.: 397/88-011
Event Description: Reactor cavity draindown
Date of Event: May 1, 1988
Plant: Washington Nuclear Plant 2
Summary
Washington Nuclear Plant 2 (WNP 2) was at cold shutdown on May 1, 1988. While changing from loop "B" to loop "A" of residual heat removal/shutdown cooling (RHR/SDC), the operator inadvertently opened the suppression pool suction valve on loop "B" before the reactor RHR/SDC suction valve on loop "B" was fully closed. The two valves were simultaneously open for approximately 40 sec, which provided a drain path for the reactor pressure vessel (RPV) to the suppression pool. The RPV water level dropped fast enough to cause a low level scram and isolation of RHR/SDC. The RHR/SDC isolation stopped the RPV level drop, but RHR/SDC was lost for about seven min until level was restored and the isolation was reset. The conditional probability of subsequent severe core damage estimated for the event is 4.6 x 10-5. Dominant sequences are associated with failure to implement alternate core cooling strategies in the event that RHR could not be recovered in the short term. The calculated probability is strongly influenced by estimates of the likelihood of failing to recover initially faulted systems over time periods of 6-24 h. These estimates involve substantial uncertainty, and hence the overall core damage probability estimated for the event also involves substantial uncertainty.
Event Description
On May 1, 1988 WNP 2 was at cold shutdown with the reactor coolant temperature between 140F and 160F. RHR "B" was on line in the SDC mode, RHR "A" was in standby, lined up for emergency core cooling system (ECCS) actuation, and reactor recirculation pump 1A was operating at 15 cycles per second. The plant had begun a refueling outage on April 29, 1988 and operators were preparing to change over to loop "A" of RHR for SDC and to place loop "B" of RHR in standby for ECCS actuation. The procedure governing this evolution required the operator to close the reactor suction valve for SDC (RHR-6B) before he opened the suppression pool suction valve (RHR-4B) when he placed loop "B" in standby. However, the operator did not wait for RHR-6B to fully close before opening RHR-4B. This action violated the approved operating procedure as well as a "permanent operator aid" caution label on the control panel. Both these valves have stroke times of about 120 sec, and, as a result, both valves were simultaneously open for approximately 40 sec. This was long enough for the reactor cavity to gravity drain about 10,000 gal of water to the suppression pool. The draindown was stopped when the reactor water level reached the RPV low level scram and SDC isolated. The isolation signal closed the SDC suction isolation valves inside primary containment (RHR-8 and -9), but closing RHR-8 and -9 also failed RHR SDC. The operator backed up the automatic isolation by manually closing RHR-8 and -9. RPV water level was restored in about seven min using the control rod drive (CRD) and condensate systems and SDC was reestablished at that time.
Fig. 1 is a diagram of loop B of the RHR system for this plant.
Additional Event-Related Information
Reactor scram and the automatic isolation of RHR/SDC from the reactor recirculation system occur at 174 in above the top of active fuel (TAF). The high-pressure core spray (HPCS) system automatically lines up for and initiates vessel makeup and the reactor recirculation pumps trip off at 111" above TAF. LPCI and LPCS initiation occurs at 32" above TAF. At this point, RHR automatically lines up for and initiates low-pressure coolant injection (LPCI) mode. That is, appropriate valves line up for pump suction on the suppression chamber, SDC isolation, and test return isolation. Also, the low-pressure core spray (LPCS) system automatically lines up for and initiates vessel makeup.
A previous event (LER 397/85-030) that was referred to in the LER occurred in 1985. That event was remarkably similar to this event except in the 1985 incident the operator waited 30 sec before he began opening the suppression pool suction valve. Consequently, the level did not drop as far as in this event. SDC was lost for about one h; however, the plant had been shutdown for approximately four d for an extended maintenance outage following a run for over three weeks at a reduced power of 45%.
ASP Modeling Approach and Assumptions
Event Tree for Loss of RPV Inventory
An event tree model of sequences to core damage given the loss of RPV inventory is shown in Fig. 2. If RHR isolation successfully terminates the inventory loss, the event tree describes sequences associated with loss of SDC. This portion of the event tree was developed based on procedures (e.g. Procedure PPM 2.4.2, "RHR System", September 7, 1990) in effect at WNP 2 at the time of the event, the Plant Technical Specifications, and the Final Safety Analysis Report (FSAR). If RHR isolation fails, the event tree describes the use of LPCI, core spray, or HPCS (break-size dependent), plus long-term suppression pool cooling to mitigate core damage.
The following comments are applicable to this event tree:
a. Core damage end state. Core damage is defined for the purpose of this model as reduction in RPV level above TAF or failure to remove heat from the suppression pool in the long term. With respect to RPV inventory, this definition may be conservative, since steam cooling may limit clad temperature increase in some situations. However, choice of TAF as the damage criterion allows the use of simplified calculations to estimate the time to an unacceptable end state.
b. Short-term recovery of RHR. All historic losses of RHR have been recovered before RPV level would have dropped to below TAF. Including RHR recovery allows operational events to be more realistically mapped onto the event tree model. Short-term RHR recovery can be delayed if a recirculation pump can be started or if RPV level can be raised to permit natural circulation. Availability of RPV injection to raise water level for natural circulation is included in the model.
c. Successful termination of the loss of RHR is defined as recovery of RHR or provision of alternate decay heat removal via the suppression pool or main condenser, or, if the head is removed, via refueling cavity boiling. Short-term decay heat removal methods (such as feed with bleed to a tank) with subsequent long-term recovery of RHR are not addressed in the event tree, although such an approach can provide additional time to implement a long-term core cooling approach.
d. Three pressure vessel head states are addressed in the event tree: head on and tensioned, head on and detensioned, and head off. If the head is on and tensioned, then decay heat removal methods which require pressurization are assumed to be viable. If the head is on, but detensioned, then failure to maintain the RPV depressurized is also assumed to proceed to core damage (this assumption is conservative). If the head is off, then makeup at a rate equal to boil-off is assumed to provide core cooling.
e. Five makeup sources are shown on the event tree: LPCI, LPCS, HPCS, CRD flow and the condensate system. Branches for these sources are shown before short-term RHR recovery. This is because injection from any source to raise RPV level and allow natural circulation substantially increases the amount of time available for recovery of RHR. The five makeup sources have been placed before RHR recovery to address this issue, even though the need for significant flow from these systems is only required if RHR is not recovered.
If RHR isolation fails, RPV makeup must compensate for the flow from the RHR system to the suppression pool. Sources of this makeup must take suction from the suppression pool to prevent the suppression pool from being completely filled. The use of LPCI, LPCS, or HPCS is included on the event tree.
f. In the event that RHR cannot be recovered, then alternate core cooling sequences are included in the event tree. Based on studies done at Susquehanna, if the head is tensioned, these involve allowing the RPV to repressurize, opening of at least one safety relief valve (SRV), and dumping decay heat to the suppression pool. If the condenser and condensate system are available, then decay heat can also be dumped to the condenser. If the head is detensioned, then decay heat must be removed without the RPV being pressurized. Again, based on studies done at Susquehanna, this requires opening of at least three SRVs and recirculating water to the suppression pool using the LPCS or LPCI pumps. For all cooling modes involving the suppression pool, suppression pool cooling must be initiated in sufficient time to prevent the suppression pool from exceeding its temperature limit. If the head is removed, then any makeup source greater than ~200 gpm, combined with boiling in the RPV, will provide adequate core cooling.
Fig. 2 includes the following core damage sequences:

Sequences with the Head Tensioned and Loss of Inventory Terminated

| Sequence | Description |
|---|---|
| 104 | Unavailability of long-term heat removal from the suppression pool with failure to recover RHR and unavailability of the main condenser but following successful alternate short-term decay heat removal using the condensate system with relief to the suppression pool via one or more SRVs. |
| 105 | Failure to recover RHR and unavailability of the main condenser and failure to initiate alternate short-term decay heat removal due to unavailability of the SRVs for relief to the suppression pool. |
| 108 | Unavailability of long-term heat removal from the suppression pool with failure to recover RHR but following successful alternate short-term decay heat removal using LPCI or LPCS injection and relief to the suppression pool via one or more SRVs. |
| 109 | Failure to recover RHR and failure to initiate alternate short-term decay heat removal due to unavailability of the SRVs for relief to the suppression pool. |
| 112 | Similar to sequence 108 except the condensate system, LPCI, and LPCS are unavailable. RPV injection provided using HPCS flow. |
| 113 | Similar to sequence 109 except the condensate system, LPCI, and LPCS are unavailable. RPV injection provided using HPCS flow. |
| 116 | Similar to sequence 108 except LPCI, LPCS, and HPCS are unavailable. RPV injection provided using CRD flow. |
| 117 | Similar to sequence 109 except LPCI, LPCS, and HPCS are unavailable. RPV injection provided using CRD flow. |
| 119 | Failure to recover RHR and unavailability of LPCI, LPCS, HPCS, CRD flow and the condensate system to raise RPV level to provide for natural circulation. The time available to recover RHR in this sequence is less than for sequences with RPV injection unless a recirculation pump can be started, since RPV level cannot be raised to provide for natural circulation cooling. |

Sequences with the Head Detensioned and Loss of Inventory Terminated

| Sequence | Description |
|---|---|
| 122 | Unavailability of long-term heat removal from the suppression pool with failure to recover RHR but with successful alternate decay heat removal using LPCI or LPCS injection with discharge to the suppression pool using three or more SRVs. |
| 123 | Failure to recover RHR and failure to initiate alternate short-term decay heat removal due to unavailability of three or more SRVs for relief to the suppression pool. |
| 125 | Failure to recover RHR with unavailability of LPCI and LPCS for alternate decay heat removal. HPCS flow provides sufficient water to raise RPV level and allow natural circulation, extending the time available to recover RHR. |
| 127 | Failure to recover RHR with unavailability of LPCI and LPCS for alternate decay heat removal. HPCS flow is unavailable but CRD flow provides sufficient water to raise RPV level and allow natural circulation, extending the time available to recover RHR. |
| 129 | Similar to sequence 127 except CRD flow is also unavailable. Condensate is used to increase RPV level and allow natural circulation. |

Sequence with the Head Removed and Loss of Inventory Terminated

| Sequence | Description |
|---|---|
| 134 | Unavailability of LPCI, LPCS, HPCS, CRD flow and condensate for RPV makeup. Core damage in the long term if a supplemental makeup source cannot be provided. |

Sequences without Termination of Inventory Loss

| Sequence | Description |
|---|---|
| 136 | Unavailability of long term decay heat removal from the suppression pool with successful LPCI or LPCS injection to make up for the loss of RPV inventory. |
| 138 | Similar to sequence 138 except LPCI and LPCS are unavailable. HPCS (with suction from the suppression pool) provides injection. HPCS injection success is break-size dependent. |
| 139 | Unavailability of LPCI, LPCS, and HPCS to provide makeup for the loss of RPV inventory. |
Branch Probabilities
Loss of Inventory Terminated by RHR ISO. Closure of either RHR-8 or RHR-9 at the SDC isolation setpoint will isolate RPV flow to the suppression pool. Assuming a screening probability of 0.01 for the failure of a motor-operated valve to close and 0.1 for the conditional probability of the second valve results in a branch failure probability estimate of 1.0 x 10-3. Note that closure of RHR-6B would also have terminated the RPV inventory loss. This valve was not considered in estimating the failure probability for this branch.
Head Status. A review of WNP 2 refueling outages over the last five and one half years indicates an average outage duration of 75.6 d. Assuming that two days of the outage are not at cold shutdown, and that the total time during an outage that the head is on but detensioned is approximately two days, results in the following time periods for the three head states over a period: head on, 4 d; head detensioned but on, 2 d; and head off, 67.6 d.
In addition to refueling outages, there have been 47 outages of an average length of 4.6 d. If we again assume two days per outage not at cold shutdown, and assume that during the remainder of the time the plant is at cold shutdown with the head on, the following overall fractions of time for the three head states are estimated:
head on: 0.27
head on but detensioned: 0.02
head off: 0.71
Condensate Available. While the condensate pumps can provide more than adequate makeup, they are often unavailable during a refueling outage because of work on the secondary system.
However, the condensate system was available during this event and was used to restore the RPV level following the reactor cavity draindown. A failure probability of 0.01 was assumed.
LPCI or CS Flow Available. For sequences involving successful RHR isolation, flow from any LPCI or LPCS pump will provide adequate makeup. To simplify the estimation of the probability of failure of suppression pool cooling (which is dependent on the status of the LPCI trains which also provide SDC), only the failures associated with LPCS and the non-RHR train of LPCI were used to estimate this branch probability. For WNP 2, LPCS consists of one train. The train includes one pump with a single, normally open motor-operated suction valve and a single normally-closed discharge (RPV injection) valve. The pump suction source is normally the suppression pool. LPCI train C consists of a motor-driven pump, a normally-open motor-operated suction valve and a normally-closed motor-operated discharge (RPV injection) valve. The pump suction source is also the suppression pool. Assuming that normally-open valves and check valves do not contribute substantially to system unavailability, the equation for failure of LPCS is therefore
(LPCS-P1 + LPCS-5) * (RHR-P2C + RHR-42C)
Applying screening probabilities of 0.01 for failure of a motor-driven pump to start and run and failure of a motor-operated valve to open, 0.1 for the conditional probability of the second similar component to operate, and a likelihood of 0.34 of not recovering a failed LPCI train or core spray system in the short-term results in an overall system failure probability estimate for this branch of 7.5 x 10-4.
For sequences involving failure to isolate RHR, two of the four LPCI and LPCS trains must operate to provide makeup for the flow path to the suppression pool. The operating RHR train's suction supply must be aligned to the suppression pool. In the two non-operating LPCI trains and the LPCS train, the pumps must start and the discharge isolation valves must open. Since success requires two of four trains, three of four trains must fail for injection failure:
(LPCS-P1 + LPCS-5) * (RHR-P2C + RHR-42C) * (RHR-P2A + RHR-42A * RHR-53A) +
(LPCS-P1 + LPCS-5) * (RHR-P2C + RHR-42C) * (RHR-6B + RHR-4B) +
(LPCS-P1 + LPCS-5) * (RHR-P2A + RHR-42A * RHR-53A) * (RHR-6B + RHR-4B) +
(RHR-P2C + RHR-42C) * (RHR-P2A + RHR-42A * RHR-53A) * (RHR-6B + RHR-4B)
The minimal cutsets for this equation are
RHR-4B RHR-P2A RHR-P2C
RHR-42C RHR-6B RHR-P2A
RHR-6B RHR-P2A RHR-P2C
LPCS-5 RHR-42C RHR-P2A
LPCS-P1 RHR-42C RHR-P2A
LPCS-5 RHR-P2A RHR-P2C
LPCS-P1 RHR-P2A RHR-P2C
LPCS-5 RHR-42C RHR-4B
LPCS-P1 RHR-42C RHR-4B
LPCS-5 RHR-42C RHR-6B
LPCS-P1 RHR-42C RHR-6B
LPCS-5 RHR-4B RHR-P2C
LPCS-P1 RHR-4B RHR-P2C
LPCS-5 RHR-6B RHR-P2C
LPCS-P1 RHR-6B RHR-P2C
LPCS-5 RHR-4B RHR-P2A
LPCS-P1 RHR-4B RHR-P2A
LPCS-5 RHR-6B RHR-P2A
LPCS-P1 RHR-6B RHR-P2A
RHR-42C RHR-4B RHR-P2A
Applying the screening probabilities described above results in a branch probability estimate of 5.6 x 10-5.
HPCS Flow Available. HPCS at WNP 2 consists of one train. This train includes one pump with a single, normally open motor-operated suction valve and a single normally-closed discharge (RPV injection) valve. The pump suction source for HPCS is normally the condensate storage tank (CST). Again assuming that normally-open valves and check valves do not contribute substantially to system unavailability, the equation for failure of HPCS is therefore
HPCS-P1 + HPCS-4
Applying the screening probabilities described above results in an overall system failure probability estimate for HPCS of 6.8 x 10-3. For sequences involving failure to isolate RHR, HPCS cannot provide makeup for flow from the open suction valve. The unavailability of HPCS for those sequences is 1.0.
CRD Flow Available. At cold shutdown pressures, one of two CRD pumps can provide makeup. Since one pump is typically running, the system will fail if that pump fails to run and if the other (standby) pump fails to start and run. Assuming a probability of 0.01 for failure of the standby CRD pump to start, and 3.0 x 10-5/hr for failure of a pump to run, results in an estimated failure probability for CRD flow of 2.5 x 10-6. In this estimate, a short-term non-recovery likelihood of 0.34 was applied to the non-running pump failure-to-start probability, consistent with the approach used to estimate the failure probability for the core spray system. A mission time of 24 h was also assumed.
If only one train is available (because of maintenance on the opposite division), then the CRD failure probability is estimated to be 7.2 x 10-4.
RHR (SDC) Recovered (Short-Term). For WNP 2, RHR can be restored to service provided RPV level is greater than the low-level isolation level and RPV pressure is less than the high pressure isolation pressure, and, of course, the cause of the initial loss of RHR is repaired.
For event tree branches with the head on and for which reactor vessel (RV) inventory was increased to provide for natural circulation, RHR must be recovered prior to RV pressure reaching the high pressure isolation setpoint (135 psig at WNP 2), which would prevent opening the suction line isolation valves and restoring RHR. Once the high-pressure isolation setpoint is reached, operation of at least one SRV is assumed to be required, based on the studies done at Susquehanna, and the sequence proceeds with RPV depressurization and the use of RHR in the suppression pool cooling mode to remove decay heat. In estimating the probability of not recovering RHR (SDC), the time period of concern for these sequences is from initial loss of RHR until the high-pressure isolation setpoint is reached. (Approximately 7.5 h from the loss of RHR for the event under consideration, based on very simplified analyses and consideration of the observed heatup and pressurization rates.)
For event tree branches with the head on but with short-term makeup unavailable, the time to reach the high pressure isolation setpoint is estimated to be approximately six hours. This estimate assumes all decay heat is absorbed in the coolant directly surrounding the core.
For event tree branches with the head detensioned, the time period to recover RHR is the time to reach boiling. The time to reach boiling following the loss of RHR at WNP 2 was approximately 1 h. For sequence 131, which involves a failure to recover RHR prior to boiling without an injection source and with the head detensioned, the time period would be even less.
For this event, the time to restore RHR (SDC) was about seven minutes when the vessel level was recovered and the isolation was reset.
This event involved no actual component failures or any loss of supplied power. The plant was also at operational condition 4, which means ECCS was available and operable. Therefore, the probability of failing to recover RHR was assumed to be dictated by the failure probabilities of components in the LPCI system. No additional impact resulting from human error was assumed.
Failure to recover RHR is dominated by failure of either RHR-8 or RHR-9 to open, both RHR pumps to start, or both injection valves to open. Applying the screening probabilities described above results in a branch probability estimate of 7.5 x 10-3.
Main Condenser Available. The main condenser is modeled as a heat removal mechanism for sequences in which the condensate system is used as an injection source and the head is tensioned. The probability of the condenser being available for heat removal, given the condensate system is available, was assumed to be 0.5. The actual likelihood is dependent on the nature of the outage.
Required SRVs Opened. Eighteen SRVs are installed at WNP 2. The following analysis is based on the studies done at Susquehanna. For sequences with the head tensioned (sequences 102-104, 106-108, 110-112, and 115-117), opening of one or more SRVs provides success. For sequences with the head detensioned but still on the vessel (sequences 121-123), opening of three SRVs is required for success. In either case, failure of the valves to operate is dominated by dependent failure effects.
A probability of 1.6 x 104 was used for failure of multiple SRVs to open. This value was based
]
on the observation of no such failures in the 1984-1990 time period, combined with a non-l recovery likelihood of 0.12. This approach is consistent with the approach used to estimate this j
j probability for other ASP evaluations, but includes a longer observation period and a lower probability of failing to recover to account for the 4-6 h typically available to open the valves [a non-recovery value of 0.71 is used for the probability of not recovering an ADS actuation failure in l
a one-half hour time period (see NUREG/CR-4674, Vol. 6). This value was also used to estimate
)
the likelihood of SRV failure for sequences with the head detensioned but on, since time periods for these sequences are short].
A value of 1.6 x 104 is consistent with failure pmbabilities whlch can be estimated from individual valve failure probabilities and beta factors, as described in NUREG/CR-4550, Vol 1, Rev.1,
" Analysis of Core Damage Frequency: Internal Events Methodology," and the conditional probability screening values used in the ASP program. The failure probabilities estimated using either approach are probably conservative, considering the number of valves potentially available for use. (NUREG/CR-4550, Vol 4, Rev.1, Part 1," Analysis of Core Damage Frequency: Peach Bottom, Unit 2, Internal Events," used a value of 1.0 x 10-6 for common cause SRV hardware faults, based on engineering judgement.)
Suppression Pool Cooling (Long-Term). At WNP 2, like most BWRs, suppression pool cooling is a mode of LPCI. The LPCI system consists of three independent loops at WNP 2, and each loop contains its own motor-driven pump, has a suction from the suppression pool, and is capable of discharging water to the reactor vessel via a separate nozzle or back to the suppression pool via a full-flow test line. Two of these loops have a heat exchanger which is cooled by normal or standby service water. The suppression pool cooling mode of RHR consists of two redundant trains, each of which includes an RHR/LPCI pump, a heat exchanger, and a single return valve which must be opened to return flow to the suppression pool. For the train providing RHR (SDC), the suppression pool suction valve (normally open for LPCI but closed for RHR-SDC) must also be opened to provide suction to its respective pump. During this event, RHR loop A had been providing shutdown cooling and RHR loop B was just going into standby. It was conservatively assumed that opening of suction valve RHR-V-4A was required for this mode of operation.
Assuming availability of RHR service water and electric power, the equation for unavailability of suppression pool cooling is:

(RHR-4A + RHR-P2A + RHR-24A) * (RHR-4B + RHR-P2B + RHR-24B)

The minimal cutsets for this equation are

RHR-4A RHR-4B
RHR-4A RHR-P2B
RHR-4A RHR-24B
RHR-P2A RHR-4B
RHR-P2A RHR-P2B
RHR-P2A RHR-24B
RHR-24A RHR-4B
RHR-24A RHR-P2B
RHR-24A RHR-24B

Applying screening probabilities of 0.01 for failure of a motor-driven pump, 0.34 for failure to recover a faulted pump, 0.0001 for failure of a closed valve to open (because of the length of time available for recovery, the NUREG-1150 value for a failure of a manual valve to open was employed), and 0.1 for the conditional probability of the second similar component to operate, results in an overall system failure probability estimate of 3.5 x 10-4. The conditional failure probability for suppression pool cooling given failure to recover RHR (SDC) in the short term is 4.5 x 10-2. This value is influenced by the fact that failure of both RHR/LPCI pumps faults both branches. If only one train is available (because of maintenance on the other division), then the suppression pool cooling failure probability is estimated to be 3.6 x 10-3. For sequences involving a failure to terminate the loss of inventory with LPCI or LPCS success, a branch probability of 3.0 x 10-4 is estimated.
It should be noted that, because of the length of time available to recover suppression pool cooling (greater than 24 h), and the general lack of understanding of the reliability of such actions, this estimate has a high degree of uncertainty associated with it.
Analysis Results
Branch probabilities developed above were applied to the event tree model shown in Fig. 1 to estimate a conditional probability of subsequent severe core damage for the reactor cavity draindown at WNP 2. This conditional probability is 4.6 x 10-5. The dominant sequences involve successful termination of the loss of inventory, successful RPV makeup, failure to recover RHR (SDC) in the short term, unavailability of the main condenser for decay heat removal, and failure to implement alternate core cooling because of failure to open at least one SRV (sequence 105) or failure to initiate suppression pool cooling (sequence 104). As discussed under ASP Modeling Approach and Assumptions: Branch Probabilities, above, the failure probabilities for these two branches are dependent on the probability of the branch failing when initially demanded and the probability of not restoring an initially failed branch over a period of perhaps 6-24 h. While the probability of initial failure on demand can be reasonably estimated, no information exists which would allow confident estimates of the probability of not recovering an initially failed component over these time periods.
Fig. 2. Event Tree Model for LER 397/88-011
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No: 456/89-016
Event Description: RHR suction relief valve drains 64,000 gal from RCS
Date of Event: December 1, 1989
Plant: Braidwood 1

Summary
A residual heat removal (RHR) pump suction relief valve opened below its design setpoint and would not reseat. Approximately 64,000 gal flowed through the relief valve to the boron recycle holdup tank before the leakage path was isolated. About 54,000 gal were made up from the refueling water storage tank (RWST). Identification of the faulted valve was delayed because the valve was in the non-operating RHR train, and initial operator response addressed the operating train. The event occurred after a full core reload, when no decay heat load existed, and hence the conditional probability of subsequent core damage is very small. Had the event occurred when decay heat removal was required, its conditional probability would still be below 1.0 x 10-4.

Event Description
Prior to the event, Braidwood 1 was in cold shutdown with "A" RHR train in service. "B" train was aligned, but not operating. Reactor coolant pressure was 350 psig, and temperature was 170F. The pressurizer was solid, and preparations were under way to draw a steam bubble.

By 0142, reactor coolant system (RCS) pressure had risen to 404 psig when the 1B RHR pump suction relief valve opened. The pressure setpoint for this valve was supposed to be 450 psig. Inspection and testing after the event indicated an as-installed set pressure of approximately 410 psig (apparently because of incorrect maintenance 20 months earlier, in April 1988). In addition, the nozzle ring setting was out of adjustment by 233 notches, which prevented the valve from reclosing during the event.

Pressurizer level began declining from off-scale high and decreased rapidly. The operator began reducing letdown flow and increasing charging flow. Boron recycle holdup tank level began increasing rapidly. By 0151, pressurizer level was off-scale low. Operations concluded that an RHR pump suction relief valve had lifted and failed to reseat.

Initially, plant operators assumed that the RCS leakage was from the operating RHR train (valve RH 8708A). At 0155, "A" RHR train was removed from service and "B" train placed in service.

The operating charging pump was aligned to the RWST. RCS pressure stabilized at 272 psig. The utility believes that the RCS level at this point was somewhere in the lower portion of the pressurizer surge line, and that, by this time, charging flow equaled leakage from the relief valve.
This elevation corresponds generally to the lower portion of the steam generator tubes and to the upper portion of the reactor vessel. Reactor vessel level instrumentation indicated 100% at all times, and subsequent RCS venting using the head vents indicated no gases in the reactor vessel.

Charging pump 1B breaker was racked-in and the pump was started at 0235. By 0245, pressurizer level indicated above 0%, and 1B charging pump was secured. Reactor pressure was 310 psig. By 0254, pressurizer level had again declined off-scale, and RCS pressure was declining. This implies that the leakage rate was greater than the capacity of the operating charging pump and that the lowest RCS level achieved may have been at 0235, just before charging pump 1B was first started. Charging pump 1B was restarted at 0254, and pressurizer level rose above 0% at 0302, whereupon charging flow from the two pumps was throttled. Holdup tank levels continued to increase.

At 0319, it was finally determined that the 1B RHR pump relief valve (RH 8708B) was leaking.

By 0350, RHR train "A" was again in service and RHR train "B" was isolated, ending the event. Approximately 64,000 gal were lost through the RHR pump suction relief valve. About 54,000 gal were made up from the RWST.

A simplified drawing of the Braidwood RHR system is provided in Fig. 1. A detailed sequence of events is provided in Attachment A.
Additional Event-Related Information
Braidwood was in the 101st day of a refueling outage. A complete fuel reload was performed and the potential for temperature increase from decay heat did not exist. The RCS inventory was always sufficient to keep the core covered and no loss of shutdown cooling occurred.

As specified in Attachment A, one centrifugal charging pump was operating prior to the event. The other charging pump was tagged out-of-service with its breaker racked out (as required by the plant Technical Specifications for this operating mode), as were both safety injection (SI) pumps. The tagged out charging pump was restored to service during the event, and the two SI pumps could apparently also have been restored to service if required. All four steam generators (SGs) were available with water levels between 63 and 69 percent.

The Braidwood procedure for loss of RHR cooling applicable at the time of the event also addresses loss of RCS inventory while the RHR system is in operation. This procedure specifies a variety of methods to provide decay heat removal: bleed and feed using excess letdown and normal charging, steaming of intact SGs, bleed and feed using the pressurizer power-operated relief valves (PORVs) and normal charging, refuel cavity to fuel pool cooling, SI pump hot leg injection, accumulator injection, and gravity feed from the RWST. In addition, the procedure includes instructions for venting the RHR trains, including requirements to close the RHR drop line valves during venting. Had the open relief valve not been discovered, and the charging and SI systems and the accumulators failed to provide RCS makeup such that the RHR pumps had to be vented, then closure of the drop line valves would have isolated the open relief valve and terminated the event. At this point, the SGs could have been steamed to provide decay heat removal.
Analysis Approach
The analysis approach for this event depends upon when the relief valve could have lifted. For the actual event, the valve lifted after a complete fuel reload when there was no decay heat. In this case, the conditional probability of subsequent core damage is extremely small.

If the relief valve had lifted shortly after entering shutdown, then RCS makeup from the charging system, SI system or accumulators would have provided for extended decay heat removal until the open relief valve was found. Once the open valve was isolated and RCS inventory loss terminated, the SGs or intact RHR train could have been used for decay heat removal. For this situation, the following failures would have been required before core damage would have occurred: (1) failure to align the charging pumps to the RWST or failure to start the non-operating pump, (2) failure of both SI pumps to provide RCS injection, (3) failure of the operators to use the accumulators for RCS makeup, and (4) failure to close the RCS drop line valves or failure to use the SGs or intact RHR train for decay heat removal.

Applying typical ASP failure probabilities to components in the above systems results in a core damage probability estimate considerably below 1 x 10-6. If one division had been out of service for maintenance, then only the operating RHR train drop valves would have been open. In this case, the operators would have rapidly identified the appropriate relief valve and terminated the loss of RCS inventory. Following this, the operating charging pump would have provided adequate decay heat removal until the other RHR train could be restored to service.

Analysis Results
Because a complete fuel reload was completed prior to this event and no decay heat load existed, the event is estimated to have a very small probability of subsequent core damage. Had the event occurred when decay heat removal was required, its conditional probability would still have been below 1.0 x 10-6.
ATTACHMENT A
SEQUENCE OF EVENTS
(for LER 456/89-016)
DECEMBER 1, 1989 CENTRAL STANDARD TIME

NOTE: The following sequence times are based on a collection of the best information available during the inspection. Therefore, there may be some variances with other information provided.

0000 Initial Conditions: At the beginning of Shift 1, Unit 1 was in cold shutdown (Mode 5), RCS was solid with the temperature at 175F and pressure was 350 psig. Operations personnel were in the process of drawing a bubble in the pressurizer. Reactor coolant pumps (RCPs) B and D were in operation with the pressurizer power operated relief valves in "cold over pressure protection" condition. 1A RHR pump (train) was in operation in the shutdown cooling mode with 1B RHR train idle and available for operation. The 1A charging pump was in normal operation with letdown coming from the RHR system. 1B RHR pump and both safety injection pumps were secured and tagged out of service as required by Technical Specifications and procedures for RCS cold over pressure protection. In addition, 1A RHR pump suction valve 1RHR 8701B was tagged out of service open with power removed by procedure to assure RHR would be maintained in the event of a pressure switch malfunction.

0055 Commenced drawing a bubble in the pressurizer by increasing letdown flow and energizing PZR heaters per BwOP RY-5, "Drawing a Bubble in the Pressurizer."

0128 RCS pressure had increased to about 395 psig. Letdown flow was increased to stabilize pressure.

0142 Letdown flow was maximized and charging flow was minimized (to about 70 gpm) to accommodate the RCS pressure increase to 404 psig as indicated on the wide range pressure instrument. Later it was found that the 1B RHR pump suction pressure had reached 416 psig. Although unknown at the time, this is where the 1B RHR pump suction relief valve is believed to have lifted.

0144 Pressurizer level reached on scale from off scale high and was decreasing rapidly. Letdown flow was reduced to stabilize pressurizer level.

0145 The radwaste operator informed the control room of a significant increase in holdup tanks (HUTs) levels.

0149 Charging flow was increased to correct for the rapid drop in pressurizer level.
Operations personnel manually swapped charging pump suction from the volume control tank (VCT) to the RWST.

0152 Pressurizer level went off-scale low.

0153 Charging flow was increased to maximum and letdown was reduced to minimum.

0155 1B RHR train cooling was started and 1A RHR train was secured and isolation started. This is based on field reports of a relief problem in the vicinity of the 1A RHR pump suction relief valve and accepted engineering practice to assume a fault is on the operating train.

0159 Secured 1B RCP due to primary pressure dropping to less than 325 psig and the lowest pump shaft seal differential pressure. 1D RCP continued to operate throughout the event. Primary system pressure was noted to be 272 psig and later verified by computer data to be the lowest RCS pressure throughout the event.

0215 1B charging pump out of service was lifted and was placed in operation to provide additional charging flow. This resulted in an associated RCS pressure increase.

0227 A GSEP "ALERT" was declared for loss of coolant inventory beyond the capability of the makeup system.

0235 1A RHR pump suction valve out of service was lifted and the valve shut to complete isolation of the 1A RHR train and suspected leak.

0237 Nuclear Accident Report System (NARS) notification made to State of Illinois.

0245 Pressurizer level was identified as increasing on Channel LI462 and RCS pressure reached 310 psig. 1B charging pump was secured. Radwaste reported HUT levels still increasing.

0254 Pressurizer level was identified as decreasing. 1B charging pump was restarted.

0302 Pressurizer level was increasing. Charging flow was reduced to slow the rate of pressurizer level increase and possible thermal shock to the pressurizer.

0319 An operator in the auxiliary building reported evidence of flow through the 1B RHR pump suction relief valve due to noise level and associated pipe temperatures (touch).

0322 Opened and closed 1RH 8734A (1A RHR cross connect to letdown) to reduce 1A RHR train pressure for assurance that the 1A RHR pump suction relief valve was shut.
0324 Resident Inspectors were notified.

0326 ENS notification to the NRC.

0335 Unit 1 shift foreman reported leakage from the vicinity of relief valve OAB 8634 (discharge common to RHR pump suction reliefs to the HUTs). This was later determined to be from a weep hole in the side of the valve and was the source of the 30 to 50 gal of water released to a limited area of the auxiliary building.

0342 Charging flow was increased for adjustment to maintain pressurizer level.

0345 An operator was stationed near the 1A RHR pump suction relief valve.

0346 1A RHR train isolation valves were opened and locally verified that there was no evidence of flow through the 1A RHR pump suction relief valve.

0349 Placed the 1A RHR train in operation by starting the 1A RHR pump.

0350 Secured the 1B RHR pump and isolated the 1B RHR train.

0352 Pressurizer level showed significant increase.

0353 Secured the 1B CV pump.

0354 A field operator reported no evidence of leakage from the 1A RHR pump suction relief valve.

0356 A field operator reported no evidence of leakage from 1B RHR pump suction relief valve.

0400 Placed the 1A RHR letdown in service.

0402 Radwaste reported HUT levels had stabilized.

0415 Manually transferred charging pump suction from RWST back to the volume control tank.

0427 GSEP control transferred to Technical Support Center (TSC).

0435 GSEP "ALERT" terminated.
ACCIDENT SEQUENCE PRECURSOR PROGRAM COLD SHUTDOWN EVENT ANALYSIS
LER No.: 458/89-020
Event Description: Freeze seal failure
Date of Event: April 19, 1989
Plant: River Bend

Summary
River Bend Station was in a refueling outage on April 19, 1989 when a freeze seal in the standby service water (SSW) system failed. When the seal was lost, water from the system was discharged from a disassembled 6" valve, and flowed across the floor and down to the next lower level in the building. A switchgear on the lower level was shorted out, resulting in the loss of reactor protection system (RPS) Division II and subsequently the loss of a vital 120 V-AC power supply. The plant lost shutdown cooling (SDC) for 17 min, normal lighting for the reactor, control, and auxiliary buildings, a load center transformer, normal spent fuel pool cooling (SFPC) system, and an RPS motor generator (MG) set as a result of the 15,000 gal flood. Operators isolated the leak within 15 min. The conditional core damage probability estimated for this event is less than 1 x 10-4.

Event Description
On April 19, 1989 work was being performed on the SSW supply (ISWP*V524) and return (ISW*V525) valves for unit cooler 1HVR*UC11B. Since these valves were non-isolable, a freeze seal had been established so the valves could be disassembled. Two freeze plugs had been formed using one supply line from two liquid nitrogen sources. A freeze seal watch had begun, and 10 min after nitrogen supplies had been switched, a loud noise was heard by the person on watch. The supply line freeze plug had given way, but the return line plug remained in place and did so throughout the event. The control room was notified of leakage past a freeze seal. An operator sent to investigate the leak in the auxiliary building found water on the floor at the 114-ft elevation. He then proceeded to the 141-ft elevation and found water flowing across the floor and a 6-ft high column of water flowing from the body of the inlet isolation valve to cooler 1HVR*UC11B. The operator then assisted maintenance personnel trying to re-install the valve bonnet on the valve. This operator did not contact the control room to tell the operators of his assessment of the situation and the status of the leak. Water flowed from the 141-ft elevation to the 114-ft elevation through openings under motor control centers (MCCs) 2J and 2L. On the 114-ft elevation water entered load centers INJS-LDC 1A/B. The resulting ground faults in the load centers caused windings of the step-down transformer, INJS-X1A, to burn out and an electrical explosion in the adjacent 13.8 kV manual disconnect switch bay. Switchgear INPS-SWGIA Breaker 16 then opened and interrupted power to load centers INJS-LDC 1A, 1B, 1C, 1D, 1S, and 1T. This tripped RPS Bus "B" and resulted in a half scram and caused Division II containment isolation valves to close, thus isolating SDC, tripping normal SFPC, and tripping normal lighting to the reactor building, containment building, and auxiliary building. Operators then proceeded to restore SDC and SFPC using their abnormal operating procedures. Also, at this time, the shift supervisor (SS) and control operating foreman (COF) were trying to ascertain the source of the leak. After discussion and investigation, the SS and COF decided to isolate Division II of SSW and remove it from service. The SS and COF did this without positive confirmation that it was the leak source, but they had correctly inferred that it was the leak source from their investigation. Within minutes the leak stopped and the maintenance personnel re-installed the bonnet on the valve body that was leaking. Shortly thereafter, RHR SDC was restored using Division I RHR. Normal SFPC was restored about six h later.

The delay in restoring SFPC was due to re-establishing power to the component cooling water (CCW) pumps which were powered by the damaged 13.8 kV load center.

A drawing of the River Bend SSW system is provided in Fig. 1 and a drawing of Division I of RHR is provided in Fig. 2.
Additional Event-Related Information
Initial water level was 23 ft above the reactor vessel flange; this corresponds to about 640 in (or more than 53 ft) above top of active fuel (TAF). A reactor scram and automatic isolation of the RHR SDC from the reactor recirculation system occur at 172 in above TAF. Emergency core cooling system (ECCS) initiation occurs at 19 in above TAF. Upon ECCS initiation, RHR automatically lines up for and initiates in the low-pressure coolant injection (LPCI) mode. Also, both high-pressure core spray (HPCS) and low-pressure core spray (LPCS) systems automatically line up for and initiate vessel makeup.

Various pieces of equipment on the lower elevations of the auxiliary building were jeopardized by the flooding. As a result, the potential for flooding becoming a common mode failure mechanism through which redundant systems could be disabled was examined. The most limiting sequence of events was determined to be due to the inadequate capacity of the floor drains associated with the flooding of the lower elevations in the auxiliary building caused by the leak and/or from postulated fire fighting activities for electrical fires in transformers, switchgear, or MCCs resulting from the leak on higher elevations. If the drain system allowed the water to collect on the lower elevations, the safety-related equipment there would be jeopardized. However, it was determined that while three RHR/LPCI, the LPCS, and the HPCS pumps are all located on the lower elevations of the auxiliary building and it is possible following extensive unchecked flooding and/or fire fighting activities to put these pumps at risk, this was considered to be unlikely; moreover, only the LPCS and one RHR/LPCI pump were located directly below the leak. Flooding, in this case, posed little risk to the core.
ASP Modeling Assumptions and Approach
Analysis for this event was developed based on procedures (e.g. Procedure STP-204-0700, Rev. 1, effective March 3, 1989) in effect at River Bend at the time of the event, the Plant Technical Specifications, the Augmented Inspection Team (AIT) report, and the Final Safety Analysis Report (FSAR).
The following comments are applicable for the analysis of this event:
- a. Core damage end state. Core damage is defined for the purpose of this analysis as reduction in reactor pressure vessel (RPV) level above TAF or failure to cool the suppression pool in the long term. With respect to RPV inventory, this definition may be conservative, since steam cooling may limit clad temperature increase in some situations. However, choice of TAF as the damage criterion allows the use of simplified calculations to estimate the time to an unacceptable end state.
- b. Boil-off of RPV inventory can be delayed if RPV level can be raised to permit natural circulation. Availability of RPV injection to raise water level for natural circulation is included in the analysis.
- c. Three pressure vessel head states were considered for the analysis: head on and tensioned, head on and detensioned, and head off. If the head is on and tensioned, then decay heat removal as well as vessel makeup methods which require pressurization are assumed to be viable. If the head is on, but detensioned, then failure to maintain the RPV depressurized is also assumed to proceed to core damage (this assumption is conservative). If the head is off, then makeup at a rate equal to boil-off is assumed to provide core cooling.
- d. Five makeup sources were available during this event: HPCS, LPCI, LPCS, control rod drive (CRD) flow and the feedwater/condensate system. Use of any other source of makeup is considered to be a recovery action.
- e. Successful termination of a loss of RHR (SDC) is defined as recovery of RHR or provision of alternate decay heat removal via the suppression pool or main condenser, or, if the head is removed, via refueling cavity boiling. Also, injection from any source to raise RPV level and allow natural circulation increases the amount of time available for recovery of RHR.
- f. If RHR (SDC) cannot be recovered, then alternate core cooling methods are needed. If the head is tensioned, these involve allowing the RPV to repressurize, opening of at least one safety relief valve (SRV), and dumping decay heat to the suppression pool. If the condenser and condensate system are available, then decay heat can also be dumped to the condenser. If the head is detensioned, then decay heat must be removed without the RPV being pressurized. This requires opening of at least three SRVs and recirculating water to the suppression pool using the core spray or LPCI pumps. For all cooling modes involving the suppression pool, suppression pool cooling must be initiated in sufficient time to prevent the suppression pool from exceeding its temperature limit. If the head is removed, then any makeup source greater than ~200 gpm, combined with boiling in the RPV, will provide adequate core cooling.
The event tree model for this event is shown in Fig. 3. In the event, electrical faults from the flood resulted in RHR isolation. Isolation of Division II of SSW also rendered RHR Division II unavailable, since the two RHR heat exchangers in that division could not provide cooling.
Because of these faults, the event has been modeled as a loss of SDC with one train of RHR (SDC) and suppression pool cooling unavailable. Note that these trains were recoverable once the bonnet on the open isolation valve was re-installed.
The event tree model includes the following branches:
Head Status. For the operational event in question, the head was off. However, since the event involved isolation of one auxiliary building cooler for valve maintenance with both SSW trains in operation, it was assumed that the event could have occurred with the head on as well. The likelihood of the three different head states was assumed to be:

head on            0.27
head detensioned   0.02
head off           0.71

These values are consistent with values developed for Washington Nuclear Plant, Unit 2, based on an analysis of shutdown outages for that plant.
LPCI or LPCS Flow Available. LPCI consists of three trains at River Bend. Each train includes one pump with a single normally-open suction valve and a single normally-closed discharge (RPV injection) valve. The pump's normal suction source is the suppression pool.
LPCS consists of one train at River Bend. This train includes one pump with a single, normally-open motor-operated suction valve and a single normally-closed discharge (RPV injection) valve. The pump suction source is normally the suppression pool.
To simplify the estimation of the probability of failure of suppression pool cooling (which is dependent on the LPCI trains which also provide RHR), only the probability of failure of core spray and the probability of failure of the "C" train of LPCI was used to estimate this branch probability. Assuming that neither the LPCS nor LPCI pumps require SSW for injection, and that normally-open valves and check valves do not contribute substantially to system unavailability, the equation for this event tree branch is therefore

(LPCS-P1 + LPCS-5) * (LPCI-P2C + LPCI-42C).

Applying screening probabilities of 0.01 for failure of a motor-driven pump to start-and-run and failure of a motor-operated valve to open, 0.1 for the conditional probability of the second similar component to operate, and a probability of not recovering the faulted branch, results in an overall failure probability for the branch of 7.5 x 10-4.
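The branch equation above, and the WNP 2 suppression pool cooling equation (RHR-4A + RHR-P2A + RHR-24A) * (RHR-4B + RHR-P2B + RHR-24B) earlier in this appendix, can be expanded into minimal cutsets mechanically. The following Python sketch is an added example, not part of the NRC report or its analysis tools; it assumes "+" means OR and "*" means AND over basic-event names, and the function and constant names are hypothetical.

```python
"""Expand a Boolean unavailability equation into its minimal cutsets.

Added illustration (not code from NUREG-1449). Assumes '+' is OR, '*' is AND,
and every other token is a basic-event name such as RHR-P2A.
"""
import re
from itertools import product

# A basic-event name (letters/digits joined by hyphens) or one operator.
TOKEN = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*|[()+*]")


def _minimize(cutsets):
    """Drop any cutset that contains another cutset (absorption: A + A*B = A)."""
    minimal = []
    for cs in sorted(set(cutsets), key=len):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return set(minimal)


def minimal_cutsets(equation):
    """Return the minimal cutsets of `equation` as a sorted list of sorted tuples."""
    tokens = TOKEN.findall(equation)
    if "".join(tokens) != re.sub(r"\s+", "", equation):
        raise ValueError("unexpected character in equation")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok

    def parse_or():
        # OR of gates: the union of their cutset families.
        family = parse_and()
        while peek() == "+":
            take("+")
            family = family | parse_and()
        return _minimize(family)

    def parse_and():
        # AND of gates: every pairing of one cutset from each side.
        family = parse_atom()
        while peek() == "*":
            take("*")
            right = parse_atom()
            family = _minimize(a | b for a, b in product(family, right))
        return family

    def parse_atom():
        tok = take()
        if tok == "(":
            family = parse_or()
            take(")")
            return family
        if tok in {"+", "*", ")"}:
            raise ValueError(f"unexpected {tok!r}")
        return {frozenset([tok])}

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return sorted(tuple(sorted(cs)) for cs in result)


# Equations as printed in the two analyses of this appendix.
WNP2_SPC = "(RHR-4A + RHR-P2A + RHR-24A) * (RHR-4B + RHR-P2B + RHR-24B)"
RIVER_BEND_LP = "(LPCS-P1 + LPCS-5) * (LPCI-P2C + LPCI-42C)"

if __name__ == "__main__":
    for name, eq in (("WNP 2 suppression pool cooling", WNP2_SPC),
                     ("River Bend LPCI or LPCS flow", RIVER_BEND_LP)):
        print(name)
        for cs in minimal_cutsets(eq):
            print("   ", " * ".join(cs))
```

Because the two trains in each equation share no basic event, every pairing survives as a minimal cutset; an event common to both sides would absorb the larger cutsets that contain it.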
HPCS Flow Available. HPCS consists of one train at River Bend. This train includes one pump with a single, normally-open motor-operated suction valve and a single normally-closed discharge (RPV injection) valve. The pump suction is normally the condensate storage tank. Making the same assumptions as for the previous branch results in a failure probability estimate of 6.8 x 10-3.
CRD Flow Available. At cold shutdown pressures, one of two CRD pumps can provide makeup. Since one pump is typically running, the system will fail if that pump fails to run or if the other (standby) pump fails to start and run. Assuming a probability of 0.01 for failure of the standby CRD pump to start, and 3.0 x 10-5/hr for failure of a pump to run, results in an estimated failure probability for CRD flow of 2.5 x 10-4. In this estimate, a short-term non-recovery likelihood of 0.34 was applied to the non-running pump failure-to-start probability, consistent with the approach used to estimate the failure probability for the core spray system. A mission time of 24 h was also assumed.
If only one train is available (because of maintenance on the opposite division), then the CRD failure probability is estimated to be 7.2 x 10-4.
Feedwater/Condensate Available. River Bend has three motor-driven feedwater and three motor-driven condensate pumps; and, while the condensate pumps can provide more than adequate makeup, they are often unavailable during a refueling outage because of work on the secondary system. However, for this event, the feedwater/condensate system was available. A failure probability of 0.01 was assumed.
RHR (SDC) Recovered (Short Term). For River Bend, RHR is available provided RPV level is greater than the low-level isolation level and RPV pressure is less than the high-pressure isolation pressure. For events with the head on and for which reactor vessel inventory was increased to provide for natural circulation, RHR must be recovered, if lost, prior to reactor vessel pressure reaching the high-pressure isolation setpoint (135 psig at River Bend), which would prevent opening the suction line isolation valves and restoring RHR. Once the high-pressure isolation setpoint is reached, operation of at least one SRV was assumed to be required, and the event proceeds with RPV depressurization and the use of RHR in the suppression pool cooling mode to remove decay heat. The main concern, then, is the time from the initial loss of RHR until the high-pressure isolation setpoint is reached, and for events with the head on but with short-term makeup unavailable, this time period is even more restrictive.
If the head is detensioned, the time period to recover RHR is assumed to be the time to reach boiling, and usually this is the most limiting time period.
If the RPV head is off, as was the case for this event, it is estimated based on simplifying assumptions that the water above the core would not reach boiling for approximately four d, and it would be more than 25 d before the core would be uncovered. This very long time is attributable to the enormous vessel inventory available above TAF (23 ft above the flange), the equally large volume of water available from the spent fuel pool, and the relatively low decay heat load from the core 36 d after shutdown.
During this event, SDC was recovered by transferring RPS bus "B" to its alternate supply, which allowed the Division II containment isolation signal to be reset and the SDC isolation valves to be opened. This action was performed in 17 min. Considering the time period available for SDC recovery, ample time exists to accomplish this action. Therefore, the probability of failing to recover SDC was estimated based only on component failure likelihoods, without consideration of any associated human errors.
Since one of the two RHR trains was unavailable because of the isolation of its associated SSW train, both suction isolation valves must open and the remaining-train RHR pump must start and run for RHR success. Using the same screening probabilities as for the earlier branches, a failure probability of 1.0 x 10^-2 is estimated.
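The screening arithmetic behind the low-pressure injection, HPCS and short-term RHR branch estimates above can be reproduced from the quoted values. The Python sketch below is an added example, not part of the NRC report: it assumes that the 0.34 short-term non-recovery factor quoted for the CRD estimate applies to each of these branches and that the 0.1 conditional value applies to a second component of the same type within a cut set; event names other than LPCS-P1, LPCS-5, LPCI-P2C and LPCI-42C are hypothetical labels.

```python
from itertools import product

# Screening values quoted in the text.
P_FAIL = 0.01          # pump fails to start-and-run, or MOV fails to open
P_COND_SIMILAR = 0.1   # second similar component fails, given the first failed
P_NONRECOVERY = 0.34   # short-term non-recovery (assumed to apply to each branch)

# A branch is a list of trains; a train is a list of (event, kind) basic
# events, any one of which fails that train. The branch fails only when
# every train has failed, i.e. the product-of-sums form used in the text.
LOW_PRESSURE_INJECTION = [
    [("LPCS-P1", "pump"), ("LPCS-5", "mov")],
    [("LPCI-P2C", "pump"), ("LPCI-42C", "mov")],
]
# Hypothetical labels for the single HPCS train (pump and discharge valve).
HPCS = [[("HPCS-PUMP", "pump"), ("HPCS-DISCHARGE", "mov")]]
# Hypothetical labels for the remaining RHR train (pump and two suction valves).
RHR_SDC_SHORT_TERM = [
    [("RHR-PUMP", "pump"), ("RHR-SUCTION-1", "mov"), ("RHR-SUCTION-2", "mov")],
]


def cut_sets(branch):
    """Expand the product-of-sums branch equation into its cut sets."""
    return [tuple(combo) for combo in product(*branch)]


def cut_set_probability(cut_set):
    """Probability that every event in one cut set occurs.

    The first component of a given kind gets the independent screening value;
    any further component of the same kind gets the conditional value.
    """
    seen_kinds = set()
    probability = 1.0
    for _event, kind in cut_set:
        probability *= P_COND_SIMILAR if kind in seen_kinds else P_FAIL
        seen_kinds.add(kind)
    return probability


def branch_failure(branch, nonrecovery=P_NONRECOVERY):
    """Rare-event approximation: sum the cut sets, then credit recovery."""
    return nonrecovery * sum(cut_set_probability(cs) for cs in cut_sets(branch))


def two_sig(value):
    """Format to two significant figures, as the report quotes its results."""
    return f"{value:.1e}"


if __name__ == "__main__":
    for name, branch in [
        ("Low-pressure injection", LOW_PRESSURE_INJECTION),
        ("HPCS", HPCS),
        ("RHR (SDC), short term", RHR_SDC_SHORT_TERM),
    ]:
        print(f"{name}: {two_sig(branch_failure(branch))}")
```

Under these assumptions the three results round to the 7.5 x 10^-4, 6.8 x 10^-3 and 1.0 x 10^-2 figures quoted in the text; the two-pump CRD estimate is not modeled here.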
Main Condenser Available. The main condenser is modeled as a heat removal mechanism for sequences in which the condensate system is used as an injection source and the head is tensioned. The probability of the condenser being available for heat removal, given the condensate system is available, was assumed to be 0.5. The actual likelihood is dependent on the nature of the outage.
Required SRVs Opened. Sixteen SRVs [seven of which are also designated automatic depressurization system (ADS) valves] are installed at River Bend. For events with the head tensioned, opening of one or more SRVs is assumed to provide success in mitigating a loss of RHR (SDC). For events with the head detensioned but still on the vessel, opening of three SRVs is assumed to be required for success. The number of valves which are assumed to be required is based on calculations done at Pennsylvania Power and Light for Susquehanna. In either case, failure of the valves to operate is dominated by dependent failure effects.
A probability of 1.6 x 10^-4 was used for failure of multiple SRVs to open. This value was based on the observation of no such failures in the 1984-1990 time period, combined with a non-recovery likelihood of 0.12. This approach is consistent with the approach used to estimate this probability for other ASP evaluations, but includes a longer observation period and a lower probability of failing to recover to account for the 4-6 h typically available to open the valves [a non-recovery value of 0.71 is used for the probability of not recovering an ADS actuation failure in a one-half hour time period (see NUREG/CR-4674, Vol. 6); this value was also used to estimate the likelihood of SRV failure for sequences with the head detensioned but on, since time periods for these sequences are short].
A value of 1.6 x 10^-4 is consistent with failure probabilities which can be estimated from individual valve failure probabilities and beta factors, as described in NUREG/CR-4550, Vol 1, Rev.1, "Analysis of Core Damage Frequency: Internal Events Methodology," and the conditional probability screening values used in the ASP program. The failure probabilities estimated using either approach are probably conservative, considering the number of valves potentially available for use. (NUREG/CR-4550, Vol 4, Rev.1, Part 1, "Analysis of Core Damage Frequency: Peach Bottom, Unit 2, Internal Events," used a value of 1.0 x 10^-6 for common cause SRV hardware faults, based on engineering judgement.)
Suppression Pool Cooling (Long-Term). Suppression pool cooling at River Bend, like most BWRs, is a mode of RHR. RHR consists of three independent loops at River Bend, and each loop contains its own motor-driven pump, has a suction from the suppression pool, and is capable of discharging water to the reactor vessel via a separate nozzle or back to the suppression pool via a full-flow test line. Two of these loops have two heat exchangers which are cooled by normal or standby service water. For these two loops, one or more RHR/LPCI pumps take suction from the suppression pool, pump water through the heat exchangers if necessary, and return it to the suppression pool. The suppression pool cooling mode of RHR consists of two redundant trains, each of which includes an RHR/LPCI pump, two series heat exchangers, and a single return valve which must be opened to return flow to the suppression pool. For the train providing RHR (SDC), the suppression pool suction valve [normally open for LPCI but closed for RHR (SDC)] must also be opened to provide suction to its respective pump. During this event, RHR loop B was providing shutdown cooling, and hence opening of suction valve E12*MOVF004B was assumed to be required for this mode of operation.
Since one of the two RHR trains was initially unavailable (because of the isolation of its SSW train), the RHR pump in the remaining train must start and run, its suppression pool suction valve must open, and its discharge valve (E12*MOVF024B) to the suppression pool must open. In addition, one of the suction valves from the reactor recirculation loop and one of the normal RHR injection valves must close. If this train fails to provide suppression pool cooling, then the initially faulted train must be recovered. A branch probability of 0.03 is estimated, conditional on the failure to recover RHR (SDC) in the short term.
It should be noted that, because of the length of time available to recover suppression pool cooling (greater than 24 h), and the general lack of understanding of the reliability of such actions, this time estimate has a high degree of uncertainty associated with it.
Analysis Results
Branch probabilities developed above were applied to the event tree model shown in Fig. 3 to estimate a conditional probability of subsequent severe core damage for the event at River Bend. This conditional probability is much less than 1.0 x 10^-4, based on the head state (removed) which existed during the event. Branch probabilities are shown on Fig. 3. The dominant sequence involves failure to provide RPV makeup from one of the variety of sources in the long term.
An additional calculation was performed to determine the impact of head status on the conditional probability estimate. If the event could have occurred with the head on, detensioned but on, or off (with probabilities as previously specified), then the conditional probability for the event is estimated to be much higher, ~9.0 x 10^-5. This high probability is a result of the two-train design of the RHR system on this plant, and the component failure probabilities assumed in the analysis.
Flooding in the auxiliary building was examined and it was determined that the RHR/LPCI and LPCS systems would only suffer a loss of redundancy if the flooding were allowed to proceed unchecked. Since it was unlikely that extensive flooding would have occurred during this event, this analysis did not perform a complete flooding analysis. Even if a hypothetical flood of the auxiliary building, such as the one posed by the AIT investigation, had occurred and failed all the ECCS equipment located on the lower elevation, both the CRD and condensate systems were available for vessel makeup. Several things happened during this event that would have mitigated extensive flooding. First, no electrical fire occurred, so flooding from fire fighting activities was not possible. Second, maintenance personnel in the area of the failed freeze seal were in the process of reassembling the valve when the control room operators remotely isolated the leak, and these maintenance technicians would have been able to stop the leak within minutes if no remote isolation had occurred. Third, the flooding that did occur only impacted a single division of ECCS. Lastly, the leak was confined mostly to the upper elevations since there was only one small flow path to the lower elevations. Therefore, it is unlikely that other ECCS equipment would have been jeopardized.
APPENDIX B
Details of Equipment Hatch Survey
Table B.1 Boiling Water Reactors

| Plant & (OL date) | Containment type | Hatch type (note 1) | No. of bolts | Additional inspection for refueling closure (note 2) | Temporary platform (note 3) | Air or ac needed | Bolt pattern (note 4) | Comments |
|---|---|---|---|---|---|---|---|---|
| Big Rock Pt. (64) | Sphere | In | N/A | App. J Type B | No | ac | N/A | TS requires containment when fuel is in reactor |
| Browns Ferry (73/74/76) | Mark I | In (note 5) | 12 | No | Ladder | Manual | Holddown clamp | Double door |
| Brunswick 1&2 (76/74) | Mark I | In | 12 | No | No | Manual | B | |
| Clinton (87) | Mark III | In | 20 | No | Yes | Manual | B | |
| Cooper (74) | Mark I | In | 8 | No | No | None | A | |
| Dresden 2&3 (69/71) | Mark I | In | 8 | No | No | Manual | B | |
| Duane Arnold (74) | Mark I | In | 12 | No | Yes | ac | B | Need ac for crane to install hatch |
| Fermi (85) | Mark I | Out/In | 20/36 | No | Yes | Manual | B | Two equipment hatches |
| FitzPatrick (74) | Mark I | In | 8 | No | No | Manual | B | |
| Grand Gulf (84) | Mark III | In | 20 | No | No | ac | B | |
| Hatch 1&2 (74/78) | Mark I | In | 8 | No | Yes | Manual | B | Can close hatch without temporary platforms. |
| Hope Creek (86) | Mark I | In | 24 | No | Yes | Manual | B | |
| LaSalle 1&2 (82/84) | Mark II | In | 16 | No | No | Manual | B | |
| Limerick 1&2 (85/89) | Mark II | Out | 80 | No | Yes | ac | B | |
| Millstone 1 (86) | Mark I | In | 8 | No | Ladder | Manual | B | |
| Monticello (81) | Mark I | In | 8 | No | No | Manual | B | |
| Nine Mile Pt. 1 (74) | Mark I | Out | 36 | No | Yes | Manual | B | Inspector noticed a gap with minimum bolts installed. |
| Nine Mile Pt. 2 (87) | Mark II | Out | 64 | No | Yes | Manual | B | |
| Oyster Creek (69) | Mark I | In | 36 | No | No | Air | B | |
| Peach Bottom 2&3 (73/74) | Mark I | In | 8 | No | No | Manual | B | |
| Perry (86) | Mark III | Out | 72 | No | Yes | ac | A | |
| Pilgrim (72) | Mark I | Out | 8 | No | No | No | A | Licensee noted speedy closing difficult due to temporary services. |
| Quad Cities 1&2 (72/72) | Mark I | In | 8 | No | Yes | Manual | B | |
| River Bend (85) | Mark III | Out | 64 | No | No | Manual | A | |
| Susquehanna 1&2 (82/84) | Mark II | Out | 30 | No | No | Air & ac | B | Can close hatch manually. |
| Vermont Yankee (73) | Mark I | Out | 8 | No | No | Manual | B | |
| WNP-2 (84) | Mark II | Out | 64 | No | No | Air | A | Can close hatch manually. |

Note 1: Hatch type: Out = pressure-unseating design; In = pressure-seating design.
Note 2: A confirmatory inspection done voluntarily by some licensees to verify that the hatch is seated properly.
Note 3: Temporary platforms are used in some plants for workmen to reach the bolts.
Note 4: Bolt pattern: A = bolt in threaded hole; B = bolt swing.
Note 5: Flat plate.
Table B.2 Pressurized Water Reactors

| Plant, [Vendor], & (OL date) | Containment type | Hatch type (note 1) | No. of bolts | Additional inspection for refueling closure (note 2) | Temporary platform (note 3) | Air or ac needed (note 4) | Bolt pattern (note 5) | Comments |
|---|---|---|---|---|---|---|---|---|
| Arkansas 1 [B&W] (74) | Large dry | In | 4/24 | None | No | Manual | B | |
| Arkansas 2 [CE] (78) | Large dry | In | 4/16 | None | No | Manual | B | No procedure for temporary closing; just tighten bolt, close opening. |
| Beaver Valley 1&2 [W] (76/87) | Subatmospheric | In | 4/24 | None | Ladder | Manual | B | Emergency airlock inside hatch. |
| Braidwood 1&2 [W] (87/88) | Large dry | In | 0/200 | None | Yes | ac | B | Have loop ISO valves, don't drain to midloop. |
| Byron 1&2 [W] (85/87) | Large dry | In | 0/208 | None | Yes | ac | B | |
| Callaway [W] (84) | Large dry | In | 4/20 | None | No | ac | B | Special rigging needed to close hatch during station blackout. |
| Calvert Cliffs 1&2 [W] (74/76) | Large dry | In | 4/20 | None | No | ac | B | |
| Catawba 1&2 [W] (85/86) | Ice condenser | In | 4/16, 4/24 | None | No | ac | B | Unit 2 modified to add bolts to seal. Inspector notes increased number of bolts used for fuel move to close gap. Unit 1 uses 10, Unit 2 uses 15 bolts. |
| Comanche Peak [W] (90) | Large dry | In | 4/16 | None | Ladder | Manual | B | |
| Cook 1&2 [W] (74/77) | Ice condenser | Out | 0/3 28 | None | No | ac | A | No requirement for hatch but licensee maintains it for fuel move & midloop. |
| Crystal River [B&W] (77) | Large dry | Out | 4/72 | None | Yes | Air | B | Hatch can be closed manually with truck-mounted crane. |
| Davis-Besse [B&W] (77) | Large dry | In | 4/12 | None | Yes | Manual | B | |
| Diablo Canyon 1&2 [W] (84/85) | Large dry | In | 4/48 | Daylight check | Ladder | Manual | B | Perform daylight check. One seal may be used for Modes 5 & 6. |
| Farley 1&2 [W] (77/81) | Large dry | In | 4/28 | None | Yes | Manual | B | |
| Fort Calhoun [CE] (73) | Large dry | In | 4/36 | None | No | ac | B | |
| Ginna [W] (84) | Large dry | Out | 36/36 | QC metal | Yes | Manual | B | Licensee uses a temporary closure plate for temporary services. |
| Haddam Neck [W] (74) | Large dry | Out | 18/92 | None | No | ac | B | Mobile crane can be used to install hatch. |
| Harris [W] (87) | Large dry | Out | 4/36 | None | Ladder | Manual | A | |
| Indian Pt. 2 [W] (73) | Large dry | In | 20/20 | None | No | ac (note 7) | B | Licensee has a temporary closure plate for temporary services. |
| Indian Pt. 3 [W] (76) | Large dry | In | 20/20 | None | No | ac (note 7) | B | Licensee has no temporary closure plate. |
| Kewaunee [W] (73) | Large dry | In | 12/12 | None | (note 8) | ac | A | Use boatswain chair to close hatch. |
| Maine Yankee [CE] (73) | Sphere | Out | 8/74 | None | No | Manual | A | Mobile crane used to install hatch. |
| McGuire 1&2 [W] (81/83) | Ice condenser | In | 4/16 | None | Ladder | Manual | Holddown clamp | Noticed gap with 4 & 8 bolts in place. |
| Millstone 2 [CE] (86) | Large dry | In | 4/20 | None | Yes | Manual | B | |
| Millstone 3 [CE] (86) | Subatmospheric | In | 4/16 | None | No | Manual | B | |
| North Anna 1&2 [W] (78/80) | Subatmospheric | In | 4/20 | None | No | Manual | B | Licensee requires every 2nd bolt be installed. |
| Oconee 1, 2, & 3 [B&W] (73/73/74) | Large dry | In | 4/48 | None | No | ac | B | Can position hatch without power. |
| Palisades [CE] (72) | Large dry | In | 0/24 (note 6) | None | Ladder | Manual | B | Procedures to discontinue temporary services on loss of shutdown cooling. |
| Palo Verde 1, 2, & 3 [CE] (85/86/87) | Large dry | In | 4/32 | Ran integrated leak rate test with 8 bolts | No | ac | B | Can close hatch manually. Ran integrated leak rate test with 8 bolts. Licensee closes hatch on reduced inventory. |
| Point Beach 1&2 [W] (70/73) | Large dry | In | 66/66 | None | No | Manual | B | |
| Prairie Island 1&2 [W] (74/74) | Large dry | In | 0/12 (note 6) | App. J Type B | Ladder | Manual | B | TS does not specify number of bolts. Ladders are secured near hatch. |
| Robinson [W] (70) | Large dry | Out | 8/48 | None | Ladder | Manual & mobile crane | | 80-ton mobile crane used for closing hatch. Has a hatch seal penetration system. |
| Salem 1&2 [W] (76/81) | Large dry | In | 4/16 | None | Yes | ac | B | Licensee & inspector noticed gap with 4 bolts installed. |
| San Onofre 1 [W] (67) | Sphere | In | 0/12 | None | No | Manual | B | Unit 1 refuels through hatch. Close hatch quickly on station blackout. |
| San Onofre 2&3 [CE] (82/83) | Large dry | In | 4/16 | None | No | ac | B | 4 hr to close hatch on station blackout. |
| Seabrook [W] (90) | Large dry | In | 4/32 | None | Yes | ac crane | B | Recently completed 1st refueling. |
| Sequoyah 1&2 [W] (80/81) | Ice condenser | In | 4/20 | None | No | ac winch | | Can use chain fall in place of winch. |
| South Texas 1&2 [W] (88/89) | Large dry | In | 4/28 | None | No | ac | B | |
| St. Lucie 1&2 [CE] (76/83) | Large dry | Out | 4/12 | None | No | ac | B | |
| Summer [W] (82) | Large dry | In | 4/30 | App. J Type B | Ladder | ac | B | Integrated leak rate test with 4 bolts. Can close hatch without ac power. |
| Surry 1&2 [W] (72/73) | Subatmospheric | In | 4/36 | None | No | Manual | B | Licensee has temporary cover plate used for auxiliary services. |
| TMI-1 [B&W] (74) | Large dry | Out | 402 | None | Yes | Manual | B | Emergency hatch common with equipment hatch and mounted on carriage. |
| Trojan [W] (75) | Large dry | In | 4/20 | None | No | No | B | Procedure to close hatch during station blackout. |
| Turkey Pt. 3&4 [W] (72/73) | Large dry | In | 4/58 | None | No | Air | A | Hatch can be positioned manually. |
| Vogtle 1&2 [W] (87/88) | Large dry | In | 4/30 | None | No | ac | B | Can close hatch during station blackout. |
| Waterford [CE] (85) | Large dry | In | 4/16 | None | Yes | Manual | B | |
| Wolf Creek [W] (85) | Large dry | In | 4/20 | None | No | ac | B | |
| Yankee Rowe [W] (63) | Sphere | In | 4/56 | None | No | ac | B | |
| Zion 1&2 [W] (73/73) | Large dry | In | 0/128 | Seal press. system | No | ac/air | B | Licensee can install hatch in 2 hours during station blackout. Hatch installed during midloop. |

Note 1: Hatch type: Out = pressure-unseating design; In = pressure-seating design.
Note 2: A confirmatory inspection done voluntarily by some licensees to verify that the hatch is seated properly.
Note 3: Temporary platforms are used in some plants for workmen to reach the bolts.
Note 4: If neither ac power nor air is required, the equipment hatch is closed manually.
Note 5: Bolt pattern: A = bolt in threaded hole; B = bolt swing.
Note 6: Zero bolts required during refueling because hatch opens to fuel handling building.
Note 7: Polar crane.
Note 8: Crane and boatswain chair.
APPENDIX C
Staff Responses to Comments Received on Draft NUREG-1449

Table C.1 Staff Responses to Comments Received on Draft NUREG-1449

| No. | Subject | Organization | Comment | Response |
|---|---|---|---|---|
| 1 | Clarification | BWROG | Define the term "integral RCS" in Section 7.2(4) of NUREG-1449. | The term "integral RCS" describes the reactor coolant system when the reactor coolant pressure boundary is intact. |
| 2 | Clarification | BWROG | Clarify statement on page 7-6 regarding containment closure plans for BWRs. | The statement reflects observations during visits to BWR plants that those plants do not have contingency plans for closing the primary containment in an emergency. |
| 3 | Clarification | BWROG | Comments at top of page 6-13 regarding ECCS operability not consistent with BWR/4 STS 3.5.2. | Statement on page 6-13 has been modified to correctly reflect the requirements in Section 3.5.2 of the current BWR/4 and BWR/6 STS. |
| 4 | Clarification | BWROG | Clarify statements on page 6-12 regarding methods of RHR in BWRs. | Additions and corrections have been made in Section 6.7 to reflect the wide variability among BWRs regarding methods of RHR. |
| 5 | Clarification | BWROG | Several statements in Chapter 5 on TS incorrect. Need clarification. | Appropriate corrections have been made in Section 5.1 to properly reflect current BWR/4 STS in the areas of reactivity control, low-pressure ECC subsystems, and containment atmosphere. |
| 6 | Clarification | BWROG | Clarify Section 7.2(4)(11) in NUREG-1449, i.e., proposed relaxation of TS action to go to cold shutdown. | This refers to the language in some PWR technical specifications that requires entry into MODE 5 (<200 °F) (<93 °C) from MODE 4 when an RHR train is declared inoperable and RCS loops are still available for heat removal via forced or natural circulation. |
| 7 | Clarification | BWROG | Add statement to Chapter 5 which references the BWR STS used for the evaluation. | General statements in Chapter 5 regarding BWR technical specifications are based on current BWR/4 standard technical specifications. A statement to this effect has been added to Section 5.1.1. |
| 8 | Clarification | FP&L | Clarify the Turkey Point event listed in Table 2.6. The boric acid flow path to charging pumps was available. | Statement was added to the NUREG indicating that boric acid flow path from the refueling water storage tank to the reactor via the charging pumps was available during the event. |
| 9 | Clarification | GEORGIA POWER | Section 6.12.2 needs clarification. It may be at odds with plant-specific emergency plans. | Section 6.12.2 in NUREG-1449 has been modified to clarify that the 30-minute time period only applies to the accountability of site personnel and not to the evacuation of nonessential personnel. |
| 10 | Correction | IND/MICH POWER | Correct information in Appendix B regarding the equipment hatch at D.C. Cook. | Corrections were made in Appendix B of NUREG-1449. |
| 11 | Clarification | NORTHEAST UTIL | Clarify statement on page 2-10 regarding ASP analysis. | Statement was revised for greater clarity. |
| 12 | Correction | NORTHEAST UTIL | Delete last paragraph of Section 2.2.2 on page 2-11. | The staff agrees with the statement and it has not been deleted. The staff and its contractor wish to discourage comparison of conditional core melt frequencies for at-power and shutdown events modeled in the ASP program. |
| 13 | Correction | NORTHEAST UTIL | On page 6-12, in the first paragraph, the term "reactor protection system" is used incorrectly. | The term "reactor protection system" has been replaced with the terms "primary containment and reactor vessel isolation system." |
| 14 | Clarification | NORTHEAST UTIL | Regarding discussion on page 6-7; adequate defense in depth can be obtained by other than containment integrity. | The staff agrees and page 6-7 has been modified. During nonaccident conditions, a passive method of subcooled decay heat removal can suffice while normal decay heat removal systems are being restored and precludes the need for containment integrity. |
| 15 | Clarification | NUMARC | Differentiate between primary and secondary containment in NUREG-1449. | The report has been revised to clarify containment function. |
| 16 | Correction | TVA | Correct the title of Table 2.3 and Table 2.4. | Titles for Tables 2.3 and 2.4 have been corrected. |
| 17 | Fire Protection | BWROG | The benefit of a shutdown fire hazards analysis is not demonstrated given current requirements and NUMARC 91-06. | The staff disagrees. NUMARC 91-06 does not address fire protection. |
| 18 | Fire Protection | DETROIT EDISON | NUREG-1449 does not take into account that TS require fire protection equipment to be OPERABLE when equipment protected is OPERABLE. | The staff disagrees. Equipment required to be operable was considered. |
| 19 | Fire Protection | ENTERGY OP. INC | The need for a fire hazards analysis is not demonstrated. A better approach is to have strong administrative controls. | The staff disagrees. A focused analysis based on realistic assumptions is appropriate. |
| 20 | Fire Protection | NORTHEAST UTIL | Shutdown fire hazards analysis is not needed. Existing fire hazards analysis, better TS, and NUMARC 91-06 are sufficient. | The staff disagrees. See responses to comments 17 and 19. |
| 21 | Fire Protection | NUMARC | Fire hazards analysis for shutdown is not necessary. Hazards will be considered in implementation of NUMARC 91-06. | The staff disagrees. See responses to comments 17 and 19. |
| 22 | Fire Protection | NUMARC | We disagree with the observation that there are fewer fire protection controls during shutdown. | Observation is based on sample inspections. Staff agrees this may not be the case at all sites. |
| 23 | Fire Protection | NUMARC | Fire risk is not greater during shutdown: staff should reevaluate the basis for its conclusions. | The staff disagrees. As noted in Section 6.10, increased fire hazard conditions have been observed which would increase the probability that fire development and consequences would have increased significance. |
| 24 | Fire Protection | TVA | A fire hazards analysis and improved controls are not necessary because fires are not significant contributors to shutdown events. | The staff disagrees. See response to comment 19. |
| 25 | Fire Protection | WESTINGHOUSE | The NRC staff should assess the severity of past fires during shutdown before developing requirements. | The staff agrees that the industry has not suffered a serious fire during shutdown. However, precursor fires (e.g., Brunswick and Browns Ferry) have occurred. |
| 26 | Fire Protection | WESTINGHOUSE | We disagree with the statement that "...(fire) risk during shutdown is greater than for power operations." | The staff disagrees. See response to comment 23. |
| 27 | Fire Protection | YANKEE ATOMIC | The staff's statement that fire protection requirements do not apply to shutdown is incorrect. | The staff disagrees. Protection during power operation is the intent of the regulation. Exemption of the RHR system from protection presumes that hot shutdown can be reached and maintained. This may not be possible from a cold shutdown condition. |
| 28 | Fire Protection | YANKEE ATOMIC | The staff's statement that the probability of serious fire is greater during shutdown is not supported. | The staff disagrees. See response to comment 23. |
| 29 | Regulatory Action | ENTERGY OP. INC | NRC should provide additional guidance on meeting GL 88-17 given statements in | Additional guidance will not be provided. Individual issues will be resolved through the inspection program. |
| 30 | Regulatory Action | ENTERGY OP. INC | The staff should work with industry to develop a performance indicator. Design differences are important. | The staff agrees. It is NRC policy to solicit input from industry and the general public when developing performance indicators. |
| 31 | Regulatory Action | ENTERGY OP. INC | Regulatory changes should be reviewed against forthcoming NRC PRA results prior to promulgation. | The staff disagrees. This approach is not receiving serious consideration due to the uncertainty in the PRA models, the age of the database, and the narrow scope (i.e., 2 plants that are less than typical). |
| 32 | Regulatory Action | NORTHEAST UTIL | We agree with staff's conclusion not to address shutdown in the IPE program. | N/A |
| 33 | Regulatory Action | NORTHEAST UTIL | The NRC should not take regulatory action until the effectiveness of NUMARC 91-06 is evaluated. | The staff is considering this approach in its current regulatory analysis. |
| 34 | Regulatory Action | NUMARC | NRC should assess effectiveness of industry actions prior to proposing requirements in some areas. | The staff is considering this approach in its current regulatory analysis. |
| 35 | Regulatory Action | NUMARC | NRC should assess industry actions and regulatory requirements collectively, not as separate items. | The staff is doing this as part of its current regulatory analysis. |
| 36 | Regulatory Action | NUMARC | NUREG-1449 does not recognize that it will take time for industry actions to take effect. | The staff recognizes that it will take time for industry actions to take effect. The staff is considering this in its current regulatory analysis. |
| 37 | Regulatory Action | PACIFIC G&E | Rulemaking would overlap and conflict with industry initiatives. Allow industry time to make improvements. | The staff is considering the potential for conflict between potential regulatory requirements and industry initiatives in its current regulatory analysis. |
| 38 | Regulatory Action | PHIL ELECTRIC | Assess the effectiveness of industry action (by monitoring precursor events) prior to taking regulatory action. | The staff is considering this approach in its current regulatory analysis. |
| 39 | Regulatory Action | TVA | Issuing new requirements could decrease the effectiveness of industry efforts to address shutdown. | See response to comment 37. |
| 40 | Regulatory Action | YANKEE ATOMIC | NUREG-1449 studies do not support the need for new requirements. | The staff is currently performing a formal regulatory analysis to determine the need for new requirements. Studies documented in NUREG-1449 are being considered with other inputs in this analysis. |
| 41 | Regulatory Action | YANKEE ATOMIC | Refrain from regulatory action until industry's initiatives are implemented and assessed. | The staff is considering this approach in its current regulatory analysis. |
| 42 | Regulatory Action | YANKEE ATOMIC | Licensees should evaluate NUREG-1449 and factor information into the outage planning process. | The staff agrees. |
| 43 | Regulatory Action | YANKEE ATOMIC | NRC currently has regulatory authority to deal with poor performance during shutdown operations. | For some circumstances, and to a limited degree, this is true. However, backfitting in accordance with 10 CFR 50.109 would be necessary to impose clearly enforceable requirements to address most of the concerns raised in NUREG-1449. |
| 44 | Inspection | ENTERGY OP. INC | Team inspections would stress and dilute industry resources aimed at safe outage operations. | This is a valid concern. However, the staff pursues a policy of minimizing impact on licensees in the management of all its inspection activities. |
| 45 | Inspection | NUMARC | Team inspections have too adverse an impact, e.g., stress during outage. TI 2515/113 inspection is reasonable | The staff is considering this approach in its current regulatory analysis, as noted in Section 8.2. |
| 46 | Inspection | PACIFIC G&E | NRC should inspect each utility's implementation of NUMARC 91-06 and INPO initiatives. | The staff is considering the need for this action as part of its current regulatory analysis. |
| 47 | Instrumentation | GEORGIA POWER | A system like SPDS for shutdown would be costly and has little safety benefit. | The staff is currently considering the need for improved instrumentation in its current regulatory analysis. |
| 48 | Instrumentation | NUMARC | Broadening GL 88-17 requirements for instrumentation is not justified. | The staff is currently considering whether or not broadening GL 88-17 requirements for instrumentation is warranted. |
| 49 | Analysis | BNL | Revise NUREG-1449, Section 6.8 (rapid boron dilution) based on final version of NUREG/CR-5819. | Revisions have been incorporated. |
| 50 | Analysis | BWROG | PRA results in Chapter 4 are based on obsolete information. Use Surry/Grand Gulf results when available. | The staff recognizes the ages of these studies and has viewed the results of the studies accordingly. They are being retained in the report to document past work in this area. |
| 51 | Analysis | BWROG | Revise Figure 4.1 of NUREG-1449 to refer to boiling rather than core damage. | Footnote has been added to Figure 4.1 to clarify criterion for assuming core damage. |
| 52 | Analysis | BWROG | Disagree with statement that BWR Mark ... secondary containments offer little protection. | The staff has reviewed the BWROG analysis. The results are reasonable given the assumptions (less conservative than staff). However, the staff continues to believe there are credible shutdown accidents that could lead to secondary containment failure. |
| 53 | Analysis | BWROG | The calculation showing BWR secondary containment failure in Section 6.9.1 is based on unrealistic assumptions. | See response to comment 52. |
| 54 | Analysis | DETROIT EDISON | We disagree with the staff finding that BWR Mark I/II secondary containments offer little protection. | See response to comment 52. |
| 55 | Analysis | ENTERGY OP. INC | The time to drain the Grand Gulf vessel from a flooded condition is 13 hours for rupture of a 4" RWCU system drain pipe. | This is a reasonable estimate for flooded conditions. The staff assumed initial water level was just below the top of the steam separators, i.e., a normal, non-flooded condition. This accounts for the much shorter drain time of 1 hour. |
. ~
d 3
Table C.1 (cont.)

| No. | Subject | Organization | Comment | Response |
|---|---|---|---|---|
| 56 | Analysis | ENTERGY OP. INC | Our calculations show 6-12 hours are available to restore RHR capability and prevent a significant offsite release at Grand Gulf. | The staff agrees that this amount of time may be available for some initial plant states. |
| 57 | Analysis | ENTERGY OP. INC | A LOCA could lead to BWR core damage in a short time; but liquid holdup in the secondary containment would filter the release of radioactive material. | Liquid holdup may act as a filter depending on the release point. However, the staff's analysis of a severe core damage accident during shutdown in a BWR/6 does not indicate that liquid holdup is a significant barrier to offsite or onsite releases. |
| 58 | Analysis | NORTHEAST UTIL | The secondary containment release scenarios are not credible and should be removed from NUREG-1449. | See response to comment 52. |
| 59 | Analysis | NUMARC | The freeze seal failure analysis is not credible if the refueling cavity is flooded. | The staff agrees that a significant amount of time would be available to mitigate a draindown event when the cavity is flooded. However, stopping a leak from the bottom of the vessel would be difficult. |
| 60 | Analysis | NUMARC | The thimble tube seal failure analysis is not credible. Conservative assumptions make the time to uncover the core too short. | Conservatism in the analysis is acknowledged in the report. |
| 61 | Analysis | NUMARC | The secondary containment release analysis is not credible. | See response to comment 52. |
| 62 | Analysis | BWROG | 10 CFR 50.59 reviews should be performed for use of nozzle dams, main steamline plugs, and other temporary mechanical seals. | The staff agrees. |
| 63 | Operations | DETROIT EDISON | Changes to the license examiners handbook should be evaluated and validated by licensees prior to being issued. | Comments from industry and the general public have been considered in developing the latest revision to the license examiners handbook. |
| 64 | Operations | GEORGIA POWER | NUMARC 91-06 will not reduce hours worked but rather reschedule work to times of lower risk (Sec. 6.3). | As discussed in Section 6.3, overtime can be managed effectively with good planning. Depending on circumstances, it may be acceptable to shift work schedules according to a plan that considers risk as opposed to reducing hours worked. |
| 65 | Operations | NUMARC | Assess industry actions before imposing new requirements in the areas of operations, training, and procedures. | The staff is considering this approach in its current regulatory analysis. |
| 66 | Operations | NUMARC | The staff should reassess current requirements contributing to the unavailability of ac power (e.g., diesel generator maintenance). | The staff agrees that there are tradeoffs between doing diesel generator maintenance during power operation versus shutdown. These issues would normally be examined as part of the implementation of the maintenance rule. |
| 67 | Operations | TVA | PRA should be the basis for picking scenarios for simulator training. | PRA can serve as a basis for developing scenarios for simulator training. However, considering the complex human element in shutdown events and the simplicity of PRA models for shutdown, operating experience may be a better basis for shutdown. |
| 68 | Operations | WESTINGHOUSE | Reconsider the position in NUREG-1449 regarding venting the RCS by lifting the vessel head on its studs. | Based on further technical review on this issue, Section 3.3.3 of the NUREG report has been revised. |
| 69 | Operations | BWROG | We recommend no regulation of outage planning and control until NUMARC 91-06 is implemented and assessed. | The staff is considering this approach in its current regulatory analysis. |
| 70 | Operations | ENTERGY OP. INC | The conclusion in Section 6.7.1.4 regarding 50.59 reviews for freeze seals is no longer valid. Remove it. | The staff recognizes that improvements have been made in this area, and that Mississippi Power and Light has developed a strong program. The conclusion in Section 6.7.1.4 pertaining to "50.59" reviews has been revised to reflect these improvements. |
| 71 | Operations | ENTERGY OP. INC | A full core offload would require 1,000 more fuel movements, adding 12 days to a typical Grand Gulf outage. | The staff has considered this information in its current regulatory analysis as necessary. |
| 72 | Operations | ENTERGY OP. INC | The safety benefit of fully offloading the core is not demonstrated because loss of fuel pool cooling is not addressed in NUREG-1449. | This is true. The studies in NUREG-1449 deal only with operations when there is fuel in the reactor vessel. The staff is not considering a specific requirement for full core offload in its current regulatory analysis. |
| 73 | Outage Planning | ENTERGY OP. INC | New requirements are not appropriate now. Give industry efforts time to take effect. | The staff is considering this approach in its current regulatory analysis. |
| 74 | Outage Planning | NUMARC | Regulatory requirements on outage planning and control are unnecessary and duplicate industry efforts. | See response to comment 37. |
| 75 | Outage Planning | S. CAROLINA ELC | Regulatory requirements for outage planning and control are unnecessary and duplicate industry efforts. | See response to comment 37. |
| 76 | Regulatory Action | TVA | Rulemaking is not necessary because shutdown operations are covered under 10 CFR 50 (Appendix B). | See response to comment 43. |
Table C.1 (cont.)

| No. | Subject | Organization | Comment | Response |
|---|---|---|---|---|
| 77 | Outage Planning | VEPCO | NUMARC 91-06 has been implemented at Surry and North Anna; NRC inspection (4/92) did not identify any problems. | The staff has observed that utilities have realized the positive effects of implementation of NUMARC 91-06 and has reflected this in the final report. |
| 78 | Outage Planning | WESTINGHOUSE | Hold requirements for outage planning and control in abeyance until NUMARC 91-06 is implemented and assessed. | The staff is considering this approach in its current regulatory analysis. |
| 79 | Tech Specs | BWROG | Current BWR/4 STS already provide TS improvements proposed by the staff for RHR and ECCS in BWRs. | The staff is considering this in its assessment of the need to change standard technical specifications that apply to nonpower operations. |
| 80 | Tech Specs | ENTERGY OP. INC | The technical basis for a requirement to close BWR/Mark III containment is not provided in NUREG-1449. | This is true. The staff has to show that such a requirement provides a cost-justified safety enhancement prior to imposition. This was not done in NUREG-1449. |
| 81 | Tech Specs | ENTERGY OP. INC | Current procedures for containment closure in PWRs are adequate. Requiring closure before boiling is too restrictive. | The staff is currently evaluating whether a technical specification governing containment integrity in PWRs during cold shutdown and refueling is warranted. |
| 82 | Tech Specs | ENTERGY OP. INC | The staff should coordinate development of new TS with appropriate industry groups. | Comments from industry and the general public on any proposed changes to standard technical specifications will be solicited and considered. |
| 83 | Tech Specs | ILLINOIS POWER | The containment closure requirement being considered for BWR/Mark III designs should be deleted due to its high cost/benefit ratio. | See response to comment 80. |
| 84 | Tech Specs | NUMARC | The TS improvements being considered by the staff would complement industry initiatives. | The staff is currently evaluating whether changes to technical specifications to address shutdown issues are warranted. |
| 85 | Tech Specs | NUMARC | We agree that the containment sump should be available to mitigate a LOCA; but TS should be flexible. | The staff is considering specific requirements regarding availability of the containment sump in PWRs during shutdown in its current regulatory analysis. |
| 86 | Tech Specs | NUMARC | RHR TS should require that support systems be FUNCTIONAL not OPERABLE. | The staff is considering specific requirements regarding the availability of systems that support the residual heat removal system in its current regulatory analysis. The staff is considering the desire for operational flexibility. |
| 87 | Tech Specs | NUMARC | Get NSSS input from NSSS Owners Groups when developing new TS. | The staff met with each NSSS owners group individually in June 1992 to discuss shutdown issues. Staff expects to meet again with NSSS owners groups should new proposed requirements be issued for comment by the industry and the general public. |
| 88 | Tech Specs | NUMARC | New TS for ac power should be flexible and recognize need to perform maintenance. A requirement to have a minimum of 3 ac sources OPERABLE is acceptable. | The staff is considering specific requirements regarding ac power in its current regulatory analysis of potential requirements. |
| 89 | Tech Specs | NUMARC | The staff should not require 2 ECCS trains to be OPERABLE in reduced inventory because it is not justified and conflicts with requirements for LTOP systems. | The staff is considering the need for redundant trains of ECCS and the potential conflict with LTOP requirements in its current regulatory analysis of potential requirements. |
| 90 | Tech Specs | NUMARC | Only require PWR containments to be closed in reduced inventory, not full containment integrity. | The staff is considering need for containment integrity versus "containment closure" in its current regulatory analysis. |
| 91 | Tech Specs | PACIFIC G&E | NRC should adopt TS proposed in NUREG-1449 with NUMARC clarifications. | The staff will solicit comments from the industry and the general public on new technical specifications if they are to be proposed. |
| 92 | Tech Specs | S. CAROLINA ELC | Containment closure for PWRs should be defined as in GL 88-17. | See response to comment 90. |
| 93 | Tech Specs | S. CAROLINA ELC | The LCO for RHR in reduced inventory should be 1 train OPERABLE and 1 train FUNCTIONAL. | The staff is considering requirements for FUNCTIONAL versus OPERABLE systems in its current regulatory analysis. |
| 94 | Tech Specs | TVA | The staff should work with industry to develop new TS so as to achieve optimal safety and minimal impact. | See responses to comments 87 and 91. |
| 95 | Tech Specs | TVA | Relaxation of requirements to automatically go to cold shutdown when an RHR train is inoperable should be applied to BWRs as well as PWRs. | The staff will consider this in its current regulatory analysis. |
| 96 | Tech Specs | TVA | Browns Ferry does not have two trains of RHR which can be assigned to shutdown cooling at same time. | This comment refers to technical specifications which require two redundant trains of RHR. Given the Browns Ferry design, customized technical specifications for RHR may be most appropriate. |
| 97 | Tech Specs | VEPCO | New TS for shutdown conditions are warranted. Industry should participate fully in the development of new TS. | See responses to comments 87 and 91. |
Table C.1 (cont.)

| No. | Subject | Organization | Comment | Response |
|---|---|---|---|---|
| 98 | Tech Specs | WESTINGHOUSE | In developing new TS, the staff should seek NSSS Owners Group input through NUMARC. | The staff agrees. See responses to comments 87 and 91. |
| 99 | Tech Specs | WESTINGHOUSE | New TS should be based on NRC shutdown PRAs and staff review of operating experience. | The staff is considering results of PRAs and operating experience along with traditional regulatory criteria of redundancy and diversity in evaluating potential changes to technical specifications. |
| 100 | Tech Specs | WESTINGHOUSE | New shutdown TS should be consistent with interim policy statement on TS and not based on the current STS. | The staff agrees. Any new proposal for changes to standard technical specifications will be consistent with the policy statement. |
APPENDIX D
Abbreviations

- ABWR: advanced boiling-water reactor
- ACRS: Advisory Committee on Reactor Safeguards
- AEOD: Office for Analysis and Evaluation of Operational Data
- AFW: auxiliary feedwater
- AIT: augmented inspection team
- ALARA: as low as reasonably achievable
- ALWR: advanced light-water reactor
- ANS: American Nuclear Society
- ANSI: American National Standards Institute
- APRM: average power range monitor
- ASME: American Society of Mechanical Engineers
- ASP: accident sequence precursor
- ATWS: anticipated transient without scram
- BNL: Brookhaven National Laboratory
- B&W: Babcock and Wilcox
- BWR: boiling-water reactor
- CDF: core-damage frequency
- CE: Combustion Engineering
- CFR: Code of Federal Regulations
- CNRA: Committee on Nuclear Regulatory Activities
- CR: control rooms
- CRD: control rod drive
- CRGR: Committee To Review Generic Requirement
- CS: core spray
- CST: condensate storage tank
- DG: diesel generator
- DHR: decay heat removal
- EAL: emergency action level
- ECC: emergency core cooling
- ECCS: emergency core cooling system
- EDG: emergency diesel generator
- EOP: Emergency Operating Procedures
- EPRI: Electric Power Research Institute
- ESF: engineered safety features
- FSAR: final safety analysis report
- FY: fiscal year
- GDC: general design criteria
- GE: General Electric
- GL: generic letter
- HPI: high-pressure injection
- IIT: incident investigation team
- ILRT: integrated leak rate test
- INEL: Idaho National Engineering Laboratory
- INPO: Institute of Nuclear Power Operations
- IPE: individual plant examination
- IRM: intermediate range monitor
- ISLOCA: intersystem loss-of-coolant accident
- K/A: knowledge and abilities
- LCO: limiting condition for operation
- LER: licensee event report
- LOCA: loss-of-coolant accident
- LOOP: loss of offsite power
- LP: low power
- LPCI: low-pressure coolant injection
- LPS: low-power/shutdown
- LPSI: low-pressure safety injection
- LTOP: low-temperature overpressure protection
- MC: manual chapter
- MOV: motor-operated valve
- MPC: maximum permissible concentration
- NEA: Nuclear Energy Agency
- NPRDS: nuclear plant reliability data system
- NRC: Nuclear Regulatory Commission
- NRR: Office of Nuclear Reactor Regulation
- NSAC: Nuclear Safety Analysis Center
- NSSS: nuclear steam supply system
- NUMARC: Nuclear Management and Resources Council
- OECD: Organization for Economic Cooperation and Development
- OGC: Office of the General Counsel
- ORNL: Oak Ridge National Laboratory
- PORV: power-operated relief valve
- POS: plant operational state
- PRA: probabilistic risk assessment
- PWR: pressurized-water reactor
- RCIC: reactor core isolation cooling
- RCP: reactor coolant pump
- RCS: reactor coolant system
- RES: Office of Nuclear Regulatory Research
- RHR: residual heat removal
- RHRSW: residual heat removal service water
- RPS: reactor protection system
- RPV: reactor pressure vessel
- RV: reactor vessel
- RWSP: refueling water storage pool
- RWST: refueling water storage tank
- SAIC: Science Applications International Corporation
- SBO: station blackout
- SD: shutdown
- SDC: shutdown cooling
- SFP: spent fuel pool
- SG: steam generator
- SI: safety injection
- SNL: Sandia National Laboratories
- SRM: source range monitor
- SRO: senior reactor operator
- SRP: Standard Review Plan (NUREG-0800)
- SRV: safety-relief valve
- STS: standard technical specifications
- SW: service water
- TAF: top of active fuel
- TI: temporary instruction
- TS: technical specification(s)
- VCT: volume control tank
- W: Westinghouse
- WNP-2: Washington Nuclear Plant 2
NRC FORM 335 (2-89), NRCM 1102, 3201, 3202
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET
(See instructions on the reverse)
- 1. REPORT NUMBER (Assigned by NRC, Add Vol., Supp., Rev., and Addendum Numbers)
- 2. TITLE AND SUBTITLE
Shutdown and Low-Power Operation at Nuclear Power Plants in the United States
Final Report
- 3. DATE REPORT PUBLISHED
MONTH: September
YEAR: 1993
- 5. AUTHOR(S)
- 6. TYPE OF REPORT
Technical
- 7. PERIOD COVERED (Inclusive Dates)
- 8. PERFORMING ORGANIZATION - NAME AND ADDRESS (If NRC, provide Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name and mailing address.)
Division of Systems Safety and Analysis
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
- 9. SPONSORING ORGANIZATION - NAME AND ADDRESS (If NRC, type "Same as above"; if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address.)
Same as above
- 10. SUPPLEMENTARY NOTES
- 11. ABSTRACT (200 words or less)
The report contains the results of the NRC Staff's evaluation of shutdown and low-power operations at U.S. commercial nuclear power plants. The report describes studies conducted by the staff in the following areas: operating experience related to shutdown and low-power operations, probabilistic risk assessment of shutdown and low-power conditions and utility programs for planning and conducting activities during periods the plant is shut down. The report also documents evaluations of a number of technical issues regarding shutdown and low-power operations performed by the staff, including the principal findings and conclusions. Potential new regulatory requirements are discussed, as well as potential changes in NRC programs. A draft report was issued for comment in February 1992. This report is the final version and includes the responses to the comments along with the staff regulatory analysis of potential new requirements.
- 12. KEY WORDS/DESCRIPTORS (List words or phrases that will assist researchers in locating the report.)
Shutdown, Low-Power, Operations, Risk, Safety
- 13. AVAILABILITY STATEMENT
Unlimited
- 14. SECURITY CLASSIFICATION
(This Page) Unclassified
(This Report) Unclassified
- 15. NUMBER OF PAGES
- 16. PRICE
NRC FORM 335 (2-89)