ML20132B244

From kanterella
Jump to navigation Jump to search
Non-Power Reactor Survey, Draft Rept
ML20132B244
Person / Time
Issue date: 12/01/1996
From: Brockman K, Jerome Murphy, Ross D
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:
Shared Package
ML20132B169 List:
References
NUDOCS 9612170113
Download: ML20132B244 (49)
v  d  e


Text

. . _ -- .. -. . . - - _ - . . _-. - _ _ . . ._ . . . . - . . - . . _ - -

v, I

+ AEOD C96-xx l

l NON-POWER REACTOR SURVEY December 1996 D. F. Ross, Chair J. Murphy K. Brockman A. Mohseni I

l l

l l

I l

l l

l e

Safety Programs Division U.S. Nuclear Regulatory Commission 9612170113 961212 PDR v'

ORG NEXD PDR

t I

i l

l i

l l

l l

l l

ee 11

1 1

< 1 o'

CONTENTS 1

EXECUTIVE

SUMMARY

. . . . . . . . . ................................. v j 1

1 In t rod u ct io n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I 1.1 B ackgro und . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 l

1.2 Selected Instances of Core Damage Events ................ ....... 4 i

2 Review of Selected Safety Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 l 2.1 Reactivity Related Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1 2.2 Loss-of-Coolant Accident (LOCA) and Loss of Flow Analyses . . . . . . . . . . 12 i 2.3 Inlet Flow Blockage Analyses ................................ 13 I l

2.4 Other................................................. 14 2.5 Summary .............................................. 14

.3 Review of Selected Operating Events as Related to Safety Analyses .......... 16  :

3.1 Reactivity Related Events ................................... 16 3.2 Loss-of-Coolant Accident and Loss of Flow ...................... 19 l 3.3 Fue l Handlin g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 3.4 Radiation Protection Events, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 l 3.5 Design Basis Control .................... ................. 21 j 3.6 Operating Experience Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.7 S afety Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4 Conclusions, Recommendations, and Observations . . . . . . . . . . . . . . . . . . . . . . . 34 4.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 4.2 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 4.3 Observatio ns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5 References ................................................... 38 TABLES 1 Reactivity Control, Coolant Leaks, and Fuel-Handling Events at MTR-Fueled Reactors 2 2 MW .................................. 3 2 Notice of Violation ................... ......................... 32 APPENDIX Operating Events til

__ . . _ _..-....--..s..--.,~..~.....-...~-....-.... . _ ~ . - . . - . . . . - - - - - . . ~ . . . . - . , . - . . . . . . . _ ~ . . . . . . . - . . - . . . . . . . . .. -

i' l

il i

e 9 1 9

l l

l

. I 1

l l {

]

I l

t i

i l }

l r

f f

'l 4

i i

O i

i l

{,

l i

t i

1 1

I l

l 1

4 s

O IV

.. . -. - -.. .- = . - ... - . . . - . . -

1 t

l. EXECUTIVE

SUMMARY

l Occurrences at non-power reactors (NPRs) in 1993 involving loss of multiple scram )

l l

! functions and reactivity control problems raised questions in the U.S. Nuclear Regulatory l

Commission's Office for Analysis and Evaluation of Operational Data (AEOD) about NPR i l

1 safety performance. Because of the potential for these events to be precursors to more serious l events, AEOD initiated a study to provide an independent assessment of the safety 1

performance of these reactors, to assess the adequacy of the feedback of operating experience

{

1 within the non-power reactor community, and to identify recommendations for improvement if needed. This study included review of operating events, inspection findings, National l Organization of Test, Research, and Training Reactors (TRTR) feedback to the NPR l l

community, feedback of lessons learned, NRC enforcement actions, and visits to representative NPR facilities. Individual facility design and safety analyses were reviewed as l

necessary to ensure understanding of the safety significance of the operating experience and 1

the importance of root causes, corrective actions, and lessons learned. The study did not include an evaluation of the design bases for the facilities nor their major design features. A panel (hereafter, the Panel) was formed by the AEOD office director to evaluate the information collected for the study and prepare this report.

The Panel took a fresh look at the safety problem associated with NPRs and reviewed the history of NPR core disruptive events. The Panel noted that reactivity events, as personified by BORAX, SPERT, and SL-1 had displayed the highest accident potential. It

! was also noted that the NPR class of reactors tend to have much higher individual rod worth, l

as contrasted with power reactors. The Panel reviewed the accident analysis assumptions in a v

i

O subset of the NPRs that were considered to have the highest accident potentials, namely, the ,

MTR-type fueled reactors that operate at, or above,2 MW. As could be expected considering the different licensing eras, large variations exist in the Safety Analyses Reports (SARs). Of significance was the fact that the reactivity potential was not uniformly considered. The evaluation of the safety culture and radiation protection practices were based on all classes of non-power reactors, since the issues were generic.

In developing conclusions, the Panel reviewed a set of reports (Appendix) on NPR performance that were assembled for the study. These reports were sorted into one of seven categories, according to seven categorical divisions which the Panel determined best described the areas covered by the study. The majority of the events were reactivity related.

There is considerable inherent safety in the NPR community of reactors and, given proper regulatory attention and focusing on improved operational practices, adequate safety can be sustamed. The Panel did not see that fundamental design changes are warranted.

However, the panel did see a need for improvement in procedural measures and in basic nuclear safety training for the operations and maintenance staff, and ensuring compliance with current rules and regulations.

The Panel observed a pattern of indifference with respect to the proper operation of the reactor protection system. These facilities should have a startup check sheet that instructs the operators to verify integrity of connections and operability of recorders. Also, an operator should know not to conduct fuel movements while the reactor is critical; yet, it happened.

The Panel was of the view that action is warranted in this area, in terms of training, procedural compliance, rigorous startup checks, post-maintenance checks, and, vigorous vi 1

d inspection and enforcement. It is not that these are new requirements; they are common-sense 1  :

items that all should follow. However, increased inspection and enforcement actions may be I needed in order to ensure the necessary degree of excellence in operational performance.

None of the recent operating events resulted in fuel damage, radiation releases or, except in one event, personnel exposures above 10 CFR 20 limits. No adverse effect on public health and safety was seen. However, complacency was apparent in some events, and lessons i

! learned from NPR operating experience can be used by both the NRC and facility licensees to enhance safety performance and to reduce the likelihood of more significant events in the future. Expanded feedback of operating experience could improve safety performance, as

, only half of the operating events described in this report were reported back to other licensees l

l via public or private means. There needs to be some explicit tutorials to the NPR operators on the consequences of planned events, such as the oscillatory behavior of SPERT-IV, and i 1

unplanned events, such as the excursion related fatalities at SL-1.

Non-power reactors have numerous intrinsic safety attributes. They have been operating for many years (most, if not all are 25 or more years old) without causing harm to the public.

Any one, or even all of these incidents, does not indicate an immediate safety question.

l l However, most of these facihties are located at institutions of higher learning. Their duty is 1

not only to teach their students the basic science and engineering associated with the students' course of study, but also to inculcate the safety culture attendant to the reasonable use of the l

l technology. The sense of complacency and inattention to detail that may be inadvertently 1

transferred to the students could well be the most significant negative result of the events

. considered in this study.

I i vii i

l

. 1 Introduction i

1.1 Background

! Occurrences at non-power reactors (NPRs) in 1993 involving loss of multiple scram -

functions and reactivity control problems raised questions in the U.S. Nuclear Regulatory ,

1 i l Commission's Office for Analysis and Evaluation of Operational Data (AEOD) about NPR  ;

1

, safety performance. Because of the potential for these events to be precursors to more serious events, the Director, AEOD, requested from the Safety Programs Division (SPD), a study of these facilities in a memorandum dated June 17,1993. The study included review of operating events, inspection fimdings, National Organization of Test, Research, and Training Reactors (TRTR) feedback to the NPR community, feedback of lessons learned, NRC enforcement actions, and visits to representative NPR facilities. One to two day visits were made to research reactors at the Armed Forces Radiobiology Research Institute, Georgia Institute of Technology Neely Nuclear Research Center (NRRC), General Atomics, Massachusetts Institute of Technology Nuclear Reactor Laboratory (MIT), Oregon State University Radiation Center and TRIGA Reactor (OSU), University of Arizona, University of Illinois Nuclear Reactor Laboratory, University of Missouri Research Center (Columbia)

(MURR), University of Texas at Austin Nuclear Engineering Teaching Laboratory (UofT),

and the test reactor at the National Institute of Standards and Technology (NIST), to understand unique reactor features, research programs, and operational performance. During facility visits, site tours were undertaken; interviews were conducted with reactor operators, reactor management, and radiation protection management; operator logs and safety evaluations were reviewed; and operating events were discussed. A Panel was used to 1 )

J

evaluate the material assembled during the study to assess the safety performance of the .

facilities and to identify lessons learned. The Panel consisted of:

. Denwood Ross, Deputy Director, AEOD, Chair i

i

. Joseph Murphy, Special Assistant, Office of Nuclear Regulatory Research

. Kenneth Brockman, Deputy Director, Division of Reactor Safety, Region IV

. Aby Mohseni, AEOD i I

The first three members have all had experience in the operation, licensing, or regulation of non-power reactors, while Mr. Mohseni has expertise in characterization of the consequences of reactor accidents.

l The Panel decided to focus on the relation between the operating events (or conditions) and the accident analysis appropriate to the reactor experiencing the event. Therefore, salient portions of the accident analyses were extracted and captured in Chapter 2 of this report. The Panel organized Chapter 2 according to classes of hazards:

. Reactivity related (some events involved degradation of the Reactor Protection System [RPS])

Loss of Coolant (LOCA)/ Loss of Flow .

1

. Inlet Flow Blockage (there was one event)

]

. Other categories (such as fuel handling; radiation protection) l Section 2 provides a brief summary of the safety analysis practices for these categories. l The Panel organized Chapter 3 in seven categories which the Panel determined best described the areas covered by the study. For each category, the operating experience was 2

considered along with the related safety analysis discussion from Chapter 2. For completeness, the operating experience summaries are included as an Appendix.

Selected events that were reviewed are enumerated in Table 1. These events occurred primarily at NPRs whose power is greater than 2 MW and, include the various types of scenarios discussed in Chapter 2, namely: reactivity events, LOCA events, and fuel-handling events.

Table 1 Reactivity Control, Coolant Leaks, and Fuel-Handling Events at MTR-Fueled Reactors 2: 2 MW l Facility 90 91 92 93 94 95 96 Total Georgia Technical Institute of 1 1 Technology Massachusetts Institute of Technology 1 1 4 6

National Institute of Standards and 3 [1] 1 5 Technology Rhode Island (1) 1 3 University of Michigan 1 2 4

[1]

University of Missouri 1 2 1 2 1 7 4 (Columbia)

University of Virginia 2 (1) (1) (1) 5

]

Total 4 1 3 8 3 8 2 29 l

4 For these 7 higher powered MTR fueled reactors:

Reactivity Control Event Average = 0.5 events / year / reactor (Reactor Coolant Leak Event Average = 0.09 events / year / reactor) *

[ Fuel Handling Event Average = 0.04 events / year / reactor] *

  • Calculation based on 6.5 years of operating experience (as of 8/13/96) 9 3

1.2 Selected Instances of Core Damage Events -

The Panel reviewed the ways that these types of reactors can get into trouble. Based on operating experience and testing of the past, it is well-known that step or ramp injections of reactivity, carried to the extreme, can cause core damage. Also, in this prior history there have been several instances of partial core melting, usually limited to parts of a single bundle, caused by a coolant inlet flow blockage. Some brief descriptions of such events follow below.

Recounting this historical experience is intended to place into context the hazards of this class of reactors, relative to the large power reactors, whose risk has been subject to much more exhaustive characterization (e.g., NUREG-1150, " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," and TMI-2). On one hand, NPRs are smaller in power and generally do not run for months at a time. This reduces the fission product inventory. The MTR-plate type fueled reactors have a fuel melt temperature on the order of 1200 *F, and this means the less volatile elements (e.g., Lanthanum) stay in the solid form. The lower power reactors have less tendency to melt following a Loss-of-Coolant Accident (LOCA).

On the other hand, the non-power reactors have higher worth individual rods, are generally not housed in a robust containment (although it is suitable for the purpose); do not have the rigorous operator training programs as do power reactors; have much less of an exclusion radius; and, in some instances lack equipment redundancy and diversity. On balance the public risk associated with NPRs is still much less than that of large power reactors. The following discussion should illustrate this point.

4

l- WTR On April 3,1960, there was a fuel element failure at the Westinghouse Testing Reactor at Waltz Mills, Pa. (Ref.1). This was a modified MTR type fuel system. There was ..

a release of fission products to the Primary Coolant System (PCS), and some gaseous fission products released to the atmosphere.

The reactor was in the process of being uprated from 20 MW to 60 MW. Some low flow boiling tests had been done in order to explore the limits of operation. While the reactor was at 30 MW, the primary flow rate was deliberately reduced, but no boiling was observed. The power was then raised to 34 MW and leveled off. However, the power level started to drop; the shift supervisor ordered rods to be withdrawn to and power raised to 40 MW. En route to 40 MW, there were radiation alarms; soon thereafter the reactor was scrammed.

Apparently, at one location, there was a poor metallurgical bond between the fuel matrix and cladding such that most of the heat generated had to be conducted through only one side l

of the fuel, instead of both. As a result, there ums localized melting. The molten material, in l

l tum, blocked the flow channel. Among other things, it was noted that the operations staff I should not have continued to increase power following the initial downturn in power. Rather, a questioning attitude might have prevented failure altogether.

I i

5 i

ORR, MTR, ETR -

Several test reactors have suffered fuel damage due to inlet flow blockages, dating back l to the mid-50s (in the MTR). The MTR actually had two such events. In 1954, some fuel 1

buckled and there was some local melting. Then, in 1962, one plate partially melted due to l some rubber seal material becoming lodged in a coolant channel. j 1

According to Thompson (Ref. 2), the ETR also had an incident of fuel melt as a i result of flow-restriction in 1961. A plastic sight-glass had been left in the reactor tank.

Eighteen plates, in six elements, melted.

There was an incidence in ORR (Ref. 3) on July 1,1963. The reactor was at 24  !

MW at the beginning of cycle startup. A large neoprene gasket had become lodged in the l

upper end box of a fuel element. The procedure which was followed called for an inspection of the core for foreign objects as part of the startup sequence. However, the affected bundle could not be seen easily. During the power ascent past 9 and 12 MW, there was some slight increase in noise on the nuclear channels. In retrospect, it was concluded that boiling was occurring at this juncture. At 24 MW the neutron noise increased considerably; so did the radiation monitors. Power was reduced to 12 MW. Radiation levels further increased, and the reactor was scrammed. Water radioactivity had increased by factors of about 200.

Subsequent examination showed one plate in one element had some melting, corresponding to about 30 to 50 percent of the fueled area, or about 3 to 5 gm of fuel. About 150-200 mci of iodine was released at the stack. Several direct causes were noted: the gasket in the system; failure to detect this during visual examination; and, failure to recognize boiling. The WTR event is also discussed by Thompson (Ref. 2).

6

There were no personnel exposures and a minor release to the site, even though one

! element melted. The cleanup cost was about one million dollars.

BORAX A series of experiments was performed on the Borax reactor in 1954 to investigate l subcooled reactivity transients (Ref. 4). The final runaway experiment was a rod l ejection in the amount of 4 percent reactivity. The resulting reactor period was 2.6 msec, and 1

l about 135 MW-sec of energy was released. Most of the fuel plates melted, and the reactor tank failed. It is possible that some of the damage was a result of a subsequent steam explosion (with the molten aluminum).

SPERT l

The SPERT program consisted of several facilities designed to explore reactivity l

l transients. Silver (Ref. 5) provides a status report. In 1962, the first destructive test on SPERT 1 was done. A 3.5$ insertion was accomplished, with a resultant period of 3.2 msec. After the first power peak decayed, apparently there was a secondary reaction of water and molten aluminum (i.e., steam explosion) which produced a large pressure pulse. The core )

l was destroyed.'  ;

1 SPERT IV was a large pool facility investigating instability from reactivity transients for pool-type reactors. Tests were done with forced flow as well as stagnant conditions. Further information was provided on SPERT-IV by Silver in 1965 (Ref. 6). In SPERT-IV, the effects of various water heads and forced flow were investigated in the context of l 1

l reactivity transients. The most significant result was the observation of oscillatory reactor l

power behavior following an initial burst. With increasing flow rate, both the frequency and l

1 I 7 i

(

1 l

l amplitude of the oscillations increased. It appears that under some conditions a 4$ insertion -

(above critical) can produce oscillations at 2 Hz, with divergent amplitudes.

l SL-1 An unplanned reactivity event occurred at the SL-1 reactor in January 1961 (Ref. 7). It was estimated that 2.4 percent excess reactivity was inserted, producing a 4 msec period. Fuel was probably vaporized in the center of the fuel plate. The total energy generated was on the order of 130 MW-sec. The steam formed resulted in the acceleration of l

water from the core and deceleration at the lid of the pressure vessel, which in turn lifted the vessel 9 feet. Piping was sheared along with the lid shielding. About 20 percent of the core was destroyed. About 5 percent of the gross fission products were ejected from the vessel.

1 Apparently the steam pressure was about 500 psi. Three operators on top of the tank at the time were killed.

Within the first hour of the event the dose rate just outside the building was 250 mrem, and was more than 500 rem near the reactor floor (Ref. 8). According to Thompson (Ref. 2) 14 people received occupational doses in excess of 5 rem. Four days after the event, the dose at the guard house (about 200 feet from the reactor building) was about 25 mrem per hour. At 2000 feet in au cirect ons i the dose rate was less than two mrem / hour. In all, about 100 curies ofI-131 was released to the environment over a several day period.

8 4

2 Review of Selected Safety Analyses i

General The Panel reviewed the safety analysis sections of a sample of the NPR community of I reactors; specifically those for a selected set of seven reactors that had MTR-type fuel elements and operated at 2 MW or higher. Summary comments on these safety analyses follow.

2.1 Reactivity Related Analyses The Georgia Tech (5 MW) reactor considered a sudden reactivity insertion of l 1.5 percent with the reactor critical, and asserted it was a highly improbable event l

l (Refs. 9 and 10). A fuel loading event might produce as much as 2.5 percent addition, which could produce fuel melting. An arbitrary sequence involving fuel melting and ,

l vessel rupture would produce about 135 MW-sec energy. The internal containment pressure would be between 2 and 11 psig. This scenario was, however, considered incredible.

The University of Michigan (2 MW) reactor considered a 1.6 percent reactivity addition, which would take the fuel to 900 *F (Ref.11). (Melting is above 1200 *F). A 1.8 percent addition would result in incipient melting. Oscillations were not postulated.

MIT (5 MW) analyzed a spectrum of reactivity insertion accidents, including the  !

uncontrolled withdrawal of the regulating rod and the step reactivity insertion resulting from the instantaneous failure of the highest worth experiment allowed in the reactor (Refs.12 and 13). These events involve a maximum reactivity insertion of 1.8 percent. The analyses were based on correlation with data obtained at the SPERT facilities, and indicated the resulting fuel temperatures would be well below clad melting temperature.

9

At the NIST (20 MW) reactor, the licensee analyzed the startup accident that might .

result from control rod withdrawal (Refs.14,15, and 16). The shims were 2 postuued to be withdrawn steadily until the reactor was scrammed by a high power trip. The initial power level was at 10[E-4] MW, the reactivity insertion rate was 5x10-4 Ak/sec, and the high power trip was set at 30 MW (150 percent of full power). The energy of the 4

excursion was 4.8 MJ, and the peak power was 43.3 MW. The energy required to j (adiabatically) bring only the metal of the fuel element structure within the core to the melting point was calculated to be 34 MJ, a factor of seven times that calculated for the startup accident. Therefore, no core damage should result. Dropping a fuel element into a critical core was not considered credible. Broken shim arms, beam tube collapse, and the cold water accident were all considered and shown to be less severe than the startup accident.

For the NIST reactor, the n.aximum ramp reactivity insertion rate is 2.6 percent AK/sec.

The ramp insertion was assumed to take place while the reactor was at full power (20 MW).

The reactor was tripped at 30 MW. With maximum ramp insertion, the energy excursion was 7.1 MJ, well below the 34 MJ required to melt the metal of the fuel element structure. .

l For the Rhode Island Nuclear Science Center Research Reactor (2 MW) l (Refs.17 and 18), the startop acciaent, as analyzed, was the most limiting credible reactivity insertion accident for the Low Enriched Uranium core. The two most limiting accidents for this type of reactor were analyzed. Maximum reactivity insertion was l assumed with the reactor in cold and clean conditions, reactor power at the source level, and the regulating rod withdrawn. The maximum reactivity insertion was the sequential withdrawal of all safety blades at the maximum rate. It was assumed that the period scram 10 1

failed, and a delay of 0.5 seconds occurred before the safety blades were free to drop. The reactor would trip on the high neutron flux scram (120 percent of full power). The analysis resulted in a maximum fuel temperature of 88.1 C.

The licensee also presented a more conservative analysis with the added assumption that the reactor did not trip on the high neutron flux scram. Reactor power would rise until negative reactivity from the void and temperature coefficients of reactivity compensate for the positive reactivity from the withdrawing safety blades. This scenario would result in a peak clad temperature of 148.5 *C (still well below the melting temperature of 582 *C). The licensee also determined that if the reactor did not trip automatically, the fuel would operate in nucleate boiling with no damage until a trip was manually initiated.

No reactivity insertion excursions for the 10 MW reactor at the University of Missoun ,

I (Columbia) were found (Ref.19). According to the AEC 1966 Safety Evaluation Report, the preliminary analysis at 10 MW indicated that the reactor could withstand a 0.8 percent step input without fuel damage.

The University of Virginia (2 MW) reactor considered two reactivity insertion rates, 10(E-4) A h/k/sec and 2 x 10(E-4) a k/k/sec (the second corresponds to the simultaneous withdrawal of all three shim rods) (Ref. 20). A peak power of 3.5 MW was obtained for both reactivity insertion rates. It was found that for the most severe credible reactivity insertion, the transient peak power would remain below the safety limit for the 744 gpm true value of total coolant flow. There was no credible nuclear excursion possible with l the University of Virginia reactor that could exceed the safety limits for the fuel. According to the Safety Analysis Report, there v as reasonable assurance that fission product activity t

11 l

would not be released from the fuel to the environment as a result of a reactivity insertion ,

event.

2.2 Loss-of-Coolant Accident (LOCA) and Loss of Flow Analyses Georgia Tech considered a LOCA which, absent operation of the Emergency Core Cooling System, would provide some fuel melting (Refs. 9 and 10). At a containment leak rate of 0.5 percent / day, Part 100 doses would be realized near the containment. For loss of flow, it was assumed that the reactor would scram on low flow rate, and that there would be no fuel failure.

The University of Michigan (2 MW) considered a core uncovery following a leak (162 gpm) with no makeup (Ref. I1). The core would uncover in 4 hrs; no core damage was calculated.

Loss of flow was not a concern at MIT. Additionally, no pool drainage event which would lead to a LOCA was identified as a concern (Refs.12 and 13).

The University of Missouri (Columbia) (10 MW) considered that a 20 percent flow reducuon was required to produce core boiling (Ref.19). No releases ensued. A complete flow loss in the Pool Coolant System would boil the core dry, with some melting. The assumptions were: 10 percent melt; 25 percent release of halogens,75 percent of nobles, and 1 percent of others; fission product release to the containment immediately, and the l containment leaks at a rate of 1 percent per day. The offsite doses to the thyroid and whole 1

body were well within Part 100.

The University of Virginia considered a core uncovery from a double-ended guillotine (DEG) break in the outlet coolant pipe, which uncovered the core in about 20 minutes 12

I l

1 I

(Ref. 20). Two independent core spray systems were assumed not functioning. Core melt .

I was not indicated. Even given an instantaneous LOCA and only one core spray functioning, the core was not predicted to melt.

I 2.3 Inlet Flow Blockage Analyses Georgia Tech did not analyze inlet flow blockage; presumably, the consequences of a LOCA would bound this event (Refs. 9 and 10).

MIT (5 MW) postulated the blockage of five channels, with four melted fuel plates (Refs.12 and 13). Iodine would be reduced by absorption in the water (factor of 10). About

.075 percent of the iodine inventory would be available for release to the environment, at a I'

leak rate of 1 percent per day. Thyroid and whole body doses would be well within Part 100.

NIST (20 MW) considered an object blocking all flow through a single fuel element leading to the failure of a fuel element (the Design Basis Accident [DBA]) when the reactor 1

l was at 20 MW (Refs.14,15, and 16). The highest power element (730 kW) was assumed to melt. It was assumed that 100 percent of the blocked elements's cladding would melt and release fission products that would escape from the primary water into the containment building. It is assumed that 100 percent of noble gases and 50 percent of iodines escape into confinement. At the site boundary, within the confinement building, the whvie uvay dosa was 0.012 rad for the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />,0.035 rad for 2-24 hours, and 0.058 rad for the next 29 days.

At the nearest site boundary outside of the confinement building, exposure from the exhaust l

plume would result in a whole body dose of 0.021 rad for the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />,0.038 rad for l

2-24 hours, and 0.002 rad for the next 29 days.

l 13

For the University of Missouri (Columbia), the AEC 1974 Safety Evaluation Report -

considered a flow blockage that resulted in the melting of 4 fuel plates (the DBA) (Ref.19).

The fuel elements are designed to prevent large flow blockages from occurring. Doses from this event were within Part 20 limits. Exposure calculations were adequately conservative and the resultant exposure from the DBA would be only a small fraction of Part 100 criteria.

Furthermore, a total meltdown was postulated following a prolonged period of operating l

l at 10 Mw and the radiological consequences were evaluated. It was assumed that 100 percent of the nobles and 25 percent of the halogens would remain airborne and be available to leak from the containment which is initially at 2 psig. Under atmospheric inversion conditions the i

)

whole body dose was less than 20 rad and the thyroid dose was 280 rad at the 500 ft exclusion radius for the first two hours. These are just within Part 100 criteria.

2.4 Other MIT considered external events, such as seismic, and decided that the facility would not be damaged for credible events (Refs.12 and 13).

The University of Virginia postulated failures in fueled experiments (Ref. 20). Nominal doses resulted for both occupational and non-occupational personnel. I 2.5 Summary The differences in the form and content of hazard analyses as indicated by the review of this, admittedly, small sample, is that they reflect evolution which has occurred in licensing l since 1956. Indeed, some facilities were licensed before the definitive experiments of SPERT, or the SL-1 event, or some of the noteworthy inlet flow blockage events. Also, there was not a standard form and content for hazard analysis. Therefore, wide variations should be 14

1 expected. The Panel believes that comprehensive modernization and updating of the safety analyses for each of the reactors in the NPR community is not necessary in view of the l ensemble of safety analyses of similar reactors, together with experimental information described in Chapter 1. This compilation of the analysis for each reactor is not a basis for 1

backfitting a consistent analysis. l Two points do remain as the Panel's first recommendation:

4 Panel Recommendation #1: The NRC should assure that: i

a. If the likelihood of an unanalyzed event is determined to be much-higher than J

l previously thought (viz, the inlet flow blockage at UVA) then the licensee should l demonstrate that this credible scenario does not have consequences which exceed those of the event previously considered bounding; and,

b. When the facility is due for license renewal, the safety analysis should be reviewed in depth, taking into account the lessons of the last 10 years and updated as needed.

15

3 Review of Selected Operating Events as Related to Safety Analyses .

General J

Operating experience for a broad class of reactors was examined, and the experience mapped into the seven areas discussed in Sections 3.1 through 3.7. Some operating events mapped into more than one area. For example, an event involving inoperable conditions of the RPS might map both into the Reactivity area and the Safety Culture area.

For each of the seven sections below, after summarizing the operational experience, the information was evaluated and the Panel's views and recommendations presented. All recommendations are consolidated in a single place in Chapter 4.

3.1 Reactivity Related Events There have been numerous incidences of problems with reactivity control at the larger research reactors. At MIT, the reactor was operated with 2 of 3 power safety level channels inoperable and with four of six period and power safety level channels improperly connected 4

to the low voltage protection system (March 1989). The reactor was operated at low power with two inoperable flux channels (March 1995). It also was operated with a power tilt with one control rod in the core (July 1995). The core was taken critical with one control rod slipping as it was withdrawn (August 1995).

NIST experienced shim rods not fully inserting on manual scram (three instances in 1990) that e.ppear to have been corrected with bearing replacement.

At the University of Michigan, operations staff removed a fuel element from the core while the core was at low power (8 kW) (June 1992).

16 i

l The University of Missouri (Columbia) had seven failures of the regulating blade between 1988 and 1996. While not affecting the ability to automatically shut down the l l

, l reactor, these failures impaired the reactivity control function and led to a reactor trip.

i The University of Virginia operated for 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> with both power level scrams, the l

intermediate range scram, the low primary coolant flow scram, the loss of power to pump )

scram (and others) inoperable because of errors during maintenance (April 1993). The manual scram remained available.

l l An examination of these events indicates no inadequacies in the basic designs of the systems. There have been no known failures to scram on demand, although it appears likely that manual scram would have been required if an initiating event requiring scram had

! developed during the 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> the University of Virginia had its automatic scram disabled.  ;

1 Those equipment failures that occurred should have been expected and covered by routine maintenance activities. The basic problems appear to have derived from human error, inadequate training, complacency in operation and management, and inattention to maintenance needs.

The safety significance of these events must be considered in terms of the basic physics l

of reactors of these types. The safety analyses referenced earlier, as well as the experimental j tests of MTR-type reactors in transients conducted at the BORAX and SPERT facilities in the 1

late '50s and early '60s, suggest significant reactor damage in a transient would not occur unless the plants were experiencing a reactor period of less than 5 milliseconds. To achieve a period this small in plants of this type would require a reactivity insertion of considerably greater than 1 percent (perhaps as much as 1.4 percent to 1.5 percent). This is well beyond i

4 17 i

S the normal capability of these facilities. Thus, these events should not be regarded as ,

precursors of serious accidents. No fuel damage has been experienced and there has been rs release of radioactive material to the environment.

i i

The events illustrate not that the systems are deficient, but that the tests and I l

maintenance, procedures, and training are in need of improvement. This is especially I important in light of the accident potential from large reactivity transients.

Accordingly, the Panel's recommendations are:

Panel Recommendation #2: The NRC should review its requirements for startup checks, l

on a plant-specific basis, and implement license amendments where needed. This same philosophy should apply to tests and maintenance on the RPS, in order to assure that the system is returned to operable status, after test or maintenance.

Panel Recommendation #3: The NRC should ensure that a training course is developed by the NPR community or by individual licensees, for use by reactor operators and their l

supervisory chain. The purpose of this course would be to instill an understanding of hazards of this family of reactors during postulated transients and accidents. Inasmuch as AEOD has already developed a course along these lines for power reactors (R-800,

" Perspectives on Reactor Safety"), AEOD should provide advice and mimee. The course would be most effective if given by the NPR community itself. Every operator and supervisor should, in the fullness of time, be required to take the course. The course should also be mandatory for NRC staff who work in the licensing and inspection areas.

18

. 3.2 Loss-of-Coolant Accident and Loss of Flow Relatively minor pool leakages have occurred at the Rhode Island Atomic Energy Commission Nuclear Science Center (1995) and at the University of Virginia (1993-94).

There have also been small primary to secondary leaks in the heat exchanger at the University of Virginia (1995). These leaks have been on the order of 100 gallons per day or smaller.

Two safety concerns were considered. First, for research reactors at or above 2 MW in l

l power, if the loss of coolant led to core uncovery, fuel damage could result. Second, the l

water draw-down will also lead to increased radiation levels above the core as the thickness of the water shield is reduced. However, these pools contain tens of thousands of gallons of water. Draining at the rates experienced (or even many times those rates) should be easily detectable and correctable.

The more likely way in which fuel may be damaged in reactors of this type appears to be from loss of core cooling due to inlet flow blockage or from loss of forced flow when operating at high power. The recent event at the University of Virginia (March 1996) in which a paper towel on top of a fuel element lead to 200 kW (i.e.,10 percent of rated power) power fluctuations is illustrative of the potential effect of minor blockage. The lessons leamed years ago fium tne dPERT-IV experiments and the earlier incidents at higher powered research an i test reactors (referenced earlier) should not be forgotten or discarded. Core inlet blockages fiam things as simple as paper towels or gaskets can lead to damaged fuel. The significance of inlet flow blockage is reflected in several of the accident analyses submitted by these licensees.

I 19

Because of the potential safety significance of core flow blockages, the Panel adopted -

the following recommendation:

Panel Recommendation #4: The NRC should review the plant-specific procedures for 1) '

preventing extraneous material from entering the pool or cooling systems for the plants listed in Table 1, and 2) licensee inspections of the core prior to start-up or closure of l

the facility. If the procedures are deficient (or do not exist) then improvements should be sought.

3.3 Fuel Handling At NIST (June 25,1991) A new fuel element dropped off the handling tool and landed on the top grid of the core.

This single event was not enough to warrant a specific recommendation in this area.

However, the NRC should consider the safety significance of a fuel drop accident, but on a medium priority basis.

3.4 Radiation Protection Events J

Several past notices of violation (NOV) (Table 2; end of this chapter) were considered to determine the significance of radiation protection incidents. Based on this, only one event resulted in 10 CFR 20 dose hmits being exceeded. In addition to the review of past violations, the results of site visit survey observations and experiences were reviewed.

As Low as is Reasonably Achievable (ALARA) practices were good at most facilities.

However, there have been instances of complacency towr.rds radiation safety. In one case, a facility allowed the use of normal street clothes during refueling, despite several personnel contamination events within the past year. Members of the refueling crew were also observed 20

_. __ __ _ _ _ _ _ . _ - _ . _ . _ _ _ _ . . _ . _ . _ ~ _ _ _

l l

to have materials in their shirt pockets while moving fuel, creating the potential to drop foreign material on top of the core. The observations indicated that sample handling and fuel movement were the most probable sources of personnel exposure and contamination. One l researcher received an 8.9 rem dose to his fingers. In another event two operators received l 9.2 and 11.5 rem to their hands in an experiment, and left the area without surveying

)

themselves thereby subsequently contaminating the control room. In another case, radioactive particles of gold were found on the pants of two operators during the past year.

There are differences in radiation protection practices from licensee to licensee. These l include posting of radiation areas and eating and drinking in radiation areas. Poor planning i and a lack of adherence to established procedures contributed to the unplanned exposure  ;

events.

Sample handling and shipping practices were also reviewed. While no overexposure l

l resulted, there were some poor practices in mislabeling packages. '

Given that these are largely institutions of higher learning, it is particularly important  ;

that a higher degree of management attention be given toward improving radiation protection I

practices. More guidance is not needed; rather, adherence to existing practices is needed.

l 3.5 Design Basis Control A lack of design control contributed to the occurrence and consequences of several events and selected summary information is provided below:

At the University of Michigan during a routine maintenance period (November 1992),

the shim range-control rod interlock system was removed from the reactor control system for a modification that had been reviewed and approved by the facility Safety Review Committee.

21 l

l

. .- - _ __ - _ _ - - _. - . = - - - - -

Subsequent post modification testing was inadequate to identify that the power level deviation interlock was inoperable due to a wiring error.

At the University of Missouri (Columbia) (1988 to 1996), a series of seven operational failures of the regulating blade necessitated manual reactor scrams. The primary contributors to these occurrences were the inadequate corrective actions developed in response to the continuing problem. The continual recurrence of this problem indicated that the licensee did not maintain control of the facility.

During maintenance activities at the University of Virginia (April 1993), two mixer-driver modules were changed in the scram logic drawer. This resulted in the inoperability of both power-level scrams, the intermediate-range scram, the low primary coolant flow scram, the loss of power to the primary pump scrams, the range switch scram and the key switch scram for a period of 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. All of these scram functions were required by the Technical Specifications (TS).

The exchange was made during troubleshooting activities that were being conducted to determine the cause of a spurious reactor shutdown earlier in the day. Although the two new mixer-driver modules appeared to be identical, they had been altered internally by the facility staff. A system verification (the minimally proper post modification testing) was not performed after the exchange due to an inappropriate decision by the shift supervisor. The loss of scram function (s) were not self-revealing, so only a proper scram system check would have revealed the inoperabilities.

A shim rod failed to fully insert into the TRIGA reactor at the United States Geological Survey (January 1996) during a normal shutdown. Shim rod 2 had been replaced during a 22

1 routine control rod inspection conducted in December 1995. Prior to the installation of the new shim rod, the fuel-follower control rod had been measured and found to be about 2 inches shorter than the rod it was replacing. Calculations at the time ofinstallation ,

indicated that the new rod was of sufficient length to remain below the top of the bottom grid plate when retracted to its uppermost configuration. In fact, the rod did not remain below the

! top of the grid plate, but instead, " caught" on the plate's edge, thereby hanging up several l

j inches above the fully inserted position. The 10 CFR 50.59 evaluation of this modification l was not adequate to identify this potential.

All reactors (power and non power) are licensed to operate as utilization facilities under i Title 10 and in acordance with the Atomic Energy Act (AEA) of 1954, as amended'. The l

AEA stated that utilization facilities for research and development should be regulated to the minimum extent consistent with protecting the health and safety of the public. The NRC has l

promulgated these concepts in 10 CFR 50.40, 50.41, and in other parts of Title 10 that deal '

with non-power reactors. 1 The licensed thermal power levels of non-power reactors are several orders of magnitude lower than power reactors, thereby resulting in the accumulation of a proportionally smaller inventory of fission products in the fuel. This has been one of the bases upon which the NRC has determined that less stringent and less prescriptive measures are required to adequately protect the safety of the public, workers, and the environment.

1 i

' The AEA was written to promote the development and use of atomic energy for peaceful purposes and to l

[

control and limit its radiological hazards to the public. These purposes are expressed in paragraph 1104 of

! me AEA.

23 l

Also, since potential hazards vary widely among non-power reactors, the regulations have also -

been implemented in different ways between various non-power reactors.

The issue of what standards to use in evaluating accidents at a research reactor was -

discussed in an Atomic Safety and Licensing Appeal board (ASLAB) decision issued on May 18,1972, for the research reactor at Columbia University in New York City. ASLAB  !

stated that "as a general proposition, the Appeal Board does not consider it desirable to use the standards of 10 CFR Part 20 for evaluating the effects of a postulated accident in a )

research reactor inasmuch as they are unduly restrictive for that purpose. The Appeal Board strongly recommends that specific standards for the evahation of an accident situation in a research reactor be formulated." The staff did no'. find it necessary to conform to that recommendation to develop separate criteria for the evaluation of research reactor accidents, since the majority of research reactors have been able to adopt the conservative 10 CFR Part 20 criteria (Ref. 21).

The control of the design basis of non-power reactor facilities is not as prescriptive as with power (commercial) reactors. Safety Analysis Report;(SARs) are not required to be updated on a periodic basis as is the case wi+h power reactors (10 CFR 50.71[e]). Instead, the requirement for non-power reactors is to subad an SAR as part of the initial license application and to submit revisions to the SAR in conjunction with any license renewal.

Licensees are, however, encouraged to maintain current SARs on file with the NRC. As with power reactors, non-power reactor licen .ee are required to review all facility changes and modifications for their potential to result in unanalyzed safety questions. Changes which do not result in such conditions can be implemented by the licensee under the allowances of 24

\

l 10 CFR 50.59. A report which summarizes the changes made under the allowances of l l

10 CFR 50.59 is required to be submitted annually (Ref. 22).

The events within this study do not directly support the need to revise the regulations .

concerning the maintenance of a current SAR. The relative simplicities of non-power reactor i

SARs and the few number of significant changes that are made to non-power facilities obviate the need for a prescribed periodic update of SARs. In addition, the requirement that licensees submit an annual report to the agency summarizing all changes made to the facility under the i

j allowances of 10 CFR 50.59 assures that the information needed by the NRC to fulfill its l statutory obligations will be available.

i .

This does not relieve licensees from maintaining the information necessary to properly J

l and safely operate the facility. All data, procedures, and reference documents needed to l conduct safety evaluations, submit licensing requests, and provide proper and effective i

training must be maintained and controlled.

At least two events (those at the University of Virginia and the United States Geological Survey) directly indicate that current evaluations by non-power reactor licensees are not thorough enough. Non-power reactor licensees are not relieved from the requirements of 10 CFR 50.59.

1 However, the two events noted above do not, in and of themselves, support an overhaul a

j of the 50.59 process. They do suggest that the NRC may need to be more attentive to the effectiveness and the comprehensiveness of licensee evaluations. In addition, the lessons that l

have been learned from Millstone, indicate that a special sensitivity is needed in this area.

1

! Inspection activities similar to those currently being undertaken by power reactor Project

$f 25 A

l Managers should be initiated. Additionally, appropriate enforcement actions should be taken .

if 10 CFR 50.59 evaluations are found to be significantly lacking.

All of the events discussed in this report which had repetitive occurrences could have 1

been precluded by a more detailed and insightful root cause analysis of the initial (or subsequent) event.

The NRC should inspect and enforce requirements, especially in response to operational

, events. Compliance and safety are not mutually exclusive, but instead form a symbiotic, mutually supportive relationship. Licensees must operate within their licensing domain and I the NRC must ensure compliance with its regulations. The relative safety significance of individual events should be captured by the degree of enforcement. sanction which is imposed, 4

not by whether an action is taken. I The Panel, even in consideration of the above important points, did not prepare a specific recommendation in this area. What is needed is for both the regulators and the l

regulated, to comply with existing rules and practices, and more guidance is not needed.

3.6 Operating Experience Feedback d

Reporting requirements are interpreted such that precursors that do not violate TS are not reportable, such as: reactor pool leaks below TS limits, operation with inoperable reactor scrams not listed in TS, unexpected control rod withdrawal, high core excess reactivity below TS limits, or power fluctuations caused by debris on the core. Licensees, however, have often reported important events or conditions that fell below the legal threshold of the reporting requirements in their TS.

26

The "TRTR Newsletter" does an outstanding job in highlighting NRC inspection emphasis and problems identified, and calls attention to some important events so that others can learn more by contacting the facility directly. However, reported operating experience was often transmitted to NPR licensees through the TRTR Newsletter without identifying the l

facility name in the articles, even though the information was available to the public in the l

l NRC Public Document Room. Many informal communications occurred between licensees.

Industry conferences, generally held on an annual basis, addressed selected operating l experience. These processes disseminated information on a portion but not all of the events noted in this report. There were events documented at some facilities that were not disseminated to the NRC or others in the TRTR community. Furthermore, some licensee event reports lacked sufficiently detailed root causes or corrective actions to be of use to others.

The Panel believes that NPR facilities can learn from each others problems despite their design differences. Yet, the study found differences of opinien in the NPR community toward systematically sharing operating experience. While some NPR personnel expressed a desire to increase the sharing of operating experience, a few appeared reluctant to share their problems publicly or even privately. The vehicles are in place to effectively learn from operating experience; however, they could be used to a greater extent. A more public, expanded exchange of operating experience has the potential to further improve NPR safety performance.

j Some positive mechanism must exist in order for the improvements to come about.

l l Hence, the Panel recommendation is divided into two parts:

l l

l 27 I

l i

Panel Recommendation #5: . )

l 1

a. The NRC should review the reporting criteria for events and make such j

modifications as are needed to assure that important events are reported on a timely basis; and,

b. AEOD should include in its annual report an assessment of the prior year's NPR experiences, or else publish them in a separate annex to its report. This work i product should be disseminated widely to the NPR community.

3.7 Safety Culture i

Safety culture deficiencies contributed to the occurrence and consequences of several l 1

avents some of which have also been discussed in previous sections of this report. Examples  !

(not inclusive) are:

At the University of Michigan (November 1992) during a routine maintenance period, i

i the shim range-control rod interlock system was removed from the reactor control system for a modification that had been reviewed and approved by the facility Safety Review Committee.

Subsequent post modification testing was inadequate to identify that the power level deviation interlock was inoperable due to a wiring error. Additionally, the startup check list that was conducted after the modification was done by a trainee and there was no engineering or quality assurance oversight. The review by the Safety Review Committee was inadequate, l and the decisions associated with the subsequent startup checklist were ineffective in J

demonstrating the operability of the system.

At the University of Missouri (Columbia) (1988-1996), a series of seven operational failures of the regulating blade necessitated manual reactor scrams. The primary contributors 1

28

. - . . . - -. - . - - - . - . . _. - _ - ~ . - - . . _ - _ .

to these occurrences were the inadequate corrective actions developed in response to the continuing problem. The continual recurrence of this problem indicated that the licensee did not pursue the root cause of the problem.

During maintenance activities at the University of Virginia (April 1993), two mixer-l driver modules were changed in the scram logic drawer. This resulted in the inoperability of i

( both power-level scrams, the intermediate-range scram, the low primary coolant flow scram,

! i the loss of power to the primary pump scrams, the renge switch scram and the key switch scram for a period of 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. All of these scram functions were required by the TS.

The exchange was made during troubleshooting activities that were being conducted to 4

determine the cause of a spurious reactor shutdswn earlier in the day. Although the two new mixer-driver modules appeared to be identical, they bad been altered intemally by the facility staff. A system verification (the minimally proper post modification testing) was not performed after the exchange due to an inappropriate decision by the shift supervisor. The l loss of scram function (s) were not self-revealing, so only a proper scram system check would l I

have revealed the inoperabilities. The myopic consideration of the potential effects of these l maintenance activities is evidence that a broad safety perspective was not present.  !

I A shim rod failed to fully insert into the TRIGA reactor at the United states Geolcgical l Survey (January 1996) during a normal shutdown. Shim rod 2 had been replaced during a routine control rod inspection conducted in December 1995. Prior to the installation of the new shim rod, the fuel-follower control rod had been measured and found to be about

.2 inches shorter than the rod it was replacing. Calculations at the time of installation indicated that the new rod was of sufficient length to remain below the top of the bottom grid l

29

plate when retracted to its uppermost configuration. In fact, the rod did not remain below the

top of the grid plate, but instead, " caught" on the plate's edge, thereby hanging up several 1

inches above the fully inserted position. The 10 CFR 50.59 evaluation of this modification was not adequate to identify this potential condition. The method by which this modification was implemented reflected a less than satisfactory safety culture.

While the events at the Massachusetts Institute of Technology (March 1990, December 1993, and January 1995) all share the fact that they deal with the control of reactivity, they a also bring insights to the overall safety culture in place at the facility.

In the 1990 event of an improperly calculated established critical position (ECP), the console operator and reactor supervisor did not check a trainee's ECP calculation, placed excessive reliance on the ECP to identify criticality, and did not closely monitor indications as the reactor was approaching criticality.

In the 1993 event, the reactor automatically scrammed while a technician was 1

investigating why one of two low-range neutron flux power level safety channels had failed.

l The facility was operated without a capability to test the circuitry without removing the input signal cable.

In the 1995 event, the reactor was operated for a short period of time without a core low flow scram. An operator had addressed a core temperature pin oscillation on a recorder during a shutdown by inadvertently turning off the core flow and temperature recorder instead of just the temperature pin. Although the restart procedure contained a step to restart any instrument which had been secured, the operators did not have a list itemizing which instruments had been secured.

30

l l

Having a self-critical approach to assuring the maintenance of an appropriate safety I culture at any nuclear facility and within the NRC is a goal whose merit is without question. l l

The Panel, in reviewing the technical issues took into consideration a broad perspective of the factors related to reactor safety and radiological consequences at non-power reactors. As has l

l been noted, the safety significance of events which were reviewed at these non-power reactor 1

facilities is minimal. "In non power reactors, a scram does not challenge the safety of the reactor or cause any undue strain on any systems or components associated with the reactor" (Ref. 23). Additionally, the previously mcntioned findings of the ASLAB (Columbia l

l University,1972) support a conclusion that the radiological consequences of a non-power i

reactor event are also limited.

l The Panel concluded that more regulations are not needed. Instead, the issue is whether l

l

\

the agency's inspection program, as implemented, is enforcing an appropriate level of compliance. In light of the lessons being learned from the agency's review oflicensing and compliance issues at Millstone and other rower reactor facilities, the need for a more l

compliance-oriented regulatory philosophy must be considered. Operational safety and regulatory compliance are not exclusive concepts. The Panel believes that, as with power reactors, non-power reactor licensees should be required to comply with the requirements of the regulations, their licensing bases, and the technical specifications. The agency's inspections and enforcement posture should be so focused. The Panel, therefore, has the following recommendation:

l l

l t

31 l

l l

1 1 Panel Recommendation #6: The NRC should review its enforcement philosophy .

concerning non-power reactors. Compliance with the regulations, licensing bases, and technical specifications is an essential component of safety regulations.

\

Table 2 Notices of Violation l University of Missouri (Columbia): Several NOVs which collectively were categorized as a severity level II with $4000 civil penalty (1986). The violations resulted from the licensee failing to adequately assess the hazards of radiation exposure associated with the handling of thulium-170 pellets. The oversight led to an unplanned extremity overexposure of 115 rem to an individual's hands.

University of Virginia: Several NOVs which collectively were categorized as a severity level III with $2500 civil penalty (July 1987). The licensee failed to perform surveys necessary to identify a high radiation area and to take appropriate action to provide written procedures for the installation, operation, modification, and surveillance of experimental facilities, resulting in an individual's exposure of up to 270 mrem, and had the potential for more significant exposure.

Texas A & M: Several NOVs which collectively were categorized as a severity level III with

$5000 civil penalty for failure to provide dosimetry to personnel and to establish proper controls and failure to use and wear personnel monitoring equipment in high radiation areas (March and April 1987). ALARA principles were not employed when working in high radiation areas.

University of Missouri (Rolla): NOV severity level IV fcr bypassing frisker station when leaving the reactor bay area (October 1987). Several individuals occasionally ate, drank, or smoked in the bay area.

University of Texas: NOV severity level IV for failure to have available records to document the results of radiation surveys performed to determine dose rates (June 1990).

Massachusetts Institute of Technology: NOV severity level IV for failure to conduct quarterly inspections of radiation safety activities from 1988 to 1991 (January 1991). In this period, the licensee did not conduct or record refresher training for health physics technicians. Also the licensee failed to record radionuclides on a shipment burial manifest for a December 1990 waste shipment.

J University of Maryland: Two NOVs severity level IV and one NOV severity level V for failure to perform adequate radiation .;urveys necessary to determine that individuals were not exposed to airborne concentrations in excess of 10 CFR 20.102 (October 1992).

32

.__ - - _ _ - .___ _ __ - _ _m _ __M + * -w -- 1.-

University of Michigan: NOV severity level IV for failure to follow health physics procedures in accordance with their TS (August 1993).

Geornia Institute of Technolony: NOV severity level IV for failure to make a proper evaluation of the extent of neutron radiation present following a survey underestimating the dose rate by a factor of 100 (August 1994).

NOV severity level III with $5000 civil penalty (December 1987 and January 1988). Failure to follow or have approved procedures during a topaz irradiation resulting in a contamination event.

l I

l n

33 1

i

l 4 Conclusions, Recommendations, and Observations .

1 i'

General l

This chapter contains conclusions; resummarizes the specific reconunendations from l

i Chapters 2 and 3; and then offers some historical perspectives on NPR safety from the former l

AEC Chairman Thompson as written in his textbook more than 30 years ago (Ref. 2). i l

l 4.1 Conclusions  !

This study identified some important lessons teamed on NPR safety which need to be included in the licensing and regulatory process. It appeared to the Panel tha.t, even though this class of reactors is significantly more safe than the power reactor community class, there may not be sufficient oversight on event management, reporting, and followup, either by the licensee management or by the NRC. The Panel recommendations are intended to help close this gap.

4.2 Recommendations In Chapters 2 and 3 the Panel reviewed selected NPR safety analysa and recent operating events or conditions, made a number of observations, and arrived at six specific recommendations:

Panel Recommendation #1: The NRC should assure that:

a. If the likelihood of an unanalyzed event is determined to be much higher than previously thought (viz, the inlet flow blockage at UVA) then the licensee should

. demonstrate that this credible scenario does not have consequences which exceed those of the event previously considered bounding; and, 34

. _ _ ____---__----__L

b. When the facility is due for license renewal, the safety analysis should be reviewed in depth, taking into account the lessons of the last 10 years, and updated as needed.

i Panel Recommendation #2: The NRC should review its requirements for startup checks, l

l on a plant-specific basis, and implement license amendments where needed. This same philosophy should apply to tests and :naintenance on the RPS, in order to assure that the system is returned to operable status, after test or maintenance.

1 Panel Recommendation #3: The NRC should ensure that a training course is developed -

by the NPR community or by individual licensees, for use by reactor operators and their l

supervisory chain. The purpose of this course would be to instill an understanding of l

hazards of this family of reactors during postulated transients and accidents. Inasmuch '

as AEOD has already developed a course along these lines for power reactors (R-800,

" Perspectives on Reactor Safety"), AEOD should provide advice and assistance. The course would be most effective if given by the NPR community itself. Every operator i

and supervisor should, in the fullness of time, be required to take the course. The I course should also be mandatory for NRC staff who work in the licensing and inspection areas.

l Panel Recommendation #4: The NRC should review the plant-specific procedures for '

1) preventing extraneous material from entering the pool or cooling system for the plants listed in Table 1, and 2) licensee inspections of the core prior to start-up or l l

closure of the facility. If the procedures are deficient (or do not exist) then improvements should be sought.

l 35

~

Panel Recommendation #5: .

+

b

a. The NRC should review the reporting criteria for events and make such I

modifications as are needed to assure that important events are reported on a timely basis; and,

b. AEOD should include in its annual report an assessment of the prior year's NPR experiences, or else publish them in a separate annex to its report. This work product should be disseminated widely to the NPR community.

Panel Recommendation #6: The NRC should review its enforcement philosophy concerning non-power reactors. Complianc'e with the regulations, licensing bases, and technical specifications is an essential component of safety regulations.

4.3 Observations The Panel during its review renewed its acquaintance with the Thompson and Beckerly textbook which was written more than 30 years ago as material for the MIT summer course on reactor siety (Ref. 2). In Chapter 6 (Volume 1) of Ref. 2, there were found a number of conclusions and recommendations which reminded the Panel that in some cases if the lessons of history are ignored, the problems will recur. The following quotations from that chapter l

illustrate the point:  ;

i

"(5): Accidents usually occur because of multiple and often apparently unrelated causes. I It is not enough to place reliance on one simple safety barrier or procedure; i l

(6): Procedural control is at best a poor substitute for design ingenuity in setting up the I first line of defense. That is to say, procedural controls should not be relied upon as the only, or even primary, safety barriers. Whenever possible interlocks and positive mechanical barriers should be designed into the system to prevent unsafe actions...

36

(10): It should be impcssible to withdraw by hand or other means in an unpremeditated manner control rods, the withdrawal of which could lead to criticality. This can be prevented by appropriate interlocks or by other design methods.

l (11): In the US it has become common practice to provide a shutdown margin sufficient to allow for the failure of a single control rod.

l l (21): Experiments and tests must be carefully and conservatively planned. Plans should be written out, appropriate calculations made, appropriate instrumentation l prepared, and personnel roles reviewed and rehearsed for the tests....

(22): The goal of reactor instrumentation should be to supply information to operators and control units which correctly represents the true picture of the core under all conditions and at all times.

(38): The effectiveness of shutdown systems should always be checked as a part of the startup procedures."

The Panel thought that most of the 42 recommendations in the Thompson text would be useful in the training of NPR operators and their supervision, and also thought the above listed recommendations merited explicit listing in this report.

l l

i 37 l

l

5 References .

1. Kosmeyer, R.B., Westinnhouse Testinn Reactor Incident. Nuclear Safety, Vol. 2 No. 2 (December 1960).
2. Thompson, T.J. and Beckerly, J.G., The Technology of Nuclear Safety, Vol 1, MIT Press (1964).
3. Colomb, A.L., and Sims, T.M., ORR Fuel Failure Incident, Nuclear Safety, Vol. 5, No. 2 (Winter 1963-64).
4. Dietrich, J.R., Exoerimental Investination of the Self-limitation of Power During Reactivity Transients in a Subcooled. Water-moderated Reactor, AECD-3668.
5. Silver, E.G., SPERT Program Status Report, Nuclear Safety, Vol. 5, No.1 (Fall 1963).
6. Silver, E.G., Status Reoort on SPERT Program. Includinn PBE. Nuclear Safety, Vol. 6, j No. 3 (1965).
7. SL-1 Project, Idaho Test Station, Final Reoort of SL-1 Recovery Ooeration. ID)-19311 (July 27,1962). .
8. Mosey, D., Reactor Accidents. September 1989.

1

9. Georgia Institute of Technology application to the NRC, December 1994.
10. U.S. Nuclear Regulatory Commission Order Modifying Licensee Georgia Institute of Technology, June 1995.

I 1. Safety Evaluation Report related to the renewal of the operating license for the training and research reactor at the University of Michigan; NUREG-1138, Docket No. 50-2, July 1985.

12. Massachusetts Institute of Technology Safety Analysis Report (MITR-II);

October 22,1970.

13. U.S. Nuclear Regulatory Commission Docket No. 50-20 MIT Notice of Issuance of Amended Facility License, July 1975.
14. Final Safety Analysis Report on the National Bureau of Standards Reactor, Addendum 1, November 1980, U.S. Department of Commerce, NBS. i
15. Final Safety Analysis Report on the National Bureau of Standards Reactor - NBSR9, July 1996.

38

i

.- 16. SER Related to the License Renewal and Power Increase for NBSR (NUREG-1007),

September 1983, U.S. Nuclear Regulatory Commission.

1
17. Issuance of Order Modifying License No. R-95 to Convert from High to Low-Enriched Uranium (Amendment o.17), Rhode Island Atomic energy Commission, March 17,

!, 1993.

! 18. SAR for the Low Enriched Fuel Conversion of Rhode Island Nuclear Science Center Research Reactor, November 1991.

19. University of Missouri Research Reactor Facility (Columbia), Submittal in Reply to Questions by the AEC Letter February 23,1973; October 1973; MURR Addendum 4 Hazards Summary Report.
20. Safety Evaluation Report related to the renewal of the operating license for the
University of Virginia Open-Pool Research Reactor; NUREG-0928; Docket No.50-062; September 1982.

i 21. U.S. Nuclear Regulatory Commission, " Guidelines for Preparing and Reviewing i

Applications for the Licensing of Non-Power Reactors," NUREG-1537, Part 2, February 1996, p. xiv. l 1 l i 22. U.S. Nuclear Regulatory Commission, " Guidelines for Preparing and Reviewing

Applications for the Licensing of Non-Power Reactors," NUREG-1537, Part 2, February

, 1996, p. xix. '

23. U.S. Nuclear Regulatory Commission, " Guidelines for Preparing and Reviewing
Applications for the Licensing of Non-Power Reactors," NUREG-1537, Part 2, February j 1996, p. 4-5.

i l i

l 1

4 l

4 39 l 4

l l

O 6

APPENDIX 1

s

. _ _ _ _ _

Retrieved from "https://kanterella.com/w/index.php?title=ML20132B244&oldid=3539718"