ML20154J326

Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants.Technical Findings Related to Unresolved Safety Issue A-47.Draft Report for Comment
ML20154J326
Person / Time
Issue date: 04/30/1988
From: Szukiewicz A
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
REF-GTECI-A-47, REF-GTECI-SY, TASK-A-47, TASK-OR NUREG-1217, NUREG-1217-DRFT, NUREG-1217-DRFT-FC, NUDOCS 8805260301



NUREG-1217 Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants: Technical Findings Related to Unresolved Safety Issue A-47. Draft Report for Comment

U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, A. J. Szukiewicz


NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082

3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

Manuscript Completed: March 1988. Date Published: April 1988. A. J. Szukiewicz, Division of Engineering, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

ABSTRACT

This report summarizes the work performed by the Nuclear Regulatory Commission staff and its contractors, Idaho National Engineering Laboratories (INEL), Oak Ridge National Laboratory (ORNL), and Pacific Northwest Laboratory (PNL), leading to the proposed resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The technical findings and conclusions presented in this document are based on the technical work completed by the contractors. The principal documents that contain the technical findings and conclusions of the contractors for USI A-47 are summarized in Appendix B.

An in-depth evaluation was performed on non-safety grade control systems (see Section 1) that are typically used during normal plant operation on four nuclear steam system (NSS) plants: a General Electric Company (GE) boiling-water reactor (BWR), a 3-loop Westinghouse (W) pressurized-water reactor (PWR) design, a once-through steam generator PWR designed by Babcock and Wilcox Co. (B&W), and a Combustion Engineering (CE) PWR design. A study was also conducted to determine the generic applicability of the results to the class of plants represented by the specific plants analyzed. Generic conclusions were then developed.

Steam generator and reactor vessel overfill events and reactor vessel overcool events were identified as major classes of events having the potential to be more severe than previously analyzed. Specific subtasks of this issue were to study these events to determine the need for preventive and/or mitigating design measures.

The impact of the Rancho Seco event (December 26, 1985), which involved a loss of power to the integrated control system (ICS), is also discussed. This effort is closely coordinated with the USI A-47 effort, but is being evaluated separately by the B&W Owners Group and the NRC staff. Any requirements developed will be imposed independently of USI A-47.

This report describes the technical studies performed by the laboratories, the NRC staff assessment of the results, the generic applicability of the evaluations, and the technical findings resulting from these studies.

NUREG-1217 iii

TABLE OF CONTENTS

ABSTRACT  iii
ACKNOWLEDGEMENTS  ix
ABBREVIATIONS  xi
1 STATEMENT OF THE ISSUE  1-1
2 APPROACH  2-1
2.1 Selection of Plants  2-1
2.2 Limitations and Assumptions of the Study  2-1
2.3 USI A-47 Program Overview  2-3
2.4 Review Procedures  2-5
2.4.1 Criteria Development  2-5
2.4.2 Systems Level Failure Mode and Effects Analyses  2-6
2.4.3 Thermal-Hydraulic Transient Analyses  2-6
2.4.4 Literature Search  2-8
2.4.5 Failure Analyses of Significant Control System Failures  2-8
3 RESULTS OF THE INEL AND ORNL STUDIES  3-1
3.1 Potentially Significant Control System Failure Scenarios  3-1
3.1.1 GE BWR Plant  3-1
3.1.2 W 3-Loop PWR Plant  3-1
3.1.3 B&W PWR Plant  3-2
3.1.4 CE PWR Plant  3-2
3.2 Literature Search  3-3
3.2.1 GE BWR Plants  3-3
3.2.2 W PWR Plants  3-4
3.2.3 B&W PWR Plants  3-4
3.2.4 CE PWR Plants  3-4
4 GENERIC APPLICABILITY  4-1
4.1 GE BWR Plants  4-2
4.1.1 Overfill Events at Power Resulting From Failures in the Reactor Vessel High-Level Feedwater Trip System  4-3
4.1.2 Overfill and Overcool Events During Low-Pressure Startup and Shutdown Operations  4-5
4.2 W PWR Plants  4-6
4.2.1 Overfill Events Resulting From a Sustained Operation of the Auxiliary Feedwater Flow  4-6
4.2.2 Overfill Events Resulting From Failures in the Steam Generator High-Level Feedwater Trip System  4-8
4.2.3 Overcool Events During Hot Shutdown and Full-Power Operation  4-9
4.2.4 Overpressure Events During Low-Temperature and Low-Pressure Shutdown or Startup Operating Conditions  4-11
4.2.5 Control System Failures Aggravating a Steam Generator Tube Rupture Event  4-13
4.3 B&W PWR Plants  4-14
4.3.1 Overfill Events Resulting From Failures in the Steam Generator High-Level Main-Feedwater Trip System  4-14
4.3.2 Overheat Events Resulting From Steam Generator Dryout  4-16
4.4 CE PWR Plants  4-17
4.4.1 Overfill Events Resulting From Operator Errors During a Steam Generator Overfeed Event  4-18
4.4.2 Overheat Events and Possible Pressurized Thermal Shock Events Resulting From Operator Errors During Small-Break Loss-of-Coolant Accidents  4-19
5 SUMMARY AND CONCLUSIONS  5-1
6 REFERENCES  6-1
APPENDIX A: OTHER RELATED STUDIES, PROGRAMS, AND ISSUES
APPENDIX B: SUMMARY OF THE PRINCIPAL DOCUMENTS USED FOR USI A-47 STUDY

LIST OF TABLES

2.1 Control system screening criteria used by INEL to identify potentially significant control system failures on the GE BWR reference plant design  2-10
2.2 Control system screening criteria used by INEL to identify potentially significant control system failures on the W PWR reference plant design  2-11
2.3 Control system screening criteria used by ORNL to identify potentially significant control system failures on the B&W and CE PWR reference plant designs  2-12
3.1 Potentially significant failure scenarios in a representative GE BWR  3-5
3.2 Potentially significant failure scenarios in a representative W PWR  3-7
3.3 Potentially significant failure scenarios in a representative B&W PWR  3-12
3.4 Potentially significant failure scenarios in a representative CE PWR  3-15

ACKNOWLEDGEMENTS

The technical findings relevant to Unresolved Safety Issue A-47, "Safety Implications of Control Systems," which are presented in this report, represent the combined efforts of staffs at the Nuclear Regulatory Commission, INEL - Idaho, ORNL - Tennessee [and ORNL's subcontractor Science Applications Inc. (SAI)], and PNL - Richland, Washington. The following individuals deserve special mention for their participation and contributions:

N. Anderson, NRC/RES
W. Bickford, PNL
S. Bruske, INEL
W. Hodges, NRC/NRR
E. Lantz, NRC/NRR
A. McBride, SAI
C. Ransome, INEL
R. Stone, ORNL

ABBREVIATIONS

ADV atmospheric dump valve
AEOD Office for Analysis and Evaluation of Operational Data
AFW auxiliary feedwater
ATWS anticipated transients without scram
B&W Babcock and Wilcox Co.
BWR boiling-water reactor
CE Combustion Engineering
CFR Code of Federal Regulations
CSF control system failure
CSI core spray injection
CSS core spray system
ECC emergency core cooling
ECCS emergency core cooling system
EFW emergency feedwater
FMEA failure mode and effects analysis
FSAR final safety analysis report
GE General Electric Co.
HPI high pressure injection
IEEE Institute of Electrical and Electronics Engineers
INEL Idaho National Engineering Laboratories
LCO limiting condition for operation
LER licensee event report
LOCA loss-of-coolant accident
LPCI low pressure coolant injection
LTOP low-temperature overpressure
MFW main feedwater
MMS modular modeling system
MSIV main steam isolation valve
MSLB main steam line break
NRC U.S. Nuclear Regulatory Commission
NSS nuclear steam system
NSSS nuclear steam supply system
ORNL Oak Ridge National Laboratory
PNL Pacific Northwest Laboratory
PORV power-operated relief valve
PRA probabilistic risk analysis
PTS pressurized thermal shock
PWR pressurized-water reactor
RCS reactor coolant system
SAI Science Applications Inc.
SAR safety analysis report
SBLOCA small-break LOCA
SGTR steam generator tube rupture
SIAS safety injection actuation signal
SRV safety/relief valve
TBV turbine bypass valve
TMI Three Mile Island
UCLA University of California at Los Angeles
USI Unresolved Safety Issue
W Westinghouse Corp.

1 STATEMENT OF THE ISSUE

Nuclear power plant instrumentation and control systems comprise safety grade protection systems and non-safety grade control systems. The safety grade protection systems are designed to satisfy the general design criteria (GDC) identified in 10 CFR Part 50 and are used to (1) trip the reactor whenever certain specific parameters exceed allowable limits, (2) protect the core from overheating by initiating the emergency core cooling systems, and (3) actuate other safety systems, such as the closure of main steam isolation valves or the opening of the safety or relief valves, to maintain the plant in a safe condition. Non-safety grade control systems are used to maintain a nuclear plant within prescribed pressure and temperature limits during shutdown, startup, and normal power operation. Non-safety grade control systems are not relied on to perform any safety functions during or following postulated accidents. They are used to control plant processes that could have a significant impact on the plant dynamics.

Non-safety grade control systems include, but are not limited to: (1) reactivity control systems, (2) reactor coolant pressure, temperature, level, and flow control systems, and (3) inventory control systems (such as feedwater and borated water controls). In addition, they include secondary system pressure and flow controls (pressurized-water reactor) as well as associated support systems, such as electric, hydraulic, and pneumatic power supply systems. The non-safety grade control systems are not required to be designed to satisfy the GDC.

During the licensing review processes, the NRC performs an audit review on the non-safety grade instrumentation and control systems, on a case-by-case basis.

Although this audit review is not conducted to the same degree as the review of the safety systems, the reviews provide confidence that an adequate degree of separation and independence is provided between these non-safety grade systems and the safety grade protection systems. The audit reviews also provide confidence that misoperation or failure of non-safety grade control systems does not result in transient conditions more severe than conditions assumed in the bounding analyses reported in the plant Safety Analysis Report (SAR).

Events that licensees are required to address are specified in Chapter 15 of the Standard Review Plan (NRC, NUREG-0800). These events include, but are not limited to:

(1) feedwater system malfunctions that result in a decrease or an increase in the feedwater flow (including the loss of normal feedwater flow)

(2) steam pressure regulator malfunctions or failures that result in an increase or a decrease in the steam flow (including the turbine trip event)

(3) spectrum of reactivity addition events

(4) chemical and volume control malfunctions that increase the reactor coolant inventory or decrease the boron concentration

Because non-safety grade control systems are only audited as part of the licensing review, there may exist some potential (which an audit review did not disclose) for accidents or transients developing into more severe events than previously analyzed, if compounded by non-safety grade control system failures.

These system failures or malfunctions may occur independently or as a result of an accident or transient. Concerns have previously been identified [NRC (AEOD), 1980, NUREG-0153] in which a failure or malfunction of the non-safety grade control system can (1) potentially cause a steam generator or reactor vessel to overfill (see AEOD report) or (2) lead to a transient (in pressurized-water reactors) in which the vessel could be subjected to severe overcooling (see NRC, SECY-82-465). In addition, the potential exists for a single failure (such as a loss of power supply, a short circuit, an open circuit, a control sensor failure) or for multiple failures resulting from a common-cause failure to cause a malfunction of one or more control systems which could lead to an undesirable control system response, or could provide misleading information to the plant operator.

The purpose of the Unresolved Safety Issue (USI) A-47 study is to perform a more in-depth review of the non-safety grade control systems and to (1) evaluate the need for modifying control systems in operating reactors, (2) verify the adequacy of current licensing requirements identified in Section 7.7 of the Standard Review Plan (NRC, NUREG-0800), and (3) evaluate the need for additional guidelines and criteria to ensure that non-safety grade control system failures do not pose unacceptable public risk. To this end, tasks were established to identify control systems whose failure could (1) cause transients or accidents to be potentially more severe than those identified in the final safety analysis report (FSAR) and previously analyzed, (2) adversely affect any assumed or anticipated operator action during the course of transients or accidents, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents to occur at a frequency in excess of those established for abnormal operational transients and design-basis accidents.

It should be noted that the focus of the USI A-47 review was directed to identify and evaluate control system failures that could cause transients or accidents to be potentially more severe than those identified in the FSAR. Control system failure-induced transients that were bounded by the FSAR analysis were not considered significant failures for this review. These transients were evaluated, but if they were determined to be adequately mitigated by safety grade systems, or if sufficient time was available for the transients to be mitigated by subsequent operator action without exceeding the bounding analyses, they were not considered to pose an important risk to public health and safety.

Because control systems are an integral part of plant operations, failures in these systems have historically caused plants to shut down or to actuate safety systems. Challenges to the safety systems could represent a small but potentially significant fraction of the overall plant risk. This fact has been demonstrated in plant probabilistic risk assessments that have been performed to date. As a result of plant-specific analyses that have exposed unique vulnerabilities to severe accidents, some plants have modified their designs.

Generally, undesirable contributions to risk have been reduced to acceptable levels by changing procedures or modifying designs. The Commission plans to formulate an integrated systematic approach to examine the design of each nuclear power plant now operating or under construction for significant risk contributors. Once NRC and the nuclear industry have developed a method of analysis, every nuclear power plant that has not yet been appropriately examined will be studied, and any changes that are needed will be made to ensure that there is no excessive risk to public health and safety (NRC, NUREG-1070).

The section that follows, "Approach," describes (1) the approach used to review non-safety grade control systems, (2) the limitations and assumptions made, and (3) the methods developed and the activities performed. Section 3 describes the results of the individual plant reviews and identifies the control system failure scenarios determined to be potentially safety significant. Section 4 discusses the generic applicability of the plant-specific reviews of the reference plants, Section 5 presents the staff's conclusions, and Section 6 lists the references cited in this report. Appendix A provides a summary of other NRC and industry studies, programs, and issues related to USI A-47. In Appendix B, the principal documents underlying the proposed resolution of USI A-47 are summarized.


2 APPROACH

2.1 Selection of Plants

Three pressurized-water reactor (PWR) plant designs and one boiling-water reactor (BWR) plant design were selected for the review of non-safety grade control systems. These reference plants are specific designs from each of the four major nuclear steam supply system (NSSS) suppliers: Babcock and Wilcox Co. (B&W), Westinghouse Corp. (W), Combustion Engineering Co. (CE), and General Electric Co. (GE). A major factor in the selection of the reference plants was the quality and quantity of plant-specific design information available to the NRC staff. In addition, the three PWR designs were already being evaluated in the study of USI A-49, "Pressurized Thermal Shock," and a significant amount of information obtained in that study could be utilized. The BWR plant was selected because a considerable amount of design information was available from other NRC projects. Also, an existing thermal-hydraulic computer model was available for this plant.

The reference plant designs were reviewed by two national laboratories. Two of the PWR plants, representing B&W and CE designs, were evaluated by Oak Ridge National Laboratory (ORNL) [NRC, NUREG/CR-4047, -4265 (Vols. 1 & 2), -4449]. The other two plant designs, a GE BWR and a W PWR design, were evaluated by Idaho National Engineering Laboratory (INEL) [NRC, NUREG/CR-4262 (Vols. 1 & 2), -4326 (Vols. 1 & 2)]. The risk analyses for potentially significant control system failures were performed by Pacific Northwest Laboratory (PNL) (NRC, NUREG/CR-4387, -4385, -4386, -3958). Appendix B summarizes the content of the principal documents used for this review.

2.2 Limitations and Assumptions of the Study

To perform a systematic review of control system failures, it quickly became evident that the scope of the review had to be confined. The type of events and the type, number, and combinations of possible control system failures were therefore limited. In order to limit the review to a manageable level, limitations and assumptions had to be made. These limitations and assumptions and their bases are discussed below.

(1) Non-safety grade control system failures would not cause simultaneous failure of both redundant trains of safety grade protection systems. This assumption implies that a minimum number of safety grade protection systems would be available for (a) actuation of the reactor trip system, (b) actuation of the overpressure protection system, and (c) initiation of the minimum number of required emergency core cooling (ECC) systems, if needed during a control system failure transient. This assumption is considered valid on the basis that adequate separation and independence is required to be provided between the non-safety grade control systems and the safety grade protection systems. Independence is provided by verifiable isolation devices located between safety grade and non-safety grade systems and/or by physically locating the safety systems in separate areas and routing the electrical cables in separate raceways throughout the plant. The staff audits the safety grade systems (audit reviews) as part of the licensing review process to ensure that an adequate degree of separation and independence has been provided. Also, as part of the A-47 program, a literature search was conducted to review the operating history of control system failures. The purpose of the review, in part, was to identify any control system failures that could cause a failure in both safety grade protection systems. The staff's review (see Section 3.2 of this report) did not identify any such failures. In addition, as part of the USI A-17 systems interactions program, spatial interactions between safety grade systems and non-safety grade systems were considered. Any identified interactions between safety grade systems and non-safety grade control systems were evaluated.

(2) External events such as earthquakes, floods, fires, and sabotage have not been considered in this study. Multiple control system failures were evaluated to assess some effects of common-cause failures on the plant. However, the review was limited to a selected number of control system failure combinations. Not all control system failures that could occur as a result of these external events were reviewed in detail. An attempt was made to select those failure scenarios that would bound the dynamic effects of a number of control system failures. System failures were evaluated for automatic and manual modes of operation and at different reactor power levels that included low-, intermediate-, and full-power operation.

It should be noted that evaluations by the staff and the utilities have been performed to assess the plant's ability to achieve safe shutdown during these external events. Fire protection reviews for all operating plants have also been performed to assure conformance to 10 CFR Part 50 Appendix R and to evaluate the plant's ability to cope with fires and flooding in different cable trays as well as in different areas of the plant. These reviews evaluated the effects of fires and flooding in control grade as well as protection grade equipment.

Also, as part of the USI A-46 activities, control grade and protection grade equipment are evaluated to assess their seismic ruggedness and assure that plants have the ability to achieve safe shutdown after a design-basis seismic event (see item 2 in Appendix A to this report).

(3) Operator errors of omission or commission were not addressed in this review. Operating procedures for the important transients were reviewed. An assessment was made to determine whether operating procedures (to mitigate the transients of concern) were written so that the operator could accomplish the task in the time allowed. An evaluation was also performed to determine whether there was sufficient information (i.e., alarms and/or indications) available in the control room for the operator to assess the conditions in the plant at the time of the event. In some cases, early recognition of transients was necessary. Given early recognition, there were actions that the operator could take to mitigate these events. For the purposes of developing the failure scenarios and analyzing resulting transients on the plant model, two of the four reviews assumed no operator action for the first 10 minutes of the transient. The other plant reviews evaluated operator action on the basis of available time for action during each transient. For the risk analysis phase evaluating the core-melt frequency, operator action for all plants reviewed was determined on the basis of available time for action during each significant transient identified.

(4) Transients resulting from control system failures during limiting conditions for operation (LCOs) (for example, systems deliberately disabled for a short time for testing and/or maintenance) were not considered in the review.

(5) The processes used to modify and to maintain control systems were not considered in this review.

(6) Anticipated transients without scram (ATWS) were not considered in the review. A separate generic study (NRC, NUREG-0460) was conducted to address this issue. On July 26, 1984, Title 10 of the Code of Federal Regulations (CFR) was amended to include Section 50.62 (ATWS Rule), which requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

(7) Control system failures that could lead to failures of liquid tanks located outside containment and to fuel handling accidents (for example, spent fuel or accidents involving waste disposal systems) were not considered in this review. These systems do not usually interface with control systems that are used during normal plant operations.

(8) Individual utilities had to address IE Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation," and to modify their plants appropriately in order to ensure that the operator would be able to achieve cold shutdown conditions after a loss of power of a single bus to instrumentation and controls in systems used in attaining cold shutdown. A reevaluation of IE Bulletin 79-27 regarding the consequences of a loss of power to the instrumentation and control systems is currently being performed for all B&W-designed operating plants (see item 5 in Appendix A to this report).

(9) The items of NUREG-0737, "Clarification of TMI Action Plan Requirements" (November 1980), were implemented or committed to be implemented on individual plant designs, including but not limited to Items II.E.1.1, II.E.1.2, II.K.2.2, II.K.2.9, and II.G.1.

2.3 USI A-47 Program Overview

Figure 2.1 summarizes the A-47 program and identifies that program's major activities. Both INEL and ORNL concentrated on identifying control system failures that could lead to:

(1) steam generator (reactor vessel) overfill events
(2) reactor vessel overcooling events
(3) reactor core overheating events
(4) events or accidents that could be more severe than those previously analyzed in the FSAR

Steam generator and reactor vessel overfill and reactor vessel overcool events have been identified previously as potentially significant transients that could lead to unacceptable consequences. Review of how control system failures contribute to these events was, therefore, a major part of the program. The methodology developed during this phase of the review was then applied to identifying and evaluating control system failures contributing to reactor core overheating events and events or accidents that could be more severe than those previously analyzed in the FSAR.

The goal of the review was to identify the non-safety grade control systems whose failure or misoperation could:

(1) cause transients or accidents identified in the FSAR analysis of the reference plants to be potentially more severe than previously analyzed,
(2) adversely affect any assumed or anticipated operator action during the course of a particular event,
(3) cause technical specification safety limits to be exceeded,
(4) cause transients or accidents to occur at a frequency in excess of the values established for abnormal operational transients and design-basis accidents,
(5) cause frequent challenges to the protection systems.

INEL and ORNL developed similar approaches for evaluating control systems. Each approach consisted of several activities conducted in parallel:

(1) Selection criteria for choosing important systems and important failure sequences were developed.

(2) Failure mode and effects analyses were performed for all control systems in each reference plant to (a) identify systems that had the potential to affect the events of concern (that is, overfill, overcool, overheat, etc.) and (b) identify the failure modes that would aggravate the events.

(3) A literature search was conducted to review the operating history of selected plants and identify system failures that adversely affected plant safety.

(4) Thermal-hydraulic computer models (for each reference plant design) were developed with sufficient detail of the plant systems and control systems design to simulate the dynamic responses of the plant during transient conditions.

(5) Analysis was verified by comparing selected transient response calculations with actual plant data and other independent analyses using accepted and verified codes.

Credible combinations as well as some highly unlikely failure combinations of systems were analyzed to identify important control system failure sequences and to evaluate their consequences. Non-safety grade control system failures were evaluated for automatic and manual modes of operation and at different reactor power levels (low, intermediate, and full power operations) in order to determine the bounding conditions. The sequences that satisfied the selection criteria were analyzed to identify component failures (including component failures in support systems). Failure mechanisms were identified and estimates of failure frequencies were derived from generic failure rate data. Estimates of failure frequencies were also related to specific plant failure data when available.

Safety-significant control system failures identified by INEL and ORNL are described in Section 3.

PNL performed a probabilistic risk analysis on all significant failure sequences that were identified. The importance of these sequences was determined according to their expected contribution to risk.

For the more risk-significant failure sequences, plant modifications were evaluated and the potential risk reduction and cost for these modifications were estimated. A typical steamline configuration was analyzed (insofar as stress is concerned) to evaluate the dynamic effects of overfill events. These studies were performed by INEL through subcontracts with CREARE R&D Inc.

Evaluations were made to assess the generic applicability of the review. This review was conducted in two steps: (1) assessing whether the thermal-hydraulic characteristics of different plants (of the same vendor) were similar to those of the reference plants and (2) assessing whether the control and safety systems of different plants (of the same vendor) are sufficiently similar.

2.4 Review Procedures

Similar methods and procedures were employed by INEL and ORNL to review the control systems. Differences were noted in the initiating mechanisms for each type of transient evaluated, and in the number of control system failure combinations analyzed. These differences are attributed to the collective judgments made by the reviewers conducting the evaluations at each laboratory and the iterative process used to select the failure scenarios. These procedural differences are not significant.

2.4.1 Criteria Development

The following events for BWRs and PWRs were considered in identifying potentially significant control systems. These events were selected using the collective experience and judgment of the NRC staff and its consultants. Control systems whose failure could contribute to the listed events were identified by performing systems level failure mode and effects analyses (FMEAs) and were selected for detailed review as described in the following sections.

(1) BWR Events
    (a) reactor coolant inventory increases and decreases
    (b) reactor heat removal increase
    (c) reactor vessel pressure increase
    (d) reactor core positive reactivity increase
    (e) reactor core recirculation flow increase and decrease

(2) PWR Events
    (a) steam generator inventory increase and decrease
    (b) increase and decrease in heat removal by the secondary system
    (c) reactivity and power distribution anomalies
    (d) decrease in reactor coolant system flow rate
    (e) reactor coolant system inventory increase and decrease

Tables 2.1, 2.2, and 2.3 identify the screening criteria used by INEL and ORNL to identify potentially significant control systems.

2.4.2 Systems Level Failure Mode and Effects Analyses

A systems level FMEA was performed on all major plant systems for each reference plant design to identify systems and their failure modes that could potentially cause or contribute to the events listed above [Section 2.4.1(1) and (2)]. Systems that did not contribute to these events were deleted from further review. During this stage of review, non-safety grade systems as well as safety grade systems were addressed. A broad interpretation of the criteria (Tables 2.1, 2.2, and 2.3) was applied during the selection process to ensure that all systems that could contribute to the events of concern were identified, regardless of their relative effect. The effects of the failure of support systems (i.e., loss of air and loss of power supply, etc.) were also considered in this phase of the review.

2.4.3 Thermal-Hydraulic Transient Analyses

Thermal-hydraulic transient analyses were conducted using computer models developed for each of the reference plant designs.

Computer models included the nuclear steam supply systems, the balance of plant systems, the safety grade reactor protection systems, and the major non-safety-grade control systems designed to control pressure, temperature, flow, and flux.

The control logic necessary to automatically actuate the safety grade and control-grade protection systems and/or components was included.

For the INEL analysis, RELAP5/MOD1.6 was used for both the GE and the W reference plant designs.

For the ORNL analysis, the computer model used for the B&W reference plant consisted of an analog model of the integrated control system coupled to a digital thermal-hydraulic model of the major reactor components and systems. This hybrid model (NRC, NUREG/CR-4449) utilized a number of different codes to model the various components and subsystems in the design. The codes most widely utilized were the RETRAN and RELAP codes.

For the CE reference plant design review, ORNL utilized the following plant models:

(1) a RETRAN model of Calvert Cliffs Nuclear Power Plant, Unit 1 [developed principally by CE for the Baltimore Gas and Electric Company and modified by ORNL (NRC, NUREG/CR-4758) to include the necessary control and balance of plant system designs], and

(2) a modular modeling system (MMS) computer code adapted to the Calvert Cliffs design.

The MMS model was developed as a backup in the event the RETRAN model might not be available. Subsequently, it was used for several transient simulations but was not needed for the design review.

Control system failures identified during the FMEA were represented in the thermal-hydraulic analysis. Single failures as well as multiple failures of systems such as loss of power to the control systems were evaluated to assess their effect on the transient behavior of the plant. It was not necessary in all cases to use the thermal-hydraulic model to evaluate the effects of every system failure identified by the FMEA. Engineering judgment limited the number and kind of transients that were performed. Selection of the type and number of system failures evaluated was an iterative process. That is, the selection of system failures was highly dependent on the results of previous analyses.

In selecting credible single-failure and multiple-failure scenarios for analysis, engineering judgment prevailed. In some cases (more extensively in the reviews of the GE and the W designs), highly unlikely combinations of multiple failures were selected for analysis. These combinations were chosen to select system failure combinations that could have the most significant effect on the events of concern. If these selected multiple failures resulted in acceptable plant transients, many other (less severe) failure combinations could be eliminated from consideration. They were also selected to assess the effects of potential common mode failures of the more important systems.

If unlikely failure combinations resulted in significant plant transients, the failure modes were then analyzed to determine how credible these failure combinations were and to estimate the frequency of such failures.

Combinations of system failures under various normal plant conditions (i.e., startup, shutdown, and power operation) and accident conditions were analyzed. Failures that were considered for selecting worst-case or bounding transients included the following:

(1) single and multiple failures of safety grade protection systems (evaluated only on GE and W designs)

Some single failures in safety grade protection systems could produce more severe transients than those caused by combined failures of various non-safety grade control systems. In many cases, including the effects of safety grade protection failures bounded the effects of a number of non-safety grade control system failure combinations and therefore minimized the number of non-safety-system failure combinations that needed to be analyzed by computer simulation.

(2) single failures of non-safety grade systems

(3) multiple dependent failures of safety grade protection systems and non-safety grade systems resulting from a single event such as loss of a support system

(4) multiple independent system failures

Loss of ac and dc electric power supply systems and air systems were considered in the review. When multiple control system failures were identified that could occur as a result of a loss of a single electrical bus or a single air supply system or common sensing lines, they were analyzed. For certain systems, if it was not apparent from the available information whether or not they could fail simultaneously as a result of loss of power, multiple (dependent) failures were postulated. If these failures resulted in significant plant transients, the failure modes would then be analyzed to determine if these failures were credible.

For certain events, multiple independent failures of non-safety grade systems (and safety grade systems for the GE and the W review) were also evaluated.

These analyses were performed in part to verify the dynamic plant response to failures that were assumed in the FSAR analysis (that is, a single failure of a safety grade system concurrent with loss of a single non-safety grade system) and in part to assess combinations of control system failures that might occur on other plants as a result of a common-cause failure resulting from unique design configurations. The number of control system failure combinations that were analyzed was minimized by selecting only those combinations that would have the greatest impact on plant parameters (i.e., flow, pressure, level, etc.).

These combinations were judged to be the "worst case" scenarios. If these combinations resulted in acceptable plant transients, other (less severe) failure combinations could be eliminated from consideration.
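The dependent-failure case that Section 2.4.3 singles out (several channels fed from a common sensing line, the first failure mechanism Table 3.1 lists for overfill event #1) is small enough to model directly. The Python below is an added example, not code from NUREG-1217 or from the INEL/ORNL reviews: a 2-out-of-3 high-water-level feedwater trip whose three level channels hang off reference-leg sensing lines. The trip setpoint, the "channel indicates zero after its line ruptures" failure model, the channel-spread alarm threshold and every level value are assumptions constructed for this illustration.

```python
"""2-out-of-3 high-water-level trip with a shared sensing line.

Added example, not from NUREG-1217 or the INEL/ORNL models.  It shows why
a single sensing line common to two channels is treated as a dependent
(common-cause) failure: the voting logic stays sound, but two of its three
inputs are wrong at the same time.  All setpoints and readings below are
constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List

HIGH_LEVEL_TRIP_IN = 55.0   # assumed trip setpoint, inches above reference zero
SPREAD_ALARM_IN = 10.0      # assumed channel-disagreement alarm threshold


@dataclass
class LevelSensor:
    name: str
    sensing_line: str   # reference-leg line that feeds this transmitter

    def read(self, true_level_in: float, ruptured_lines: set) -> float:
        """Indicated level.  Assumed failure model: a ruptured reference leg
        collapses the measured differential pressure, so the channel
        indicates a false low level (zero) regardless of the true level."""
        if self.sensing_line in ruptured_lines:
            return 0.0
        return true_level_in


def two_of_three_trip(readings: Dict[str, float],
                      setpoint: float = HIGH_LEVEL_TRIP_IN) -> bool:
    """Feedwater trip actuates when at least two channels exceed the setpoint."""
    return sum(1 for r in readings.values() if r >= setpoint) >= 2


def channel_spread(readings: Dict[str, float]) -> float:
    """Largest disagreement between any two channels.  Voting alone cannot
    say which pair is right, but a large spread is detectable and alarmable."""
    return max(readings.values()) - min(readings.values())


def build_channels(shared_line: bool) -> List[LevelSensor]:
    # shared_line=True: channels A and B hang off the same reference leg L1.
    lines = ("L1", "L1", "L2") if shared_line else ("L1", "L2", "L3")
    return [LevelSensor(n, line) for n, line in zip("ABC", lines)]


def run_scenario(shared_line: bool, rupture_l1: bool,
                 true_level_in: float = 60.0) -> dict:
    """Evaluate the trip for a vessel level already above the setpoint
    (constructed value 60 in), with or without a rupture of line L1."""
    channels = build_channels(shared_line)
    ruptured = {"L1"} if rupture_l1 else set()
    readings = {c.name: c.read(true_level_in, ruptured) for c in channels}
    return {
        "readings": readings,
        "tripped": two_of_three_trip(readings),
        "spread_alarm": channel_spread(readings) > SPREAD_ALARM_IN,
    }


if __name__ == "__main__":
    for shared, rupture in ((False, False), (False, True), (True, True)):
        r = run_scenario(shared, rupture)
        print(f"shared line={shared!s:5} rupture={rupture!s:5} "
              f"readings={r['readings']} tripped={r['tripped']} "
              f"spread alarm={r['spread_alarm']}")
```

With independent lines, one rupture takes out one channel and the remaining two still trip; with the shared line, channels A and B read low together and the high-level trip never actuates even though the vessel is above the setpoint. The spread check is the defensive hook: it cannot say which pair is right, but it makes the disagreement visible instead of letting the voting logic silently outvote the one correct channel.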

2.4.4 Literature Search

The literature was searched to identify and evaluate transients or accidents initiated by failures related to control and instrument systems. Licensee event reports (LERs) and nuclear plant experience reports were reviewed to identify and select candidate scenarios for transient analysis. Control system failures from these reports were screened to identify those failures that could (a) adversely affect operator actions, (b) result in the actuation of protection systems, (c) cause technical specification safety limits to be exceeded, and (d) cause transients or accidents designated as moderate or infrequent events to occur more frequently than prescribed. Also, the LERs were used to assess if control system failures (shown by analysis not to be a problem on the reference plant) might be of concern on other plants. Data on control and instrument failures from 1969 through 1985 were reviewed by the laboratories. ORNL data were supplemented by additional data provided by the University of California at Los Angeles (UCLA) (Alter, 1983). UCLA staff visited seven plant sites, gathering operating experience and reviewing station records.

2.4.5 Failure Analyses of Significant Control System Failures

Failures that met the selection criteria (refer to Tables 2.1, 2.2, and 2.3) were considered to be safety significant. Analyses were performed to identify the credible failure mechanisms that could cause the events of concern. Probability estimates were also made for each identified failure mechanism, and for the resulting failure scenarios that could cause the events of concern. The results of these reviews are described in Section 3.


[Figure 2.1 is a flowchart; only its box labels are recoverable here: select events of potential safety concern (overfill, overcool, overheat, FSAR design basis accidents, and anticipated operational occurrences); identify control systems that have potential to affect the events of concern; develop plant thermal-hydraulic models; model verification; identify failures in those control systems that would adversely affect or contribute to events of concern; perform literature search of control system failure; develop criteria for selection; select important systems and failure sequences that need to be evaluated in detail; perform thermal-hydraulic transient analysis of consequences of control system failure; determine thermal-hydraulic behavior differences in steamlines from different plant designs for each NSSS; identify failure mechanisms and estimate failure frequency of significant control system failure scenarios; estimate water hammer potential in steamlines from overfill events; develop probability estimates of significant control system failure scenarios; perform probabilistic risk assessment of control system failure scenarios; determine control system differences in different plant designs; determine steamline damage due to overfill; identify possible plant modifications and develop cost estimates; determine differences in steamline configurations; assess generic applicability of the review; develop staff positions.]

Figure 2.1 USI A-47 program overview

Table 2.1 Control system screening criteria used by INEL to identify potentially significant control system failures on the GE BWR reference plant design

(1) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in reactor coolant inventory to the point at which moisture enters the main steamlines, will be selected for a detailed review. For this study, the point of overfill is defined as that level which, if exceeded, could cause significant water to carry over into the main steamlines.

(2) Any control grade system or component failure, either initiating or aggravating, that results in an undesired decrease in reactor vessel inventory beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.

(3) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in heat removal beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review. System failures that could lead to cooldown rates in excess of 100 F in an hour were identified as potentially significant failures during the transient analysis phase of the review.

(4) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in reactor vessel pressure beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.

(5) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase or decrease in reactor core coolant flow beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.

(6) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in positive reactivity beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.

(7) Any control grade system or component failures projected to cause transients identified as incidents of moderate frequency (anticipated operational occurrences) to occur more frequently than once a year, or failures which are projected to cause transients identified as infrequent incidents to occur more than once during the lifetime of a plant, or failures which are projected to cause limiting faults (design-basis accidents) will be selected for a detailed review.

(8) Any control grade system or component failures that would adversely affect any assumed or anticipated operator action or operation of automatic protection systems during the course of a particular event, or that would result in frequent manual or automatic actuation of engineered safety features, including the reactor protection system, or that would result in exceeding any technical specification safety limit, will be selected for a detailed review.

Table 2.2 Control system screening criteria used by INEL to identify potentially significant control system failures on the W PWR reference plant design

(1) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in steam generator water level to the point at which moisture enters the main steamlines, will be selected for a detailed review. For this study, the point of overfill is defined as that level which, if exceeded, could cause significant water to carry over into the main steamlines.

(2) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase or decrease in reactor coolant inventory beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.

(3) Any control grade system or component failure, either initiating or aggravating, that results in an undesired decrease in reactor coolant water temperature beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review. System failures that could lead to cooldown rates in excess of 100 F in an hour were identified as potentially significant failures during the transient analysis phase of the review.

(4) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in nuclear system pressure beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.

(5) Any control grade system or component failure, either initiating or aggravating, that results in an undesired decrease in reactor core coolant flow beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.

(6) Any control grade system or component failure, either initiating or aggravating, that results in an undesired increase in positive reactivity beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.

(7) Any control grade system or component failure, aggravating a steam generator tube rupture causing a release of radioactive material to the atmosphere greater than the FSAR analysis calculated, will be selected for a detailed review.

(8) Any control grade system or component failures projected to cause transients identified as incidents of moderate frequency (anticipated operational occurrences) to occur more frequently than once a year, or failures which are projected to cause transients identified as infrequent incidents to occur more than once during the lifetime of a plant, or failures which are projected to cause limiting faults (design-basis accidents) will be selected for a detailed review.

(9) Any control grade system or component failures that would adversely affect any assumed or anticipated operator action during the course of a particular event, or that would result in frequent manual or automatic actuation of engineered safety features, including the reactor protection system, or that would result in exceeding any technical specification safety limit, will be selected for a detailed review.

Table 2.3 Control system screening criteria used by ORNL to identify potentially significant control system failures on the B&W and CE PWR reference plant designs

(1) Identify nuclear plant systems with potential to initiate or aggravate overfilling the steam generator. Such systems would be those whose failure or misoperation can introduce feedwater in amounts sufficient to fill the steam generator to the degree that water enters the steam lines.

(2) Identify nuclear plant systems with the potential to initiate or aggravate overcooling the primary system. Such systems would be those whose failure or misoperation can lead to uncontrolled primary heat removal at rates greater than the rate of heat production to the extent where safety limits are challenged. System failures that lead to extended cooldown rates in excess of 100 F in an hour were identified as potentially significant failures during the transient analysis phase of the review.

(3) Identify nuclear plant systems with potential to initiate or aggravate core damage through overheating.

(4) Identify nuclear plant systems with potential to degrade the performance of safety systems.

3 RESULTS OF THE INEL AND ORNL STUDIES

3.1 Potentially Significant Control System Failure Scenarios

Using the methods and screening criteria described in Section 2, potentially significant control system failure scenarios were identified for each reference plant design. The results are summarized in the following sections.

3.1.1 GE BWR Plant

Three failure scenarios that could lead to reactor vessel overfill events were identified (NRC, NUREG/CR-4262, Vols. 1 & 2). Two of the three failure scenarios could also lead to overcool events during low pressure startup or shutdown operation. All other failure scenarios that were identified were determined to be bounded by the plant FSAR analyses.

For these events, an assumption was made that no operator action would be initiated for the first 10 minutes following any postulated failure. This guideline applies to operator response to a specific failure regardless of the time at which the failure occurs during the course of an event.

The onset of overfill was predicted to occur very quickly (i.e., between 20 and 300 seconds into the event). The reactor vessel was assumed to overfill when moisture enters the main steamlines and is sustained. Moisture carryover was defined as a significant change in steam quality and was indicated by the steamline vapor void fraction and the downcomer water level. The transient analyses were terminated after the vapor void fraction in the steamline continued to decrease at a steady rate, indicating that more water was entrained in the steam.

Transients that resulted in the downcomer fluid temperature decreasing at a steady rate greater than 100 F in an hour were defined as overcool transients.
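Both indicators just defined (a steadily falling steamline void fraction for overfill, a downcomer cooldown faster than 100 F in an hour for overcool; the same cooldown limit is criterion (3) of Tables 2.1 and 2.2 and criterion (2) of Table 2.3) can be checked mechanically on a transient trace. The Python below is an added example and not code from NUREG-1217 or from the RELAP5 analyses it describes; the void-fraction slope that counts as a "steady" decrease, the 30-second sustain window and the sample trace are assumptions constructed for this illustration.

```python
"""Overfill / overcool onset detection on a transient trace.

Added example, not from NUREG-1217 or the INEL RELAP5 analyses.  It applies
the report's two indicators: overfill = steamline vapor void fraction
falling at a steady rate (moisture carryover), overcool = downcomer fluid
temperature falling faster than 100 F per hour.  The void-fraction slope
threshold, the sustain window and the trace itself are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

OVERCOOL_LIMIT_F_PER_HR = 100.0   # from Section 3.1.1 and Tables 2.1-2.3
VOID_SLOPE_LIMIT_PER_S = -0.02    # assumed: "steady decrease" = at least 2 %/s
SUSTAIN_S = 30.0                  # assumed: trend must persist this long


@dataclass
class Sample:
    t_s: float           # seconds into the event
    void_frac: float     # steamline vapor void fraction (1.0 = dry steam)
    downcomer_f: float   # downcomer fluid temperature, deg F


def first_sustained_decrease(samples: List[Sample], attr: str,
                             slope_limit: float, window_s: float) -> Optional[float]:
    """Time at which `attr` first falls at or below `slope_limit` (a negative
    rate per second) and keeps doing so for `window_s` seconds; None if never.
    A brief dip that recovers before the window elapses resets the check."""
    start = None
    for prev, cur in zip(samples, samples[1:]):
        slope = (getattr(cur, attr) - getattr(prev, attr)) / (cur.t_s - prev.t_s)
        if slope <= slope_limit:
            start = prev.t_s if start is None else start
            if cur.t_s - start >= window_s:
                return start
        else:
            start = None
    return None


def overfill_onset(samples: List[Sample]) -> Optional[float]:
    return first_sustained_decrease(samples, "void_frac", VOID_SLOPE_LIMIT_PER_S, SUSTAIN_S)


def overcool_onset(samples: List[Sample]) -> Optional[float]:
    limit_per_s = -OVERCOOL_LIMIT_F_PER_HR / 3600.0   # 100 F/hr as a negative F/s rate
    return first_sustained_decrease(samples, "downcomer_f", limit_per_s, SUSTAIN_S)


def constructed_trace() -> List[Sample]:
    """Constructed 10-second samples, not plant or RELAP5 output: a short
    temperature dip at 20-30 s (must be ignored), a sustained cooldown of
    0.05 F/s (180 F/hr) from 60 s, and moisture carryover from 120 s."""
    samples, void, temp = [], 1.0, 540.0
    for t in range(0, 310, 10):
        if t == 20:
            temp -= 1.0
        if t == 30:
            temp += 1.0
        if t > 60:
            temp -= 0.5
        if t > 120:
            void = max(0.0, void - 0.3)
        samples.append(Sample(float(t), void, temp))
    return samples


if __name__ == "__main__":
    trace = constructed_trace()
    print("overcool onset (s):", overcool_onset(trace))
    print("overfill onset (s):", overfill_onset(trace))
```

The sustain window is what separates a real overcool from a momentary dip: the 1 F drop at 20 s exceeds the rate limit for one interval but recovers, so the detector resets and reports the onset at 60 s, when the 180 F/hr cooldown begins; the overfill onset is reported at 120 s, when the void fraction starts its steady decline.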

Table 3.1 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes failure probabilities of control system failure sequences initiating the events of concern.

3.1.2 W 3-Loop PWR Plant

Eight failure scenarios were identified that could potentially lead to undesirable events (NRC, NUREG/CR-4326, Vols. 1 & 2). Two of these scenarios were identified as contributors to overfill events, two other scenarios contributed to overcool events, and two contributed to reactor coolant system overpressure events. The remaining two failure scenarios contributed to a radiation release during a steam generator tube rupture event, by causing greater break flow conditions than were assumed in the FSAR accident analysis.

Transient studies showed that the limiting mode of operation for one of the two identified overcool transients occurred during hot shutdown conditions. The two overpressure transients occurred during cold shutdown operation, and one of the overfill transients occurred during low power operations. For the other failure scenarios, mid-range to full power operation produced more rapid and severe transients.


For these events, an assumption was made that no operator action was initiated for the first 10 minutes following any postulated failure. This guideline applies to operator response to a specific failure regardless of the time at which the failure occurs during the course of the event.

Results of the thermal-hydraulic transient analysis indicated that:

(1) The onset of overfill (via the main feedwater system) could occur very quickly (between 20 and 205 seconds).

(2) Plant cooldown transients reached cooldowns of 100 F within 125 to 230 seconds.

(3) Overpressure limits (10 CFR 50, Appendix G curves) can be exceeded in 15 to 162 seconds.

Table 3.2 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes the failure probabilities of control system failure sequences initiating the events of concern.

3.1.3 B&W PWR Plant

Three potentially safety-significant failure scenarios were identified (NRC, NUREG/CR-4047, -4449). One leads to a steam generator overfill event and two lead to a reactor core overheating event. The analysis indicates that the onset of overfill associated with main feedwater flow can occur very quickly (i.e., approximately 3 minutes) at power levels between 50% and 100% when both feedwater pumps are in operation. Overfill events associated with the auxiliary feedwater system and the startup feedwater system were predicted to occur at a much slower rate, so that the operator would be expected to have sufficient time to identify the event and terminate the flow before overfill conditions could occur. The onset of overfill was determined by a very low vapor void fraction fluid entering the steam generator downcomer and main steamlines. This guideline was similar to that discussed in Section 3.1.1 for the BWR review.

For the overheat events, it was predicted that the core could be severely damaged if the operator did not take proper corrective action within 30 to 60 minutes.

Other control system failure scenarios were identified in NUREG/CR-4047 and NUREG/CR-4449, but were determined to be either bounded by transients or accidents analyzed in the FSAR, or it was determined that the operator would have sufficient time to terminate the event before it became a safety-significant event; therefore they are not discussed here. Table 3.3 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes failure probabilities of control system failure sequences initiating or contributing to the events of concern.

3.1.4 CE PWR Plant

Four potentially safety-significant failure scenarios were identified (NRC, NUREG/CR-4265). Two lead to overfilling the steam generator vessel via the main feedwater system; one leads to overheating the reactor core; and one overcooling event could lead to a possible pressurized thermal shock event in a plant with a vulnerable pressure vessel. Two categories of such overfill events were investigated: rapid and slow. Slow overfeed transients occur via the feedwater bypass valves after the main feedwater regulating valves are closed and were not considered safety significant because of the long time it took to overfill. Overfill with main feedwater systems was predicted to occur very quickly (that is, onset of overfill could occur in 2 minutes). Onset of overfill was assumed when low quality steam entered the main steamlines. This guideline is similar to that discussed in Section 3.1.1 for the BWR review.

For the other two failure scenarios, the analysis indicated that for a very narrow range of break sizes of small-break LOCA (SBLOCA) events, overheating of the core or possible pressurized thermal shock can occur if the operator fails to take the plant to safe-shutdown conditions. Other failure scenarios were identified in NUREG/CR-4265 but were determined to be bounded by the events analyzed in the FSAR accident analysis, or it was determined that the operator would have sufficient time to terminate the event. Therefore they are not discussed here.

Table 3.4 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes failure probabilities of control system failure sequences initiating or contributing to events of concern.

3.2 Literature Search

Licensee event reports (LERs) and nuclear plant experience reports were reviewed to identify control system failures that could (1) adversely affect operator actions, (2) result in the actuation of protection systems, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents designated as moderate or infrequent events to occur more frequently than described. Data on control and instrument failures from 1969 through early 1985 were reviewed. The following sections summarize that review and the conclusions.

3.2.1 GE BWR Plants

The literature review for BWR plants evaluated all reported control system failure events for the Browns Ferry Nuclear Power Station, Units 1, 2, and 3, during a 3 year period (1980 through 1982). This review was expanded to include all other BWR plants for the same period. The data were further expanded to include potentially significant events occurring as early as 1970 (NRC, NUREG/CR-4262, Vols. 1 & 2).

Review of the operating experience did not identify any control system failures that satisfied the above criteria.

Three reactor overfill events did occur in the early 1970s. Two occurred at Dresden Nuclear Power Station, Units 2 and 3, and one at Nine Mile Point Nuclear Station, Unit 1. At the time of these events, the design did not provide a high reactor vessel level feedwater trip system. A trip system was later incorporated.

Four overcooling events were also identified [Edwin I. Hatch Nuclear Plant, Unit 2 (1978); Brunswick Steam Electric Plant, Unit 1 (1977); Peach Bottom Atomic Power Station, Unit 3 (1979); and Cooper Nuclear Station (1980)]. These events were used as precursors to the transients evaluated in the plant model.

3.2.2 W PWR Plants

A similar review of the W PWR plants was conducted for the same 3 year period, i.e., 1980 to 1982 (NRC, NUREG/CR-4326, Vols. 1 & 2). The review included the reference plant and five other W PWR plants. The review did not identify any control system failures that satisfied the criteria stated above.

3.2.3 B&W PWR Plants

A review of the operating experience was conducted for the reference plant and all other B&W PWR plants (NRC, NUREG/CR-4047). The period ranged from January 1975 through early 1985. On the basis of this review, there were no abnormal events at the reference plant that led to potentially severe accidents or unsafe conditions. One steam generator overfill event occurred at Oconee Nuclear Station, Unit 3, in 1981.

The operating history data on other B&W PWR plants revealed the following:

(1) Two steam generator overfill events occurred at Rancho Seco Nuclear Generating Station, Unit 1 (March 1978 and December 1985).

(2) Operator errors could cause violations of technical specifications.

(3) Inadvertent malfunctions occurred infrequently.

(4) Unnecessary scrams that challenge the protection system occur. B&W PWR plants have a lower-than-average industry record for the number of scrams (i.e., three per year).

3.2.4 CE PWR Plants

A review similar to the B&W review was conducted for CE PWR plants (NRC, NUREG/CR-4449). A number of steam generator overfeed events were identified; none progressed to an overfill condition. In all cases, the overfeed events were terminated by the control system or by operator action. Maintenance and testing problems resulted in the most frequent challenges to the protection systems. The review did not identify any control system failures that satisfied the criteria stated in Tables 2.1, 2.2, and 2.3.


Table 3.1 Potentially significant failure scenarios in a representative GE BWR

Overfill event #1 (estimated frequency 3.4E-3 events/year*)
  Failure scenario: Failure in the feedwater control system can cause an increase in feedwater flow and disable the feedwater trip system, and the operator fails to trip the feedwater pumps.
  Condition for Operation: 67% full load operation
  Failure mechanisms:
  - A leak or rupture of the primary sensing line common to two of the three reactor vessel water level sensors, causing false low-level signals
  - Common cause failure (e.g., maintenance error) of two of the three reactor vessel level sensors (or sensor circuitry), causing false low-level signals
  - Independent failures of two of the three level sensors (or sensor circuitry) causing false low-level signals
  - A failure in the control circuit that regulates the feedwater pump speed and a second failure of two of the three high-level trips

Overfill event #2** (estimated frequency 2.5E-5 events/year†)
  Failure scenario: Control system failure can cause an increase in the condensate flow and the operator fails to terminate condensate flow.
  Condition for Operation: Low pressure startup or reactor shutdown operation
  Failure mechanisms:
  - A single control system failure can cause any one of the three motor operated feedwater pump discharge valves to open, resulting in full condensate flow
  - A single failure of a startup feedwater low pressure bypass valve (failing open) can cause an increase in the condensate flow rate
  - A single failure of a condenser bypass valve (failing closed) can cause an increase in the condensate flow rate

Overfill event #3** (estimated frequency 1.6E-3 events/year††)
  Failure scenario: Failure in the protection system which results in inadvertent low pressure coolant injection (LPCI) or core spray injection (CSI) and the operator fails to terminate flow.
  Condition for Operation: Low pressure startup or reactor shutdown operation
  Failure mechanisms:
  - Failure in a one-of-two-taken-twice reactor low water level logic circuit
  - Failure in one of the two high drywell pressure logic circuits
  - Common cause failure of two drywell pressure switches (failing closed)
  - Common cause failure of two reactor vessel low water level switches (failing closed)
  - Two independent failures of drywell pressure switches or two independent low reactor water level switches (failing closed)

Footnotes to Table 3.1:
* Includes probability estimate (0.52/demand) that the operator fails to trip the feedwater in time to prevent overfill following a rapid overfeed transient.
** This event can also cause an overcool transient.
† Includes probability estimate (0.3/demand) that the operator fails to trip the condensate flow to prevent overfill.
†† Includes probability estimate (0.4/demand) that the operator fails to trip the LPCIs or CSIs.

Table 3.2 Potentially significant failure scenarios in a representative W PWR

Overfill event #1 (estimated frequency 1E-4 events/year*)
  Failure scenario: A single control system failure can lead to excessive feedwater flow (e.g., overfeed). When the feedwater flow is automatically terminated by the high steam generator level trip system, the auxiliary feedwater system (which is automatically initiated when the main feedwater pumps are tripped) can cause a steam generator overfill condition if the operator does not take proper action to mitigate the transient.
  Condition for Operation: Very-low power operation (i.e., 5% power)
  Failure mechanisms:
  - A false steam generator low-level signal to the feedwater controller could cause overfeed of a steam generator
  - A leak or rupture in the primary sensing line of the controlling steam generator level instrument could cause overfill
  - A single failure could cause the feedwater regulating valve to open and cause an excessive overfeed transient
  - A failure in the steam generator water level controller circuitry could cause a steam generator overfeed transient

Overfill event #2 (estimated frequency 3E-8 events/year**)
  Failure scenario: A control system failure causing an increase in main feedwater flow and a second failure of a high steam generator water level trip system could cause an overfill event if the operator fails to terminate flow.
  Condition for Operation: 67% full-power operation
  Failure mechanisms:
  - A failure in the controlling steam generator level instrument (causing it to indicate low) and a concurrent (or subsequent) second failure of another level channel (sticking or failing as is)
  - A leak or rupture in the primary sensing line of the controlling steam generator level instrument and a second failure of another level channel (sticking or failing as is)
  - A failure in the main feedwater valve (causing it to open) and a failure of two of the three steam generator level instruments (fail in the mid-range position)
  - A failure of a steam generator level controller and a failure of two of the three steam generator water level instruments failing to respond to a high-level condition
  - The controlling steam generator level instrument fails low and the high steam generator water level trip logic circuitry fails to trip the feedwater pumps
  - A leak or rupture of the primary sensing line of the controlling level instrument (causing the sensor to read low) and a failure of the high-level trip logic circuit
  - A failure of a feedwater valve (in the open position) and a failure of the high-level trip logic circuitry
  - Failure of the steam generator water level controller and a failure of the high-level trip logic circuitry

Overcool event #1 (estimated frequency 1.4E-8 events/year†)
  Failure scenario: A failure that results in an inadvertent steam dump operation with the reactor at power (all steam dump valves fail open and the operator fails to initiate block valve).
  Condition for Operation: 102% full-power operation (this failure scenario requires that the reactor trips during the early stage of the transient)
  Failure mechanisms:
  - The Tavg temperature instrument fails high and a second failure in the steam dump valve arming circuit
  - A single failure in the temperature controller and a second failure in the steam dump valve arming circuit

Overcool event #2 (estimated frequency 1E-3 events/year†)
  Failure scenario: Control system failure that results in inadvertent opening of steamline relief valves.
  Condition for Operation: Hot shutdown (Tavg less than 547°F)
  Failure mechanisms:
  - Single failure in the steam dump controller that sends a signal to one or more steam dump valves
  - A single failure in a steam dump valve that results in opening of the valve
  - A single failure in the steam dump controller that sends an open signal to one or more PORV (atmospheric dump valves)
  - A steamline PORV control circuit (or switch) fails

Overpressure event #1 (estimated frequency 2E-8 events/year††)
  Failure scenario: A failure that results in a loss of letdown flow and a loss of pressure relief capability (both PORVs) and the operator fails to terminate the event.
  Condition for Operation: Cold shutdown
  Failure mechanisms:
  - A loss of power that feeds both the letdown valve and one of the PORVs so that the pressurizer letdown valve goes to its closed position and renders the PORV inoperable, and a second active failure of the other PORV
  - Independent failure of a letdown valve in the closed position and failure to open both PORVs

Overpressure event #2 (estimated frequency 4E-5 events/year††)
  Failure scenario: A failure that results in inadvertent safety injection initiation when the reactor is being heated from cold shutdown. (During this operation both pressurizer PORV setpoints are shifted from the "low temperature" setpoint to the "normal" setpoint. If there is a failure causing inadvertent operation of safety injection, overpressure conditions can occur if the operator fails to terminate the event.)
  Condition for Operation: Heating up from cold shutdown
  Failure mechanisms:
  - A single failure in the logic circuit that results in the actuation of the safeguards sequence
  - Independent failures that would initiate high pressure safety injection and open the accumulator isolation valves
  - A single failure in one of the two safety injection actuation pushbuttons (that actuates the safeguards sequence)

SGTR event #1 (estimated frequency 2E-3 events/year; 7E-6 with an SGTR event)
  Failure scenario: Failure that results in opening one of the steamline relief valves concurrent with a steam generator tube rupture in the affected steam generator.
  Condition for Operation: 102% power operation with one steam generator tube ruptured (adjacent to the cold-leg tubesheet) and a simultaneous loss of offsite power
  Failure mechanisms:
  - A failure of a component in the steamline PORV control circuit that causes the valve to open and remain open
  - A mechanical failure of a steamline PORV (i.e., atmospheric dump valve) that causes the valve to stick open
  - A failure of a component in the steam dump controller causes a steamline PORV to open and remain open
  - A mechanical failure of a safety valve causes it to stick open

SGTR event #2 (estimated frequency 3E-3 events/year; 1E-5 with an SGTR event)
  Failure scenario: Failure that results in opening of steamline safety valves (SRVs) or steamline relief valves (PORVs) and a high feedwater rate concurrent with a rupture of a steam generator tube.
  Condition for Operation: 102% power with one steam generator tube rupture (adjacent to the cold-leg tubesheet)
  Failure mechanisms:
  - For PORV and SRV failure mechanisms, refer to steam generator tube rupture event #1 above
  - For feedwater overfeed events, the following failure mechanisms were considered:
    - A failure of a steam generator level instrument controlling the feedwater flow
    - A leak or rupture of the sensing line of the level instrument controlling the feedwater flow
    - Inadvertent opening of the feedwater control valve
    - A circuit failure of the steam generator water level controller

Footnotes to Table 3.2:
* Includes probability estimate (0.1/demand) that the operator fails to terminate the auxiliary feedwater system to prevent overfill.
** Includes probability estimate (0.5/demand) that the operator fails to terminate the flow.
† Includes probability estimate (0.05/demand) that the operator fails to initiate the block valve.
†† Includes probability estimate (0.1/demand) that the operator fails to terminate the event.

Table 3.3 Potentially significant failure scenarios in a representative B&W PWR

Overfill event (estimated frequency 6E-3 events/year*)
  Failure scenario: Failure in the main feedwater control system (or valves) that could result in overfeeding one of the two steam generators and a concurrent (possibly long-present but undetected) failure of the main feedwater pump trip system which terminates feedwater flow on high steam generator level, and a failure of the operator to detect and manually trip the main feedwater pumps or isolate the feedwater flow.
  Condition for Operation: Normal power operations
  Failure mechanisms:
  Failures that can cause the main feedwater pump trip system to fail are:
  - Either of two high steam generator (operate range) level transmitters failing low
  - Either of two steam generator level function generator modules failing
  - Either of two multiplications modules failing
  - Either of two signal monitors failing
  - Feedwater pump trip relay (FTPX) failure
  - Feedwater pump trip solenoid valve failures
  - Feedwater pump turbine inlet intercept valve failures
  Failures that can cause main feedwater overfeed are:
  - Main feedwater control valves fail open or control valve signal fails demanding valve to open
  - Miscellaneous failures of control modules associated with the feedwater control system

Overheat event #1 (estimated frequency 1.4E-6 events/year**)
  Failure scenario: A loss of electric power to the integrated control system branch circuits "H" or "H1" when the control system is operating in the automatic mode would result in control stations for different control systems transferring to a manual mode of operation. This transfer could occur without upsetting plant operation. Power could be restored before any plant perturbations could occur. If, however, plant perturbations resulted in a reactor trip, feedwater overfeed conditions could occur if the operator does not manually throttle the feedwater flow. The feedwater pumps would eventually trip on high steam generator level if the feedwater flow was allowed to continue, and safe-shutdown operations would be initiated. If, however, the operator takes action early in the transient in throttling the feedwater to prevent overfeed, but subsequently does not restore the necessary flow to the steam generator or initiate high pressure injection (HPI), severe reactor core overheating can occur.
  Condition for Operation: Normal operating range
  Failure mechanism:
  - A loss of "auto" power to integrated control system branch circuit "H" or "H1"

Overheat event #2 (estimated frequency 9E-6 events/year†)
  Failure scenario: A failure of the "hand" power to the feedwater control system would result in the main feedwater pump run back to minimum speed. If the feed pumps were not tripped but allowed to operate at minimum speed, the steam generator water level would eventually be depleted. Unless the operator manually initiates the auxiliary feedwater system or restores the main feedwater flow, the steam generator would boil dry and steam generator cooling would be lost. The operator has about 30 minutes to reestablish the main or auxiliary feedwater flow. After 30 minutes, establishing feedwater flow would not be effective to establish the necessary steam generator cooling. The high pressure injection pumps would provide the necessary long-term core cooling if the operator manually initiates this system within 60 minutes.
  Condition for Operation: Normal power operations
  Failure mechanism:
  - Loss of "hand" power to the integrated control system branch circuits (HX or H1X)

Footnotes to Table 3.3:
* Includes probability estimate (0.7/demand) that the operator fails to trip the feedwater in time to prevent overfill following a rapid overfeed transient.
** Includes probability estimate (0.03/demand) that the operator fails to reinstate main feedwater or initiate emergency feedwater within 30 minutes, and includes a probability estimate of 0.01/demand that the operator fails to initiate high pressure injection within 60 minutes.
† Includes probability estimate (0.3/demand) that the operator fails to reinstate main feedwater or initiate emergency feedwater within 30 minutes, and includes a probability estimate of 0.01/demand that the operator fails to initiate high pressure injection within 60 minutes.

Table 3.4 Potentially significant failure scenarios in a representative CE PWR

Overfill event #1 (estimated frequency 9E-3 events/year*)
  Failure scenario: A single failure which causes the main feedwater regulating valve to fail in the "as is" or in the fully open position and the operator fails to terminate the overfeed event.
  Condition for Operation: Transient conditions following a reactor trip
  Failure mechanisms:
  The following failures can cause the main feedwater regulating valves to fail:
  - Loss of electrical bus (1YO9)
  - Air solenoid valve controlling air to the feedwater regulating valve fails closed
  - Mechanical failure of the main feedwater regulating valve
  - Failure in the hand/auto station to the regulating valve
  - Failure of the electrical to pneumatic convertor to the main feedwater regulating valve

Overfill event #2 (estimated frequency 4E-4 events/year*)
  Failure scenario: Given an overfeed condition, if the turbine trip signal to the feedwater regulating circuit fails and the operator fails to terminate the feedwater flow, a steam generator overfill event can occur (multiple failures would be required).
  Condition for Operation: Normal power operation
  Failure mechanisms:
  An overfeed condition can occur if the feedwater demand signal fails high and the following failures occur to cause the turbine trip signal to fail to close the regulating valves:
  - Logic circuit failure
  - Relay failure
  - Cable failure

Overheat event (estimated frequency 9E-6 events/year**)
  Failure scenario: Given a specifically sized small-break loss-of-coolant accident (LOCA), a failure to initiate reactor coolant system cooldown via the steam generator, and/or depressurize the reactor via the pressurizer power-operated relief valve (PORV) or the auxiliary spray system, can potentially cause core uncovery.
  Condition for Operation: Shutdown after a small-break LOCA
  Failure mechanisms:
  - A failure to initiate or maintain reactor coolant system cooldown can be caused by atmospheric dump valves (ADVs) and/or the turbine bypass valves (TBVs) failing to open on demand, or closing indirectly as a result of a safety injection actuation signal and an operator error
  - A failure of the instrument air system or a loss of power to bus YO9 can prevent the ADVs and TBVs from opening (these have much lower probabilities than the mechanism above)
  - A failure to depressurize the reactor coolant system can result from the lack of procedural instructions to initiate this mode under saturated RCS conditions

Overcool event (estimated frequency 1.5E-4 events/year†)
  Failure scenario: Given a small-break LOCA and reactor coolant system cooldown is initiated, if the operator fails to open either pressurizer PORV or initiate auxiliary spray, a pressurized thermal shock could result in damage to a vulnerable pressure vessel.
  Condition for Operation: Shutdown after a small-break LOCA
  Failure mechanism:
  - Operator error or a failure of the pressurizer PORVs or auxiliary spray system

Footnotes to Table 3.4:
* Includes 0.1/demand probability that the operator fails to manually trip the main feedwater pumps in time to prevent overfill.
** Includes multiple operator failure probabilities (that is, failure to initiate reactor coolant system (RCS) cooldown via the steam generator (0.01/demand) and failure to depressurize the RCS via pressurizer PORVs or auxiliary spray system (0.5/demand)).
† Includes 0.01/demand probability that the operator fails to open the pressurizer PORV when indicated. It does not include the conditional probability of vessel failure due to pressurized thermal shock (PTS) conditions.
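The footnotes to Tables 3.1 through 3.4 state that each listed frequency already includes one or more per-demand probabilities that the operator fails to act. The following Python example is added here to show that arithmetic as a linear event tree; it is not part of NUREG-1217 or the contractor studies it cites. The report does not state the initiating frequencies behind the table entries, so the 3E-3/year initiator used below is a constructed value, chosen only because 3E-3 x 0.3 x 0.01 reproduces the 9E-6 events/year listed for the B&W Overheat event #2; the function names and the outcome labels are this example's own.

```python
"""
Added example (not from NUREG-1217): the arithmetic behind footnotes such as
"includes probability estimate (0.3/demand) that the operator fails to reinstate
main feedwater ... and 0.01/demand that the operator fails to initiate high
pressure injection".  Each table frequency is the unmitigated path through a
linear event tree: an initiating failure followed by mitigating actions that
each either succeed (the sequence ends safely) or fail with the stated
per-demand probability.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class MitigatingAction:
    name: str
    p_fail_per_demand: float


def end_state_frequencies(initiator_per_year, actions):
    """Return {outcome: events/year} for one initiating failure followed by
    the given mitigating actions, in order.  The outcome frequencies sum to
    the initiating frequency, which serves as a consistency check."""
    outcomes = {}
    remaining = initiator_per_year
    for act in actions:
        # Sequence ends here if the action succeeds.
        outcomes[f"mitigated by: {act.name}"] = remaining * (1.0 - act.p_fail_per_demand)
        # Only the failure branch continues to the next action.
        remaining *= act.p_fail_per_demand
    outcomes["unmitigated"] = remaining
    return outcomes


def implied_initiator(table_frequency, actions):
    """Back out the initiating frequency a table entry implies, given the
    operator failure probabilities its footnote says it includes."""
    return table_frequency / prod(a.p_fail_per_demand for a in actions)


# B&W Overheat event #2 (Table 3.3): loss of "hand" power runs the main
# feedwater pumps back to minimum speed; footnote † gives the two operator
# failure probabilities.  The initiating frequency is a constructed value
# for this example, chosen so the product reproduces the listed 9E-6.
BW_OVERHEAT_2 = [
    MitigatingAction("operator reinstates main or emergency feedwater within 30 min", 0.3),
    MitigatingAction("operator initiates high pressure injection within 60 min", 0.01),
]
ASSUMED_INITIATOR = 3e-3  # events/year, constructed, not from the report


def bw_overheat_2_unmitigated(initiator_per_year=ASSUMED_INITIATOR):
    """Frequency of the core-overheat end state for the scenario above."""
    return end_state_frequencies(initiator_per_year, BW_OVERHEAT_2)["unmitigated"]


if __name__ == "__main__":
    for outcome, freq in end_state_frequencies(ASSUMED_INITIATOR, BW_OVERHEAT_2).items():
        print(f"{outcome:72s} {freq:.2e} /year")
    # Same idea for Overheat event #1 (footnote **: 0.03/demand and 0.01/demand).
    overheat_1 = [MitigatingAction("feedwater restored", 0.03),
                  MitigatingAction("HPI initiated", 0.01)]
    print(f"initiator implied by 1.4E-6 for Overheat event #1: "
          f"{implied_initiator(1.4e-6, overheat_1):.2e} /year")
```

Because the table values already fold in the operator probabilities, comparing two entries whose footnotes assume different operator failure rates (for example the 0.03 and 0.3 per demand of Overheat events #1 and #2) compares the end states, not the underlying equipment failure rates; `implied_initiator` is the quick way to separate the two.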

4 GENERIC APPLICABILITY

Reference plants were selected on the basis of (1) the quality and quantity of design information available to conduct a review and (2) the belief that any weaknesses in control system designs were more likely to be identified in older plants.

A number of control system failures were identified at the reference plants that had the potential for causing undesirable events. To determine if the results obtained for the reference plants were applicable to other plants (for the same vendor), similarities in the thermal-hydraulic parameters and similarities in control systems of other plants were evaluated. This evaluation of control systems (similarity review) of other plants focused primarily on those design characteristics identified as contributing to the events of concern.

Sensitivity studies were selectively performed to evaluate if the differences were significant. The significant transients analyzed for the reference plants were also evaluated to determine (1) if similar transients could occur in other plants and (2) if the transients analyzed for the reference plant represented a more severe or bounding transient.

Results of the review of the reference plants were considered generically applicable to other plants of the same vendor if:

(1) Major fluid systems of other plants were functionally similar to the reference plant.

(2) Power-to-volume ratios and various volume-to-flow ratios of other plants were similar to the reference plant.

(3) Thermal-hydraulic transients analyzed at the reference plant were similar to or would bound transients on other plants of the same class.

(4) Control systems at other plants were sufficiently similar to control systems at the reference plant that any differences in the design were not significant enough to substantially alter the events of concern.

(5) Reactor protection systems (that is, the reactor trip systems and the engineered safety features systems) at other plants are functionally similar to the systems of the reference plants so that any differences in the design of the reactor protection system were not significant enough to substantially alter the events of concern.

A large number of single and multiple control system failures were analyzed on the reference plants. It was not necessary or practical to evaluate all possible control system failure combinations that could occur in any one plant. Engineering judgment and the FMEA conducted on each plant were used to limit the number and kind of transient analyses performed. Selection of the type and number of system failures evaluated for the plant model was an iterative process highly dependent on the knowledge gained from responses to the failure sequences simulated in previous analyses. In some cases, highly unlikely combinations of multiple failures were evaluated to assess worst-case or bounding scenarios.

On the basis of the combinations and number of control system failures analyzed, it became apparent that as long as the protection systems were not compromised and performed their intended design functions, the events (except those noted below) induced by control failures were satisfactorily mitigated. On the basis of the number of credible and unlikely failures evaluated, the staff concluded that other control system failures that could occur on the reference plant (but have not been analyzed in this review) would also be mitigated by the protection

(of the same vendor) are functionally similar to the reference plant design, the same degree of protection to mitigate multiple control systems failures is provided in other plants.

It should be noted that a few plant designs vary significantly from the reference plant designs. These plants incorporate unique design features in major fluid systems and/or instrumentation and control systems, power systems, or reactor protection systems which have not been evaluated in detail. For BWRs these plants are: Oyster Creek Nuclear Power Plant, Unit 1; Big Rock Point Nuclear Plant; Nine Mile Point Nuclear Station, Unit 1; La Crosse Nuclear Generating Station; Millstone Nuclear Power Station, Unit 1; and Dresden Nuclear Power Station, Units 2 and 3. For the W PWRs, the plants are: Yankee Rowe Nuclear Power Station, Haddam Neck Plant, and San Onofre Nuclear Generating Station, Unit 1. For CE PWRs, the plants are: Arkansas Nuclear One, Unit 2; San Onofre Nuclear Generating Station, Units 2 and 3; Maine Yankee Atomic Power Plant; and Palo Verde Nuclear Generating Station, Units 1, 2, and 3. For B&W PWRs, the plants are: Arkansas Nuclear One, Unit 1; Crystal River Nuclear Plant; Rancho Seco Nuclear Generating Station, Unit 1; and Davis-Besse Nuclear Power Station, Unit 1. The major differences in these designs and their effects on the significant events are discussed below. Most of the events identified during the USI A-47 review were found to be generically applicable to most other reactors of the same class. Some events, however, were determined to be applicable only to the reference plant.

The following discussions assess the generic applicability of the events determined to be safety significant during the review. Design features of other plants that could potentially modify failure scenarios or transients analyzed in this review are described, and the criteria used to assess generic applicability are identified. This assessment is based on fundamental engineering principles, the generic evaluations conducted by ORNL and INEL (see reference NRC reports and Letter Report), and staff judgment.

4.1 GE BWR Plants

Several control system failures that could contribute to reactor vessel overfill and reactor overcool events were identified as potentially safety significant. All other control system failures that were evaluated were determined to be bounded by the FSAR analyses. The failure mechanisms contributing to these events are identified in Table 3.1. Major contributors to events that occur during power operation were multiple control system failures that initiated overfeed transients and failed the automatic feedwater pump trip system. Major contributors to events that occur during startup or shutdown operation were single and multiple failures that initiated vessel overfeed.


The following discussions summarize the design features of other plants and assess the generic applicability of the major events identified for the reference plant.

4.1.1 Overfill Events at Power Resulting From Failures in the Reactor Vessel High-Level Feedwater Trip System

(1) Control Systems Differences

Review of the plant-specific safety analysis reports (SARs) and the docket files identified variations in the reactor vessel high-level feedwater trip systems which terminate reactor vessel overfill events in BWRs during power operation.

Most operating BWR plants provide commercial, non-safety grade reactor vessel overfill protection identical to the reference plant; that is, a 2-out-of-3 high-level trip system with separate and independent electrical power supplies for each level sensor. Several plants, however, have overfill protection designs with less independence and reliability. These designs vary from a 1-out-of-1 or a 1-out-of-2, to a 2-out-of-2 reactor high-level feedwater pump trip. On some plants, logic separation and electrical power independence could not be verified. More recent designs provide improved flexibility and redundancy by including a four-level sensor logic system, that is, a 1-out-of-2 taken twice. Three plants (Big Rock Point, La Crosse, and Oyster Creek) have no automatic isolation of feedwater on a high reactor vessel water level signal and rely solely on the operator to mitigate an overfeed event.

The relative benefits of the different high-level trip logic provisions were evaluated using the reference plant as a model. The risk reduction associated with the different trip systems was estimated (NUREG/CR-4387).

Safety benefits gained by providing additional reactor vessel level redundancy and independence to some existing feedwater trip systems are not significant. The estimated reduction in frequency of overfill events between plants that have some sort of automatic reactor vessel high-level feedwater trip system was not significant. For plants with no automatic feedwater trip system, the overfill frequency was estimated to be about 15 times more likely than for plants with automatic feedwater trip systems. In actual practice, the three BWR plants with no trip system have demonstrated better reliability because of the operator's role in controlling feedwater. Results and conclusions of analyses of the reference plant apply to other BWR plants if they meet the following criteria with respect to control system design.

(a) The plant must have an automatic reactor vessel high-water-level feedwater trip system.

(b) The trip system must be operable during power operation, or administrative procedures must be implemented to ensure that manual feedwater trip can be accomplished in time to prevent overfill when the automatic feedwater trip system is not operable.
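The trip logics compared above (1-out-of-1, 1-out-of-2, 2-out-of-2, 2-out-of-3 and 1-out-of-2 taken twice) differ in how many level channels must fail before a real high-level condition is masked, and how many must fail before the system trips when nothing is wrong. The following Python example is added here to make that comparison concrete; it is not from NUREG-1217 or NUREG/CR-4387. It exercises each logic against the failure modes listed for Overfill event #1 in Table 3.1 (false low-level signals from one or more sensors, whether from a shared sensing line, a maintenance error or independent failures). The channel counts, the grouping of the four-channel logic into two trains, and the function names are assumptions of this example.

```python
"""
Added example (not from NUREG-1217): a model of the reactor vessel high-level
feedwater trip logics compared in Section 4.1.1, exercised against the sensor
failure modes listed for Overfill event #1 in Table 3.1.  Channel counts,
train grouping and the scenarios are assumptions of this example.
"""
from itertools import combinations


def m_out_of_n(readings, m):
    """Trip when at least m of the n channel readings indicate high level."""
    return sum(1 for r in readings if r) >= m


def one_out_of_two_taken_twice(readings):
    """Four channels in two trains, (A, B) and (C, D): each train trips on
    1-out-of-2, and both trains must trip (assumed grouping)."""
    a, b, c, d = readings
    return (a or b) and (c or d)


# logic name -> (number of level channels, trip function)
TRIP_LOGICS = {
    "1-out-of-1": (1, lambda r: m_out_of_n(r, 1)),
    "1-out-of-2": (2, lambda r: m_out_of_n(r, 1)),
    "2-out-of-2": (2, lambda r: m_out_of_n(r, 2)),
    "2-out-of-3": (3, lambda r: m_out_of_n(r, 2)),
    "1-out-of-2 taken twice": (4, one_out_of_two_taken_twice),
}


def trips_on_real_high_level(logic, failed_low):
    """Vessel level really is high.  Channels whose 0-based index is in
    `failed_low` have failed low (shared sensing-line rupture, maintenance
    error, independent failures) and report 'not high' regardless of level."""
    n, fn = TRIP_LOGICS[logic]
    readings = [i not in failed_low for i in range(n)]
    return fn(readings)


def spurious_trip(logic, failed_high):
    """Vessel level is normal; channels in `failed_high` read high."""
    n, fn = TRIP_LOGICS[logic]
    readings = [i in failed_high for i in range(n)]
    return fn(readings)


def min_failures_to_defeat(logic):
    """Fewest failed-low channels that mask a genuine high level."""
    n, _ = TRIP_LOGICS[logic]
    for k in range(n + 1):
        if any(not trips_on_real_high_level(logic, set(c))
               for c in combinations(range(n), k)):
            return k
    return None


def min_failures_to_spurious_trip(logic):
    """Fewest failed-high channels that cause an unnecessary trip."""
    n, _ = TRIP_LOGICS[logic]
    for k in range(n + 1):
        if any(spurious_trip(logic, set(c)) for c in combinations(range(n), k)):
            return k
    return None


def compare_logics():
    """For each logic: (channels needed to defeat it, channels needed to
    trip it spuriously)."""
    return {name: (min_failures_to_defeat(name), min_failures_to_spurious_trip(name))
            for name in TRIP_LOGICS}


if __name__ == "__main__":
    # Table 3.1 mechanism: common cause failure of two of the three level
    # sensors (false low-level signals) defeats the reference plant's
    # 2-out-of-3 trip, while a single failed channel does not.
    print("2-out-of-3, one channel failed low, trips:",
          trips_on_real_high_level("2-out-of-3", {0}))      # True
    print("2-out-of-3, two channels failed low, trips:",
          trips_on_real_high_level("2-out-of-3", {0, 1}))   # False
    for name, (defeat, spurious) in compare_logics().items():
        print(f"{name:24s} defeated by {defeat} failed-low channel(s); "
              f"spurious trip from {spurious} failed-high channel(s)")
```

The summary shows why the section reports little difference among plants that have any automatic trip: 2-out-of-3 and 1-out-of-2 taken twice both tolerate one failed channel in either direction, while 1-out-of-2 trades spurious-trip resistance for masking resistance and 2-out-of-2 trades the other way. In the four-channel logic the two masking failures must both fall in the same train, which is the case the section's remark about separate and independent power supplies per sensor is meant to make unlikely.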


(2) Thermal-Hydraulic Differences

Most BWR plant systems that could contribute to reactor vessel overfeed and vessel overfill events are functionally similar. Although variations in the design exist in some plants, such as the number, type, and capacity of valves or pumps and the size of reactor vessels, these variations are not significant when the overall size of the plant is considered. Major systems are designed with roughly similar proportions so that the time to overfill on other BWR plants is expected to be very similar to or bounded by the time predicted for the reference plant. Several BWR plants identified above (p. 4-2) incorporate designs that differ from the reference plant design. These differences include: (1) different recirculation flow systems, (2) use of isolation condensers, (3) different power supply designs, and (4) use of different reactor vessel capacities.

These design differences (except for vessel size) would not change the results of the overfill transients analyzed for the reference plant. Although reactor vessel capacity (i.e., size) can affect plant response for overfill events, the feedwater flow to reactor vessel volume ratio for these plants is smaller than the ratio for the reference plant, so that the overfill transients on plants with larger reactor vessel volumes (like La Crosse) are expected to be slower than predicted for the reference plant.

The following criterion was used to assess the generic applicability of this overfill event at other plants: Power to flow, power to volume, and reactor feedwater flow to reactor vessel volume ratios for other plants should be similar to the ratios for the reference plant. If the ratios vary, they should vary in the direction that causes the overfill transients to occur more slowly.

Plants with thermal-hydraulic characteristics that satisfied this criterion were determined to be similar to the reference plant.

(3) Conclusions (a) Most BWR plants provide automatic feedwater pump trip systems on high reactor vessel level. (Only three plants do not have automatic feedwater pump trip on high reactor vessel level).

(b) Variations in the design of the control system for automatic overfill pro-tection exist in other BWRs. For plants with automatic overfill protection systems, variations in the design do not significantly modify expected failure estimates to reduce the frecuency of overfill events that could result from control systen failures. ,

(c) For plants with no automatic overfill protection, overfill events are estimated to be Ib times more likely than for plants with automatic overfill protection. Operator action can significantly reduce this estimate.

(d) Power to flow, power to volume, and reactor feedwater flow to reactor vessel volume ratios for other BWR plants are sufficiently similar to these ratios for the reference plant that the analysis conducted on the reference plant is considered a bounding analysis and is generically applicable to other BWR plants.

NUREG-1217 4-4

4.1.2 Overfill and Overcool Events During Low-Pressure Startup and Shutdown Operations

(1) Control System Differences

Various failures in the condensate system and in the low pressure coolant injection (LPCI) and core spray (CS) systems were identified that could cause reactor vessel overfeed events during low pressure startup and shutdown operations.

Most BWR plants provide LPCI, CS, and condensate systems similar to systems in the reference plant design. Although variations in some control system designs exist, all plants rely on the operator to terminate flow from these systems once they are initiated.

(2) Thermal-Hydraulic Differences

Several plants provide fluid system designs that are different from the reference plant design. These differences are discussed in Section 4.1.1.

The differences in the major fluid systems in these plants (except for reactor vessel size) do not affect the overfill transients analyzed for the reference plant. For plants with larger reactor vessels, because the ratio of condensate flow and/or emergency core cooling system (ECCS) flow to the reactor vessel volume is smaller than these ratios for the reference plant, overfill transients for these plants are expected to be slower and less severe than the transients predicted for the reference plant.

The following criteria were used to assess the generic applicability of this event on other plants:

(a) Power to flow, power to volume, and condensate flow or low pressure ECCS flow to reactor volume should be similar to the values for the reference plant.

(b) The fill rate of the condensate system or the ECCS is less than or about equal to the reference plant flow rates.

(c) Administrative procedures are implemented to help ensure that manual trip can be accomplished to terminate condensate or ECCS flow in time to prevent overfill.

Plants that had thermal-hydraulic characteristics and administrative procedures satisfying these criteria were determined to be similar to the reference plant.
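The screening criterion above, and the same ratio-based criterion in Section 4.1.1, can be written as a small check. The following Python is an added example, not part of NUREG-1217 and not an NRC tool; the plant figures are constructed for illustration, and the "direction" assigned to each ratio (a smaller fill-flow-to-volume or power-to-volume ratio is taken as the bounding direction, because first-order time to overfill is free volume divided by fill flow, while power-to-flow is required to be similar only) is this example's assumption, not a statement from the report. It goes slightly beyond the text by also checking the administrative-procedure criterion (c) and by confirming that a candidate declared "bounded" does in fact have the longer estimated fill time.

```python
"""Generic-applicability screen for reactor vessel overfill events.

Added example (not from NUREG-1217). Encodes the Section 4.1.1 / 4.1.2 test:
each thermal-hydraulic ratio of a candidate plant must either be similar to
the reference plant's, or differ in the direction that makes the overfill
transient slower, so that the reference analysis bounds the candidate.
All plant numbers below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class PlantParams:
    name: str
    thermal_power_mw: float
    fill_flow_m3_per_h: float      # feedwater, condensate or low-pressure ECCS flow
    vessel_volume_m3: float
    free_volume_m3: float          # normal level to the overfill point
    manual_trip_procedures: bool   # Section 4.1.2 criterion (c)


@dataclass(frozen=True)
class Criterion:
    name: str
    ratio: Callable[[PlantParams], float]
    slower_if: str   # "lower", "higher", or "none" (must be similar only)


def power_to_flow(p: PlantParams) -> float:
    return p.thermal_power_mw / p.fill_flow_m3_per_h


def power_to_volume(p: PlantParams) -> float:
    return p.thermal_power_mw / p.vessel_volume_m3


def flow_to_volume(p: PlantParams) -> float:
    return p.fill_flow_m3_per_h / p.vessel_volume_m3


def time_to_overfill_h(p: PlantParams) -> float:
    # First-order estimate: the free volume fills at the uncontrolled fill flow.
    return p.free_volume_m3 / p.fill_flow_m3_per_h


# Direction assumptions are this example's, not the report's.
CRITERIA: List[Criterion] = [
    Criterion("power_to_flow", power_to_flow, "none"),
    Criterion("power_to_volume", power_to_volume, "lower"),
    Criterion("flow_to_volume", flow_to_volume, "lower"),
]


def screen(candidate: PlantParams, reference: PlantParams,
           criteria: List[Criterion] = CRITERIA, tolerance: float = 0.10,
           require_manual_trip_procedures: bool = False
           ) -> Tuple[bool, Dict[str, Tuple[bool, float, str]]]:
    """Return (bounded_by_reference, findings); findings[name] = (passes, rel_diff, reason)."""
    findings: Dict[str, Tuple[bool, float, str]] = {}
    for c in criteria:
        r_cand, r_ref = c.ratio(candidate), c.ratio(reference)
        rel = (r_cand - r_ref) / r_ref
        if abs(rel) <= tolerance:
            findings[c.name] = (True, rel, "similar to reference")
        elif c.slower_if == "lower" and rel < 0:
            findings[c.name] = (True, rel, "lower: slower transient, bounded")
        elif c.slower_if == "higher" and rel > 0:
            findings[c.name] = (True, rel, "higher: slower transient, bounded")
        else:
            findings[c.name] = (False, rel, "differs in the non-bounding direction")
    if require_manual_trip_procedures:
        ok = candidate.manual_trip_procedures
        findings["manual_trip_procedures"] = (ok, 0.0, "present" if ok else "absent")
    bounded = all(ok for ok, _, _ in findings.values())
    if bounded and time_to_overfill_h(candidate) < time_to_overfill_h(reference):
        # Consistency check: a "bounded" plant must not fill faster than the reference.
        findings["fill_time_check"] = (False, 0.0, "estimated fill time shorter than reference")
        bounded = False
    return bounded, findings


# Constructed sample plants (not real plant data).
REFERENCE = PlantParams("reference", 3000.0, 5000.0, 500.0, 100.0, True)
LARGER_VESSEL = PlantParams("larger-vessel", 3000.0, 5000.0, 750.0, 150.0, True)
HIGHER_FLOW = PlantParams("higher-fill-flow", 3000.0, 7500.0, 500.0, 100.0, False)

if __name__ == "__main__":
    for plant in (LARGER_VESSEL, HIGHER_FLOW):
        bounded, findings = screen(plant, REFERENCE, require_manual_trip_procedures=True)
        print(f"{plant.name}: bounded={bounded}, "
              f"t_overfill={time_to_overfill_h(plant) * 60:.1f} min")
        for name, (ok, rel, why) in findings.items():
            print(f"  {name:24s} {'pass' if ok else 'FAIL':4s} {rel:+.2f}  {why}")
```

The larger-vessel plant passes because every ratio that differs does so in the slowing direction; the higher-fill-flow plant fails on flow-to-volume regardless of its other parameters, which is the case the report says the reference analysis does not bound.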

The risk associated with control failures that could lead to overfill events (estimated for the reference plant) was small. Because the variations in control system design for other plants were not significant enough to substantially increase these estimates, sensitivity studies of control systems contributing to this event at other BWR plants were not performed.

(3) Conclusion

Power to flow, power to volume, and condensate flow or low pressure ECCS flow to reactor volume ratios at other BWR plants are similar enough to the reference plant so that the analysis conducted on the reference plant is considered a bounding analysis and is generically applicable to other BWRs.

4.2 W PWR Plants

The review of a W PWR plant identified several control system failures that could contribute to steam generator overfill, reactor vessel overcool, and reactor overpressure events. Several failures were also identified that could contribute to undesirable release [i.e., releases in excess of those calculated in the FSAR analysis for steam generator tube rupture (SGTR)] of radioactivity during an SGTR. All other control system failures that were evaluated were determined to be bounded by the FSAR analysis. The failure mechanisms that contribute to these events are identified in Table 3.2. Overfill events could be caused by sustained operation of either the auxiliary feedwater system or the main feedwater system. Overcool events could be caused by failures in the steam dump control systems (i.e., steamline atmospheric dump valves or condenser steam dump system). Overpressure events could be caused by failures in the pressurizer power-operated relief valve (PORV) control system, failures of the letdown valves, and failures in the ECCS circuitry. Failures in the steamline pressure relief control systems could also contribute to excessive release of radioactivity during an SGTR.

The following discussions summarize the generic applicability to other W PWR plants of the major events identified in the reference plant.

4.2.1 Overfill Events Resulting From a Sustained Operation of the Auxiliary Feedwater Flow

(1) Control Systems Differences

On all W PWR designs, auxiliary feedwater (AFW) flow is automatically initiated when the main feedwater pumps are tripped. There are no automatic interlocks to terminate AFW flow when the level reaches a high steam generator level (except for Virgil C. Summer Nuclear Station, Unit 1). An overfill event similar to the reference plant event can occur unless the operator manually terminates the AFW flow. Analysis performed on the reference plant predicts onset of overfill occurring so rapidly that quick operator response is needed to terminate the AFW flow.

Results and conclusions of analysis performed on the reference plant apply to other W PWR plants if they do not meet the following criteria with respect to control system design:

(a) Automatic reduction of the AFW flow on steam generator high level is provided, or

(b) Administrative procedures are implemented to give reasonable assurance that manual throttling of the AFW can be accomplished in time to prevent overfill.

If other W PWR plants meet the above criteria, the analyzed failure modes would be less severe than for the reference plant and should not result in a steam generator overfill.


(2) Thermal-Hydraulic Differences

Variations exist in the design of the AFW systems in other W PWR plants that would change the time to overfill.

New 4-loop designs and some 3-loop designs have devices (orifices or throttling valves) installed in the AFW lines. These devices restrict the flow into the steam generators so that a less severe overfeed transient would result than analyzed for the reference plant. In addition, most 4-loop designs have split AFW headers, so only 50% of total AFW could flow into the faulted steam generator instead of 100% flow for the 3-loop reference plant design.

The following criterion was used to assess the generic applicability of this event on other plants: The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to or greater than these ratios for the reference plant.

Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to the reference plant.

Some W PWR plants identified above incorporate designs that are different from the reference plant. These design differences include: (a) large cooling capacity of the reactor coolant system so that the ratio of the steam generator volume to the main or auxiliary feedwater flow is significantly greater than the reference plant design; (b) the use of charging pumps which have a higher pressure capability than the reference plant design; and (c) designs which have no main steam isolation valves. These design differences would not change the results of the overfill events analyzed for the reference plant with the exception of plants with larger reactor vessel volumes. For those plants, less severe overfill events are expected.

Although other differences, such as operator training and procedures and the design of the level indication system and alarms available to the operator, will alter the operator response time to address an overfeed event, the review did not identify any plants that would have more severe overfill transients.

(3) Conclusion

(a) Overfill events via the AFW system can occur at other W PWR plants under conditions similar to those analyzed in the reference plant (except for the Virgil C. Summer plant, which has automatic termination of AFW).

(b) The overfill transients via the AFW system at other W PWR plants are determined to be equal to or less severe than those analyzed for the reference plant (except for the Virgil C. Summer plant, which has automatic termination of AFW).

(c) Steam generator volume to main feedwater flow rate and steam generator volume to AFW flow rate ratios at other W PWR plants are so similar to reference plant ratios that the overfill analysis conducted at the reference plant is considered a bounding analysis applicable to other W PWR plants. Although several plants provide different designs, so that some of the thermal-hydraulic characteristics mentioned above are different from the reference plant, the differences are such that the transients would be equivalent to or less severe than the results of the overfill events analyzed for the reference plant.

4.2.2 Overfill Events Resulting From Failures in the Steam Generator, High-Level, Feedwater, Trip System

(1) Control System Differences

All of the overfill protection system designs at W PWR plants (except for three very early plant designs, i.e., Haddam Neck, Yankee Rowe, and San Onofre 1) have either a 2-out-of-3 or a 2-out-of-4 steam generator high-water-level trip system to terminate the feedwater flow during a feedwater overfeed event. These systems are redundant and designed to satisfy safety requirements. The newer designs incorporate a more flexible and redundant 2-out-of-4 system that provides additional improvements for testing and fully satisfies all the prescribed safety requirements of IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." San Onofre 1 and Yankee Rowe do not have automatic overfill protection. The Haddam Neck plant provides an overfill protection system consisting of a safety grade, 1-out-of-2, steam generator high-water-level interlock which automatically shuts the main feedwater control valves to the steam generator. Results and conclusions of the reference plant apply to other W PWR plants if they meet the following criteria with respect to control system design:

(a) The plant must have an automatic steam generator, high-water-level, feedwater, trip system similar to or better than the reference plant design has.

(b) The trip system must be operable during power operation or administrative procedures must be implemented to provide reasonable assurance that a manual feedwater trip can be accomplished in time to prevent overfill when the automatic feedwater trip system is inoperable.

(2) Thermal-Hydraulic Differences

The following criterion was used to assess the generic applicability of this event to other W PWR plants: Steam generator volume to main feedwater flow rate ratio should be similar to or greater than that of the reference plant.

Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to or bounded by the reference plant.

Some W PWR plants identified above (p. 4-2) incorporate designs that differ from the reference plant. These differences would not adversely change the results of the overfill events analyzed for the reference plant. Less severe overfill events are expected for plants with larger steam generator volumes.

Although other differences, such as operator training and procedures, the design of the level indication system, and alarms available to the operator, can alter the operator response time to an overfeed event, the review did not identify any plants that would have more severe overfill events.


(3) Conclusions

(a) Variations in the design of the automatic overfill protection system exist in other W PWR plants. The designs are the same as or better than the reference plant design (except as noted for three very early plant designs).

(b) Overfill transients in other W PWR plants are judged to be equal to or less severe than those analyzed for the reference plant.

(c) The ratio of steam generator volume to main feedwater flow rate at other W PWR plants is so similar to the reference plant ratio that the overfill analysis conducted on the reference plant is considered a bounding analysis applicable to other W PWR plants. (Although several plants provide different designs, so that some of the thermal-hydraulic characteristics discussed above are different from the reference plant characteristics, these differences do not change this conclusion.)

4.2.3 Overcool Events During Hot Shutdown and Full-Power Operation

(1) Control System Differences

Several control system failures were identified that could cause the condenser steam dump valves or the atmospheric dump valves (ADVs) to open. These failures can result in reactor vessel overcool events during full power operation or hot-shutdown conditions.


All W PWR plants utilize similar ADV and condenser steam dump valve control systems. Although the number of valves and valve capacities of these systems may differ at other W PWR plants, the overall valve capacity for 2-, 3-, and 4-loop plants is proportional to the plant power level. Transients resulting from failures in these systems at other W PWR plants were determined to be similar to those analyzed for the reference plant.

A majority of operating plants and plants under review for an operating license (i.e., 37 out of 52 W PWR plants) have incorporated lead/lag-compensated steamline pressure measurement in the steamline break protection systems. This control system can terminate steam flow through the condenser steam dump valves by isolating the main steamlines on a low steamline pressure signal. This control design feature is not provided for the reference plant and is an improvement over the reference plant design. For W PWR plants utilizing this feature, overcool transients resulting from inadvertent opening of steam dump valves downstream of the main steam isolation valves (MSIVs) will be less severe than transients predicted for the reference plant.


In addition, most operating plants as well as plants of newer designs utilize arming circuits in the steam dump valve control system similar to circuits in the reference plant design. Multiple independent failures in these systems, similar to those postulated for the reference plant, are needed to fail open all the steam dump valves. The initiating failure frequency for such events is very low.


Although one plant design (San Onofre Nuclear Generating Station, Unit 1) does not have MSIVs or a lead/lag-compensated steamline pressure control system, it does utilize arming circuits similar to those of the reference plant to prevent inadvertent opening of the dump valves.

Results and conclusions of analyses of the reference plant apply to other W PWR plants if they meet the following criteria with respect to control system designs:

(a) Must automatically terminate the steam flow through the condenser steam dump valves by isolating the main steamlines on low steamline pressure (that is, must have a lead/lag-compensated steamline pressure control system, or equivalent), or

(b) Multiple independent control failures are needed to open all condenser steam dump valves (that is, provide arming circuits in the steam dump valve control systems similar to those in the reference plant).

(c) Administrative procedures are implemented to ensure that manual isolation of the ADVs can be accomplished in time to prevent severe overcooling, or multiple independent failures are required to open more than one ADV.

(2) Thermal-Hydraulic Differences

Most W PWR plant systems that can contribute to reactor vessel overcool transients are functionally similar. Although variations in the design exist at some plants (such as the number, type, and capacity of valves, and the number of steam generators), the variations are not significant when one considers the size of the plant. Major systems are sized in roughly the same proportions so that the overcool transients on other W PWR plants are expected to be similar to or bounded by transients analyzed for the reference plant. Several W PWR plants identified above (p. 4-2) incorporate designs that differ from the reference plant. Plants that have larger reactor vessel and steam generator volumes, like Yankee Rowe Nuclear Power Station, have larger cooling capacities and larger ratios for reactor coolant system volume to atmospheric dump valve (or steam dump valve) capacity and steam generator volume to atmospheric dump valve (or steam dump valve) capacity. Overcool transients resulting from inadvertent opening of the steamline PORV or condenser steam dump valves at these plants would be less severe than transients analyzed at the reference plant.


The following criteria were used to assess the generic applicability of this event at other W PWR plants: (a) reactor coolant system volume to atmospheric or condenser steam dump valve capacity and (b) steam generator volume to atmospheric or condenser steam dump valve capacity ratios should be similar to or greater than these values for the reference plant.

Plants with thermal-hydraulic characteristics satisfying these criteria were determined to be similar to or bounded by the reference plant.
(3) Conclusions

(a) All W PWR plants provide adequate control systems to prevent overcool transients resulting from inadvertent opening of the steam dump valves to the condenser. Most plants provide overcool transient protection better than that of the reference plant.

(b) Transients that could occur as a result of inadvertent opening of the condenser steam dump valves or atmospheric dump valves are expected to be equal to or less severe than those analyzed for the reference plant.

(c) Reactor coolant system volume to atmospheric dump valve or steam dump valve capacity and steam generator volume to ADV or steam dump valve capacity ratios at other W PWR plants are sufficiently similar that the overcool analysis conducted for the reference plant is a bounding analysis applicable to other W PWR plants.
Although several plants provide such different designs that some of the thermal-hydraulic characteristics discussed above are different from those for the reference plant, the differences would cause less severe transients and therefore do not adversely change the results of the overcool events analyzed for the reference plant.

4.2.4 Overpressure Events During Low-Temperature and Low-Pressure Shutdown or Startup Operating Conditions

Several control system failures were identified that could prevent pressurizer PORVs from opening. These failures, in conjunction with events that would increase reactor coolant system (RCS) pressure, can result in reactor vessel overpressure events.

(1) Control System Differences

Pressurizer PORV control systems at all W PWR plants are designed to conform to NRC Branch Technical Position RSB 5-2 (Denton, July 23, 1985), which requires the control systems for the pressurizer PORV valves to satisfy the single-failure criterion and to be powered from reliable independent power supplies (not necessarily Class 1E). Some new plants provide additional control system improvements over the reference plant design by offering pressurizer PORV control system designs that conform fully to all the requirements of safety-related systems, so that additional failures would be needed to produce the transients analyzed for the reference plant. Control system designs on other W PWR plants are, therefore, very similar to or better than the reference plant designs.

(a) Results and conclusions of the analysis of the reference plant apply to other PWR plants if they meet the following criteria with respect to control system design:

- Pressurizer PORVs must be powered by reliable and independent power supplies and must be designed so that multiple independent failures are required to disable both PORVs.

- Administrative procedures are implemented to ensure that when one of the redundant pressurizer PORVs is rendered inoperable for a limited period of time during low-temperature operations, the remaining PORV can be opened manually.


Operator-induced procedural failures could also prevent both PORVs from opening during low-temperature and low-pressure conditions. These procedural failures are dependent on the adequacy of the procedures used. Operating procedures at other plants were not reviewed to determine how many plants may be susceptible to the kind of procedurally induced conditions analyzed in the reference plant review. Variations in procedures at other plants could affect the frequency and severity of this procedurally induced transient. The emphasis on PORV-related events since the TMI-2 accident, however, has made operators more aware of this type of transient.

(b) Results and conclusions of the analysis of the reference plant apply to other PWR plants if they meet the following criteria:

- The low-temperature overpressure (LTOP) system is removed from service during plant heatup before the RCS temperature is at or near the minimum pressurization temperature, so that an LTOP condition can occur, or

- The ECCS is enabled during plant heatup before the RCS temperature is at or near the minimum pressurization temperature for the reactor vessel, or

- No other automatic pressure reduction capabilities exist to limit overpressure transients during low-temperature operations.

Under certain conditions, PWR plants are allowed to operate under limiting conditions for operation (LCOs), wherein a redundant pressurizer PORV may be rendered inoperable for a finite period. If, during this time, the system is subjected to a pressure transient, the plant may be vulnerable to an overpressure event if a single failure in the available PORV control system can render the overpressure protection system inoperable. This scenario has been identified as a safety issue. Generic Issue 94 was identified to reevaluate the existing LTOP designs and to assess the need for additional improvements to the low-temperature overpressure protection system. This study is applicable to all PWRs with PORVs (Denton, July 23, 1985). Resolving this issue may yield insights that warrant modifications.

(2) Thermal-Hydraulic Differences

Because the major systems at W PWR plants are of roughly the same proportions, the overpressure transients at all W PWR plants are expected to be similar to or bounded by transients analyzed for the reference plant. Several W PWR plants identified above (p. 4-2) incorporate some designs that differ from the reference plant design. These differences, discussed in Section 4.2.1(b) (except for plants that have high-capacity charging pumps), would not adversely change the results of the overpressure transients analyzed for the reference plant. For plants that utilize high-capacity charging pumps (higher than the reference plant design, like San Onofre Nuclear Generating Station, Unit 1), the overpressure transients induced by inadvertent initiation of the high pressure injection could produce a more severe overpressure event than analyzed. Additional administrative procedures are used at these plants to lock out the isolation valves to the high-head pumps during shutdown conditions to preclude such events, so that additional independent failures would be required to cause similar or more severe events than analyzed for the reference plant. The following criteria were used to assess the generic applicability of these events to other W PWR plants:

(a) The ratio of RCS volume to normal cold shutdown letdown flow rate should be similar to or greater than that of the reference plant.

(b) Administrative procedures are implemented during startup or low-temperature, low-pressure operation to ensure that the pressurizer PORV low pressure setpoint is not changed to the higher setpoint for normal operation before reaching the minimum pressurization temperature, or

(c) Other automatic pressure-reduction capabilities exist to limit the overpressure transients during LTOP operation.

(3) Conclusion

(a) Most pressurizer PORV control system designs at other W PWR plants are very similar to designs of the reference plant. The designs provide similar electrical independence.

(b) A few plants have better PORV control systems than the reference plant has, so additional multiple independent failures would be needed to produce scenarios similar to those analyzed for the reference plant.

(c) The thermal-hydraulic analyses conducted for the reference plant are applicable to other W PWR designs.

(d) Plants whose high-head injection pumps have a capacity higher than that of the reference plant provide additional lockout devices to prevent inadvertent initiation of the injection pumps during low-temperature operation.

4.2.5 Control System Failures Aggravating a Steam Generator Tube Rupture Event

Several control system failures were identified that could cause inadvertent opening (or failure to close once challenged) of the atmospheric steamline dump valves during an SGTR event. An ADV that fails to reclose during an SGTR event can result in more severe transients than those previously analyzed by W for an SGTR event.

All W PWR plants provide steamline ADV designs similar to that of the reference plant design. They rely on the operator to isolate the flow through these valves should the valves fail to close during an SGTR event. Although variations in the design of the ADVs may exist at other plants, these variations are not sufficient to modify the analysis performed for the reference plant design.

Results and conclusions of analysis of the reference plant apply to other W PWR plants if they meet the following criteria with respect to control system design:

(1) must have electrically initiated, air-operated ADVs

(2) require manual operator action to isolate flow through the ADVs

Conclusion

Transients at other W PWR plants that could occur as a result of inadvertent opening of the steamline ADVs are expected to be equal to or less severe than those analyzed at the reference plant.

4.3 B&W PWR Plants

The review of the B&W PWR reference plant identified potentially significant control system failures that could contribute to steam generator overfill events and reactor core overheating events. All other control system failures that were evaluated were determined to be bounded by the FSAR analysis. The failure mechanisms that contribute to these events are identified in Table 3.3.

The major contributors to these events were single and multiple control system failures that (1) initiated overfeed transients and failed the automatic feedwater pump trip system that would have terminated an overfill event and (2) caused a loss of electrical power to various sections of the integrated feedwater control system, resulting in a feedwater underfeed condition that could lead to core overheating if proper operator action were not initiated.

It should be noted that about half of the B&W PWR plants currently operating incorporate an "820" integrated control system rather than the "721" integrated control system design utilized by the reference plant. Although the 820 and the 721 control systems are functionally similar, they differ significantly in the power supply configuration. Design differences, such as providing additional independence and power supply separation, were implemented by the individual utilities on the 820 systems in order to improve system reliability on a loss of power. However, for this review, the 721 and the 820 systems were not compared in depth. To address the different transients resulting from a loss of power to the integrated control system (and other control systems), Bulletin 79-27 was issued by NRC's Office of Inspection and Enforcement to all licensees. The bulletin required all licensees to take certain actions to ensure the adequacy of plant procedures for accomplishing cold shutdown upon a loss of power to any Class 1E or non-Class 1E bus supplying power for instruments and controls in systems used in attaining cold shutdown. The licensee's response and design modifications to comply with Bulletin 79-27 were considered and evaluated in the review of the reference plant. The staff did not verify satisfactory compliance with this bulletin for all other plants.

The following discussions summarize the generic applicability of the major transients identified in the reference plant to other B&W PWR plants.

4.3.1 Overfill Events Resulting From Failures in the Steam Generator, High-Level, Main-Feedwater, Trip System

(1) Control System Differences

Review of the main feedwater control systems at all B&W operating PWR plants and all new B&W designs currently under review for an operating license indicates that the 2-out-of-2, steam generator, high-level, main feedwater, trip system provided on the reference design is plant unique and not generically applicable.

All other B&W operating PWR plants have installed or have committed to install a safety grade overfill protection system that will satisfy the single-failure criterion. (Arkansas Nuclear One, Unit 1, has committed to implement the new design by mid-1986; Rancho Seco Nuclear Generating Station, Unit 1, has committed to install its system by mid-1988; Three Mile Island Nuclear Station, Unit 1, will install its system in 1987; and Crystal River Nuclear Plant, Unit 3, has installed its system but has not yet implemented the trip system.) The initiating logic for these designs is either a 2-out-of-4 or a 1-out-of-2-taken-twice, steam generator, high-level, main feedwater, trip system. The trip system actuates redundant main feedwater isolation systems consisting of a main feedwater pump trip and a main feedwater isolation or control valve trip. One plant design currently under review for an operating license will use a safety-grade, 2-out-of-3, high-level, main feedwater, trip system. These plants provide (or will provide) additional redundancy, independence, and testing flexibility in their steam generator overfill protection system and they are expected to represent a significant improvement over the reference plant design when the installation is complete.

Results and conclusions of analyses of the reference plant apply to other B&W PWR plants if they meet the following criteria with respect to control system design:

(a) The automatic overfill protection is at least as reliable as the reference plant design. A single failure in the overfill protection system for the reference plant can negate the automatic overfill protection system.

(b) The main feedwater trip system must be operable during power operation, or administrative procedures must be implemented to ensure that manual feedwater trip can be accomplished in time to prevent overfill when the automatic feedwater trip system is not operable.

(2) Thermal-Hydraulic Differences

Most B&W PWR plant systems that could contribute to steam generator overfeed and overfill events are functionally similar. Variations in the designs exist at some plants, such as the type and capacity of main feedwater valves or pumps; these variations are not significant when considering the overall size of the plant. Major systems are sized in roughly the same proportions, so that the time to overfill on other B&W PWR plants is expected to be very similar to or bounded by the time predicted for the reference plant.

The following criterion was used to assess the generic applicability of this event on other plants: The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to or greater than those of the reference plant.

Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to the reference plant.

(3) Conclusions

(a) Control systems for overfill protection for the main feedwater system for the reference plant are plant specific to the Oconee Nuclear Station design (i.e., Units 1, 2, and 3). The control systems for overfill protection are not as reliable as those provided or planned to be provided at all other B&W PWR plants.

(b) All other B&W PWR plants provide (or have committed to provide) improved safety grade control systems for steam generator overfill protection systems for the main feedwater system. These systems consist of either a 2-out-of-4 or a 1-out-of-2-taken-twice or a 2-out-of-3 steam generator, high-level trip. Although there are theoretical reliability differences between these systems, they are outweighed by the improvements in overall reliability and operational flexibility allowed by such systems. All are thus adequate for overfill protection. It should be noted that until these modifications are completed some of the plants are currently operating with no overfill protection.

(c) Steam generator volume to main feedwater flow rate and steam generator volume to auxiliary feedwater flow rate ratios on other B&W PWR plants are similar to the reference plant ratios; thus the overfill analysis conducted on the reference plant is a bounding analysis applicable to other B&W PWR plants.
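The trip-logic variants named in this subsection (2-out-of-2 at the reference plant; 2-out-of-4, 1-out-of-2-taken-twice and 2-out-of-3 elsewhere) can be compared directly against the single-failure criterion and the two failure directions a trip system has, failure on demand and spurious trip. The block below is an added worked example, not part of NUREG-1217 or any licensee design; it assumes independent channel failures with no common-cause term, interprets 1-out-of-2-taken-twice as two 1-out-of-2 trains whose outputs are ANDed, and uses constructed probability values.

```python
"""Demand-failure and spurious-trip comparison of the steam generator
high-level trip logics discussed in NUREG-1217 Section 4.3.1.

Added worked example (not from the report). Model assumptions:
  * each channel fails independently (no common-cause term);
  * a channel either votes "trip" (True) or "no trip" (False);
  * p_fail_low  = probability a channel is stuck at "no trip" on a real demand;
  * p_fail_high = probability a channel spuriously votes "trip" with no demand.
The probability values used in main() are constructed illustration values.
"""
from itertools import product
from typing import Callable, Dict, Tuple

Votes = Tuple[bool, ...]
Logic = Callable[[Votes], bool]


def two_out_of_n(votes: Votes) -> bool:
    """Generic 2-out-of-N coincidence: trips when at least two channels vote trip."""
    return sum(votes) >= 2


def one_out_of_two_taken_twice(votes: Votes) -> bool:
    """Two 1-out-of-2 trains (channels 0,1 and 2,3); the trip requires BOTH
    trains to be tripped. This interpretation is an assumption of the example."""
    train_a = votes[0] or votes[1]
    train_b = votes[2] or votes[3]
    return train_a and train_b


# name -> (number of channels, voting function)
LOGICS: Dict[str, Tuple[int, Logic]] = {
    "2-out-of-2": (2, two_out_of_n),          # reference plant design
    "2-out-of-3": (3, two_out_of_n),
    "2-out-of-4": (4, two_out_of_n),
    "1-out-of-2-taken-twice": (4, one_out_of_two_taken_twice),
}


def survives_single_failure(name: str) -> bool:
    """Single-failure criterion: does every single stuck-low channel still
    leave a genuine high-level demand able to produce a trip?"""
    n, logic = LOGICS[name]
    for failed in range(n):
        # Demand present: every channel votes trip except the one stuck low.
        votes = tuple(i != failed for i in range(n))
        if not logic(votes):
            return False
    return True


def _state_probability(states: Votes, p_true: float) -> float:
    """Probability of one joint channel state when each channel is True
    independently with probability p_true."""
    pr = 1.0
    for s in states:
        pr *= p_true if s else (1.0 - p_true)
    return pr


def prob_fail_on_demand(name: str, p_fail_low: float) -> float:
    """Probability the trip does NOT occur on a genuine demand."""
    n, logic = LOGICS[name]
    # On a demand a healthy channel votes True; a failed-low channel votes False.
    return sum(_state_probability(states, 1.0 - p_fail_low)
               for states in product([False, True], repeat=n)
               if not logic(states))


def prob_spurious_trip(name: str, p_fail_high: float) -> float:
    """Probability of a trip when there is NO demand."""
    n, logic = LOGICS[name]
    # With no demand a healthy channel votes False; a failed-high channel votes True.
    return sum(_state_probability(states, p_fail_high)
               for states in product([False, True], repeat=n)
               if logic(states))


def compare(p_fail_low: float, p_fail_high: float) -> Dict[str, Dict[str, object]]:
    """Tabulate all three measures for every logic variant."""
    return {
        name: {
            "single_failure_tolerant": survives_single_failure(name),
            "p_fail_on_demand": prob_fail_on_demand(name, p_fail_low),
            "p_spurious_trip": prob_spurious_trip(name, p_fail_high),
        }
        for name in LOGICS
    }


def main() -> None:
    # Constructed illustration values, not plant data.
    for name, row in compare(p_fail_low=0.1, p_fail_high=0.1).items():
        print(f"{name:24s} tolerant={row['single_failure_tolerant']!s:5s} "
              f"PFD={row['p_fail_on_demand']:.4f} "
              f"spurious={row['p_spurious_trip']:.4f}")


if __name__ == "__main__":
    main()
```

The table makes the text's point concrete: 2-out-of-2 is the only variant where one stuck-low channel defeats the trip, while 2-out-of-4 buys the lowest failure-on-demand probability at the cost of the highest spurious-trip probability, the trade-off behind the "theoretical reliability differences" the conclusion refers to.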

4.3.2 Overheat Events Resulting From Steam Generator Dryout

Several control system failure scenarios were identified that could result in steam generator dryout on a partial loss of electrical power to the feedwater control system. Such events could lead to reactor core overheating if adequate feedwater flow is not established within 30 minutes of a steam generator dryout and high pressure injection (HPI) is not initiated within 60 minutes. Losses of electrical power to the "hand control" (i.e., manual control) circuit during manual mode of operation or to the "auto control" circuit during the automatic mode of operation were identified as major contributors.

(1) Control System Differences

Half of the operating B&W PWR plants have an 820 integrated control system rather than the 721 integrated control system used at the reference plant. Only four plants (Oconee Nuclear Station, Units 1, 2, and 3, and Three Mile Island Nuclear Station, Unit 1) use 721 systems. Electric power distributions in the 820 system are different from the distributions in the 721 system. A detailed review of the 820 system was not performed to determine if a credible partial loss of power to the integrated control system could cause similar events; however, all other plants (including TMI-1) incorporate separate control circuits that automatically initiate auxiliary feedwater flow on low steam generator level. These circuits represent an improved design that mitigates the steam generator dryout scenario postulated for the reference plant.

Results and conclusions of analyses of the reference plant apply to other B&W PWR plants if they meet the following criterion with respect to control system design: Auxiliary feedwater flow is not automatically initiated on low steam generator water level. (Plants in which AFW is automatically initiated on low steam generator level are less susceptible to steam generator dryout and, therefore, represent an improvement over the reference design.)


(2) Thermal-Hydraulic Differences

Variations in the designs exist at some plants, such as type and capacity of the feedwater valves or pumps. These variations are not significant when considering the overall size of the plant. Major systems are sized in roughly the same proportions, so that the time to steam generator dryout at other B&W plants is expected to be similar to or bounded by the time to dryout predicted for the reference plant. The following criteria were used to assess the generic applicability of this event to other B&W plants:

(a) The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to these values for the reference plant.

(b) Power to volume ratios should be similar to these values for the reference plant.

Plants with thermal-hydraulic characteristics satisfying these criteria were judged to be similar to the reference plant.

(3) Conclusions

(a) All other B&W PWR plants provide control system designs to initiate auxiliary feedwater on steam generator low water level to prevent steam generator dryout on loss of main feedwater. This design feature represents an improvement over the reference plant design.

(b) Power to flow, power to feedwater flow rate, and steam generator volume to main feedwater flow ratios at other B&W PWR plants are similar to values for the reference plant; thus the steam generator dryout analysis conducted for the reference plant is similar to or is a bounding analysis for other B&W PWR plants.

(c) The overheating event scenario analyzed for the reference plant is not directly generically applicable but bounds overheating events at other B&W PWR plants.

4.4 CE PWR Plants

The review of the CE PWR reference plant identified several potentially significant control system failures that could contribute to (1) steam generator overfill events, (2) a reactor core overheating event, and (3) an overcooling event that could lead to a potential pressurized thermal shock event in a plant with a vulnerable pressure vessel.

All other control system failures that were evaluated were determined to be bounded by the FSAR analysis. The failure mechanisms that contributed to these events are identified in Table 3.4.

The major contributors to these events were single and multiple control system failures that initiated overfeed transients or prevented atmospheric dump valves or turbine bypass valves from opening on demand, and incorrect operator actions to open the pressurizer PORVs when needed.


The following discussions summarize the generic applicability of the major transients identified in the reference plant to other CE PWR plants.

4.4.1 Overfill Events Resulting From Operator Errors During a Steam Generator Overfeed Event

(1) Control System Differences

On all CE PWR plant designs, no automatic, steam generator, high-water-level signals trip the main feedwater pumps. In the event of an overfeed, a steam generator, high-water-level signal will automatically trip the main steam turbine.

A turbine trip signal will trip the reactor, shut the feedwater valves, and open the startup feedwater valves to 5% flow.

This trip system can limit the frequency of steam generator overfill events, but operator action is still required to trip the main feedwater pumps to prevent overfill. If the operator does not manually trip the feedwater pumps, a single failure in the feedwater control system can cause the steam generator to overfill.

The results and conclusions of analysis on the reference plant apply to other CE PWR plants if they meet the following criterion with respect to control system design: All main feedwater flow is not automatically isolated on a steam generator, high-water-level signal. Plants with automatic overfill control circuits would be more resistant to overfill than the reference plant would be.

(2) Thermal-Hydraulic Differences

Variations in design exist at some plants. These variations include type and capacity of feedwater valves and pumps. These variations are not significant with regard to steam generator fill times when considering the relative size of the plants. Major systems are sized in roughly the same proportion, so that the time to overfill at all other CE PWR plants is expected to be similar to or bounded by the time to overfill predicted for the reference plant.

Several CE PWR plants incorporate designs that are different from the reference plant design. These design differences include (a) the use of charging pumps with a discharge head higher than the reference plant design and (b) no pressurizer PORVs. These design differences would not change the conclusions for overfill events analyzed for the reference plant. Although other differences, such as operator training and procedures and design of the level indication system and alarms available to the operator, will alter operator response time to respond to an overfill event, the review did not identify any plants with characteristics that would cause more severe overfill events.

The following criterion was used to assess the generic applicability of this event to other CE PWR plants: The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to or greater than these values for the reference plant.

Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to the reference plant.


(3) Conclusions

(a) The feedwater control system designs on all CE PWR plants are similar to the feedwater control system design for the reference plant.

(b) There are no automatic steam generator, high-level, feedwater pump, trip systems; manual operator action is required to trip the feed pumps or close isolation valves to prevent overfill.

(c) The ratios of steam generator volume to main feedwater flow rate at all CE PWR plants are similar to such ratios at the reference plant; thus the overfill analysis conducted for the reference plant is considered applicable to other CE PWR plants.

4.4.2 Overheat Events and Possible Pressurized Thermal Shock Events Resulting From Operator Errors During Small-Break Loss-of-Coolant Accidents

Several failure scenarios were identified for specifically sized, small-break, loss-of-coolant accidents (SBLOCAs) that could lead to eventual core dryout and fuel damage if the operator does not take proper action to depressurize the reactor coolant system to (1) maintain adequate high pressure injection flow or (2) avoid reaching RT_NDT (reference temperature, nil ductility transition) limits.

(1) Control System Differences

For the reference plant, manual operation of the atmospheric dump valves (ADVs) or the turbine bypass valves (TBVs) or both may be required to depressurize the primary system during SBLOCAs to maintain adequate high pressure injection flow.

Operator use of the pressurizer PORVs or pressurizer auxiliary sprays could also be used to depressurize the primary system if the ADVs or the TBVs or both are not available or if the RT_NDT limits for the reactor vessel are exceeded.

Failures that could keep the ADVs or the TBVs from opening on demand include loss of power or loss of instrument air to the valves. For the reference plant under LOCA conditions, a safety-injection signal isolates service water flow to the air compressors that supply operating air to the ADVs and the TBVs. Loss of service water could result in a failure of the air system. This design is similar to the design of other CE PWR plants. Although an operator of the reference plant can manually transfer control of the ADV to the auxiliary shutdown panel and can provide air to the valves from the salt-water-cooled air compressor, emergency procedures for the reference plant do not instruct the operator to perform this task.

Results and conclusions of analysis of the reference plant apply to other CE PWR plants if they meet the following criteria with respect to administrative procedures or control system design:

(a) Air supply to the ADVs or to the TBVs is lost during SBLOCA conditions. (At the reference plant, automatic isolation of service water to instrument air compressors is initiated during LOCA conditions so that the ADVs or the TBVs are rendered inoperable. Plants that continue to supply instrument air to the ADVs under LOCA conditions are protected against this type of event.)


(b) Administrative procedures do not clearly instruct the operators to provide operating air to the ADVs or the TBVs from an alternate source in the event that service water flow is isolated to the main instrument air compressors (if administrative procedures exist, plants are less susceptible to overheat events of this type), and

(c) An alternate, compressed-air source to the ADVs or TBVs is available.

(2) Thermal-Hydraulic Differences

Several CE PWR plants incorporate designs that are different from the reference plant design. These design differences include (a) the use of high-head, safety-injection pumps with higher heads than the reference plant has and (b) some CE PWR plants do not have pressurizer PORVs. The use of higher head injection pumps will significantly change the analyzed failure scenarios. Higher head pumps will be able to inject water into the reactor vessel at higher pressures, so that specifically sized SBLOCA events analyzed for the reference plant would be significantly less severe.

The following criterion was used to assess the generic applicability of this event to other CE PWR plants: The shutoff pressure of the high-head pumps should be similar to or less than that of the reference plant safety injection design.

Plants satisfying this criterion were determined to be similar to the reference plant. Plants with higher head safety injection pumps were determined to have less severe transients than analyzed.

(3) Conclusions

(a) Seven of the fifteen CE PWR plants have similar high-head pressure injection pump systems; thus failure scenarios analyzed on the reference plant are generically applicable.

(b) Eight of the fifteen CE PWR plants have substantially higher high-head pressure injection pumps, so that administrative procedures to depressurize the primary system are not as critical for these eight plants as for the reference plant.

(c) Seven of the eight CE PWR plants that have high-head pressure injection pumps do not have pressurizer PORVs. For these plants, auxiliary pressurizer spray systems are used to control pressurizer pressure. This design difference does not significantly change the conclusions reached in item (b) above.


5 SUMMARY AND CONCLUSIONS

The resolution of any safety issue requires that the nature of the concern be clearly described. Concerns described as general subject areas (such as common-cause failures, operator errors, sabotage, and undetected failures) can prove to be so broad that almost every conceivable safety issue could fall within the concern, and thus an issue would prove to be unmanageable. Therefore, to proceed with a resolution of the concern expressed as "safety implications of control systems," the NRC staff developed a set of limitations and assumptions to attempt to focus on the safety concern. The staff also decided to take advantage of other ongoing efforts. Thus, if some aspects that might be considered to have control system safety implications were better addressed by these other efforts, the scope of USI A-47 was modified, avoiding duplication of effort.

As a result, a number of concerns (such as: (1) effects of seismic events on control systems, (2) dynamic effects on plant safety resulting from water entering the main steamlines, and (3) reduction in the frequency of integrated-control-system-induced transients in B&W PWR plants) were left to be addressed outside USI A-47. The limitations and assumptions identified in this report are crucial to understanding the scope of the issue and its resolution.

On the basis of the limitations and assumptions, a number of tasks were defined.

These tasks were structured to: (1) make use of the operating experience of actual events, (2) take advantage of previous control system studies, (3) take advantage of the staff requirements identified in the TMI-2 Action Plan (NUREG-0660), (4) evaluate the safety significance of control system failures, and (5) evaluate the safety benefit and cost effectiveness of potential corrective measures.

Because the initiating events and the frequency of control system failures are for the most part plant specific, the risk estimates that are used to evaluate safety significance were difficult to extrapolate to other plants. The safety benefit derived for the reference plant and extrapolated to other plants is based both on qualitative insights and quantitative analysis. The generic applicability analysis is also based on qualitative analysis and deterministic arguments.

On the basis of the technical work completed by the staff and NRC contractors, the following conclusions have been reached:

(1) Control system failures are dependent on individual plant characteristics such as power supply configurations and maintenance. The control system designs between the plants supplied by the same nuclear steam supply system (NSSS) vendor are functionally similar enough that the failure of the same type of non-safety grade system on the different plants will produce similar transients (see Section 4, "Generic Applicability," for exceptions).


(2) Control system failures have occurred that resulted in complex transients. Improvements made after the TMI-2 accident in the design of the auxiliary feedwater system and in operator information and training should greatly aid in the recovery actions in the future.

(3) Plant transients resulting from control system failures can be adequately mitigated by the operators provided the failures do not compromise proper operation of the minimum number of protection system channels required to trip the reactor and initiate the safety systems if such initiation is required.

(4) Control system failure scenarios have been identified that could potentially lead to reactor vessel/steam generator overfill events, core overheat events, and overpressure events.

(5) Transients or accidents resulting from or aggravated by control system failures (except those noted in this report that can contribute to reactor vessel/steam generator overfill or core overheat events) are less severe and therefore are bounded by the transients and accidents identified in the FSAR analysis.

(6) PWR plant designs having redundant commercial grade (or better) overfill protection systems that satisfy the single-failure criterion are considered to adequately preclude water ingress into the main steamlines.

(7) BWR plant designs with commercial grade (or better) overfill protection systems are considered to adequately preclude water ingress into the main steamlines.

(8) PWR plant designs that provide automatic initiation of the auxiliary feedwater flow on low steam generator level are considered to adequately preclude core overheating.


6 REFERENCES

Alter, J., and D. Okrent, "The Contribution of Control Systems in LWR Safety," University of California, Los Angeles, 1983.

Babcock and Wilcox Owners Group, BAW-1564, "Integrated Control System Reliability Analysis," August 1979.

Denton, H., NRC, Memorandum to R. Bernero, "Schedule for Resolving and Completing Generic Issue No. 94, 'Additional Low Temperature Overpressure Protection for Light Water Reactors'," July 23, 1985.

Denton, H., Memorandum to V. Stello, "Staff Actions Resulting from the Investigation of the December 26, 1986 Incident at Rancho Seco (NUREG-1195)," April 25, 1986.

Dircks, W., NRC, Memorandum to NRC Directors, "Staff Actions Resulting from the Investigation of the June 8, Davis-Besse Event (NUREG-1154)," August 5, 1985.

Miraglia, F., NRC, Memorandum to NRR Directors, "Staff Actions Resulting from the Investigation of the December 26, 1986 Incident at Rancho Seco (NUREG-1195)," September 4, 1986.

Stello, V., NRC, Memorandum to H. Denton, "Staff Actions Resulting from the Investigation of the December 26, 1986 Incident at Rancho Seco (NUREG-1195)," March 13, 1986.

Tucker, H., BWOG, Letter to D. Crutchfield, NRC, "B&W Owners Group Plant Reassessment," May 15, 1986.

-- , NUREG-0153, "Staff Discussions of Twelve Additional Technical Issues Raised by Responses to November 3, 1976 Memorandum From Director, NRR, to NRR Staff," December 1976.

-- , NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," Vols. 1 and 2, April 1978; Vol. 3, December 1978; Vol. 4, March 1980.

-- , NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," Vols. 1 and 2, May 1980.

-- , NUREG-0667, "Transient Response of Babcock & Wilcox-Designed Reactors," May 1980.

-- , NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

-- , NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition, July 1981.


-- , NUREG-0933, "A Prioritization of Generic Safety Issues," Main Report and Supplements 1-6, August 1987.

-- , NUREG-1070, "NRC Policy on Future Reactor Designs," July 1985.

-- , NUREG-1154, "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985," July 1985.

-- , NUREG-1177, "Safety Evaluation Report Related to the Restart of Davis-Besse Nuclear Power Station, Unit 1, Following the Event of June 9, 1985," June 1986.

-- , NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," February 1986.

-- , NUREG-1218 (Draft for Comment), "Regulatory Analysis for Proposed Resolution of USI A-47, Safety Implications of Control Systems," April 1988.

-- , NUREG/CR-3958 (PNL-5767), "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor," March 1986.

-- , NUREG/CR-3991 (ORNL/TM-9383), "Failure Modes and Effects Analysis (FMEA) of the ICS/NNI Electric Power Distribution Circuitry at the Oconee-1 Nuclear Plant," October 1985.

-- , NUREG/CR-4047 (ORNL/TM-9444), "An Assessment of the Safety Implications of Control Systems at the Oconee 1 Nuclear Power Plant, Final Report," March 1986.

-- , NUREG/CR-4262 (EGG-2394), "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor," Vols. 1 and 2, May 1985.

-- , NUREG/CR-4265 (ORNL/TM-9640), "An Assessment of the Safety Implications of Control Systems at the Calvert Cliffs-1 Nuclear Plant," Vol. 1, Main Report, April 1986; Vol. 2, Appendices, July 1986.

-- , NUREG/CR-4326 (EGG-2405), "Effects of Control System Failures on Transients and Accidents at a 3-Loop Westinghouse Pressurized Water Reactor," Vol. 1, August 1985; Vol. 2, October 1985.

-- , NUREG/CR-4385 (PNL-5543), "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor," November 1985.

-- , NUREG/CR-4386 (PNL-5544), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor," Pacific Northwest Laboratory, December 1985.


-- , NUREG/CR-4387 (PNL-5545), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor," December 1985.


-- , NUREG/CR-4449 (ORNL/TM-9868), "A PWR Hybrid Computer Model for Assessing the Safety Implications of Control Systems," March 1986.

-- , NUREG/CR-4758 (ORNL/TM-10236), "A RETRAN Model of the Calvert Cliffs-1 Pressurized Water Reactor for Assessing the Safety Implications of Control Systems," March 1987.

-- , Office for Analysis and Evaluation of Operational Data, "AEOD Observations and Recommendations Concerning the Problem of Steam Generator Overfill and Combined Primary and Secondary Blowdown," December 17, 1980.

-- , Office of Inspection and Enforcement, Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation," November 30, 1979.

-- , SECY-82-465, "Pressurized Thermal Shock (PTS)," November 23, 1982.

-- , ORNL/NRC/LTR-86/19, Letter Report, "Generic Extensions to Plant Specific Findings of the Safety Implications of Control Systems (ORNL) Program."


APPENDIX A OTHER RELATED STUDIES, PROGRAMS, AND ISSUES

A number of ongoing NRC and industry programs are related to USI A-47. These programs are discussed here and summarized in Table A1.

(1) Generic Issues in NUREG-0933

As specifically identified in NUREG-0933, Generic Issues 70 and 94 dealing with overpressure protection may require modifications to existing control systems.

The staff concluded that resolution of these issues should proceed via the more focused review specified for these generic issues.

(2) Seismic Qualification of Equipment in Operating Plants, USI A-46

Ongoing NRC and industry programs are evaluating the seismic ruggedness and operability of control and protection grade equipment during design basis seismic events. Data from actual experience during seismic events (including recent earthquakes in Chile and Mexico) are being evaluated to assess the seismic capability of electrical and mechanical equipment needed to safely shut down the plant. Equipment used in non-safety grade control systems that interface with safety grade equipment or that are used in achieving and maintaining hot shutdown are being evaluated to assure that their operability (or lack thereof) does not compromise the plant's ability to achieve and maintain hot shutdown during or after a seismic event. All control system components and instruments are included in the USI A-46 scope by type if not explicitly reviewed. As part of the USI A-46 scope, the current review is evaluating two plant designs (i.e., Zion and Nine Mile Point Unit 1), focusing on equipment installation, its function, and its actual location. Once the methodology and review procedures are established, the review will extend to all other operating plants in the USI A-46 scope (which includes 70 operating plants).

(3) Reactor Vessel/Steam Generator Overfill

In separate evaluations, staff is investigating the consequences of water ingress in the main steamlines resulting from overfeed transients or steam generator tube rupture (SGTR) events. These evaluations include (a) analysis of the potential waterhammer conditions that could degrade steamline integrity, (b) assessment of the adequacy of existing emergency procedures for operator actions needed to mitigate SGTR and prevent overfill, and (c) radiological offsite dose calculations from an SGTR event. These activities are being evaluated under Generic Issue 135.

(4) Babcock and Wilcox Design Reexamination

A comprehensive B&W Owners Group study (Tucker, May 15, 1986) has been initiated to reassess all B&W PWR plant designs including, but not limited to, the integrated control system, support systems such as power supplies, and maintenance.


The purpose of this reexamination is to improve the reliability of the B&W PWR plants by (a) reducing the number of reactor trips caused by non-safety grade control and support systems or by operator or maintenance errors and (b) improving response to plant transients. The NRC staff is monitoring this comprehensive study. Recommended actions for design modifications (if any), for maintenance, and for changes to operating procedures developed for the utilities by the owners group will be coordinated with the staff through NRC's Division of Engineering and System Technology. This effort is closely coordinated with the USI A-47 effort, but is proceeding independently. Any requirements developed will be implemented independent of USI A-47.

(5) Staff Actions Resulting From the Investigation of the December 26, 1985 Incident at Rancho Seco

Generic and plant specific actions resulting from the investigation of the Rancho Seco incident (see NRC, NUREG-1195) were identified in part in a memorandum from V. Stello to H. Denton, dated March 13, 1986, and in a subsequent response memorandum, dated April 25, 1986. Several other memoranda have been issued subsequent to the April 25, 1986 response related to the identified issues. These memoranda are listed in the September 4, 1986 memorandum from F. Miraglia to the various directors of NRR. The activities discussed in these memoranda are being pursued by the NRC staff and are currently being reevaluated by the B&W Owners Group (BWOG). The major activities are summarized below, and are being resolved on a separate schedule independent from USI A-47.

(1) Regarding completeness of actions taken with respect to BAW-1564 (Failure Modes and Effects Analysis of the ICS) and the ORNL review of it, the BWOG has been asked to reevaluate BAW-1564 and to describe its plans to address the ORNL concerns. The staff will ensure that the recommendations in BAW-1564 and the ORNL review are reconsidered regarding their applicability, appropriateness, and implementation status at each B&W-designed operating reactor.

(2) The staff has asked the BWOG, and BWOG has agreed, to reevaluate IE Bulletin 79-27 regarding the consequences of a loss of power to the instrumentation and control systems for all of the B&W-designed operating plants.

In retrospect, the staff could have done more in reviewing licensee responses to Bulletin 79-27 by focusing its resources on a more detailed review of the B&W-designed plants. The staff is now giving more attention and resources to problem plants. The staff will thoroughly review the BWOG reevaluation of Bulletin 79-27.

(3) With regard to atmospheric dump valves (ADVs) and turbine bypass valves (TBVs) opening on loss of integrated control system (ICS) power, the staff has met with the BWOG and determined that only Rancho Seco has the ADV problem and only Rancho Seco and Arkansas Nuclear One Unit 1 (ANO-1) have the TBV problem. Rancho Seco has already redesigned the ADV and TBV controls to eliminate the problem, and the staff will review the modifications before Rancho Seco restarts. ANO-1 modified its TBV controls during the August 1986 refueling. The modified design prevents the TBV from automatically opening on a loss of power in the ICS.


(4) The staff has conducted a survey of completeness of actions taken with respect to NUREG-0667 recommendations by the staff and by licensees of each B&W-designed operating reactor. The survey shows that 90% of the related staff requirements have been implemented; the rest will be complete by the end of 1987. The staff is planning to review the prioritization of certain lower priority recommendations that were not required earlier. The Rancho Seco licensee and the BWOG are reviewing the recommendations as part of the Rancho Seco recovery and B&W-design reassessment programs, respectively.

(5) In connection with the partial loss of the non-nuclear instrumentation (NNI) system at Rancho Seco in 1984, in the near future the staff plans to complete its review of the BWOG submittal (dated January 1985) evaluating the generic aspects of that event. In addition, Rancho Seco staff and the BWOG are reviewing this event as part of the recovery and design reassessment programs, respectively.

(6) Staff Actions Resulting From the June 6, 1985 Incident at Davis-Besse

Generic and plant-specific actions resulting from the investigation of the Davis-Besse incident (see NRC, NUREG-1154) have been identified in a memorandum from W. Dircks to the Directors of NRC, dated August 5, 1985. Short-term, plant-specific items have been addressed and the resolution is described in the "Safety Evaluation Report Related to Restart of Davis-Besse Nuclear Power Station" (see NRC, NUREG-1177). A number of potential generic issues were also identified.

These issues include possible deficiencies in the design, construction, or operation of several or a class of nuclear power plants. The staff did not identify a need for any immediate staff action of a generic nature related to these issues. They have, however, been designated for review as part of Generic Issues 122 through 125. These issues are to be evaluated and resolved on a schedule consistent with their priority designation. Currently, the staff is completing the prioritization of these issues. Their status and priority level are provided in NUREG-0933. Resolution of these issues is being pursued on a separate schedule independent from USI A-47.

(7) Systems Interactions (USI A-17)

Potentially undesirable interactions between plant systems, components, and structures were evaluated under USI A-17. These evaluations include identification of interdependencies between safety grade protection systems and systems not related to safety, including non-safety grade control systems,


Table A1  Summary of USI A-47 related studies, programs, and issues

Issue                                   Subject                                                     Estimated completion schedule
GI-70                                   PORV and block valve reliability                            Late 1988
GI-94                                   Low-temperature overpressure protection for                 Late 1988
                                        light-water reactors
USI A-46                                Seismic qualification of components                         Mid 1991
                                        (plant-specific implementation)
GI-135                                  Water ingress to main steamlines (overfill)                 Late 1989
B&W plant reexamination                 BWOG reevaluation to minimize challenges to                 Early 1988
                                        protection systems and improve mitigation of
                                        complex transients
Staff actions resulting from            Included as part of BWOG reevaluation                       Early 1988
Rancho Seco Dec. 26, 1985 incident
Staff actions resulting from            NUREG-1177 (short-term actions)                             Completed June 1986
Davis-Besse June 6, 1985 incident
GI-122                                  (initiating feed and bleed)                                 Mid 1988
GI-124                                  (AFW system reliability)                                    Mid 1988
GI-125                                  (reevaluate design to automatically isolate                 Mid 1989
                                        feedwater from the steam generator)
USI A-17                                Systems interactions                                        Mid 1989

APPENDIX B

SUMMARY OF THE PRINCIPAL DOCUMENTS USED FOR USI A-47 STUDY

The following are summaries of the principal documents underlying the proposed resolution of USI A-47.

(1) Draft NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47."

This report presents the technical findings and summarizes the work performed on USI A-47 by the U.S. Nuclear Regulatory Commission (NRC) and its contractors: Pacific Northwest Laboratory (PNL), Idaho National Engineering Laboratory (INEL), and Oak Ridge National Laboratory (ORNL).

Summaries and staff conclusions regarding other related work, such as the generic applicability and operating experience surveys, are also presented.

From the technical findings presented in this report, the staff formulated the resolution of USI A-47.

(2) Draft NUREG-1218, "Regulatory Analysis for Proposed Resolution of USI A-47 Safety Implications of Control Systems."

This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value/impact of alternatives for resolution of USI A-47. The proposed resolution presented in this USI A-47 study is based on these analyses.

(3) NUREG/CR-4262, "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor" (Vols. 1 and 2).

(See summary for NUREG/CR-4326.)

(4) NUREG/CR-4326, "Effects of Control System Failures on Transients and Accidents at a 3-Loop Westinghouse Pressurized Water Reactor" (Vols. 1 and 2).

These two reports (numbers 3 and 4) summarize the work performed on USI A-47 by INEL. Summaries of failure modes and effects analysis, computer analysis, recorded plant occurrences, and probabilistic assessment of significant control system failure frequencies are provided. In addition, the contractor presents its conclusions and recommendations.

From the technical findings presented in these two reports, the staff formulated the resolution of USI A-47 for General Electric and Westinghouse plants.

(5) NUREG/CR-4047, "An Assessment of the Safety Implications of Control at the Oconee 1 Nuclear Plant." (See summary for NUREG/CR-4265.)


(6) NUREG/CR-4265, "An Assessment of the Safety Implications of Control Systems at the Calvert Cliffs 1 Nuclear Power Plant" (Vols. 1 and 2).

These two reports (numbers 5 and 6) summarize the work performed on USI A-47 by ORNL. Summaries of failure modes and effects analysis, computer analysis, recorded plant occurrences, and probabilistic assessment of significant control system failure frequencies are provided. In addition, the contractor presents its conclusions and recommendations.

From the technical findings presented in these two reports, the staff formulated the resolution of USI A-47 for Babcock and Wilcox Company and Combustion Engineering plants.

(7) NUREG/CR-4385, "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor."

(See summary for NUREG/CR-3958.)

(8) NUREG/CR-4386, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor."

(See summary for NUREG/CR-3958.)

(9) NUREG/CR-4387, "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor."

(See summary for NUREG/CR-3958.)

(10) NUREG/CR-3958, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor."

These four reports (numbers 7-10) summarize the work performed on A-47 by PNL. Probabilistic risk analyses and estimates of core-melt frequencies and public risk associated with control system failures in Westinghouse, Babcock and Wilcox, General Electric, and Combustion Engineering reactors are presented. In addition, value/impact analyses of possible modifications to prevent control system failures are presented. These analyses are based on the control system failures identified by INEL and ORNL.

From the technical findings presented in these four reports, the staff developed the regulatory analysis for USI A-47.


NRC FORM 335  BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1217

Title and subtitle: Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47, Draft Report for Comment

Author: A. J. Szukiewicz

Date report completed: March 1988

Date report issued: April 1988

Performing organization: Division of Engineering, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Sponsoring organization: Same as above

Type of report: Draft Report for Comment

Abstract: This report summarizes the work performed by the Nuclear Regulatory Commission staff and its contractors, Idaho National Engineering Laboratories (INEL), Oak Ridge National Laboratory (ORNL), and Pacific Northwest Laboratory (PNL), leading to the proposed resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems".

An in-depth evaluation was performed on non-safety-grade control systems (see Section 1) that are typically used during normal plant operation on four nuclear steam system (NSS) plants: a General Electric Company (GE) boiling-water reactor (BWR), a 3-loop Westinghouse (W) pressurized-water reactor (PWR) design, a once-through steam generator PWR designed by Babcock & Wilcox Co. (B&W), and a Combustion Engineering (CE) PWR design.

This report describes the technical studies performed by the laboratories, the NRC staff assessment of the results, the generic applicability of the evaluations, and the technical findings resulting from these studies.

Key words/descriptors: Unresolved Safety Issue A-47; Control Systems

Availability statement: Unlimited

Security classification: Unclassified
