ML20154J248

Regulatory Analysis for Proposed Resolution of USI A-47. Safety Implications of Control Systems.Draft Rept for Comment
Issue date: 04/30/1988
From: Szukiewicz A, NRC Office of Nuclear Regulatory Research (RES)
References: REF-GTECI-A-47, REF-GTECI-SY, TASK-A-47, TASK-OR NUREG-1218, NUREG-1218-DRFT, NUREG-1218-DRFT-FC, NUDOCS 8805260236


Text


NUREG-1218

Regulatory Analysis for Proposed Resolution of USI A-47
Safety Implications of Control Systems
Draft Report for Comment

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research

A. J. Szukiewicz

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG-1218
Regulatory Analysis for Proposed Resolution of USI A-47
Safety Implications of Control Systems
Draft Report for Comment

Manuscript Completed: March 1988
Date Published: April 1988

A. J. Szukiewicz
Division of Engineering
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555


ABSTRACT

This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value impact of alternatives for the resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The NRC staff proposed resolution presented herein is based on these analyses and the technical findings and conclusions presented in NUREG-1217.

The staff has concluded that certain actions should be taken to improve safety in light-water reactor (LWR) plants. The recommended actions call for certain plants to upgrade their control systems to preclude reactor vessel/steam generator overfill events and to prevent steam generator dryout, to modify their technical specifications to verify operability of such systems, and to modify selected emergency procedures to ensure plant safe shutdown following a small-break loss-of-coolant accident.

NUREG-1218 iii

CONTENTS

ABSTRACT ........................................................ iii
ABBREVIATIONS ................................................... vii
EXECUTIVE SUMMARY ............................................... ix
1 STATEMENT OF THE PROBLEM ...................................... 1-1
2 SUMMARY OF LIMITATIONS, ASSUMPTIONS, AND CONCLUSIONS .......... 2-1
  2.1 Limitations and Assumptions ............................... 2-1
  2.2 Conclusions ............................................... 2-3
3 ALTERNATIVES .................................................. 3-1
  3.1 GE BWR Plant Designs ...................................... 3-2
  3.2 W PWR Plant Designs ....................................... 3-3
    3.2.1 Overfill Events ....................................... 3-3
    3.2.2 Overcool Events ....................................... 3-3
    3.2.3 Overpressure Events ................................... 3-4
    3.2.4 SGTR Events ........................................... 3-4
  3.3 B&W PWR Plant Designs ..................................... 3-4
    3.3.1 Overfill Events ....................................... 3-4
    3.3.2 Overheat Events ....................................... 3-4
  3.4 CE PWR Plant Designs ...................................... 3-5
4 DISCUSSION OF ALTERNATIVES .................................... 4-1
  4.1 GE BWR Plant Designs ...................................... 4-1
  4.2 W PWR Plant Designs ....................................... 4-4
  4.3 B&W PWR Plant Designs ..................................... 4-12
  4.4 CE PWR Plant Designs ...................................... 4-17
5 SUMMARY OF ALTERNATIVES ....................................... 5-1
6 PROPOSED RESOLUTION OF USI A-47 ............................... 6-1
  6.1 GE BWR Plant Designs ...................................... 6-1
  6.2 W PWR Plant Designs ....................................... 6-1
  6.3 B&W PWR Plant Designs ..................................... 6-2
  6.4 CE PWR Plant Designs ...................................... 6-2
7 APPLICATION OF THE BACKFIT RULE, 10 CFR 50.109 ................ 7-1
8 REFERENCES .................................................... 8-1

APPENDIX A: REJECTED ALTERNATIVES
APPENDIX B: SENSITIVITY STUDY FOR REACTOR VESSEL / STEAM GENERATOR OVERFILL SCENARIOS
APPENDIX C: CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATION FOR RESOLUTION OF USI A-47


ABBREVIATIONS

ADV atmospheric dump valve
AEOD Office for Analysis and Evaluation of Operational Data
AFW auxiliary feedwater
ATWS anticipated transients without scram
B&W Babcock and Wilcox Co.
BWR boiling-water reactor
CE Combustion Engineering
CFR Code of Federal Regulations
CSF control system failure
CSI core spray injection
CSS core spray system
ECC emergency core cooling
ECCS emergency core cooling system
EFW emergency feedwater
FMEA failure mode and effects analysis
FSAR final safety analysis report
GE General Electric Co.
HPI high pressure injection
IEEE Institute of Electrical and Electronics Engineers
INEL Idaho National Engineering Laboratories
LCO limiting condition for operation
LER licensee event report
LOCA loss-of-coolant accident
LPCI low pressure coolant injection
LTOP low-temperature overpressure
MFW main feedwater
MMS modular modeling system
MSIV main steam isolation valve
MSLB main steam line break
NRC U.S. Nuclear Regulatory Commission
NSS nuclear steam system
NSSS nuclear steam supply system
ORNL Oak Ridge National Laboratory
PNL Pacific Northwest Laboratory
PORV power-operated relief valve
PRA probabilistic risk analysis
PTS pressurized thermal shock
PWR pressurized-water reactor
RCS reactor coolant system
SAI Science Applications Inc.
SAR safety analysis report
SBLOCA small-break LOCA
SGTR steam generator tube rupture
SIAS safety injection actuation signal
SRV safety/relief valve
TBV turbine bypass valve
TMI Three Mile Island
UCLA University of California at Los Angeles
USI unresolved safety issue
W Westinghouse Corp.

EXECUTIVE SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) has conducted its technical evaluation of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The purpose of evaluating USI A-47 was to determine the need for modifying control systems in operating reactors, to verify the adequacy of licensing requirements identified in Section 7.7 of the Standard Review Plan (NUREG-0800) for control systems, and to determine if additional criteria and guidelines were needed. To do this, the staff had to identify control systems whose failure could (1) cause transients or accidents to be potentially more severe than those identified and analyzed in the final safety analysis reports (FSARs), (2) adversely affect any assumed or anticipated operator action during the course of a transient or accident, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents to occur at a frequency in excess of those frequencies established for abnormal operational transients and design-basis accidents. This report summarizes the results of the regulatory analysis conducted by the NRC staff to formulate the final resolution of USI A-47. The technical findings and conclusions presented in this document are based on (1) the technical findings and conclusions presented in NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47," and (2) the probabilistic risk analysis performed by Pacific Northwest Laboratory (PNL) and presented in NUREG/CR-4385, -4386, -4387, and -3958.

A concise set of limitations and assumptions was developed to confine the USI A-47 investigation to a manageable scope and to focus attention on the more safety-significant potential control system failures. These limitations and assumptions include the following:

(1) A minimum number of safety-grade protection systems would be available to trip the reactor and initiate overpressure protection systems or emergency core cooling (ECC) systems, if needed, during transients initiated by failures in the non-safety-grade control systems.

(2) Control system failures resulting from common-cause events such as earthquakes, floods, fires, and sabotage, or operator errors of omission or commission are not addressed in this review. Multiple control system failures in non-safety-grade equipment were, however, studied in a limited way.

(3) Transients resulting from control system failures during limiting conditions for operation (LCOs) or anticipated transient without scram (ATWS) events are not addressed in this review.

(4) The plant-specific designs were appropriately modified to comply with IE Bulletin 79-27 and NUREG-0737.

On the basis of the findings identified during this review, a number of alternatives for possible regulatory action are presented and discussed. The proposed resolution was selected after considering the safety benefits derived in terms of risk reduction and the cost of implementation.

The alternatives were selected on the basis of their potential for reducing the frequency of the initiating failure or reducing the consequences of control system failures found to be significant. The following alternatives were selected as the proposed resolution for A-47. These alternatives are discussed in Section 4 of this report.

GE BWR Plant Designs

(1) Upgrade plant designs with no automatic reactor vessel overfill protection to a 1-out-of-1 (or better) automatic reactor vessel high-level feedwater trip system.

(2) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided at all times during power operation.

(3) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for USI A-47.

W PWR Plant Designs

(1) Take no action to upgrade existing main feedwater overfill protection systems on plants that have installed redundant, steam generator, high water level, overfill protection systems consisting of a 2-out-of-3 (or better) steam generator, high water level, feedwater trip, isolation system.

(2) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided at all times during power operations.

(3) Take no action to upgrade existing reactor overpressure protection systems.

(4) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for USI A-47.

B&W PWR Plant Designs

(1) Modify plants similar to the reference plant (i.e., Oconee 1, 2, and 3) to either:

(a) Provide additional instrumentation to limit or terminate main feedwater flow on steam generator high water level. (The instrumentation should be separate from the existing main feedwater pump trip instrumentation. A system that initiates closure of main feedwater block valves on steam generator high water level is acceptable); or

(b) Modify the existing overfill protection system to minimize undetected failures in the system and facilitate online testing; or

(c) Upgrade the existing overfill protection system to a redundant high water level trip system that satisfies the single-failure criterion for overfill protection. (A 2-out-of-4, steam generator, high water level, trip system actuating redundant feedwater isolation equipment is acceptable.)

(2) Install Class 1E instrumentation in plants similar to the reference plant (i.e., Oconee 1, 2, and 3) to automatically initiate auxiliary (emergency) feedwater to minimize the potential for loss of steam generator cooling under any condition of operation (including a loss-of-power event).

(3) Take no action on other plants that have installed or have committed to install an emergency feedwater initiation and control (EFIC) system (or its equivalent) incorporating redundant, steam generator, high water level, overfill protection.

(4) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided at all times during power operation.

(5) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for USI A-47.

It should be noted that on December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. The overcooling event occurred as a result of a loss of power to the integrated control system (ICS) (see NUREG-1195). As part of the A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated for each of the reference plants.

In addition, two other B&W plant designs using the ICS 820 model were also reviewed in order to identify any significant loss-of-power transients that may not have been identified on the Oconee reference design (which has an ICS 721 model). These alternatives reflect the staff's findings.

As a result of the Rancho Seco event, however, a comprehensive study by the B&W Owners Group has been initiated to reassess all B&W plant designs. The reassessment includes, but is not limited to, the ICS and the support systems such as the power supply systems and maintenance (Tucker, May 15, 1986). Recommended actions for design modifications, for maintenance, and for changes to operating procedures (if any) developed for the utilities by the B&W Owners Group will be coordinated with the NRC staff and are outside the scope of this study.

CE PWR Plant Designs

(1) Modify all plants to provide additional instrumentation to automatically terminate main feedwater flow on steam generator, high water level. The instrumentation should provide sufficient redundancy to satisfy the single-failure criterion for overfill protection.

(2) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided at all times during power operations.

(3) Reassess emergency procedures and operator training programs at plants with low-head, safety-injection pumps and modify those procedures and programs if necessary to ensure safe shutdown during small-break loss-of-coolant accidents (SBLOCAs).

(4) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for USI A-47.
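The alternatives above name three trip logics (1-out-of-1, 2-out-of-3, 2-out-of-4) and, for the PWR options, require that the overfill protection satisfy the single-failure criterion and remain operable during periodic surveillance. The following Python is an added illustration written for this page, not code from NUREG-1218 or any NRC or vendor tool; it models a k-out-of-n high-water-level trip logic and checks it against that criterion, and it assumes (a modelling choice, not something the report states) that a channel bypassed for online testing is forced to the non-trip state.

```python
# Constructed model of a k-out-of-n high-water-level trip logic, written to
# illustrate the single-failure criterion applied to overfill protection.
# Channel state: True = channel senses high water level, False = normal level.

def trips(channel_states, k):
    """k-out-of-n voting: the trip/isolation signal is generated when at
    least k of the n channels report the trip condition."""
    return sum(1 for s in channel_states if s) >= k


def single_failure_tolerant(k, n):
    """Check a k-out-of-n trip logic against the single-failure criterion.

    For every channel, and for both ways it can fail (stuck 'normal' or stuck
    'high level'), the logic must still (a) trip on a real demand, i.e. when
    every healthy channel senses high level, and (b) not trip spuriously when
    every healthy channel reads normal.  Returns (ok, reason)."""
    if k < 1 or n < k:
        return False, "invalid logic: need 1 <= k <= n"
    for failed in range(n):
        for stuck in (False, True):
            # Real demand with one channel failed in the given direction.
            demand = [True] * n
            demand[failed] = stuck
            if not trips(demand, k):
                return False, f"channel {failed} stuck normal blocks a real trip"
            # No demand with one channel failed in the given direction.
            quiet = [False] * n
            quiet[failed] = stuck
            if trips(quiet, k):
                return False, f"channel {failed} stuck high causes a spurious trip"
    return True, "tolerates any single channel failure"


def tolerant_with_one_channel_bypassed(k, n):
    """Surveillance testing takes one channel out of service.  Assumption in
    this model: a bypassed channel is forced to 'normal', so the remaining
    logic is k-out-of-(n-1).  True means automatic protection still meets the
    single-failure criterion while that channel is under test."""
    return single_failure_tolerant(k, n - 1)[0]


def compare_designs(designs):
    """Evaluate a list of (k, n) trip logics.

    Returns {label: (tolerant at power, tolerant with one channel bypassed)}."""
    return {
        f"{k}-out-of-{n}": (single_failure_tolerant(k, n)[0],
                            tolerant_with_one_channel_bypassed(k, n))
        for k, n in designs
    }


if __name__ == "__main__":
    # The three logics named in the executive summary alternatives.
    for label, (ok, testable) in compare_designs([(1, 1), (2, 3), (2, 4)]).items():
        print(f"{label}: single-failure tolerant={ok}, "
              f"still tolerant with one channel bypassed={testable}")
```

Running it shows why the report accepts 2-out-of-3 or better for PWR overfill protection: 1-out-of-1 fails the criterion (one channel stuck normal defeats the trip), 2-out-of-3 passes but degrades to 2-out-of-2 during testing of one channel, and 2-out-of-4 remains single-failure tolerant even with a channel bypassed.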


1 STATEMENT OF THE PROBLEM

Instrumentation and control systems utilized at nuclear power plants are comprised of safety-grade protection systems and non-safety-grade control systems. Safety-grade protection systems are used to (1) trip the reactor whenever certain parameters exceed allowable limits, (2) protect the core from overheating by initiating the emergency core cooling (ECC) systems, and (3) actuate other safety systems, such as closure of main steam isolation valves (MSIVs) or opening of the safety/relief valves, to maintain the plant in a safe condition.

Non-safety-grade control systems are used to maintain a nuclear plant within prescribed pressure and temperature limits during shutdown, startup, and normal power operation. Non-safety-grade control systems are not relied on to perform any safety functions during or following postulated accidents, but they are used to control plant processes that could have a significant impact on plant dynamics.

The purpose of studying Unresolved Safety Issue (USI) A-47 was to evaluate the need for modifying control systems in operating reactors, to verify the adequacy of licensing requirements identified in Section 7.7 of the Standard Review Plan (NUREG-0800) for control systems, and to determine if additional criteria and guidelines were needed. To do this, the staff had to identify control systems whose failure could (1) cause transients or accidents to be potentially more severe than those identified and analyzed in the final safety analysis reports (FSARs), (2) adversely affect any assumed or anticipated operator action during the course of a transient or accident, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents to occur at a frequency in excess of those frequencies established for abnormal operational transients and design-basis accidents.

Included in the program established to resolve USI A-47 (NUREG-1217) was an investigation of the effects of control system failures on four reference plant designs subjected to single and multiple control system failures during automatic and manual modes of operation. Failures at different reactor power levels including low-, middle-, and full-power operating conditions were evaluated.

The review concentrated on identifying control system failures that could lead to:

(1) steam generator (reactor vessel) overfill events
(2) reactor vessel overcooling events
(3) reactor core overheating events
(4) events or accidents that could be more severe than those previously analyzed in the FSAR.

Steam generator and reactor vessel overfill and reactor vessel overcooling events have been identified previously as potentially significant events that could lead to unacceptable consequences such as a steamline break, steam generator tube rupture, or reactor vessel damage. (See NRC, "AEOD Observations and Recommendations Concerning the Problem of Steam Generator Overfill and Combined Primary and Secondary System Behavior," December 17, 1980.) A number of specific control system failure scenarios were identified that could potentially lead to such events.


2 SUMMARY OF LIMITATIONS, ASSUMPTIONS, AND CONCLUSIONS

The limitations, assumptions and conclusions presented here are based on the scope and results reported in NUREG-1217.

2.1 Limitations and Assumptions

A clear and concise set of limitations and assumptions had to be established to confine the investigation to a manageable scope and to focus attention on the more safety-significant aspects of control system failures. The limitations and assumptions used for USI A-47, and their bases, are discussed below:

(1) Non-safety-grade control system failures would not cause simultaneous failure of both redundant trains of safety-grade protection systems. This assumption implies that a minimum number of safety-grade protection systems would be available for (a) actuation of the reactor trip system, (b) actuation of the overpressure protection system, and (c) the initiation of the minimum number of required emergency core cooling (ECC) systems, if needed during a control system failure transient. This assumption is considered valid on the basis that adequate separation and independence are required to be provided between the non-safety-grade control systems and the safety-grade protection systems. Independence is provided by verifiable isolation devices located between safety-grade and non-safety-grade systems and/or by physically locating the safety-grade systems in separate areas and routing the electrical cables in separate raceways throughout the plant. The staff performs audit reviews of the safety-grade systems as part of the licensing review process to ensure that an adequate degree of separation and independence has been provided. Also, as part of the A-47 program, a literature search was conducted to review the operating history of control system failures. The purpose of the review, in part, was to identify any control system failures that could cause a failure of both safety-grade protection systems. The staff's review (see Section 3.2 of NUREG-1217) did not identify any such failures. In addition, as part of the USI A-17 "Systems Interaction" program, spatial interactions between safety-grade protection systems and non-safety-grade control systems were considered.

(2) External events such as earthquakes, floods, fires, and sabotage were not considered in this study. Multiple control system failures were evaluated to assess some effects of common-cause failures on the plant. However, the review was limited to a selected number of combinations of control system failures. An attempt was made to select control system failure scenarios that would bound the dynamic effects of a number of control system failures. System failures were evaluated during automatic and manual modes of operation and at different reactor power levels that include low, intermediate, and full power operation.

It should be noted that the staff and utilities have performed evaluations to assess the plant's ability to achieve safe shutdown during these external events. Fire protection has been reviewed at all operating plants to ensure conformance to 10 CFR 50 Appendix R and to evaluate the plant's ability to cope with fire and flooding in different cable trays as well as in different areas of the plant. These reviews evaluated the effects of fires and flooding in control grade as well as in protection grade equipment. Also, as part of the USI A-46 activities, non-safety-grade and protection grade equipment are evaluated to assess their seismic ruggedness and ensure that plants have the ability to achieve safe shutdown after a seismic event (see item 2 in Appendix A of NUREG-1217).

(3) Operator errors of omission or commission were not addressed in this review. Operating procedures for the important transients were reviewed. An assessment was made to determine whether operating procedures (to mitigate the transients of concern) were written in such a way that the operator could perform the task in the time allotted. The staff also determined whether there was sufficient information, i.e., alarms and/or indications, available in the control room for the operator to assess the conditions in the plant at the time of the event. In some cases, early recognition of transients was necessary. Given early recognition, there were actions that the operator could take to mitigate these events. For the purpose of developing the failure scenarios and analyzing the resulting transients, two of the four plants were assumed to have operators take no action for the first 10 minutes of the transient. The other plant reviews assumed operator action could be taken on the basis of available time for action during each transient. For the risk analyses in evaluating the core-melt frequency, operator action for all plants reviewed was determined on the basis of available time for action during each significant transient identified.

(4) Transients resulting from control system failures during limiting conditions for operation (LCOs) (for example, systems deliberately disabled for a short time for testing and/or maintenance) were not considered in the review.

(5) The processes used to modify and to maintain control systems were not considered in this review.

(6) Anticipated transient without scram (ATWS) events were not considered in the review. A separate generic study has been conducted to address this issue (NUREG/CR-4385). On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include 10 CFR 50.62 (ATWS Rule), which requires specific improvements to be made in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.

(7) Control system failures that could lead to failures of (a) tanks containing liquid located outside containment and (b) fuel handling accidents (for example, spent fuel or waste disposal systems accidents) were not considered in this review. These systems are designed to be separated from control systems that are used during normal plant operations.

(8) Individual utilities had to address IE Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control System Bus During Operation," and to modify their plants appropriately in order to ensure that the operator would be able to achieve cold shutdown conditions following a loss of power of a single bus to instrumentation and controls in systems used in attaining cold shutdown. It should be noted that on December 26, 1985, a reactor vessel overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. The overcooling event occurred as a result of a loss of power to the integrated control system (ICS) (NUREG-1195). As part of the A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated for each of the four reference plants. In addition, two B&W plant designs using the ICS 820 model were reviewed. As a result of the Rancho Seco event, the B&W Owners Group (BWOG) has initiated a comprehensive study to reassess all B&W plant designs, including, but not limited to, the ICS and support systems such as power supplies and maintenance (Tucker, May 15, 1986). In addition, the BWOG is currently reevaluating IE Bulletin 79-27 in terms of all B&W-designed operating plants. Recommended actions for design modifications, for maintenance, and for changes to operating procedures (if any) developed for the utilities by the BWOG will be coordinated with the NRC staff and are outside the scope of this study.

(9) The requirements of NUREG-0737, "Clarification of TMI Action Plan Requirements," dated November 1980, were implemented or committed to be implemented on individual plant designs, including, but not limited to, Items II.E.1.1, II.E.1.2, II.K.2.2, II.K.2.9, and II.G.1.

2.2 Conclusions

On the basis of the technical work completed by the NRC staff and its contractors, the following conclusions have been reached:

(1) Control system failures are dependent on such individual plant characteristics as power supply configurations and maintenance. The control system designs between the plants supplied by the same nuclear steam supply system (NSSS) vendor are functionally similar enough that the transients resulting from the failure of the same type of non-safety-grade system on the different plants will produce similar transients.

(2) Control system failures have occurred that resulted in complex transients. Improvements made after the TMI-2 accident in the design of the auxiliary feedwater system and in operator information and training should greatly aid in the recovery actions in the future.

(3) Plant transients resulting from control system failures can be adequately mitigated by the operators provided the failures do not compromise proper operation of the minimum number of protection system channels required to trip the reactor and initiate the safety systems if such initiation is required.

(4) Transients or accidents resulting from or aggravated by control system failures (except those noted in this report that can contribute to reactor vessel/steam generator overfill or core overheat events) are less severe and, therefore, are bounded by the transients and accidents identified in the FSAR analysis.

(5) Control system failure scenarios have been identified that could potentially lead to reactor vessel/steam generator overfill events, core overheat events, and overpressure events.

(6) PWR plant designs having redundant, commercial grade (or better), overfill-protection systems for the main feedwater system that satisfy the single-failure criterion are considered to adequately preclude water ingress into the main steamlines.

(7) BWR plant designs with commercial grade (or better) overfill protection systems are considered to adequately preclude water ingress into the main steamlines.

(8) PWR plant designs that provide automatic initiation of the auxiliary feedwater flow on low steam generator level are considered to adequately preclude core overheating.


3 ALTERNATIVES On the basis of technical findings presented in NUREG-1217 and the probabilistic risk analysis performed by Pacific Northwest Laboratory and presented in NUREG/

CR-4385, -4386, -4387, and -3958, a number of alternatives for possible regula-tory action are presented and discussed 11. the following sections. The selec-tion of the alternatives for possible reguittory action identified in Section 5 is based on the value of the alternatives it. terms of the safety benefits de-rived, that is, the risk reduction achieved ind the cost of implementing the alternative. These alternatives focus on reucing the initiating failure fre-quency or eliminating the failure mechanism of the control systems that were found to be major contributors to events of corcern.

Best estimates for equipment failure probabilities were used whenever possible in the analysis for core melt and risk associated with the control system failures identified. The risk reduction resulting from the proposed alternatives is represented by the difference between the base case before action is taken and the adjusted case that results from implementing the alternatives. The core melt frequency and risk calculations were performed for a generic plant.

Adjustments were then made to factor in vendor-specific or plant-specific design considerations associated with the particular alternative. The release categories in NRC's "Reactor Safety Study" (WASH-1400) most representative of those core-melt scenarios were used to estimate risk. The computer program CRAC-2 was used for the generic risk calculations applied to a typical midwest site.

Assumptions and parameters used in the calculations are:

(1) Dose consequences represent whole-body population dose commitment (person-rems) received within 50 miles of the site.

(2) Exclusion area of 1/2-mile radius was assumed, with a uniform population density of 340 persons per square mile beyond the 1/2-mile distance. (This is the projected average 50-mile-radius population density around U.S. LWRs for the year 2000.)

(3) Evacuation was not considered.

(4) Meteorological data were taken from the U.S. Weather Service station at Moline, Illinois.

(5) The core inventory at the time of the accident was assumed to be represented by a 3412-MWt (1120-MWe) plant.

(6) A remaining 30 years of plant life was assumed for each unit (except as noted).

(7) For core-melt sequences, all exposure pathways except ingestion were included.

(8) The guidelines and procedures identified in the Value-Impact Handbook (NUREG/CR-3568) were used.
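The man-rem and cost figures quoted later in Section 4 combine the inputs listed above. The following block is an added example, not part of NUREG-1218 or of the NUREG/CR analyses, that shows the value-impact arithmetic in runnable form. Two things in it are this example's assumptions rather than statements of the report: the product form (core-melt frequency reduction) x (remaining plant life) x (population dose per core melt), and the population dose per core melt itself, which is back-calculated from the page's own pairing of 7 x 10^-7 per reactor-year with 123 man-rem for the BWR 2-out-of-3 to 2-out-of-4 upgrade (and 6 x 10^-8 with 9 man-rem for the W PWR auxiliary feedwater shutoff). The cost figures are the ones quoted on this page for those two alternatives.

```python
"""Value-impact arithmetic for a control-system modification.

Added example, not part of NUREG-1218. Assumption: the report's man-rem
figures are the product of the core-melt frequency reduction, the remaining
plant life (30 years, assumption (6) above) and a population dose per core
melt; the report lists inputs and results, not this formula.
"""
from dataclasses import dataclass

REMAINING_YEARS = 30  # assumption (6): 30 years of remaining plant life


@dataclass(frozen=True)
class Alternative:
    name: str
    delta_cmf: float   # core-melt frequency reduction, per reactor-year
    cost_low: float    # total industry cost, low estimate ($)
    cost_high: float   # total industry cost, high estimate ($)
    nrc_cost: float    # NRC review cost ($)


def risk_reduction(delta_cmf, dose_per_core_melt, years=REMAINING_YEARS):
    """Person-rem averted over the remaining plant life."""
    return delta_cmf * years * dose_per_core_melt


def implied_dose_per_core_melt(delta_cmf, person_rem, years=REMAINING_YEARS):
    """Back out the population dose per core melt that a (frequency, man-rem)
    pair quoted in the report implies under the product assumption."""
    return person_rem / (delta_cmf * years)


def cost_per_person_rem(total_cost, person_rem):
    """Figure of merit: dollars spent per person-rem averted."""
    return total_cost / person_rem


def value_impact(alt, dose_per_core_melt):
    """Low and high cost per person-rem averted, NRC review cost included."""
    averted = risk_reduction(alt.delta_cmf, dose_per_core_melt)
    return {
        "person_rem_averted": averted,
        "dollars_per_person_rem_low": cost_per_person_rem(alt.cost_low + alt.nrc_cost, averted),
        "dollars_per_person_rem_high": cost_per_person_rem(alt.cost_high + alt.nrc_cost, averted),
    }


# Figures quoted on this page for the GE BWR 2-out-of-3 -> 2-out-of-4 upgrade
# (Section 4.1, alternative 1): 7e-7 per reactor-year, $3M-$13M, NRC < $75k.
BWR_UPGRADE = Alternative("BWR 2oo3 -> 2oo4 level trip", 7e-7, 3_000_000, 13_000_000, 75_000)
# Figures quoted for the W PWR auxiliary-feedwater high-level shutoff
# (Section 4.2, alternative 1): 6e-8 per reactor-year, $2.3M-$27M, NRC $250k.
PWR_AFW_SHUTOFF = Alternative("W PWR AFW high-level shutoff", 6e-8, 2_300_000, 27_000_000, 250_000)

if __name__ == "__main__":
    # 123 man-rem and 9 man-rem are the risk reductions quoted on the page
    for alt, quoted_person_rem in ((BWR_UPGRADE, 123), (PWR_AFW_SHUTOFF, 9)):
        dose = implied_dose_per_core_melt(alt.delta_cmf, quoted_person_rem)
        print(f"{alt.name}: implied dose per core melt {dose:.3g} person-rem")
        print("  ", value_impact(alt, dose))
```

Run on the two quoted pairs, the block gives implied doses of about 5.9 x 10^6 and 5.0 x 10^6 person-rem per core melt; that they are close but not identical is consistent with the report's statement that generic results were adjusted for vendor-specific design considerations. The dollars-per-person-rem ratio is the figure of merit a value-impact comparison turns on: for the BWR upgrade the low-end cost including NRC review works out to $25,000 per person-rem averted, and the high-end cost to about four times that.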


The analysis is conservative. The factors contributing to conservatism are:

(1) Operator error: The probability assumed for operator failure to diagnose and terminate the scenarios ranged from 0.5 for scenarios with misleading or conflicting information or rapid progression (i.e., overfill in several minutes) to 0.1 for scenarios with non-conflicting information and alarms. Actual operator response might be better, particularly in plants with simulator programs stressing proper diagnosis of failures.

(2) Steamline break: The conditional probability of a main steamline break (MSLB), given spillover into the steamlines at power, was conservatively assumed to be 0.95, decreasing to 0.5 for the probability of an MSLB given spillover after shutdown. This conservative assumption was based on a few overfill events in foreign plants where some damage to the main steamlines was reported. Although several spillover events resulting in support damage have occurred to date in U.S. commercial plants, no steamline failures have occurred.

For this analysis, break location was also assumed to occur (i.e., 50 percent probability) upstream of the main steam isolation valves (MSIVs), making isolation impossible.

For the PWR analysis, the MSLB was also assumed to have a probability of inducing a steam generator tube rupture (SGTR). The values were taken from the results of USI A-3, A-4, and A-5 studies (NUREG-0844), and varied from 0.017 to 0.003, depending on the number of tubes ruptured. The combination of SGTR and unisolatable MSLB was therefore used as the major contributor to core damage for PWRs.

For the purpose of estimating the release of radionuclides, severe core damage resulting from MSLB and SGTR was taken from the relevant plant-specific probabilistic risk assessments (PRAs), modified to include control system failures.

Severe core damage was conservatively assumed to be equivalent to core melt.
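The conditional probabilities listed above chain together as an event tree: overfill, operator failure to terminate, steamline break, break upstream of the MSIVs, and tube rupture. The block below is an added illustration, not the NUREG/CR analysis itself: it computes the core-damage frequency for that path with the conservative values quoted above and shows how the result moves when one conditional is relaxed. The initiating overfill frequency and the treatment of the branches as independent multiplicative factors are this example's assumptions.

```python
"""Event-tree arithmetic for the PWR overfill -> steamline break -> SGTR path.

Added example; not the NUREG/CR analysis. The conditional probabilities are the
conservative values quoted on the page; the initiating overfill frequency and
the simple product of independent branch probabilities are assumptions here.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Branch:
    name: str
    p_operator_fails: float           # 0.5 misleading/rapid .. 0.1 clear alarms
    p_mslb_given_spill: float         # 0.95 spillover at power, 0.5 after shutdown
    p_unisolable: float = 0.5         # break upstream of the MSIVs
    p_sgtr_given_mslb: float = 0.017  # 0.017 .. 0.003 with number of tubes ruptured


def core_damage_frequency(initiating_freq, b):
    """Per-year frequency of reaching SGTR with an unisolable MSLB, which the
    page treats as the dominant core-damage contributor for PWRs."""
    return (initiating_freq * b.p_operator_fails * b.p_mslb_given_spill
            * b.p_unisolable * b.p_sgtr_given_mslb)


AT_POWER = Branch("overfill at power, rapid progression", 0.5, 0.95)
AFTER_SHUTDOWN = Branch("overfill after shutdown, clear alarms", 0.1, 0.5)


def sensitivity(initiating_freq, branch, **relaxed):
    """Recompute with one or more conditionals replaced by a less conservative
    value; returns (conservative, relaxed, relaxed / conservative)."""
    base = core_damage_frequency(initiating_freq, branch)
    adjusted = core_damage_frequency(initiating_freq, replace(branch, **relaxed))
    return base, adjusted, adjusted / base


if __name__ == "__main__":
    f_overfill = 1e-2  # per year; constructed illustrative value, not from the page
    for b in (AT_POWER, AFTER_SHUTDOWN):
        print(f"{b.name}: {core_damage_frequency(f_overfill, b):.3g} per year")
    # what crediting better-trained operators (0.1 instead of 0.5) buys at power
    print(sensitivity(f_overfill, AT_POWER, p_operator_fails=0.1))
    # and the effect of fewer tubes ruptured (0.003 instead of 0.017)
    print(sensitivity(f_overfill, AT_POWER, p_sgtr_given_mslb=0.003))
```

Because every branch enters as a multiplier, each conservative conditional scales the final frequency directly: crediting operators at 0.1 instead of 0.5 divides the at-power result by five, and taking the low end of the SGTR range divides it by a further factor of about 5.7. That is what "the analysis is conservative" means in numbers, and it is why the report quotes the assumptions explicitly rather than only the results.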

Although a large number of alternatives were evaluated (NUREG/CR-4385, -4386, -4387, and -3958), only those alternatives that are thought to be more important and could significantly reduce risk are discussed in detail in Section 4 of this report. The rest of the alternatives that were considered but rejected on the basis that the risk reduction in implementing these alternatives was insignificant are included in Section 3, for completeness. These alternatives are summarized in Appendix A to this report, but they have not been included for detailed discussion in Section 4.

3.1 GE BWR Plant Designs

Review of the GE BWR design identified three failure scenarios that could potentially lead to reactor vessel overfill events (NUREG-1217).* Two of the three failure scenarios could also contribute to overcool events during low pressure startup or shutdown operation. Table 3.1 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events.

The following alternatives, discussed in more detail in Section 4, consider modifications to some BWR plants in order to improve the overfill protection system.

They are:

* See also Appendix B, Section A.

(1) Modify plants designed with overfill protection similar to the reference plant (2-out-of-3) to upgrade their reactor vessel high water level feedwater trip system.

(2) Modify plants designed with less reliable overfill protection systems (1-out-of-1, 2-out-of-2, etc.) to be upgraded to a reference plant equivalent.

(3) Issue an information letter to all utilities with BWR plants informing them of the analytical results regarding overfill protection.

3.2 W PWR Plant Designs

Review of the W PWR design identified eight failure scenarios that could potentially lead to undesirable events (NUREG-1217). Two of these scenarios were identified as contributors to overfilling events, two others contributed to overcooling events, two contributed to reactor coolant system overpressure events at low temperature and pressure startup and/or shutdown conditions, and two contributed to release of radioactive material during a steam generator tube rupture (SGTR) event. Table 3.2 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events.

The following eight alternatives are discussed in more detail in Section 4.

These alternatives consider actions to be taken at different W plants in order to improve the overfill protection system (Section 3.2.1), prevent overcool transients (Section 3.2.2), and prevent overpressure transients (Section 3.2.3). An additional ninth alternative considers action to minimize potential control system failures that could cause an SGTR event to be more severe than previously analyzed (Section 3.2.4).

3.2.1 Overfill Events*

(1) Include automatic shutoff of the auxiliary feedwater system on steam generator, high water level.

(2) Issue an information letter to all utilities with W plants informing them of the evaluation regarding overfill transients via auxiliary feedwater.

(3) Modify plants with overfill protection designs similar to the reference plant to upgrade the steam generator, high-water-level, main feedwater, trip system.

(4) Take action to change the steam generator, high-water-level, main feedwater trip system.

3.2.2 Overcool Events

(1) Include automatic actuation of the steam isolation block valves to the atmospheric dump valves (ADVs) and for the isolation valves to the condenser steam dump valves.

* See also Appendix B, Section B.

(2) Modify the ADV controller logic to reduce the frequency of spurious opening of the ADVs.

3.2.3 Overpressure Events

(1) Take no action for additional modifications to the design of the control system for pressurizer, power-operated, relief valves (PORVs).

(2) Issue an information letter to all utilities with W PWR plants about the potential overpressure vulnerabilities resulting from operating procedures at low-temperature and low-pressure shutdown conditions.

3.2.4 SGTR Events

Issue an information letter to all applicants and licensees with W PWR plants informing them of the potential for non-safety grade, control system failures to occur that could make SGTR events more severe than previously analyzed. This alternative is also discussed in detail in Section 4.

3.3 B&W PWR Plant Designs

Review of the B&W PWR design identified three failure scenarios that could potentially lead to undesirable events (NUREG-1217). One failure scenario could lead to steam generator overfill and two failure scenarios could lead to reactor-core overheating. Table 3.3 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events. The following alternatives are discussed in more detail in Section 4.

3.3.1 Overfill Events*

(1) Test the steam generator, high water level, main feedwater, trip system monthly to reduce the likelihood of undetected failures.

(2) Test the steam generator, high water level, main feedwater, trip system monthly and also modify the existing trip logic to preclude undetected failures of the trip circuit and facilitate online testing.

(3) Improve the steam generator, high water level, main feedwater, trip system.

3.3.2 Overheat Events

Provide automatic protection to prevent steam generators from drying out on loss of "hand" and/or "auto" power to the integrated control system.

On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. The overcooling event occurred as a result of a loss of power to the integrated control system (ICS) (NUREG-1195). As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated for each of the reference plants. In addition, two B&W plant designs using the ICS 820 model were reviewed.

As a result of the Rancho Seco event, however, the B&W Owners Group (BWOG) has initiated a comprehensive study to reassess all B&W plant designs, including, but not limited to, the ICS and support systems such as power supplies and maintenance (Tucker, May 15, 1986). Recommended actions for design modifications for maintenance and for any changes to operating procedures (if any) developed for the utilities by the BWOG will be coordinated with the NRC staff and are outside the scope of this study.

* See also Appendix B, Section C.

3.4 CE PWR Plant Designs

Review of the CE PWR design identified four failure scenarios that could potentially lead to undesirable events (NUREG-1217): Two could lead to steam generator overfilling,* one could lead to reactor core overheating, and one could lead to an overcooling event. The overcooling event could potentially result in a possible thermal shock event in a plant with a vulnerable pressure vessel.

Table 3.4 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events. The following alternatives are discussed in more detail in Section 4. These alternatives are intended to improve overfill protection and prevent overheat or possible pressurized thermal shock events during shutdown operations following a small-break, loss-of-coolant accident (SBLOCA).

(1) Include an automatic steam generator high water level main feedwater pump or main feedwater isolation valve trip system.

(2) Improve operator procedures to manually depressurize the primary system following an SBLOCA.

Several other alternatives were also considered (NUREG/CR-3958), but the risk reduction associated with implementing them was not found to be significant.

These other alternatives focused on (1) different design modifications to the existing feedwater control system to improve the overfill protection capabilities and (2) improving administrative procedures to preclude possible pressurized thermal shock events during shutdown operations following an SBLOCA.

It was also concluded that the frequency of the failure scenario leading to a possible pressurized thermal shock event and eventual vessel failure was extremely small (estimated to be 1 x 10^-8 event per year) and, therefore, not judged to be a significant concern. These other alternatives were, therefore, not considered practical and are not discussed in this report.

*See also Appendix B, Section D.

4 DISCUSSION OF ALTERNATIVES

Alternatives for possible regulatory actions are discussed in the following sections. These alternatives focus on design modifications that could reduce the frequency of the initiating failure or could eliminate the mechanisms of control system failure that the staff found to be major contributors to events of concern. Only those alternatives judged to be important are discussed here.

4.1 GE BWR Plant Designs

The following alternatives propose methods to minimize the frequency of reactor vessel overfill. The detailed risk analyses and value impact analyses are presented in NUREG/CR-4387.

(1) Modify plant designs with overfill protection similar to the reference plant (i.e., 2-out-of-3) to upgrade their reactor vessel, high-water-level, feedwater-trip system.

Such modifications would upgrade plants with a 2-out-of-3 reactor vessel, high-water-level, feedwater-trip system to a 2-out-of-4 system. Implementing this alternative would minimize the effect of equipment failures that could lead to reactor vessel overfill.

The reference plant design has a commercial grade, 2-out-of-3, reactor vessel, high-water-level, feedwater-trip system. The level sensors are powered by independent power sources. Two of the three water-level instruments, however, share a common tap for the reference leg. Implementing this alternative would add another high-water-level, trip channel and logic to improve the reliability and increase the redundancy of the existing design.

(a) Safety Benefit

In NUREG/CR-4387, the core-melt frequency is estimated to be reduced by 7 x 10^-7 per reactor year by changing the existing 2-out-of-3 system to a 2-out-of-4 system. The estimated risk reduction is 123 man-rem over the life of the plant.

(b) Cost

Adding another channel and modifying the logic circuits is estimated to cost between $150,000 and $1,300,000 per plant. This variation in cost depends on whether additional containment penetrations and electrical cabinets are needed. It is estimated that 50 percent of these plants would require additional penetrations and electrical cabinets. Therefore, implementing this alternative is estimated to cost utilities a total sum ranging from $3,000,000 to $13,000,000. It is estimated that it would cost NRC less than $75,000, based on a 0.5 staff-month effort per plant, to review the design modifications.


(c) Value Impact

This alternative is not considered viable, considering the questionable safety benefit of adding another channel, and the high cost for changing the reference plant design from a 2-out-of-3 system to a 2-out-of-4 system.

(2) Upgrade plant designs with less-reliable, overfill protection systems (1-out-of-1, 2-out-of-2, etc.) to a reference plant equivalent.

Most operating BWR plants provide commercial grade protection against reactor vessel overfill identical to the protection provided for the reference plant (that is, a 2-out-of-3 high-water-level, pump-trip system with separate and independent electrical power supplies for each level sensor).

Several plants, however, have overfill protection designs with less independence and less reliability. These designs vary from 1-out-of-1, or 1-out-of-2, to a 2-out-of-2 reactor vessel, high-water-level, feedwater pump trip. On some designs, logic separation and electrical power independence could not be verified. Three early plants do not have any overfill protection systems that automatically isolate feedwater on a reactor vessel, high-water level, and rely solely on the operator to mitigate overfeed events (see Table A1 in Appendix A).

The relative safety benefits afforded by the different combinations of high-water-level, trip logics were evaluated using the reference plant as a model. The risk associated with the different trip systems was also estimated (NUREG/CR-4387).

(a) Safety Benefit

Although some safety benefit could be gained by providing additional reactor vessel, water-level redundancy and independence to the existing designs for BWR overfill protection systems that are less reliable than the reference plant design, the benefits are not considered significant for plants that have some sort of automatic, reactor vessel, high-water-level, feedwater-trip system. In NUREG/CR-4387, however, it is estimated that for plants with no automatic, feedwater trip, the overfill frequency is 15 times greater than estimated for the reference plant. For plants with no automatic, feedwater trip on high water level in the vessel, except for the early vintage, very-low power-rated plants located at low-density population sites, it is estimated that implementing (as a minimum) a single reactor vessel, high-water-level, trip system would reduce the risk by 3600 man-rem over the life of the plant. Implementing a 2-out-of-4 reactor vessel, high-water-level, trip system would reduce the overall risk by 3800 man-rem over the life of the plant. Although the difference in the risk reduction between these two designs is not significant, the additional redundancy provided in the 2-out-of-4 design provides operational flexibility during maintenance and online testing. It also minimizes spurious actuation of the feedwater-trip system. For the early vintage, low power-rated plants located in low-density population sites such as Big Rock Point and Lacrosse, the risk reduction to implement overfill protection is insignificant (i.e., less than 0.4 man-rem over the life of the plant).
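The trade-offs described in alternatives (1) and (2) above (a 2-out-of-3 trip in which two channels share a reference-leg tap, a single-channel trip against a 2-out-of-4 one, spurious actuation, and flexibility during maintenance) can be made concrete with k-out-of-n voting arithmetic. The block below is an added example, not analysis from NUREG-1218 or NUREG/CR-4387; the per-channel failure probabilities, the tap failure probability, and the treatment of a bypassed channel as forced to the non-trip state are assumptions chosen for illustration. It covers the five logics the page mentions (1-out-of-1, 1-out-of-2, 2-out-of-2, 2-out-of-3, 2-out-of-4) rather than only the two being compared.

```python
"""k-out-of-n voting arithmetic for a high-water-level feedwater trip.

Added example; not analysis from NUREG-1218 or NUREG/CR-4387. The per-channel
probabilities, the shared-tap failure probability and the bypass model are
constructed assumptions for illustration.
"""
from math import comb


def _at_least(k, n, p):
    """P(at least k of n independent channels are in a state each has with prob p)."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def pfd(k, n, q):
    """Probability of failure on demand for a k-out-of-n trip.

    q is the per-channel probability of a dangerous failure (the channel fails
    to detect high level). The trip cannot actuate when fewer than k channels
    detect, i.e. when at least n-k+1 channels have failed dangerously.
    """
    if n <= 0 or k > n:
        return 1.0  # no workable voting arrangement left: the trip cannot actuate
    return _at_least(n - k + 1, n, q)


def spurious_trip(k, n, s):
    """Probability of a spurious trip: at least k channels falsely indicate
    high level, s being the per-channel spurious-indication probability."""
    if n <= 0 or k > n:
        return 0.0
    return _at_least(k, n, s)


def pfd_with_shared_tap(q, p_tap):
    """2-out-of-3 in which two channels share one reference-leg tap, as the page
    describes for the reference plant. If the shared tap fails (probability
    p_tap, assumed) both channels are lost and the third alone cannot make
    2-out-of-3, so that failure adds to the independent-channel term."""
    return p_tap + (1 - p_tap) * pfd(2, 3, q)


def with_one_channel_bypassed(k, n):
    """Voting logic left when one channel is out of service for maintenance and
    its output is forced to the non-trip state (assumption of this example)."""
    return k, n - 1


LOGICS = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3), "2oo4": (2, 4)}


def compare(q=0.01, s=0.001):
    """Tabulate PFD, spurious-trip probability and PFD with one channel bypassed
    for the logics the page discusses (q and s are constructed values)."""
    rows = {}
    for name, (k, n) in LOGICS.items():
        kb, nb = with_one_channel_bypassed(k, n)
        rows[name] = {
            "pfd": pfd(k, n, q),
            "spurious": spurious_trip(k, n, s),
            "pfd_one_bypassed": pfd(kb, nb, q),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: PFD={row['pfd']:.3g}  spurious={row['spurious']:.3g}  "
              f"PFD(one bypassed)={row['pfd_one_bypassed']:.3g}")
    print(f"2oo3 with shared tap (p_tap=1e-3): PFD={pfd_with_shared_tap(0.01, 1e-3):.3g}")
```

With the constructed values the run shows in numbers what the page says in words: 2-out-of-4 keeps the demand failure probability in the 10^-6 range and the spurious-trip probability two orders of magnitude below a single channel, and with one channel out for maintenance it still votes as 2-out-of-3, whereas a 2-out-of-3 degrades to 2-out-of-2 and a 1-out-of-1 to no trip at all. The shared-tap term also shows why the report calls out the common reference leg: at p_tap = 10^-3 it dominates the independent-channel contribution, so adding a fourth channel buys little unless the common tap is addressed as well.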


(b) Cost

The cost of adding a single, high-water-level, pump trip or a 2-out-of-4 high-water-level, pump trip to plants that have no existing automatic trip logic could not be accurately determined, but is estimated to cost between $100,000 and $500,000 per plant. Of the three plants that do not have automatic, high-water-level, feedwater-trip systems, one plant (i.e., Oyster Creek) warrants an upgrade. Therefore, implementing this alternative is estimated to cost utilities approximately $100,000. For a more versatile design that would facilitate online testing, the estimated total industry cost would be approximately $500,000 (for this plant, additional penetrations are not needed to complete the modifications). It is estimated that it would cost NRC $5000, based on a 0.5 staff-month effort per plant, to review the design modification.

(c) Value Impact

This is a viable alternative, considering the safety benefit that can be gained by upgrading certain plants that have no overfill protection to a 1-out-of-1, high-water-level, trip configuration or better and the relatively low cost estimated for implementing the designs. It should be noted that although a single, high-water-level, feedwater-trip system is adequate, a more redundant design that facilitates online testing, minimizes spurious actuation, and permits bypass capabilities during equipment inoperability is preferred. It should also be noted that for early vintage, low power-rated plants located in remote areas (i.e., Big Rock Point and Lacrosse), this alternative is not viable.

(3) Issue an information letter to all utilities that have BWR plants informing them of the evaluation results regarding overfill protection.

The review evaluated a large number of BWR plant designs and identified variations in the overfill protection design for BWR plants (see Table A1 in Appendix A). Sensitivity studies were performed to determine if the differences in the designs were significant. Although the staff concluded that only trivial safety benefit could be gained by providing additional, redundant, water-level sensors for the feedwater-trip system of plants that have overfill protection systems, variations in these designs can exist that may have not been considered in this review because of the assumptions made in utilizing the reference plant design as a base model. Plant-specific differences (such as power supply interdependencies, sharing of sensors between control and trip logic, operator training and procedures, and design for indication and alarms available to the operator) may exist. However, the staff believes that plant-specific differences will not significantly alter the estimate of failure rate utilized in the staff study.

It is proposed that the staff issue an information letter to all utilities whose BWR plants have automatic, overfill protection systems, advising them of the potential failure mechanisms for overfill and associated consequences.

(a) Safety Benefit

Implementing this alternative would provide licensees with information that could allow them to identify potential improvements in plant designs and minimize potential common-mode failures that could increase the likelihood of overfill events.

Some safety benefit could be gained by modifying existing overfill protection designs if the designs are susceptible to common-cause failures associated with the plant-specific design. It is difficult, however, to determine this safety benefit accurately.

(b) Cost

The utilities would incur no appreciable cost by implementing this alternative.

(c) Value Impact

No value impact is associated with implementing this alternative.

4.2 W PWR Plant Designs

The following proposed alternatives are methods to minimize steam generator overfill, reactor vessel overcool, and overpressure events. The detailed risk analyses and value impact analyses are presented in NUREG/CR-4385.

(1) Provide automatic shutoff (or flow restriction) of the auxiliary feedwater system on steam generator, high water level.

This alternative proposes that the existing auxiliary feedwater (AFW) system be modified to automatically restrict the AFW flow or trip the AFW pumps on steam generator, high water level.

For the reference plant study, the onset of steam generator overfill via the AFW system was predicted to occur in about 3 minutes. The AFW system is automatically initiated when the main feedwater pumps trip, and overfill conditions would occur via AFW flow if the operator failed to manually terminate AFW on steam generator, high water level.

(a) Safety Benefit

In NUREG/CR-4385, core-melt frequency is estimated to be reduced by about 6 x 10^-8 per reactor year by providing such automatic shutoff. It is estimated that risk would be reduced by about 9 man-rem over the life of the plant.

The potentially negative consequences of implementing this alternative (i.e., increasing the potential for inadvertent isolation of the AFW system) have not been factored into these estimates. Inadvertent isolation of the AFW system when the system is required could decrease the overall reliability of the system and could reduce plant safety.

(b) Cost

The switches on the steam generator that are used to control water level and that are already used to trip the reactor or initiate the feedwater-isolation system could also be utilized for this modification, thus reducing equipment costs associated with implementing this alternative.

The estimated cost to implement a high-water-level trip or restrict flow for the AFW system is about $45,000 per 3-loop plant. Implementing this alternative is estimated to cost utilities a total of $2,300,000. This does not include the cost for electrical penetrations and electrical systems cabinets that may be needed. Assuming that 50 percent of the plants would require additional penetrations, the estimated cost to industry is $27,000,000. It is estimated that it would cost NRC $250,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

(c) Value Impact

This alternative is not considered viable because the safety benefit is questionable and because a potentially high cost may be incurred.

(2) Issue an information letter to all applicants and licensees that have W PWR plants informing them of the results of reviews of steam generator overfill transients via the auxiliary feedwater systems.

Review of other W PWR plants identified variations in the design of the AFW systems that could change the time required to overfill the steam generators via the AFW system. Some plant designs represented improvements over the reference plant design. These improved designs utilize restricting orifices or flow-restricting control valves in the flow lines that prevent excessive AFW flow to any steam generator and allow more time for the operators to respond to overfeed events. This design feature would result in less-severe transients than those postulated for the reference plant. The review did not identify any plants at which overfill transients could be more severe than at the reference plant. Although it is the staff's judgment that the analysis conducted on the reference plant is a bounding analysis, there may be some plant designs for which some safety benefit could be gained either by providing automatic shutoff or flow restriction of the AFW system on steam generator, high water level or by improving administrative procedures to preclude such overfill events. Therefore, an information letter could be issued to all utilities to provide them with the data and the results of staff analysis.

(a) Safety Benefit

By implementing this alternative, personnel could potentially identify plant-specific designs for which some safety benefit could be gained in providing a steam generator, high-water-level trip to existing AFW designs or to improve administrative procedures to preclude overfill events via the AFW system. It is impractical, however, to quantify this safety benefit.

(b) Cost

The utilities would incur no appreciable cost by implementing this alternative.

(c) Value Impact

No value impact is associated with implementing this alternative.


(3) Modify plants with overfill protection designs similar to the reference plant to upgrade the steam generator, high-water-level, main-feedwater-trip system.

Implementing this alternative would upgrade designs for plants with a 2-out-of-3 steam generator, high-water-level, main-feedwater-trip system to a 2-out-of-4 system. Implementing this alternative would minimize redundant equipment failures that could lead to steam generator overfill and ensures compliance with Section 4.7(3) of IEEE Standard 279-1971 relating to control and protection system interaction.

The reference plant design has a safety grade, 2-out-of-3, steam generator, high-water-level, main-feedwater-trip system. This alternative would include an additional safety grade, water-level instrument and logic modification for each steam generator.

(a) Safety Benefit

The estimated core-melt frequency associated with the overfill transient is extremely small (less than 10^-10 per reactor year) because the high-quality, redundant, safety grade, trip system has already been incorporated into the design. Therefore, only insignificant risk reduction could be gained by incorporating additional redundancy.

(b) Cost

The estimated cost for adding another safety channel is between $250,000 and $1,300,000 per plant. The cost depends on whether additional containment penetrations and electrical cabinets are needed for these modifications. It is estimated that 65 percent of the plants would need some modification and that half of these plants could require additional penetrations and cabinets. Therefore, implementing this alternative is estimated to cost utilities a total sum ranging from $8,000,000 to $24,000,000. It is estimated that it would cost NRC $250,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

(c) Value Impact

This alternative is not considered viable because virtually no safety benefit will be derived from it and because the cost of modifying the existing design is potentially high.

(4) Change the steam generator, high-water-level, main-feedwater-trip system.

Review of a number of operating plant designs and new designs under review for an operating license confirmed that all but three W PWR plant designs (Haddam Neck, San Onofre 1, and Yankee Rowe) have either a 2-out-of-3 or a 2-out-of-4, steam generator, high-water-level, trip system to terminate the main feedwater flow during an overfill event. These systems are redundant and are designed to meet safety grade requirements. San Onofre and Yankee Rowe do not have automatic overfill protection. Haddam Neck has an overfill protection system consisting of a safety grade, 1-out-of-2, steam generator, high-water-level interlock which automatically shuts the main feedwater control valves to the steam generator. The newer designs incorporate the more redundant 2-out-of-4 system that gives additional flexibility during testing and satisfies all the prescribed safety requirements, including those that relate to control and protection systems interactions addressed in Section 4.7(3) of IEEE Standard 279-1971. The licensee event report (LER) review of operating history of W PWR plants revealed that no steam generator-overfill events have occurred as a result of feedwater overfill transients. The staff, therefore, concludes that sufficient design features are provided on all but three W plants for feedwater isolation and for operator training to mitigate overfeed transients in sufficient time to prevent steam generator-overfill events.

(a) Safety Benefit

Not applicable.

(b) Cost

The utilities would incur no appreciable cost by implementing this alternative.

(c) Value Impact

This alternative is not viable. The existing designs provide an adequate degree of protection for overfeed transients to prevent steam generator-overfill events; therefore, no additional requirements are recommended.


(5) Provide automatic actuation of the steam-isolation, block valves to the atmospheric dump valves (ADVs) and for the isolation valves to the condenser-steam dump valves.

The following control system failure modes were identified that could lead to reactor overcool transients: Case 1 - Inadvertent opening of all five condenser-steam dump valves during full power operation, and Case 2 - Inadvertent opening of the atmospheric dump valves, condenser-steam dump valves, or main turbine stop valves during hot-shutdown conditions.

This alternative requires that the control system design be modified to automatically close the isolation block valves to the steamline, power-operated, relief valves (i.e., atmospheric dump valves (ADVs)) and to the condenser-steam dump valves. This modification would isolate the steam flow resulting from inadvertent opening of these valves, and would mitigate overcooling events resulting from such failures.


For Case 1, multiple independent failures are needed to open all five condenser-steam dump valves. A special arming circuit installed at most W plants would have to fail or be disabled, in addition to another single failure in the control circuit, for all valves to fail open. The failure frequency to open all the condenser-steam dump valves is, therefore, estimated to be very low. In addition, most operating plants and plants under review for operating licenses have systems designs that represent an improvement over the reference plant design. These designs will automatically terminate steam flow by isolating the steamlines via the MSIVs on a low-steamline pressure signal. For those plants in which a control system failure results in inadvertent opening of relief valves downstream of the MSIVs, the overcooling transient should be less severe than for the reference plant design.

NUREG-1218 4-7

For Case 2, the major control system contributors in terms of the frequency of initiating failures to an overcooling event were failures associated with inadvertent opening of the ADVs. The contribution associated with condenser-steam dump valve failures (i.e., failure frequency) is estimated to be a factor of 10 less than the ADVs and the contribution associated with the turbine stop valve failures is estimated to be a factor of 100 less than the ADVs. For Case 2, only ADVs are considered.

(a) Safety Benefit

In NUREG/CR-4385, public risk associated with Case 1 failures has been estimated. The estimated core-melt frequency associated with this failure scenario is extremely small (less than 10^-10 per reactor year). This is due to a combination of the low initiating frequency and the low probability of subsequent fuel damage or core melt following an accident on the steam side of a PWR. The estimated public risk is less than 0.003 man-rem for the life of the plant. For those plants that provide automatic MSIV closure on a low-steamline-pressure signal, the core-melt frequency contribution would be even smaller than predicted for the reference plant. For Case 2, a higher core-melt frequency was calculated because of potential single failures that could open the ADVs. The estimated core-melt frequency associated with such overcooling events is 8 x 10^-7 per reactor year. The estimated public risk is 118 man-rem for the life of the plant. The estimated reduction in core-melt frequency associated with implementing automatic actuation of the block valves (for ADVs only) is 1.4 x 10^-7 per reactor year. The estimated risk reduction was 20 man-rem for the life of the plant.

(b) Cost

For Case 1: The estimated cost of providing instrumentation for automatic isolation valve closure logic for the condenser-steam dump valves is $65,000 per plant. Implementing this alternative is estimated to cost utilities a total of $3,400,000. If additional valves are needed to replace the existing valves, the cost would be significantly greater and would vary from plant to plant, depending on how many steam dump valves the plant has.

For Case 2: The estimated cost of providing automatic block valve closure logic for ADVs is between $123,000 and $1,200,000 per plant. The variation in cost depends on whether additional containment penetrations and electrical cabinets are needed. It is estimated that 50 percent of the plants could require additional penetrations and cabinets. Therefore, implementing this alternative is estimated to cost utilities a total sum between $6,500,000 and $37,000,000. It is estimated that it would cost NRC $250,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

(c) Value Impact

For Case 1: This alternative is not considered viable because virtually no safety benefit will be derived from implementing automatic isolation of the condenser-steam dump valves.

NUREG-1218 4-8

For Case 2: This alternative is not considered viable because the safety benefit is insignificant and the cost of modifying the existing design to provide automatic isolation of the ADVs is potentially high.

It should be noted that Generic Issue 70 (Bernero, April 30, 1985) was established to assess the need for improving the reliability of the PORVs and block valves in light of plant protection and accident-mitigation requirements. This study will be applicable to all PWRs that have PORVs.

Once that issue is resolved, additional insight may warrant reconsideration of the existing designs.

(6) Modify the ADV controller logic to reduce the frequency of spurious opening of the ADVs.

This alternative also deals with false ADV lifts resulting from control system failures (same as Case 2 of Alternative 5). This alternative would not eliminate mechanical failures, but is intended to minimize the ADV failure rate resulting from electrical faults. It was assumed that an enable circuit added to the existing design would be required.

(a) Safety Benefit

In NUREG/CR-4385, the estimated reduction in the frequency of core melt from implementing this alternative is 1.5 x 10^-7 per reactor year. The estimated risk reduction is about 20 man-rem for the life of the plant.

(b) Cost

The estimated cost to the utilities of modifying the ADV controller logic is between $123,000 and $1,200,000 per plant. The variation in cost depends on whether additional penetrations and electrical cabinets are needed. It is estimated that 50 percent of the plants could need additional penetrations and cabinets. Therefore, implementing this alternative is estimated to cost utilities a total ranging from $6,500,000 to $37,000,000.

(c) Value Impact

This alternative is not considered viable because only a very small safety benefit could be gained, and because the cost of implementing this modification is potentially high.

(7) Upgrade the design of the control system for pressurizer PORVs.

Although a number of alternatives were considered in Section 3 to minimize overpressure events, the alternative of additional modification for overpressure protection was not considered appropriate for the following reasons:

(i) The pressurizer PORVs in W PWR plants are powered from independent, safety-grade power supplies in essentially the same configurations as in the reference plant design. Some plants provide independent, non-Class 1E, battery-backed power supplies, which the staff has also found acceptable. This design minimizes the potential of a common-mode failure resulting from a loss of electric power and minimizes the potential for an overpressure event resulting from control system failures.

NUREG-1218 4-9

(ii) A large number of plant designs contain additional improvements over the reference plant design. These improvements consist of overpressure-relief capability through the residual heat removal (RHR) system (during cold-shutdown operations) which allows more time for the operator to respond to overpressure events. This design feature results in less severe transients than are produced on the reference plants.

Only a few plant designs were identified as being identical to the reference plant design in which additional pressure-relief capability via the RHR system was not provided. The staff believes, however, that sufficient reviews were conducted previously (NUREG-0371, -0748) to conclude that all the W designs provide a design system equivalent to or better than the design system of the reference plant.

In addition, two major ongoing generic studies are determining the need for additional modifications to existing pressurizer PORV systems [i.e., Generic Issue 70 (Bernero, April 30, 1985) and Generic Issue 94 (Denton, July 23, 1985)]. Conditioned on the satisfactory resolution and completion of these generic issues, this alternative is considered a viable option.

(a) Safety Benefit

In NUREG/CR-4385, the contribution of frequency of core melt for the overpressure event on the reference plant design is less than 1 x 10^-10 per reactor year. This is due primarily to the low initiating frequency estimated for the identified failure mode. Because most of the plants provide equivalent or better designs than the reference plant provides, the core-melt frequency contributions for other plants are expected to be as low.

No safety benefit would be gained by instituting additional requirements.

(b) Cost

The utilities would incur no appreciable cost by implementing this alternative.

(c) Value Impact

Not applicable.

(8) Issue an information letter to all applicants and licensees that will operate W PWR plants about the potential overpressure vulnerabilities resulting from operating procedures at low-temperature and low-pressure shutdown conditions.

This alternative was considered because variations in plant procedures could exist that could create the potential for the operator to cause reactor vessel overpressure conditions by prematurely transferring the PORV setpoints to a higher value during shutdown or startup operations.

The staff did not review the appropriate plant procedures to determine which plants are susceptible to this problem. The nuclear steam supply system vendor stated (Westinghouse, WCAP-10797) that most W PWRs have procedural and administrative controls that would make the pressure transients at these conditions less severe than conditions analyzed for the reference plants, primarily because of the capability of the RHR system to relieve pressure. The adequacy of this capability is currently being reevaluated under Generic Issue 94.

NUREG-1218 4-10

(a) Safety Benefit

In NUREG/CR-4385, the overpressure consequences for this scenario have been estimated. The estimated contribution of this overpressure event (frequency of core melt) is less than 1 x 10^-10 per reactor year. This is due primarily to the low initiating frequency estimated for the identified failure mode. A reduction in the frequency of core melt for any modification to the procedures would, therefore, be insignificant.

(b) Cost

The utilities would incur no appreciable cost by implementing this alternative.

(c) Value Impact

This alternative is not considered viable because essentially no safety benefit is to be gained from implementing this alternative. The resolution of Generic Issue 94 may result in additional changes which have not been considered here.

(9) Issue an information letter to all applicants and licensees with W PWR plants informing them of the potential for non-safety-grade control-system failures to occur that could make SGTR events more severe than previously analyzed.

Two control-system failure scenarios were identified during the review. One was an inadvertent opening of an ADV (or safety-grade relief valve) coincident with a loss of offsite power. The other was an instantaneous main feedwater overfeed transient coincident with an inadvertent opening of the ADV (or safety/relief valve).

Staff analysis indicates that the contribution of these events to the frequency of core melt is extremely small, primarily because of the low estimated initiating frequency for the combination of failures identified.

This alternative was considered, however, because the designs of the offsite power systems on different plants vary and because the reliability of these systems can alter assumptions made in this report about the frequency of accidents. Such variations could change the calculations on core-melt frequency.

(a) Safety Benefit

In NUREG/CR-4385, the safety benefit of informing applicants and licensees about this potential was estimated. The estimated contribution to the frequency of core melt of the event involving a simultaneous failure of the feedwater control system coincident with an inadvertent opening of the ADV is less than 1 x 10^-20 per reactor year. Therefore, any design modification would reduce the frequency of core melt only insignificantly. The contribution to the frequency of core melt for the event involving an inadvertent opening of the ADV coincident with a loss of offsite power, however, is estimated to be 1 x 10^-8 per reactor year. The estimated public risk associated with this event is about 2 man-rem for the life of the plant.

(b) Cost

Not applicable.

(c) Value Impact

This alternative is not viable. Variations in the reliability of offsite power for different plant designs may modify the frequency of loss of offsite power (up to 8 hours) by a factor of 30 (NUREG-1032). Such variations would not change the contribution to the frequency of core melt enough to warrant modifications to the design.

4.3 B&W PWR Plant Designs

The following alternatives propose methods to minimize steam generator overfill and reactor vessel overheat events. The detailed risk analyses and value impact analyses are presented in NUREG/CR-4386.

(1) Test the steam generator high-water-level main-feedwater-trip system every month to reduce the likelihood of undetected failures.

The design of the reference plant (Oconee Nuclear Station, Unit 1) calls for a non-safety-grade main-feedwater pump trip utilizing a 2-out-of-2 steam generator high-water-level trip system from each steam generator. The design is subject to a number of single failures, each of which can prevent a feedwater trip on high water level. The system is designed in an "energized to trip" configuration in such a way that a loss of control power (i.e., 125-V dc) to the control system would not trip the feedwater pumps. A loss of power to the level sensors with available 125-V dc control power would cause the main feedwater pumps to trip. This alternative was considered in order to reduce the frequency of undetected failures which could lead to steam generator overfill events. Only three plants (Oconee Nuclear Station, Units 1, 2, and 3) utilize this design. Other B&W designs are discussed below.

(a) Safety Benefit

In NUREG/CR-4385, the safety benefit of such monthly testing was estimated. The estimated reduction in the frequency of core melt as a result of performing monthly inspections is 3.2 x 10^-6 per reactor year. The estimated reduction of risk is 450 man-rem for the life of the plant. An increased test frequency, however, could increase the likelihood of inadvertent loss-of-feedwater (LOF) events. The challenges to the protection systems resulting from these inadvertent LOF events could potentially lead to adverse

NUREG-1218 4-12


overheat transients. It was not practical to estimate the risk associated with these negative contributions.

(b) Cost

The estimated cost of developing test procedures and inspecting the system on a monthly basis is about $100,000 per plant. This estimate does not include plant downtime that could occur because of inadvertent feedwater-pump trips caused by additional testing. Only Oconee 2 and 3 are similar in design to the reference plant. Therefore, the estimated total cost to utilities for implementing this alternative is $300,000. The NRC would incur no costs if this alternative were implemented.

(c) Value Impact

This alternative is not considered viable. Considering only the benefits derived from implementing this alternative and the relatively low cost incurred, it would at first appear that this alternative is viable. The staff finds, however, that the likelihood of increasing the number of transients from an inadvertent loss of feedwater resulting from more testing is sufficiently high that potential risks outweigh any estimated safety benefits.

In addition, it may not be possible to test a complete control system circuit on the present design during normal plant operation, and the utility could incur additional costs in providing a fully testable system.

(2) Test the steam generator high-water-level main-feedwater pump trip system monthly, and also modify the existing trip logic to preclude undetected failures in the trip circuit and facilitate online testing. This alternative is applicable only to Oconee 1, 2, and 3 plants.

This alternative would also include additional design modifications to:

(i) permit full online testing of the trip system, and (ii) provide an additional trip relay in parallel with the existing master trip relay to prevent a single failure (or an undetected failure) from initiating a trip.

This alternative differs from Alternative 1 (above) by specifying (i) additional redundancy to the existing trip logic, and (ii) additional circuit modifications to permit full test capability of the overfill protection system.

(a) Safety Benefit

In NUREG/CR-4386, the safety benefit of implementing such modifications and instituting monthly testing as described was estimated to reduce the core-melt frequency by 7 x 10- per reactor year. The estimated risk reduction is 1000 man-rem for the life of the plant.

NUREG-1218 4-13

(b) Cost

The estimated cost for developing new test procedures, providing monthly inspections, and modifying existing logic is $200,000 per plant. This does not include downtime costs that could be incurred as a result of inadvertent feedwater pump trips caused by additional testing. Only Oconee 2 and 3 are similar to the reference plant. Therefore, implementing this alternative is estimated to cost utilities a total of $600,000. It is estimated that it would cost NRC $15,000, based on a 0.5 staff-month effort per plant, to review the design modification.

(c) Value Impact

Even given the potential for LOF events resulting from additional testing, the risk reduction gained from these modifications makes this alternative viable. The potential uncertainty for an increased number of LOF transients exists for this alternative as for Alternative 1. The improved reliability of the design as a result of implementing this alternative, however, improves the estimated risk reduction. It should be noted that other alternatives may be preferred.

(3) Upgrade the steam generator, high-water-level, main-feedwater pump, trip system.

This alternative would propose that the overfill protection system on the reference plant be upgraded to satisfy the single-failure criterion. Two cases were considered to improve the existing plant design. Case 1 would provide an additional, independent main feedwater trip system actuated from a separate steam generator high-water-level channel to isolate the feedwater flow via a trip of the main feedwater block valves. The current design provides a 2-out-of-2 high-water-level trip system that only trips the main feedwater pumps. Case 2 would propose that the existing design be upgraded to a 2-out-of-3 or 2-out-of-4 high-water-level trip system. Several modifications to the trip system logic were evaluated in NUREG/CR-4386.

As a result of that evaluation, it was concluded that most of the benefits gained from implementing a 2-out-of-4 trip system rather than a 2-out-of-3 system were associated with greater flexibility and ease in testing the trip system during power operation. There was no substantial difference between the reduction in risk for a 2-out-of-3 or a 2-out-of-4 trip logic system. These alternatives would not require additional testing beyond what is presently provided.

Only the two other B&W PWR plants (Oconee 2 and 3) have overfill protection systems similar to the overfill protection system of the reference plant.

All other operating plant designs and plants currently in the licensing review stage have modified their designs or have committed to modify their designs by the time of the next refueling. These modified designs are safety grade. The initiating logic is either a 2-out-of-4 or a 1-out-of-2-taken-twice high-water-level trip system actuating redundant main feedwater isolation systems (i.e., closure of main feedwater isolation and control valves). One plant design currently under review for an operating license will use a safety-grade 2-out-of-3 trip logic system. The design at other B&W PWR plants offers, or will offer, an adequate degree of protection for steam generator overfill events. These designs represent a substantial improvement; therefore, no additional changes are recommended for these plants. It should be noted, however, that the plants that have committed to, but have not yet implemented, these designs are more at risk than the reference plant design because they lack a high-water-level main feedwater trip. It is recommended that these design modifications be implemented at other plants in a timely manner.

NUREG-1218 4-14
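The single-failure argument behind Alternative 1 (a 2-out-of-2 energized-to-trip system that one stuck-low channel or a control-power loss can defeat) and Alternative 3 (2-out-of-3, 2-out-of-4 and 1-out-of-2-taken-twice logic) can be checked by exhaustive enumeration. The following Python model is an added illustration, not part of NUREG-1218 or the cited contractor reports; the channel failure modes, the treatment of control-power loss, and the scoring rule are my modelling assumptions.

```python
"""Single-failure analysis of steam generator high-level trip voting logic.

Constructed model: each level channel either reports the true level ("ok"),
sticks low ("fail_low"), or sticks high ("fail_high").  A trip configuration
is scored by the minimum number of simultaneous channel failures that
(a) block a trip during a real high-level condition and
(b) cause a spurious trip at normal level.
The single-failure criterion is taken to be met when neither outcome can be
produced by a single failed channel.
"""
from itertools import product

FAIL_MODES = ("ok", "fail_low", "fail_high")


def channel_vote(true_high, mode):
    """Return True if this channel votes 'high level'."""
    if mode == "ok":
        return true_high
    return mode == "fail_high"  # fail_low never votes; fail_high always votes


def k_out_of_n(k):
    """Build a k-out-of-n voting function; n is the number of votes supplied."""
    def logic(votes):
        return sum(votes) >= k
    return logic


def one_out_of_two_taken_twice(votes):
    """Two 1-out-of-2 pairs whose outputs are combined 2-out-of-2 (4 channels)."""
    return (votes[0] or votes[1]) and (votes[2] or votes[3])


def system_trips(logic, modes, true_high, control_power=True):
    """Evaluate the trip system for one failure pattern.

    The reference plant is described as 'energized to trip': with the 125-V dc
    control power lost the output relays cannot actuate, so no trip is produced
    regardless of the channel votes (modelling assumption based on that text).
    """
    if not control_power:
        return False
    votes = [channel_vote(true_high, m) for m in modes]
    return logic(votes)


def min_failures(logic, n, true_high, want_trip):
    """Smallest number of failed channels that produces the unwanted outcome.

    true_high=True,  want_trip=True  -> failures needed to block a real trip
    true_high=False, want_trip=False -> failures needed for a spurious trip
    Returns None if no pattern of channel failures produces the outcome.
    """
    best = None
    for modes in product(FAIL_MODES, repeat=n):
        failed = sum(m != "ok" for m in modes)
        if system_trips(logic, modes, true_high) != want_trip:
            if best is None or failed < best:
                best = failed
    return best


def analyze(logic, n):
    """Return (failures to block a trip, failures for a spurious trip, meets SFC)."""
    block = min_failures(logic, n, true_high=True, want_trip=True)
    spurious = min_failures(logic, n, true_high=False, want_trip=False)
    meets_sfc = all(x is not None and x > 1 for x in (block, spurious))
    return block, spurious, meets_sfc


# Configurations named in the report's discussion of the B&W overfill trip.
CONFIGS = {
    "2-out-of-2 (reference plant)": (k_out_of_n(2), 2),
    "2-out-of-3": (k_out_of_n(2), 3),
    "2-out-of-4": (k_out_of_n(2), 4),
    "1-out-of-2 taken twice": (one_out_of_two_taken_twice, 4),
}


def main():
    print(f"{'configuration':30} {'block trip':>10} {'spurious':>9}  single-failure criterion")
    for name, (logic, n) in CONFIGS.items():
        block, spurious, ok = analyze(logic, n)
        print(f"{name:30} {block:>10} {spurious:>9}  {'met' if ok else 'NOT met'}")
    # Loss of control power defeats every energized-to-trip configuration alike.
    print("trip with control power lost:",
          system_trips(k_out_of_n(2), ("ok", "ok"), True, control_power=False))


if __name__ == "__main__":
    main()
```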

(a) Safety Benefit

In NUREG/CR-4386, the safety benefit of this upgrade was estimated. For Case 1, the estimated reduction in the frequency of core melt is 9 x 10^-8 per reactor year. The estimated risk reduction is 1300 man-rem over the life of the plant. For Case 2, the estimated reduction in the frequency of core melt is 8 x 10^-8 per reactor year. The estimated risk reduction is 1200 man-rem over the life of the plant.

(b) Cost

Cost is not estimated for Case 1. It is assumed that existing steam generator water-level transmitters used for other functions (e.g., startup range transmitters) could be utilized to monitor a high-water-level condition in the steam generator. The cost per plant for implementing this alternative would, therefore, be relatively low (less than $100,000). If additional electrical penetrations, electrical cabinets, and water-level transmitters are required, the cost would be higher. Only Oconee 2 and 3 are similar to the reference plant; therefore, the estimated cost per plant is $300,000. If additional penetrations, cabinets, and transmitters are needed, the cost per plant could be as high as $1,100,000 and the total cost to utilities could be as high as $3,300,000.

For Case 2, the estimated cost for modifying the design to a 2-out-of-3, high-water-level, pump-trip configuration is $300,000; the estimated cost per plant is $600,000 for modifying the design to a 2-out-of-4 system.

These estimates do not include installation of additional electrical penetrations or control cabinets that may be needed. Only Oconee 2 and 3 are similar to the reference plant; therefore, the estimated total cost to utilities is $900,000 and $1,800,000, respectively. If additional penetrations and cabinets are needed, it could cost the utilities as much as $5,000,000 to install a 2-out-of-4 system in the three plants. It is estimated that it would cost NRC $15,000 (for either case), assuming a 0.5 staff-month effort per plant, to review the design modifications.

(c) Value Impact

For Case 1, this alternative is considered viable, considering the substantial risk reduction that can be gained by implementing it and the potentially moderate costs that would be incurred. For Case 2, this alternative is also considered viable, considering the significant risk reduction that can be gained from implementing an upgrade and the relatively low cost. If, however, additional electrical penetrations are needed, this alternative could become too expensive and of less benefit than Case 1.

NUREG-1218 4-15

(4) Provide automatic protection to prevent steam generators from drying out on loss of "hand" (manual) control or "auto" (automatic) control power to the integrated control system.

Two scenarios were identified that could potentially lead to core overheat events. These events could occur if the operator did not take proper action to ensure feedwater flow to the steam generators. Loss of hand power and loss of auto power in the integrated control system (ICS) were identified as the initiators of the overheat scenarios.

A number of corrective actions could be taken to avoid this dryout scenario. They include:

(i) Provide automatic initiation of the emergency feedwater system on steam generator low water level (preferred).

(ii) Provide sufficient feedwater flow at minimum pump speed to keep the steam generator from drying out.

(iii) Trip the main feedwater pumps on loss of hand power (a main feedwater pump trip would automatically initiate the emergency feedwater systems).

(iv) Train operators to cope with a loss of hand or auto power to the ICS.

(v) Install alarms in the control room to alert operators to loss of hand and auto power to the ICS.

Some of these actions take place automatically; others require operator interaction.

All B&W PWR plants, with the exception of the reference plant and Oconee 2 and 3 designs, provide automatic initiation of the emergency feedwater system on steam generator low water level (action i), minimizing the potential for loss of steam generator cooling. Therefore, this concern is plant specific and applies only to Oconee 1, 2, and 3 plants.

(a) Safety Benefit

In NUREG/CR-4386, the safety benefit of implementing such automatic protection was estimated. The estimated reduction in the frequency of core melt to implement the different options is between 2 x 10^-8 per reactor year and 9 x 10^-8 per reactor year. The preferred option of the five options listed above is to provide automatic initiation of the emergency feedwater system on steam generator low water level. The estimated risk reduction for the preferred option is between 155 man-rem and 870 man-rem over the life of the plant.

(b) Cost

It is considered extremely unlikely that the cost of implementing the suggested corrective actions would exceed $150,000 per plant. Therefore, it would cost utilities a total of $450,000 to implement this alternative. It is estimated that it would cost NRC $15,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

NUREG-1218 4-16

(c) Value Impact

This alternative is considered viable because some safety benefit could be gained with minimal modifications.

4.4 CE PWR Plant Designs

The following alternatives propose modifications to minimize steam generator overfill events and reactor vessel overpressure events. The detailed risk analyses and value impact analyses are presented in NUREG/CR-3958.

(1) Provide an automatic, redundant steam generator high-water-level main feedwater pump or feedwater isolation valve trip system.

Implementation of this alternative would mean that all CE PWR plant designs have a 2-out-of-4 steam generator high-water-level feedwater-isolation system. The reference plant design currently utilizes a 2-out-of-4 steam generator high-water-level signal to trip the main steam turbine. A turbine trip signal will, in turn, trip the reactor, shut the main feedwater valves, and open the startup feedwater valves to 5 percent of rated flow.

Although the current feedwater runback system does reduce the frequency of steam generator overfill events should an overfeed transient occur, the operator is still needed to manually trip the feedwater pumps or the feedwater isolation valves to prevent overfill if a failure renders the feedwater runback system inoperable. This design is similar to the design of other CE PWR plants.

The main feedwater isolation system should be initiated at a higher steam generator water-level setpoint than is used for the runback control. This would permit the existing control system to perform its function and would minimize the need to automatically terminate main feedwater.

(a) Safety Benefit

In NUREG/CR-3958, the safety benefit of such a system was estimated. The estimated reduction in the frequency of core melt is 4 x 10 8 per reactor-year. The estimated risk reduction is 570 man-rem over the life of the plant.

(b) Cost

It was assumed that existing instrumentation to generate the high-water-level signal and the existing motor-operated feedwater isolation valves could be used. The cost for implementing this alternative (i.e., a 2-out-of-4, steam generator, high-water-level, feedwater isolation) would, therefore, be relatively low (less than $100,000 per plant). It would cost utilities a total of $1,500,000 to provide this automatic-trip system. If additional electrical penetrations and electrical cabinets were required, the cost would be higher. It is assumed that existing penetrations and cabinets can be used for implementing this alternative. It is estimated that it would cost NRC $75,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

(c) Value Impact

This alternative is considered viable, considering that a moderate safety benefit can be gained and considering the potentially low cost of modifying the existing designs.

(2) Improve operator procedures for manually depressurizing the primary system following an SBLOCA.

This alternative would specify to those utilities that were operating plants with low-head, high pressure injection pumps having limited discharge flow capacities at pressures greater than or equal to 1275 psi, to revise their emergency procedures and operator training programs to ensure that the operators can safely depressurize the secondary (steam) system via the atmospheric dump valves or the turbine bypass valves and can cool the plant down during any SBLOCA. This preferred cooldown via the secondary system would, in turn, depressurize the primary system. The primary PORV would provide additional backup. The procedure should clearly describe any transfers the operator performs in the event that a loss of instrument air or loss of electric power prevents manual operation of the valves. The use of the pressurizer PORVs and spray valves to depressurize the plant during an SBLOCA and to ensure that the RT_NDT limits are not compromised should also be clearly described.

(a) Safety Benefit

In NUREG/CR-3958, the safety benefit of such improved procedures was estimated. The estimated reduction in the frequency of core melt is 8 x 10 8 per reactor year. The estimated risk reduction is 850 man-rem over the life of the plant.

(b) Cost

The cost of revising both procedural changes and operator training programs to implement the alternative is not expected to exceed $10,000 per plant. Seven plants (Calvert Cliffs Nuclear Power Plant, Units 1 and 2; Fort Calhoun Station, Unit 1; Millstone Nuclear Power Station, Unit 2; Palisades Nuclear Plant, Unit 1; and St. Lucie Plant, Units 1 and 2) use high pressure, safety-injection pumps that have discharge heads less than or equal to 1275 psi. It is estimated to cost utilities no more than a total of $70,000 to implement this alternative. No NRC staff costs are anticipated.

(c) Value Impact

This alternative is considered viable, considering the moderate safety benefit that can be gained and the very low cost to implement this alternative.


5 SUMMARY OF ALTERNATIVES

Table 5.1 summarizes the alternatives considered during this study.


Table 5.1 Summary of Alternatives

                                                                 Estimated risk reduction       Cost
                                                                 Core-melt      Man-rem         Per plant   Utility      Is option
Alternative                                                      frequency      (30 years)                  total        viable?
                                                                 (plant year)

For GE BWR Plants

1. Upgrade overfill protection from 2-out-of-3                   6 x 10 7       123             $150K       $3M-$13M     No
   to 2-out-of-4
2. Upgrade overfill protection to a reference plant              -              45-123          $150K-      $1.2M-       No
   design (i.e., 2-out-of-3)                                                                    $1.3M       $10M
3. Upgrade plants with no overfill trip to a                     -              3600-3800       $100K-      $100K-       Yes*
   1-out-of-1 or better (2-out-of-4)                                                            $150K       $500K
4. Issue information letter regarding results and                -              -               None        None         Yes
   assumptions of overfill protection

For W PWR Plants

1. Provide automatic shutoff of AFW on steam                     6 x 10 8       9               $45K        $2.3M        No
   generator, high-water level
2. Issue information letter regarding results and                -              -               None        None         Yes
   assumptions of overfill protection
3. Upgrade overfill protection from 2-out-of-3                   <1 x 10 10     Insignificant   $250K-      $8M-         No
   to 2-out-of-4                                                                                $1.3M       $24M
4. Upgrade overfill protection (except for three                 -              -               -           -            No
   very early plant designs)
5. Provide automatic closure of steam block valves
   Case 1 - For steam dump to condenser                          <1 x 10 20     Insignificant   $65K*       $3.4M*       No
   Case 2 - For atmospheric dump                                 1 x 10 7       20              $123K-      $6.5M-       No
                                                                                                $1.2M       $37M
6. Modify ADV controller logic                                   1.5 x 10 7     20              $123K-      $6.5M-       No
                                                                                                $1.2M       $37M
7. Upgrade pressurizer PORV system                               -              -               -           -            No
8. Issue information letter on potential overpressure            -              -               None        None         No
   vulnerabilities
9. Issue information letter on control system failures           1 x 10 s       2               None        None         No
   that could exacerbate SGTR

For B&W PWR Plants

1. Test overfill protection system monthly                       3 x 10 8       450             $100K       $300K        No**
2. Test overfill protection system monthly and provide           7 x 10 8       1000            $200K       $600K        Yes**
   logic modification
3. Upgrade overfill protection
   Case 1 - Provide an additional independent feedwater          9 x 10 8       1300            $100K-      $300K-       Yes**
            flow termination                                                                    $1.1M       $3.9M
   Case 2 - Provide a 2-out-of-3 or a 2-out-of-4 system          8 x 10 8       1200            $300K-      $1M-$2M      Marginal**
                                                                                                $600K       ($5M max.)
4. Upgrade overfill protection on plants that provide            -              -               None        None         No
   redundant overfill protection
5. Provide automatic initiation of AFW to minimize loss          2 x 10 8 to    155-870         $150K       $450K        Yes**
   of steam generator cooling on loss of blast power             9 x 10 8

For CE PWR Plants

1. Provide automatic overfill protection (feedwater pump         4 x 10 8       570             <$100K      $1.5M        Yes
   or feedwater isolation valve closure trip)
2. Improve operator procedures to permit safe shutdown           8 x 10 6       850             $10K        $70K         Yes
   following an SBLOCA

* For instrumentation only. If additional isolation valves are needed to replace or modify the existing valves, the cost would be substantially greater.
** Applicable to Oconee plants.


6 PROPOSED RESOLUTION OF USI A-47

The following alternatives represent recommended actions for resolution of Unresolved Safety Issue A-47. Appendix C details the control system design and procedural modifications for resolving USI A-47.

6.1 GE BWR Plant Designs

(1) Upgrade plant designs with no automatic reactor vessel overfill protection to a 1-out-of-1 (or better) reactor vessel, high-water-level, feedwater-trip system (except Big Rock Point and Lacrosse plants).

(2) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided during power operation.

(3) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis. Because design variations exist in individual plants (e.g., in the overfill trip logic, in the power supplies for the trip logic, in operator training, in plant procedures, and in the design of plant alarms and indication systems), the failure rate estimates for the initiating events assumed in the staff's evaluation may vary from plant to plant. The information letter would allow individual applicants and licensees to assess the consequences of overfill transients on their plants.

6.2 W PWR Plant Designs

(1) Take no action to upgrade existing main feedwater, overfill protection systems on plants that have installed redundant, steam generator, high-water-level, overfill protection systems consisting of a 2-out-of-3 (or better), steam generator, high-water-level, feedwater-trip, isolation system.

(2) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided during reactor power operation.

(3) Take no action to upgrade existing reactor, overpressure systems.

(4) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis. Because plant-specific differences exist (described in item 6.1(3) above), failure-rate estimates for initiating events assumed in the staff's evaluation may differ from plant to plant. The information letter would allow individual applicants and licensees to assess the consequences of potential, overfill transients.

6.3 B&W PWR Plant Designs

(1) Modify plants that are similar to the reference plant (i.e., Oconee 1, 2, and 3) to either:

(a) Provide additional instrumentation to limit or terminate main feedwater flow on steam generator, high-water level. The instrumentation should be separate from the existing main feedwater pump, trip instrumentation. A system that initiates closure of main feedwater isolation valves on steam generator, high-water level is acceptable; or

(b) Modify the existing overfill protection system to minimize undetected failures in the system and facilitate online testing; or

(c) Upgrade the existing overfill protection system to a redundant high-water-level, trip system that satisfies the single-failure criterion for overfill protection. A 2-out-of-4, steam generator, high-water-level, trip system activating redundant, main feedwater isolation equipment is acceptable.

(2) Plants similar to the reference plant (i.e., Oconee 1, 2, and 3) should install Class IE instrumentation to automatically initiate auxiliary (emergency) feedwater to minimize the potential for loss of steam generator cooling (including during a loss-of-control-power event).

(3) Take no action on other plants that have installed or have committed to install an emergency feedwater initiation and control (EFIC) system (or its equivalent) incorporating a redundant, steam generator, high-water-level, overfill protection.

(4) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided at all times during reactor power operations.

(5) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis.
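The single-failure criterion in item (1)(c) and the online-testing point in item (1)(b) above can be checked mechanically for any m-out-of-n coincidence trip. The Python script below is an added example; it is not part of NUREG-1218 and is not any licensee's or vendor's design logic. It assumes two channel failure modes (a level channel stuck indicating normal level, or stuck indicating high level) and models taking a channel out of service for testing as dropping it from the vote with m unchanged. It enumerates the no-failure case and every single-channel failure, and reports whether a real high level still produces a trip and whether a normal level never does.

```python
from itertools import product

# Channel failure modes used for the single-failure check. This split is an
# assumption of this example, not a classification taken from NUREG-1218:
# a failed level channel either never indicates high level ("stuck_low")
# or always indicates it ("stuck_high"), regardless of the true level.
FAILURE_MODES = ("stuck_low", "stuck_high")


def vote(indications, m):
    """m-out-of-n coincidence logic: trip when at least m channels indicate high level."""
    return sum(indications) >= m


def channel_outputs(n, true_level_high, failed=None, mode=None):
    """Outputs of n level channels for a given true level.

    Healthy channels report the true level; the failed channel (if any)
    reports its stuck value instead of the true level.
    """
    outputs = [true_level_high] * n
    if failed is not None:
        outputs[failed] = (mode == "stuck_high")
    return outputs


def single_failure_check(m, n):
    """Exercise an m-out-of-n trip against no failure and every single channel failure.

    Returns (protects, no_spurious_trip):
      protects         - a real high level trips the system despite any one failure
      no_spurious_trip - a normal level never trips the system despite any one failure
    """
    cases = [(None, None)] + list(product(range(n), FAILURE_MODES))
    protects = True
    no_spurious_trip = True
    for failed, mode in cases:
        if not vote(channel_outputs(n, True, failed, mode), m):
            protects = False
        if vote(channel_outputs(n, False, failed, mode), m):
            no_spurious_trip = False
    return protects, no_spurious_trip


def with_channel_in_test(m, n):
    """Same check with one channel removed from the vote for online testing.

    Assumption of this example: testing bypasses the channel, so n shrinks
    by one while the coincidence count m is unchanged.
    """
    return single_failure_check(m, n - 1)


def summarize(logics):
    """Map each (m, n) logic to its in-service and one-channel-in-test results."""
    return {
        f"{m}-out-of-{n}": {
            "in_service": single_failure_check(m, n),
            "one_channel_in_test": with_channel_in_test(m, n),
        }
        for m, n in logics
    }


if __name__ == "__main__":
    # Logics discussed in Section 6: the 1-out-of-1 minimum for GE plants and
    # the 2-out-of-3 and 2-out-of-4 schemes for the PWR overfill trips.
    for name, result in summarize([(1, 1), (1, 2), (2, 3), (2, 4)]).items():
        svc, tst = result["in_service"], result["one_channel_in_test"]
        print(f"{name:11s} in service: protects={svc[0]}, no spurious trip={svc[1]}; "
              f"one channel in test: protects={tst[0]}, no spurious trip={tst[1]}")
```

Run as written, the script shows that a 1-out-of-1 trip is defeated by one stuck-low channel and tripped spuriously by one stuck-high channel; 2-out-of-3 passes both checks in service but degrades to 2-out-of-2, which a single stuck-low channel defeats, once a channel is removed for testing; 2-out-of-4 passes both checks with a channel in test as well. Plants that instead place the channel under test in the tripped state keep the protective function but accept a 1-out-of-2 spurious-trip exposure during the test; that variant is not modeled here.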

6.4 CE PWR Plant Designs

(1) Modify all plants to provide additional instrumentation to terminate main feedwater flow on steam generator, high-water level. The instrumentation should provide sufficient redundancy and satisfy the single-failure criterion for overfill protection.

(2) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided during reactor operation.

(3) Reevaluate plant designs similar to the reference plant (i.e., Calvert Cliffs Nuclear Power Plant, Units 1 and 2; Fort Calhoun Station, Unit 1; Millstone Nuclear Power Station, Unit 2; Palisades Nuclear Plant, Unit 1; and St. Lucie Plant, Units 1 and 2) to modify, if necessary, their emergency procedures and operator training program to ensure that the operators can safely shut down the plant during any SBLOCA utilizing the ADVs or the TBVs. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown.

(4) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis.


7 APPLICATION OF THE BACKFIT RULE, 10 CFR 50.109

The staff finds that the supporting analyses documented in this regulatory analysis comply with the provisions of 10 CFR 50.109. The following information is provided in answer to the specific requirements in paragraph (c) of 10 CFR 50.109.

(1) Statement of specific objectives that the proposed backfit is designed to achieve.

The specific objective of the proposed A-47 actions identified in Section 6 is to enhance the safety of operating nuclear power plants by:

(a) minimizing the potential for water ingress into the steamlines, thereby decreasing the potential to damage the main steamline or the equipment associated with the steamlines (such as valves, pumps, and sensing lines);

(b) minimizing the potential for a loss of steam generator cooling under any condition of operation that could cause a significant reduction in flow of main feedwater;

(c) ensuring that the operators can safely depressurize the primary system and cool down the plant during any small-break, loss-of-coolant accident.

(2) General description of the activity that would be required by the licensee or applicant in order to complete the backfit.

The resolution of USI A-47 is based mainly on:

(a) providing or upgrading existing control systems to ensure automatic overfill protection of the main steamlines in the event of a main feedwater, overfeed transient, and periodically verifying its operability to ensure that overfill protection is operable at all times during reactor operation;

(b) providing automatic initiation of auxiliary (emergency) feedwater under any condition of operation that results in a significant reduction in the main feedwater flow;

(c) a reevaluation and modification, if necessary, of selected CE plant emergency procedures and operator training to ensure that operators can safely depressurize the primary system (via the atmospheric dump valves or the turbine bypass valves) and cool down the plant during any small-break, loss-of-coolant accident.

(3) Potential change in the risk to the public from the accidental offsite release of radioactive material.

Quantifying the net safety benefit in terms of risk for requiring technical specifications to include periodic verification of overfill protection operability proved to be impractical. Justification for the technical specification requirement is based on the fact that overfill protection is needed to mitigate a design-basis accident (DBA) (i.e., feedwater malfunctions that result in increased feedwater flow). This requirement is consistent with the proposed Commission policy statement of what is needed in technical specifications.

The safety benefit for providing or upgrading existing, automatic, overfill protection for different NSSS vendors and the safety benefits for the other proposed requirements are estimated and discussed in Section 4 of this report. They are also summarized below.

For GE BWR plants, design changes to upgrade existing, overfill protection systems do not significantly reduce risk. Modifications to only one plant that does not have any overfill protection (i.e., Oyster Creek) are, however, warranted. It is estimated that providing automatic, overfill protection can potentially result in reducing the risk by as much as 3600 man-rem over plant life.

For Westinghouse plants, changes to upgrade existing, overfill protection systems from a 2-out-of-3 to a 2-out-of-4 steam generator, high-water-level trip do not significantly reduce risk. Modification to two plants that do not have any overfill protection is, however, warranted.

For Babcock and Wilcox plants, upgrading overfill protection on three plants (i.e., Oconee 1, 2, and 3) is warranted. The estimated risk reduction to provide additional redundancy in the existing, overfill-protection system could be as much as 1200 to 1300 man-rem over the plant life for each of the three plants.

To provide automatic initiation of auxiliary (emergency) feedwater on loss of, or significantly reduced, main feedwater flow, the risk reduction is estimated to be between 155 and 870 man-rem over the life of the plant for each of the three Oconee plants that warrant a design modification.

For Combustion Engineering plants, the risk reduction to provide automatic overfill protection is estimated to be 570 man-rem over the life of each plant.

To improve operating procedures on CE plants to manually depressurize the primary system following an SBLOCA, the estimated risk reduction is 850 man-rem over the life of each plant.

(4) Potential impact of radiological exposure of facility employees.

No estimate was made. However, it would add to the estimated public risk given in Section 4 of this report. Modifications could be made during plant shutdown, thereby reducing radiological exposure to employees.

(5) Installation and continuing costs associated with the backfit, including the cost of facility downtime or the cost of construction delay.

The estimated costs to the licensees for complying with the proposed resolutions of USI A-47 are presented in Section 4 of this report and are summarized below. The cost of facility downtime is not included in the estimates. The implementation schedule will be negotiated with the licensees in accordance with the NRC policy on integrated schedules for plant modifications stated in Generic Letter 83-20, dated May 9, 1983. The proper integration of the proposed work scope into each plant's schedule may allow for the modifications to be conducted during plant outages.

For BWRs, the cost to incorporate overfill protection on Oyster Creek is estimated at $100,000. For a more versatile design that facilitates online testing and repair, the estimated cost is $500,000. The cost to incorporate testing requirements into the technical specifications is about $15,000 per plant. It should be noted that most BWR plants that comply with the Standard Technical Specifications already incorporate testing of overfill protection.

For Westinghouse plants, most technical specifications incorporate testing of overfill protection. The estimated cost to incorporate the testing requirements into the technical specifications for the remaining plants is $15,000 per plant.

For Babcock and Wilcox plants, the cost to upgrade the Oconee overfill protection systems is estimated to be $100,000 per plant. For a more versatile design that incorporates more redundancy, the estimated cost is $600,000 per plant. If additional penetrations are needed to complete the modifications, an additional $1,000,000 per plant is needed. The estimated cost to incorporate testing requirements into the technical specifications is $15,000 per plant. The cost to provide automatic initiation of auxiliary (emergency) feedwater on the three Oconee plants is estimated not to exceed $150,000 per plant.

For Combustion Engineering plants, the cost to provide automatic overfill protection is estimated to be $100,000 per plant. It was assumed that existing instrumentation to generate the high-water-level signal and existing motor-operated feedwater isolation valves could be used, and that existing penetrations and cabinets can be utilized. The estimated cost to incorporate testing requirements into the technical specifications is $15,000 per plant. The cost to reassess and modify, if necessary, the emergency procedures and operator training to ensure that the operator can safely shut down the plant during any SBLOCA is estimated not to exceed $10,000 per plant.

(6) The potential safety impact of changes in plant or operational complexity, including the relationship to proposed and existing regulatory requirements.

None.

(7) The estimated resource burden on the NRC associated with the proposed backfit and the availability of such resources.

The cost to the NRC for implementing the proposed resolution of USI A-47 is estimated and discussed in Section 4 of this report.

The principal cost to NRC would be the cost for reviewing the designs submitted by the individual licensees. It is estimated that a review of 22 plant design modifications and a review of the emergency procedure modifications on 7 plants would be needed. It is estimated that 0.5 staff-month will be needed to review each of these changes, for a total expenditure of 14.5 staff-months. In addition, it would require 0.1 staff-month per plant to verify the modified technical specification, for a total expenditure of 12 staff-months. At an estimated rate of $120,000 per staff year, the total cost would be $265,000.

(8) The potential impact of differences in facility type, design, or age on the relevancy and practicality of the proposed backfit.

The proposed backfit is plant specific. Differences in facility type, design, or age have been considered.

(9) Whether the proposed backfit is interim or final and, if interim, the justification for imposing the proposed backfit on the interim basis.

The proposed backfit represents the final staff position on USI A-47.

The proposed method of implementation is issuance of a generic letter under the provisions of 10 CFR 50.109. The staff is recommending implementation through issuance of a generic letter rather than through a standard review plan revision or issuance of a regulatory guide because the proposed requirements apply only to the operating plants. The more-recent plant designs incorporate improvements that embody the proposed requirements. It is recommended, however, that the appropriate sections in the standard review plan be revised to reflect the staff requirements (as discussed in the generic letter) for future plants.


8 REFERENCES

Bernero, R., NRC, Memorandum to T. Speis, April 30, 1985, "Generic Issue 70, PORV and Block Valve Reliability - Task Action Plan (TAC 5526)."

Denton, H., NRC, Memorandum to R. Bernero, July 23, 1985, "Schedule for Resolving and Completing Generic Issue No. 94, Additional Low-Temperature Overpressure Protection for Light Water Reactors."

Institute of Electrical and Electronics Engineers, Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," 1971.

Tucker, H. (Chairman-BWOG), Letter to D. Crutchfield, NRC, May 15, 1986, "B&W Owners Group Plant Reassessment."

U.S. Nuclear Regulatory Commission, Generic Letter 83-20, "Integrated Scheduling for Implementation of Plant Modification at Duane Arnold," May 9, 1983.

-- , NUREG-0371, Vol. 1, No. 1, "Approved Category A Task Action Plans," November 1977.

-- , NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

-- , NUREG-0748, Vol. 4, No. 8, "Operating Reactors Licensing Actions Summary," October 1984.

-- , NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition, July 1981.

-- , NUREG-0944 (Draft for Comment), "NRC Integrated Program for Resolution of Unresolved Safety Issues A-3, A-4, and A-5 Regarding Steam Generator Tube Integrity," April 1985.

-- , NUREG-1032 (Draft for Comment), "Evaluation of Station Blackout Accidents at Nuclear Power Plants," May 1985.

-- , NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," February 1986.

-- , NUREG-1217 (Draft for Comment), "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47," April 1988.

-- , NUREG/CR-3568 (PNL-4646), "A Handbook for Value-Impact Assessment," Pacific Northwest Laboratory, December 1983.

-- , NUREG/CR-3958 (PNL-5767), "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor," March 1986.

-- , NUREG/CR-4385 (PNL-5543), "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor," November 1985.

-- , NUREG/CR-4386 (PNL-5544), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor," December 1985.

-- , NUREG/CR-4387 (PNL-5545), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor," December 1985.

-- , WASH-1400 (NUREG-75/014), "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," October 1975.

-- , Office for Analysis and Evaluation of Operational Data, "AEOD Observations and Recommendations Concerning the Problem of Steam Generator Overfill and Combined Primary and Secondary System Blowdown," December 17, 1980.

-- , Office of Inspection and Enforcement, IE Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control System Bus During Operation," November 30, 1979.

-- , Office of Inspection and Enforcement, Information Notice 80-70, "Reliance on Water Level Instrumentation With Common Reference Leg," September 4, 1984; Supplement 1, August 26, 1985.

Westinghouse Corp., WCAP-10797, "Westinghouse Comments on EG&G Idaho, Inc., Report - Effects of Control System Failures on Transients and Accidents at a 3-Loop Westinghouse Pressurized Water Reactor (August 1984)," February 1985.


APPENDIX A REJECTED ALTERNATIVES

In this appendix are discussed other alternatives that were considered for possible regulatory action but were rejected because the risk reduction in implementing these alternatives was extremely small.

GE BWR Plant Designs

Several alternatives were considered that could minimize potential failures (e.g., pipe cracks, leaks) in the primary sensing lines of the common reference leg of the reactor vessel, water-level instruments associated with the vessel, overfill protection system. They include:

(1) Inspect the instrument sensing lines annually.

(2) Replace the existing sensing lines with stronger materials.

(3) Provide independent sensing lines for each vessel, water-level instrument associated with the vessel, overfill protection system.

Reactor vessel, water-level, primary-sensing-line installations on all BWR plants were not reviewed. A review of the overfill protection, logic systems on other plants (Table A1), however, determined that most BWR designs (18 to 20 plants) provide a 2-out-of-3, high-water-level, main-feedwater-trip system similar to the reference plant. The staff finds that the installation of the water-level instruments on these other plants is also similar, so that 2-out-of-3, water-level instruments have a common, reference leg.

Considering the very small reduction in the overall risk and the substantial cost in implementing these alternatives however, it was determined that implementing such alternatives is not practical.

It should be noted that IE Information Notice 80-70 was issued to all nuclear reactor facilities holding an operating license or a construction permit. This notice alerted the utilities to the potential degradation of safety associated with operator reliance on water-level instruments that share a common, reference leg. Recipients were expected to review the information for applicability to their own plants and to consider actions, if appropriate, to prevent problems occurring at their own facilities.

Two additional alternatives summarized in this section were also considered, but were rejected on the same basis (i.e., very small, risk-reduction estimates associated with implementing these alternatives). These alternatives were considered in order to minimize reactor vessel overfill via the condensate system or via the low pressure coolant injection (LPCI) or the core-spray system (CSS). They include:

(1) Provide automatic isolation of condensate flow on reactor vessel, high-water level.


(2) Provide automatic trip of the LPCI or the CSS on reactor vessel, high-water level.

These alternatives were rejected because implementing such automatic-trip features could cause other potentially significant problems that could reduce the reliability of the condensate-feedwater system during startup or shutdown operation or negate the LPCI and the CSS safety function, if required.

W PWR Plant Designs

Several alternatives similar to those discussed for the GE BWR plant designs were considered for the W PWR plants. They include:

(1) Inspect the instrument-sensing lines annually.

(2) Replace the existing, primary, sensing lines with stronger materials.

As in the case of the GE design, the estimated high cost and very small reduction in risk associated with implementing these alternatives precluded them from serious consideration.

Several other alternatives to minimize overpressure events were also considered. In these cases, however, the failure scenarios contributing to the events were caused by multiple, independent failures of such low probability that the overall risk associated with these scenarios is insignificant and implementing these alternatives is not considered practical. These alternatives are summarized below.

(3) Provide independent power sources to the letdown valve and to the pressurizer PORVs.

A single loss of power to the letdown valve and to one pressurizer PORV was identified as a dominant failure that could potentially contribute to a reactor-coolant pressure transient during low-temperature and pressure shutdown or startup operating conditions. An additional independent failure in the second pressurizer PORV, however, would be needed to cause an overpressure transient.

Because all of the pressurizer PORV designs (including the reference plant) are designed to conform to NRC Branch Technical Position RSB 5-2 (NUREG-0800), similar failure scenarios with similar initiating frequencies identified in the review of the reference plant could occur at other W plants. Some new plants have improved the reference plant design by providing separate Class 1E power to each of the PORVs.

Such designs could further reduce the initiating frequency of the identified failure scenarios, thereby further reducing the overall risk contribution of this event.

It should be noted that during certain periods plants are allowed to operate under limited conditions for operation (LCOs), where one, redundant, pressurizer PORV may be rendered inoperable for a limited period of time. Under these conditions, if the system is subjected to a pressure transient (such as the one identified in this review), the plant is vulnerable to an overpressurization event. A single failure in the available, pressurizer, PORV system can render the overpressure protection system inoperable. This concern and additional low-temperature, overpressure protection concerns for light-water reactors are being evaluated separately under Generic Issue 94 (Denton, July 23, 1985).

Any requirements resulting from that study will be furnished at the completion i of that activity, j i

(4) Provide positive indication of low-temperature, low-pressure mode switch position selection.

A failure to properly realign the setpoints in the pressurizer PORV control logic when transferring from normal operating mode to the cold-shutdown mode or vice versa was identified as a potential common-mode failure that could prevent both pressurizer PORVs from opening when required. This alternative would provide an indicator light for each switch position, allowing positive indication of the circuit connection in each pressurizer PORV's control logic. A failure of the pressurizer PORVs to open because of an incorrect setpoint setting would then need both a switch failure and an operator failing to notice an improper connection. This alternative was considered to minimize system failures that could lead to an overpressure event during cold-shutdown conditions. Similar failure scenarios with similar initiating frequency could occur at other W plants. A large number of plant designs, however, offer an additional improvement over the reference plant design: overpressure-relief capability through the RHR system during low-temperature shutdown operation. This overpressure-relief capability allows more time for the operator to respond to overpressure events, resulting in less-severe transients than postulated for the reference plant. As a result of a low-temperature overpressurization event at Turkey Point Plant, Unit 4, in 1981, the staff is reevaluating the adequacy of this RHR overpressure-relief capability (Denton, July 23, 1985). Any requirements resulting from that study will be furnished when that study is complete.

(5) Modify the pressurizer PORV control circuitry to reduce the frequency of component failures that could lead to overpressure events.

Because of the potential negative effects of increasing the complexity of the existing control circuits, this is not considered a practical alternative.

(6) Modify the high-pressure safety-injection system.

Additional enable circuits were considered to prevent spurious initiation of the injection pumps during low-temperature startup or shutdown conditions. It was estimated that a plant was vulnerable to overpressure transients during low-temperature and low-pressure conditions for a few hours during each cooldown/heatup sequence when the PORV setpoint is switched to the higher setpoint, thus restricting the operation of the PORV to a much higher pressure-relief capability.

In addition to the low risk contribution of such an event, the possible adverse consequences of reducing the reliability of the safety-injection system by implementing this alternative could significantly affect the overall safety of the plant. This alternative is, therefore, not considered a viable option.


(7) Modify the manual safety-injection actuation switches.

This alternative was considered to minimize operator error that could lead to overpressure events as a result of a single action during startup or shutdown conditions. The present design has two switches in parallel; either switch is capable of initiating safety injection. The present design ensures that the failure of a single switch would not prevent actuation of the safety-injection system.

In addition to the low risk contribution of such an event, the staff believes that changing the switch logic to require actuation of both switches to initiate safety injection would increase the potential for the safety-injection system to fail. This failure could be more detrimental to plant safety. Changing the logic of the manual switches would presume that inadvertent actuation of the safety-injection system presented a greater safety hazard than failure on demand, which has not been shown to be the case.


Table A1  Reactor vessel overfill protection systems

BWR plants with no automatic overfill protection:
    Big Rock                  Lacrosse                  Oyster Creek

BWR plants with automatic overfill protection equivalent to or better than the reference plant design:
    La Salle 1, 2*            Nine Mile Point 1, 2*
    Shoreham*                 Hatch 1, 2*
    WNP-2*                    Duane Arnold***
    Browns Ferry 1, 2, 3*     Cooper****
    Susquehanna 1, 2*         Grand Gulf**
    Hope Creek 1, 2*          Limerick 1, 2**
    River Bend 1, 2*          Fermi 2**

BWR plants with automatic overfill protection, but with less independence and reliability than the reference plant:
    Dresden 2, 3++++          Pilgrim+++
    Quad Cities 1, 2++++      Vermont Yankee+
    Peach Bottom++            Monticello+
    Brunswick 1, 2+++         FitzPatrick 1+

    *     2-out-of-3 high-water-level trip; separate power supplies
    **    1-out-of-2 taken twice; power supply separation unknown
    ***   2-out-of-3 high-water-level trip; power supply separation unknown
    ****  3-level system; logic and power supply separation unknown
    +     1-out-of-1 high-water-level feedwater trip
    ++    2-out-of-2 high-water-level feedwater trip; separation of power unknown
    +++   2-out-of-2 high-water-level feedwater trip; common power supply
    ++++  2-level system; logic and power supply separation unknown

APPENDIX B  SENSITIVITY STUDY FOR REACTOR VESSEL/STEAM GENERATOR OVERFILL SCENARIOS

A number of postulated reactor vessel and steam generator overfill events were evaluated and their contribution to plant risk was estimated. Most overfills of the reactor vessel or steam generator were initiated by failures in the main feedwater control and high-water-level trip circuits. If these events were not terminated by the operator, they could lead to water filling the steamlines and could possibly result in steamline damage or a total steamline failure. A large uncertainty exists concerning this potential and, therefore, a high probability of main steamline break (MSLB) given a spillover of water into the steamlines was conservatively assumed in the analysis summarized in Sections 3 and 4 of the present report.

For overfill events to impact public safety significantly and contribute to risk, the events must at some point make a transition to a main steamline break coupled with failures leading to core melt.

In modeling the risk contribution, dominant accident sequences identified in the probabilistic risk assessments (PRAs) of the reference plant (or PRAs of similar plants if none were available for the reference plant) were modified by estimating the frequency of control system failure-induced overfill transients leading to main steamline break. This frequency is dependent on the estimated frequency of overfeed events initiated by control system failures, the operator's likelihood of manually terminating the event, and the probability of a main steamline break given an overfill event, for boiling-water reactors (BWRs), or the probability of a main steamline break and a steam generator tube rupture, for pressurized-water reactors (PWRs).

This appendix evaluates the sensitivity of the overfill-event contribution to core-melt frequency and plant risk when these parameters are varied.

The sections that follow discuss the sensitivity analysis for overfill events resulting from control system failures of the main feedwater control system for each of the four nuclear steam supply system (NSSS) vendors.

On the basis of this sensitivity analysis, it is concluded that the probability estimates used for operator action to terminate overfill events and for steamline break accidents given steam generator or reactor vessel overfill are in line with operating experience for precursors to such events. This sensitivity analysis, which uses more-realistic probability estimates (derived from operating experience) for overfill scenarios and steamline damage (given overfill events), supports the proposed staff resolution.


A. General Electric (GE) BWR Plants

The overfill-induced loss-of-coolant accident (LOCA) frequency, $P_{LOCA}$, was calculated using the following relationship:

$$P_{LOCA} = P_{OF} \cdot P_{OA} \cdot P_{FP} \cdot P_{MSLB}$$

where:

    $P_{OF}$   = frequency of overfeed events induced by control system failures (based on the reference plant design)
    $P_{OA}$   = probability of operator failure to manually terminate an overfeed event
    $P_{FP}$   = probability that the main feedwater pump will continue to operate after water enters the steamlines
    $P_{MSLB}$ = probability of a main steamline break after water enters the steamlines

The risk contribution was estimated by multiplying the modified dominant LOCA sequences by the appropriate release factors.

The sensitivity to variations in the assumptions for overfeed events and to variations in the conditional probability estimates for main steamline breaks given overfill is discussed below.

The estimated probability of control system failure-induced overfill events via the main feedwater and the condensate control system was calculated to be 3.3 x 10^-3 events per reactor year. The actual number of overfill events identified by the licensee event report (LER) search for BWR plants is 6 in approximately 415 reactor years, or 14.5 x 10^-3 events per reactor year. This is 4.2 times greater than the probability calculated from scenarios on control system failure.

The estimated value for the conditional probability of a main steamline break (MSLB) during an overfill event was conservatively assumed to be 0.95 in the analysis summarized in Sections 3 and 4 of the present report. On the basis of a literature search of operating history, there were two events in Europe in the early 1960s in which steamline damage resulted from water entering the steamline. The damage was limited to components mounted on the steamlines (i.e., valve standpipes, instrument connections, etc.); no damage was reported to the main steamline piping. On the basis of actual experience, a conditional probability (of an MSLB occurring during an overfill event) of 0.13 was, therefore, used for all plants (i.e., BWRs and PWRs) as a best estimate (i.e., two events in which damage occurred out of a total of 15 overfill events identified); this probability is 7.3 times smaller than the probability used in the initial estimates.

Utilizing these operating experiences, the overfill-induced LOCA frequency would then be (14.5 x 10^-3)(0.9)(0.13) = 1.88 x 10^-3 events per reactor year.

This includes failure of the operator to take timely action to terminate the event. This is a factor of 1.5 less than the initial estimate of 2.88 x 10^-3 events per reactor year. Steamline damage was also equated to steamline break in these estimates. The risk reduction to implement (as a minimum) a single reactor high-water-level trip system on selected plants that do not have any automatic overfill protection would, therefore, be reduced by a factor of 1.5, to a new estimated value of 2400 man-rem over the life of a plant. Cost estimates for the proposed design modification are about $100,000 per plant. Utilizing $1000 per man-rem saved as a guideline, design modifications that approach $2,400,000 would still be justified.

Reducing the conditional probability of an MSLB event given reactor vessel overfill by as much as two orders of magnitude from the initial estimates, the risk reduction would be reduced by a factor of 23, to 157 man-rem over the life of the plant. Even with this sizable reduction in the conditional probability estimates for a steamline break (given overfill), and using overfill frequency estimates that are more in line with operating experience, the proposed staff resolution is still warranted for plants that do not have any automatic overfill protection.

Table B.1 summarizes the sensitivity of the risk estimates to changes in over-fill frequency estimates and the probability estimates for MSLB events (given overfill conditions).

B. Westinghouse (W) Plants

In the BWR analysis, vessel overfill leading to an MSLB was the major contributor to risk. In PWRs, however, the core-melt frequency contribution associated with overfill scenarios with only an MSLB is less significant. The major contributors to core-melt frequency for PWRs are overfill events that lead to an MSLB and a steam generator tube rupture (SGTR). In order to determine the probability of SGTR given a steamline break, $P_{SGTR \mid MSLB}$, the probability estimates addressed as part of the staff's evaluation of USI A-3, A-4, and A-5 were used. These estimates were modified by the MSLB frequencies associated with the overfill-event frequencies developed by this review. The total risk contribution associated with the overfill-event scenarios was calculated by the following:

$$\text{Risk} = K \cdot P_{OF} \cdot P_{OA} \cdot P_{FP} \cdot P_{MSLB} \cdot P_{SGTR \mid MSLB}$$

where K is the risk contribution estimated for the reference plant and the other terms are as defined previously in this appendix.

The estimated probability of control system failure-induced overfill events via the main feedwater control systems was calculated to be 2.7 x 10^-8 event per reactor year. This number is very low because of the highly reliable and redundant trip system that is used by all but three of the oldest Westinghouse-designed plants. This value is not contradicted by actual experience, since there have been no identified overfill events on Westinghouse plants to date. Although there was one overfill event at the Ginna plant in 1982, that event occurred as a result of a steam generator tube rupture and not because of a control system failure. For the W PWR analysis, the estimated conditional probability of an MSLB during an overfill event was conservatively assumed to be 0.5, compared to a best-estimate value of 0.13 based on actual experience for all BWR and PWR plants (i.e., 2 plants damaged/15 overfill events). Utilizing this operating experience, the overfill-induced MSLB frequency would be (2.7 x 10^-8)(0.9)(0.13) = 3.2 x 10^-9 event per reactor year instead of the 1.2 x 10^-8 event per reactor year used in the initial analysis summarized in Sections 3 and 4 of the present report. That is, the frequency is a factor of 3.75 less than the staff's initial estimates. The risk reduction to improve the existing overfill protection system (i.e., the 2-out-of-3 steam generator high-water-level system) would, therefore, also be reduced by a factor of 3.75.

Because of the already insignificant risk reduction estimated for adding an additional independent channel, this additional reduction in risk strengthens the proposed resolution that no action is required to modify the existing W designs for overfill protection.

Even increasing the probability estimates for the overfill frequency by four orders of magnitude, the risk contribution would still not warrant any action and, therefore, would not change the proposed resolution for overfill protection for Westinghouse plants.

Table B.2 summarizes the sensitivity of the risk estimates to changes in over-fill frequency estimates and the probability estimates for MSLB events (given overfill conditions).

C. Babcock and Wilcox (B&W) Plants

The methodology used on the Westinghouse plants (Section B) was applied to the B&W analysis. The estimated probability of control system failure-induced overfill events via the main feedwater control systems was calculated to be 6.0 x 10^-3 event per reactor year. The actual number of overfill events identified by the LER search for B&W plants is 3 in approximately 110 reactor years (or 2.7 x 10^-2 event per reactor year). This is 4.5 times the initial estimate used in the analysis summarized in Sections 3 and 4 of the present report.

The probability of an MSLB (given overfill) was initially conservatively assumed to be 0.95. On the basis of actual experience, the best-estimate probability of an MSLB (given overfill) was determined to be 0.13, which is 7.3 times smaller than used in the initial estimates.

Using estimates based on actual plant experience, the overfill-induced LOCA frequency would be (2.7 x 10^-2)(0.13) = 3.5 x 10^-3 event per reactor year instead of 5.7 x 10^-3 event per reactor year, or a factor of 1.6 less than the initial estimates. The risk reduction to implement an additional independent feedwater trip on steam generator high water level, or to modify the existing design to incorporate a 2-out-of-4 steam generator high-water-level feedwater-trip system, would therefore be reduced by a factor of 1.6, to 820 man-rem over the life of the plant. This change is not considered significant enough to modify the proposed resolution. Staff cost estimates for the proposed design modification are about $100,000 to $600,000 per plant, depending on which option the utility chooses. On the basis of the modified estimates, design modifications that cost $820,000 would still be justified.

It should be noted that if the probability of an MSLB (given an overfill) was further reduced by as much as 2 orders of magnitude, the risk reduction would not be significant enough to warrant a design change. For a 1-order-of-magnitude reduction in the MSLB probability, however, justification for a design modification would be marginal.

Table B.3 summarizes the sensitivity study.

D. Combustion Engineering (CE) Plants

The methodology used on the W plants (Section B) was also applied to the CE analysis. The estimated probability of control system failure-induced overfill events via the main feedwater control systems was calculated to be 9.0 x 10^-3 event per reactor year for one of the two overfill scenarios identified in Sections 3 and 4 of the present report and 4.4 x 10^-4 event per reactor year for the other. The actual number of overfill events identified by the LER search for CE plants is 1 in approximately 125 reactor years (or 8.0 x 10^-3 event per reactor year), which was essentially the same as initially estimated for one of the events and 18 times greater than initially estimated for the other event.

The estimated probability of an MSLB (given overfill) was conservatively assumed to be 0.5. On the basis of actual experience, the best-estimate conditional probability of an MSLB (given overfill) was determined to be 0.13. This is 3.85 times smaller than used in staff estimates.

Using estimates based on operating experience, the overfill-induced LOCA frequency for each scenario would then be (8.0 x 10^-3)(0.13) = 1.04 x 10^-3 event per reactor year, instead of the 4.7 x 10^-3 event per reactor year (both scenarios together) used in the initial estimates in Sections 3 and 4 of the present report, or a factor of 2.3 less. The risk reduction to modify the existing design and incorporate a 2-out-of-4 steam generator high-water-level feedwater-trip system would, therefore, be reduced by a factor of 2.3, to a new estimated value of 248 man-rem over the life of the plant. This change is not considered significant enough to modify the proposed resolution. The estimate for this design modification is less than $100,000 per plant. On the basis of these estimates, design modifications that cost $248,000 would still be justified.

It should be noted that if the probability of an MSLB event (given overfill) was further reduced by an additional order of magnitude, the proposed design changes could not be justified.

Table B.4 summarizes the sensitivity of the risk estimates to changes in overfill and MSLB frequencies.
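The GE, B&W and CE calculations above all follow one pattern: multiply the overfill frequency by the operator, feed-pump and steamline-break terms, scale the reference-case risk reduction by the ratio of the resulting LOCA frequencies, and compare the man-rem saved (at $1000 per man-rem) against the cost of the fix. The Python model below is an added example written for this page, not NRC code; it reproduces that arithmetic from the printed inputs. The 0.9 operator factor, a feed-pump term of 1.0 (not credited), and the reference risk-reduction values of 3600, 1340 and 570 man-rem are taken from the text above, and the B&W and CE cases omit the operator term, as the text does. One check the model makes visible: the GE product (14.5 x 10^-3)(0.9)(0.13) is 1.70 x 10^-3, whereas the 1.88 x 10^-3 printed above equals 14.5 x 10^-3 x 0.13 with the operator term left out, so the model's GE Case 2 comes out near 2100 man-rem rather than 2400; the conclusion (fix warranted) is the same either way. The Westinghouse case is not modelled because the text gives only an upper bound for its risk reduction.

```python
"""Appendix B sensitivity model: overfill -> steamline break -> risk.

Added example; this is not code from NUREG-1218 or the NRC.  It implements
P_LOCA = P_OF * P_OA * P_FP * P_MSLB, rescales a reference-case risk
reduction in proportion to that frequency, and applies the $1000-per-man-rem
guideline.  Input figures are the ones printed in Appendix B; the 0.9
operator term and an uncredited (1.0) feed-pump term are the assumptions
used there.  Where the appendix omits the operator term (B&W, CE), so do we.
"""
from dataclasses import dataclass, replace

USD_PER_MAN_REM = 1000.0  # cost-benefit guideline quoted in Appendix B


@dataclass(frozen=True)
class Scenario:
    p_of: float        # overfill frequency induced by control-system failure, events/ry
    p_mslb: float      # P(main steamline break | water in the steamlines)
    p_oa: float = 1.0  # P(operator fails to terminate overfeed); 1.0 = not credited
    p_fp: float = 1.0  # P(feed pump keeps running after spillover); 1.0 = not credited

    def loca_frequency(self) -> float:
        return self.p_of * self.p_oa * self.p_fp * self.p_mslb


def loca_frequency(scenarios) -> float:
    """Total overfill-induced LOCA frequency (events/ry); disjoint scenarios add."""
    return sum(s.loca_frequency() for s in scenarios)


def scaled_risk_reduction(ref_risk_man_rem, ref_scenarios, new_scenarios) -> float:
    """Risk reduction of a fix, rescaled from the reference case by LOCA frequency.

    Appendix B treats man-rem saved as proportional to the LOCA frequency,
    since the downstream core-melt and release terms are unchanged."""
    return ref_risk_man_rem * loca_frequency(new_scenarios) / loca_frequency(ref_scenarios)


def justified_cost(risk_reduction_man_rem, usd_per_man_rem=USD_PER_MAN_REM) -> float:
    """Largest modification cost the guideline would still justify."""
    return risk_reduction_man_rem * usd_per_man_rem


def fix_warranted(risk_reduction_man_rem, cost_usd, usd_per_man_rem=USD_PER_MAN_REM) -> bool:
    return justified_cost(risk_reduction_man_rem, usd_per_man_rem) >= cost_usd


def sensitivity(ref_risk, ref_scenarios, cases, cost_usd):
    """Map case name -> (LOCA frequency, risk reduction in man-rem, fix warranted?)."""
    table = {}
    for name, scen in cases.items():
        rr = scaled_risk_reduction(ref_risk, ref_scenarios, scen)
        table[name] = (loca_frequency(scen), rr, fix_warranted(rr, cost_usd))
    return table


# GE BWR (Table B.1): reference risk reduction 3600 man-rem, fix about $100K.
GE_CASE1 = [Scenario(p_of=3.38e-3, p_mslb=0.95, p_oa=0.9)]
GE_CASE2 = [Scenario(p_of=14.5e-3, p_mslb=0.13, p_oa=0.9)]
GE_CASE3 = [replace(GE_CASE2[0], p_mslb=0.95e-2)]  # MSLB term cut by 2 orders of magnitude
GE = sensitivity(3600.0, GE_CASE1,
                 {"case1": GE_CASE1, "case2": GE_CASE2, "case3": GE_CASE3}, 100_000)

# B&W (Table B.3): reference 1340 man-rem (costlier option); no operator term used.
BW_CASE1 = [Scenario(p_of=6.0e-3, p_mslb=0.95)]
BW_CASE2 = [Scenario(p_of=2.7e-2, p_mslb=0.13)]
BW_CASE3 = [replace(BW_CASE2[0], p_mslb=0.13e-2)]
BW_ONE_ORDER = [replace(BW_CASE2[0], p_mslb=0.13e-1)]  # the "marginal" case in the text
BW = sensitivity(1340.0, BW_CASE1,
                 {"case1": BW_CASE1, "case2": BW_CASE2, "case3": BW_CASE3,
                  "one_order": BW_ONE_ORDER}, 100_000)

# CE (Table B.4): two overfill scenarios summed; reference 570 man-rem.
CE_CASE1 = [Scenario(p_of=9.0e-3, p_mslb=0.5), Scenario(p_of=4.4e-4, p_mslb=0.5)]
CE_CASE2 = [Scenario(p_of=8.0e-3, p_mslb=0.13), Scenario(p_of=8.0e-3, p_mslb=0.13)]
CE_CASE3 = [replace(s, p_mslb=0.13e-2) for s in CE_CASE2]
CE = sensitivity(570.0, CE_CASE1,
                 {"case1": CE_CASE1, "case2": CE_CASE2, "case3": CE_CASE3}, 100_000)

if __name__ == "__main__":
    for vendor, table in (("GE", GE), ("B&W", BW), ("CE", CE)):
        for name, (freq, rr, ok) in table.items():
            print(f"{vendor:3} {name:9} LOCA {freq:.2e}/ry  risk reduction {rr:7.1f} man-rem  "
                  f"justified cost ${justified_cost(rr):,.0f}  warranted: {ok}")
```

Run it directly to print the three tables. The B&W "one_order" row reproduces the marginal case the B&W section mentions: about $82,000 of justified cost against a fix of at least $100,000.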


Table B.1  GE plants

Condition                               Case 1          Case 2          Case 3
Overfill frequency (events/year)        3.38 x 10^-3    14.5 x 10^-3*   14.5 x 10^-3*
MSLB probability (given overfill)       9.5 x 10^-1     1.3 x 10^-1*    9.5 x 10^-3
Risk reduction (man-rem/ry)             3600            2400            157
Cost of proposed design fix             $100K           $100K           $100K
Proposed fix warranted                  Yes             Yes             Yes

* Operating experience data. Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: conditional MSLB probability reduced by 2 orders of magnitude.

Table B.2  W plants

Condition                               Case 1          Case 2          Case 3
Overfill frequency (events/year)        2.7 x 10^-8     2.7 x 10^-8     2.7 x 10^-4
MSLB probability (given overfill)       5.0 x 10^-1     1.3 x 10^-1*    5.0 x 10^-3
Risk reduction (man-rem/ry)             <1.0 x 10^-4    <1.0 x 10^-4    <1.0 x 10^-2
Cost of proposed design fix             N/A             N/A             N/A
Proposed fix warranted                  No              No              No

* Operating experience data. Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: conditional MSLB probability reduced by 2 orders of magnitude and overfill frequency estimate increased by 4 orders of magnitude.

Table B.3  B&W plants

Condition                               Case 1          Case 2          Case 3
Overfill frequency (events/year)        6.0 x 10^-3     2.7 x 10^-2*    2.7 x 10^-2*
MSLB probability (given overfill)       9.5 x 10^-1     1.3 x 10^-1*    1.3 x 10^-3
Risk reduction (man-rem/ry)             1340 to 1170    818 to 696      7.8 to 6.7
Cost of proposed design fix             $100K to $600K  $100K to $600K  $100K to $600K
Proposed fix warranted                  Yes             Yes             No

* Operating experience data. Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: conditional MSLB probability reduced by 2 orders of magnitude.

Table B.4  CE plants

Condition                               Case 1              Case 2              Case 3
Overfill frequency (events/year)        9.0 x 10^-3 (OF1)   8 x 10^-3 (OF1)*    8 x 10^-3*
                                        4.4 x 10^-4 (OF2)   8 x 10^-3 (OF2)*    8 x 10^-3*
MSLB probability (given overfill)       5.0 x 10^-1         1.3 x 10^-1*        1.3 x 10^-3
Risk reduction (man-rem/ry)             570                 248                 2.48
Cost of proposed design fix             $100K               $100K               $100K
Proposed fix warranted                  Yes                 Yes                 No

* Operating experience data. Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: conditional MSLB probability reduced by 2 orders of magnitude.

APPENDIX C  CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATION FOR PROPOSED RESOLUTION OF USI A-47

As part of the resolution of USI A-47, "Safety Implications of Control Systems," the staff investigated control system failures that have occurred, or are postulated to occur, in nuclear power plants. The staff concluded that plant transients resulting from control system failures can be adequately mitigated by the operator, provided that the control system failures do not also compromise operation of the minimum number of protection system channels required to trip the reactor and initiate safety systems. A number of plant-specific designs have been identified, however, that do not provide adequate protection from transients leading to reactor core overheating or reactor vessel or steam generator overfill.

Reactor vessel or steam generator overfill can affect the safety of the plant in several ways. The more-severe scenarios could potentially lead to a steamline break and a steam generator tube rupture. The basis for this concern is the following: (1) the increased dead weight and potential seismic loads placed on the main steamline and its supports should the main steamline be flooded; (2) the loads placed on the main steamlines as a result of the potential for rapid collapse of steam voids resulting in water hammer; (3) the potential for secondary safety valves sticking open following discharge of water or two-phase flow; (4) the potential inoperability of the main steamline isolation valves (MSIVs), main turbine stop or bypass valves, feedwater turbine valves, or atmospheric dump valves from the effects of water or two-phase flow; and (5) the potential for rupture of weakened tubes in the once-through steam generator on B&W nuclear steam supply system (NSSS) plants due to tensile loads caused by the rapid thermal shrinkage of the tubes relative to the generator shell. These concerns have not been adequately addressed in plant designs because overfill transients normally have not been analyzed.

To minimize some of the consequences of overfill, early plant designs provided commercial grade protection for tripping the turbine or relied on operator action to control water level manually in the event the normal water-level control system failed. Later designs, including the most recent designs, provide overfill protection which automatically stops main feedwater flow on vessel high-water-level signals. These designs provide various degrees of coincident logic and redundancy to initiate feedwater isolation and to ensure that a single failure would not inhibit isolation. A large number of plants also provide safety grade designs for this protection.

On the basis of the technical studies conducted by the staff and its contractors, the staff has concluded that certain actions should be taken by some plants to improve plant safety. These actions are described in the material that follows.


(1) GE Boiling-Water-Reactor Plants

(a) All GE boiling-water-reactor (BWR) plant designs should provide automatic reactor vessel overfill protection to mitigate main feedwater (MFW) overfeed events. The design for the overfill protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still cause a feedwater pump trip, are considered acceptable failure modes.

Plant designs with no automatic reactor vessel overfill protection should either:

(i) Upgrade their design by providing a commercial grade (or better) MFW isolation system actuated from at least a 1-out-of-1 reactor vessel high-water-level system, or

(ii) Demonstrate that the risk reduction in implementing an automatic overfill protection system is significantly less than the risk reduction estimated utilizing a generic plant. In determining the risk reduction, factors such as low plant power and population density should be considered.

In addition, all plants should also reassess their operating procedures and operator training and modify them if necessary to ensure that the operators can mitigate reactor vessel overfill events that may occur via the condensate booster pumps during reduced-pressure operation of the system.

i

(b) Technical specifications for all BWR plants with main feedwater overfill protection should include provisions to verify periodically the operability of overfill protection and should ensure that automatic overfill protection to mitigate main feedwater overfeed events is operable during power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate limiting conditions for operation (LCOs). These technical specifications should be commensurate with the requirements of existing plant technical specifications for channels that initiate protective actions. Plants that have previously approved technical specifications for surveillance intervals and LCOs for overfill protection are considered acceptable.

t

Designs for Overfill Protection

Several different designs for overfill protection have already been incorporated into a large number of operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.


Group I: Plants that have a safety grade or a commercial grade overfill protection system initiated on a reactor vessel high-water-level signal based on a 2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

This design is acceptable, provided that (1) the overfill protection system is separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems, and that (2) the plant technical specifications include requirements to periodically verify operability of this system and identify the LCOs. Licensees of plants that already have these design features, and whose features have previously been approved by the staff, should state this in their response. No additional staff review will be required for plants that fully conform to these guidelines. Licensees that need to modify their design and/or their technical specifications to conform to these guidelines should also state this in their response and should provide the modified design and/or modified technical specifications for review.

Group II: Plants that have safety grade or commercial grade overfill protection systems initiated on a reactor vessel high-water-level signal based on a 1-out-of-1, 1-out-of-2, or 2-out-of-2 initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

These designs are acceptable provided conditions (1) and (2) stated for Group I are met. Plant designs with a 1-out-of-1 or a 1-out-of-2 trip logic for overfill protection should provide bypass capabilities to prevent feedwater trips during channel functional testing at power operation.

Group III: Plants without automatic overfill protection.

The licensee should provide a design to prevent reactor vessel overfill. The adequacy of the design, or its exclusion, should be justified. The justification should include verification that the overfill protection system is separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but would still cause a feedwater pump trip, are considered acceptable failure modes. The design should be submitted for staff review along with the appropriately modified proposed technical specifications.
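The groups above, the footnotes to Table A1, and alternative (7) in Appendix A all turn on two quantities of a voting logic: the probability that it fails to act when it should, and the probability that it acts when it should not. The Python block below is an added example, not code from the report or from any vendor, that computes both for the initiating logics named on this page (1-out-of-1, 1-out-of-2, 2-out-of-2, 2-out-of-3, 2-out-of-4 and 1-out-of-2 taken twice) from assumed, illustrative per-channel figures q (fail to act on demand) and s (spurious actuation), treating channels as independent. It also shows why the groups insist on a separate power source: a supply shared by every channel defeats them all at once, so 2-out-of-3 on a common supply is bounded below by the supply's own loss probability.

```python
"""k-out-of-n trip logic: failure on demand versus spurious actuation.

Added example; not code from NUREG-1218.  Models the initiating logics named
in Table A1 and the Appendix C design groups with independent channels that
fail to act on demand with probability q and act spuriously with probability
s (assumed per-demand figures chosen for illustration), and shows the effect
of a power supply shared by all channels.
"""
from math import comb


def _at_least(j_min: int, n: int, p: float) -> float:
    """P(at least j_min of n independent channels are in a state of probability p)."""
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(j_min, n + 1))


def koon_fail_on_demand(k: int, n: int, q: float) -> float:
    """k-out-of-n fails to act when fewer than k channels act, i.e. at least n-k+1 are failed."""
    return _at_least(n - k + 1, n, q)


def koon_spurious(k: int, n: int, s: float) -> float:
    """k-out-of-n acts spuriously when at least k channels act without cause."""
    return _at_least(k, n, s)


def one_of_two_taken_twice_fail(q: float) -> float:
    """Two 1oo2 groups whose outputs are ANDed: fails if either group has both channels failed."""
    return 1 - (1 - q**2) ** 2


def one_of_two_taken_twice_spurious(s: float) -> float:
    """Spurious only if both groups fire; a group fires when either of its channels does."""
    group = 1 - (1 - s) ** 2
    return group**2


LOGICS = {"1oo1": (1, 1), "1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3), "2oo4": (2, 4)}


def compare(q: float, s: float) -> dict:
    """Map logic name -> (P(fail on demand), P(spurious actuation))."""
    out = {name: (koon_fail_on_demand(k, n, q), koon_spurious(k, n, s))
           for name, (k, n) in LOGICS.items()}
    out["1oo2x2"] = (one_of_two_taken_twice_fail(q), one_of_two_taken_twice_spurious(s))
    return out


def with_shared_supply(p_fail_independent: float, p_supply_loss: float) -> float:
    """Channels fed from one supply: loss of that supply (probability p_supply_loss)
    defeats all of them at once, so the voting only helps when the supply survives."""
    return p_supply_loss + (1 - p_supply_loss) * p_fail_independent


if __name__ == "__main__":
    q, s = 1e-2, 1e-2  # assumed per-channel figures, for illustration only
    for name, (pfd, psp) in compare(q, s).items():
        print(f"{name:7} fail-on-demand {pfd:.2e}  spurious {psp:.2e}")
    # Alternative (7): going from 1oo2 to 2oo2 manual switches trades spurious
    # actuation for failure on demand.  Table A1 footnote +++: a common supply
    # bounds the whole trip system from below.
    shared = with_shared_supply(koon_fail_on_demand(2, 3, q), 1e-2)
    print(f"2oo3 on a shared supply {shared:.2e} vs 1oo1 on its own {koon_fail_on_demand(1, 1, q):.2e}")
```

With q = s = 0.01, 1-out-of-2 fails on demand with probability 1 x 10^-4 but trips spuriously with probability about 2 x 10^-2; 2-out-of-2 swaps those two figures, which is the trade alternative (7) declines to make. 2-out-of-3 and 1-out-of-2 taken twice keep both figures between 2 x 10^-4 and 4 x 10^-4. Putting the 2-out-of-3 channels on one supply that fails with probability 0.01 raises the fail-on-demand figure to about 1.03 x 10^-2, worse than a single channel on its own supply.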

(2) Westinghouse-Designed PWR Plants

(a) All Westinghouse plant designs should provide automatic steam generator overfill protection to mitigate MFW overfeed events. The design for the overfill protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still cause the feedwater pumps to trip, are considered acceptable failure modes.


(b) Technical specifications for all Westinghouse plants should include provisions to periodically verify the operability of the MFW overfill protection and ensure that the automatic overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate LCOs. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protective actions. Plants that have previously approved technical specifications for surveillance intervals for overfill protection are considered acceptable.

Designs for Overfill Protection

Several different designs for overfill protection are already provided in most operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have an overfill protection system initiated on a steam generator, high-water-level signal based on a 2-out-of-4 initiating logic which is safety grade or a 2-out-of-3 initiating logic which is safety grade but uses one out of the three channels for both control and protection. The system isolates MFW by closing the MFW isolation valves and tripping the MFW pumps.

The design is acceptable, provided that (1) the overfill protection system is sufficiently separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems, and that (2) the plant technical specifications include requirements to periodically verify operability of this system and identify the LCOs. Licensees of plants that already have these design features and the associated approved technical specifications should state this in their response. No additional staff review will be required for plant designs that conform fully to these guidelines.

Licensees that need to modify their design and/or their technical specifications to conform fully to these guidelines should also state this in their response and provide their modified design and/or modified technical specifications for review.

Group II: Plants with a safety grade or a commercial grade overfill protection system initiated on a steam generator, high-water-level signal based on either a 1-out-of-1, 1-out-of-2, or 2-out-of-2 initiating logic. The system isolates MFW by closing the MFW control valves.

The staff finds that only one early plant falls into this group and, therefore, a risk assessment was not conducted. Considering the successful operating history of the plant regarding overfill transients (i.e., no overfill events have been reported), this design may be found acceptable, provided that (1) justification for the adequacy of the design on a plant-specific basis is provided and (2) technical specifications are modified to include requirements to periodically verify operability of this system and identify the LCOs. As part of the justification, the licensee should include verification that the overfill protection system is separate from the feedwater-control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater-control system, but would still cause a feedwater pump trip are considered acceptable failure modes.

Licensees should provide their justification and their modified technical specifications for staff review.

Group III: Plants without automatic overfill protection.

The licensee should provide a design to prevent steam generator overfill. The adequacy of the design or its exclusion should be justified. The justification should include verification that the overfill protection system is separated from the feedwater-control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater-control system, but would still cause a feedwater pump trip are considered acceptable failure modes. The design should be submitted for staff review along with the appropriately modified proposed technical specifications.

(3) Babcock and Wilcox-Designed PWR Plants

(a) All Babcock and Wilcox plant designs should provide automatic, steam generator, overfill protection to mitigate MFW overfeed events. The design for the overfill protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator, high-water-level signal when required, even if a loss of power, or a loss of ventilation, or a fire in the control portion of the main feedwater control system should occur. Common failure modes that could disable overfill protection and the feedwater-control system, but would still cause a feedwater pump trip, are considered acceptable failure modes.

Plants that are similar to the reference plant design (i.e., Oconee Units 1, 2, and 3) should provide a steam generator, high-water-level, feedwater-isolation system that satisfies the single-failure criterion. An acceptable design would be to provide automatic MFW isolation by either (1) providing an additional system that terminates MFW flow by closing an isolation valve in the line to each steam generator (this system is to be independent from the existing overfill protection which trips the main feedwater pumps on steam generator, high-water level), (2) modifying the existing overfill protection system to preclude undetected failures in the trip system and facilitate online testing, or (3) upgrading the existing overfill protection system to a 2-out-of-4 (or equivalent), high-water-level, trip system that satisfies the single-failure criterion.

(b) Technical specifications for all B&W plants should include provisions to periodically verify the operability of overfill protection and ensure the automatic, main feedwater, overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. Technical specifications should include appropriate LCOs.


Designs for Overfill Protection

Several different designs for overfill protection are already provided on most operating plants. The following discussion identifies the different groups of plant designs and provides guidelines for acceptable designs.

Group I: Plants that provide a safety grade, overfill protection system initiated on a steam generator, high-water-level signal based on either a 2-out-of-3 or a 2-out-of-4 (or equivalent), initiating logic. The system isolates main feedwater (MFW) by (1) closing at least one MFW isolation valve in the MFW line to each steam generator and (2) tripping the MFW pumps.

This design is acceptable, provided that (1) the overfill protection system is sufficiently separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but still trip the feedwater system are considered acceptable failure modes; and (2) the plant technical specifications include requirements to verify operability of this system periodically and identify LCOs. Licensees of plants that already have these design features and the associated approved technical specifications should state this in their response. No additional staff review will be required for plant designs that fully conform to these guidelines. Licensees that need to modify their design and/or modify their technical specifications to conform fully to these guidelines should also state this in their response and provide their modified design and/or modified technical specifications for review.

Group II: Plants that have a commercial grade, overfill protection system initiated on a steam generator, high-water level based on coincident logic that minimizes inadvertent initiation. The system also isolates MFW by tripping the MFW pumps.

This design may be found acceptable, provided that (1) the overfill protection system is sufficiently separate from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems and (2) the design modifications are implemented per the guidelines identified above and that the plant technical specifications include requirements to periodically verify operability of this system and identify LCOs.

Licensees of plants that need to modify their design and/or modify their technical specifications or design to conform fully to these guidelines should state this in their response and provide their modified design and technical specifications for review.

Plant designs that provide additional 1-out-of-1 or a 1-out-of-2, trip logic for overfill protection should provide bypass capabilities to prevent feedwater trips during channel functional testing when at power or during hot-standby operation. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protection actions.
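The coincidence logics discussed for the Westinghouse and B&W groups above (2-out-of-4, 2-out-of-3, 1-out-of-2, 2-out-of-2, 1-out-of-1), the single-failure criterion, the need for a bypass during channel functional testing, and the three separation criteria (power source, cabinet, fire area) can be checked mechanically. The following Python model is an added illustration, not code from NUREG-1218 or from any plant's protection system: the channel state names, the function names, and the sample plant data are assumptions made for this example, and the sample data is constructed, not taken from a real plant.

```python
"""Constructed model of steam generator overfill trip logic.

Added illustration, not code from NUREG-1218: channel state names, function
names and the sample plant data below are assumptions made for this example.
"""
from typing import Dict, List, Sequence, Set

# Each protection channel reports one of these states.  "high" is a genuine
# high-water-level demand; "failed_high" and "failed_low" are single-channel
# failures; "bypassed" is a channel removed from the vote for functional testing.
TRIP_STATES = {"high", "failed_high"}


def votes_trip(channel_states: Sequence[str], m: int) -> bool:
    """m-out-of-n coincidence logic: trip when at least m un-bypassed channels
    demand it.  A bypassed channel counts for nothing, so bypassing one channel
    of 2-out-of-3 logic leaves 2-out-of-2 logic behind for the duration."""
    active = [s for s in channel_states if s != "bypassed"]
    return sum(s in TRIP_STATES for s in active) >= m


def single_failure_analysis(m: int, n: int) -> Dict[str, bool]:
    """Two single-failure properties of m-out-of-n logic with n channels.

    trips_on_demand: a real overfill (every healthy channel reads "high") still
        trips feedwater when any one channel has failed low.
    no_spurious_trip: with no demand, any one channel failing high does not
        trip feedwater by itself.
    """
    trips_on_demand = all(
        votes_trip(["high"] * i + ["failed_low"] + ["high"] * (n - i - 1), m)
        for i in range(n)
    )
    no_spurious_trip = all(
        not votes_trip(["normal"] * i + ["failed_high"] + ["normal"] * (n - i - 1), m)
        for i in range(n)
    )
    return {"trips_on_demand": trips_on_demand, "no_spurious_trip": no_spurious_trip}


def channel_test_trips_plant(m: int, n: int, bypass_under_test: bool) -> bool:
    """Channel functional testing injects a high-level signal into one channel.
    Without a bypass that injected signal is a live vote; with a bypass the
    channel under test is first removed from the vote."""
    states = ["normal"] * n
    states[0] = "bypassed" if bypass_under_test else "high"
    return votes_trip(states, m)


def separation_findings(protection: Dict[str, Set[str]],
                        control: Dict[str, Set[str]]) -> List[str]:
    """Flag dependencies the overfill protection shares with the feedwater
    control system, using the three separation criteria the guidelines repeat:
    power source, cabinet, and fire area (cable routing)."""
    findings = []
    for criterion in ("power_source", "cabinet", "fire_area"):
        shared = protection[criterion] & control[criterion]
        if shared:
            findings.append(f"shared {criterion}: {sorted(shared)}")
    return findings


# Constructed sample plant data (not a real plant): protection and control share
# a cabinet, which the guidelines treat as a separation deficiency.
SAMPLE_PROTECTION = {"power_source": {"vital-bus-A"}, "cabinet": {"C-12"},
                     "fire_area": {"FA-3"}}
SAMPLE_CONTROL = {"power_source": {"instrument-bus-1"}, "cabinet": {"C-12"},
                  "fire_area": {"FA-7"}}


if __name__ == "__main__":
    for m, n in ((2, 4), (2, 3), (2, 2), (1, 2), (1, 1)):
        print(f"{m}-out-of-{n}: {single_failure_analysis(m, n)}, "
              f"test without bypass trips plant: {channel_test_trips_plant(m, n, False)}")
    print("separation findings:", separation_findings(SAMPLE_PROTECTION, SAMPLE_CONTROL))
```

Running the model reproduces the distinctions the guidelines draw: 2-out-of-4 and 2-out-of-3 logic both trip on demand with one channel failed low and stay quiet with one channel failed high, 2-out-of-2 logic cannot tolerate a failed-low channel, and 1-out-of-1 or 1-out-of-2 logic trips the plant as soon as a test signal is injected unless the channel under test is bypassed first, which is why the text asks for bypass capability in those designs.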

Plant designs with no automatic protection to prevent steam generator dryout should upgrade their design and provide an automatic, protection system to prevent steam generator dryout on loss of power to the control system. Automatic initiation of auxiliary feedwater on steam generator, low-water level is considered an acceptable design (the staff believes that only three B&W plants, i.e., Oconee 1, 2, and 3, do not have automatic, auxiliary feedwater initiation on steam generator, low water level).

On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. This event occurred as a result of loss of power to the integrated control system (ICS). Subsequently, the B&W Owners Group initiated a study to reassess all B&W plant designs, including, but not limited to, the ICS and support systems such as power supplies and maintenance. As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated and the results were factored into these requirements.

However, recommended actions for design modifications, for maintenance, and for any changes to operating procedures (if any) developed for the utilities by the B&W Owners Group will be coordinated with the NRC staff and provided separately.

(4) Combustion Engineering-Designed PWR Plants

(a) All Combustion Engineering plants should provide an automatic, steam generator, overfill protection to mitigate main feedwater (MFW), overfeed events. The design for the overfill protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator, high-water-level signal when required, even if a loss of power, or a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common failure modes that could disable overfill protection and the feedwater control system, but would still cause a feedwater pump trip are considered acceptable failure modes.

(b) Technical specifications for all Combustion Engineering plants should include provisions to verify periodically the operability of overfill protection and ensure that automatic, MFW, overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification, and by identifying the LCOs. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protection actions.

(c) All utilities that have plants designed with high pressure-injection, pump-discharge pressures less than or equal to 1275 psi should reassess their emergency procedures and operator training programs and modify them, as needed, to ensure that the operators can handle the full spectrum of possible small-break, loss-of-coolant accident (SBLOCA) scenarios. This may include the need to depressurize the primary system via the atmospheric dump valves or the turbine bypass valves and cool down the plant during some SBLOCA. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown. The procedure should clearly describe any actions the operator is required to perform in the event a loss of instrument air or electric power prevents remote operation of the valves. The use of the pressurizer PORVs to depressurize the plant during an SBLOCA, if needed, and the means to ensure that the RTNDT (reference temperature, nil ductility transition) limits are not compromised should also be clearly described. Seven plants have been identified that have high pressure, injection pump, discharge pressures less than or equal to 1275 psi that may require manual pressure-relief capabilities using the valves to achieve safe shutdown. They are: Calvert Cliffs 1 and 2, Fort Calhoun, Millstone 2, Palisades, and St. Lucie 1 and 2.

Designs for Overfill Protection

CE-designed plants do not provide automatic, steam generator, overfill protection that terminates MFW flow. Therefore, the utility should provide a separate and independent safety grade or commercial grade, steam generator, overfill-protection system that will serve as backup to the existing, feedwater, runback, control system initiated from steam generator, high-water-level sensors. Existing water-level sensors may be used in a 2-out-of-4 initiating logic to isolate MFW flow on a steam generator, high-water-level signal. The utility should submit a proposed design and the associated proposed technical specifications for staff review. The proposed design should ensure that (1) the overfill-protection system is separate from the feedwater-control system so that it is not powered from the same power source, is not located in the same cabinet, and is not routed so that a fire is likely to affect both systems (common-mode failures described above are considered acceptable) and (2) the plant technical specifications include requirements to periodically verify operability of the system and identify the LCOs. The information that should be addressed in the technical specifications is provided above.


BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1218

Title and subtitle: Regulatory Analysis for Proposed Resolution of USI A-47, Safety Implications of Control Systems. Draft Report for Comment

Author: A. J. Szukiewicz

Date report completed: March 1988

Date report issued: April 1988

Performing organization: Division of Engineering, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Sponsoring organization: Same as above

Abstract: This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value impact of alternatives for the resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The NRC staff proposed resolution is based on these analyses and the technical findings and conclusions presented in NUREG-1217. The staff has concluded that certain actions should be taken to improve safety in light-water reactor (LWR) plants. The actions recommended that certain plants upgrade their control systems to preclude reactor vessel/steam generator overfill events and to prevent steam generator dryout, modify their technical specifications to periodically verify operability of these systems, and modify selected emergency procedures to ensure plant safe shutdown following a small-break loss-of-coolant accident.

Key words/descriptors: Unresolved Safety Issue A-47; Control System; Regulatory Analysis

Availability statement: Unlimited

Security classification (this page and report): Unclassified
