ML20237J713

Implications of the Accident at Chernobyl for Safety Regulation of Commercial Nuclear Power Plants in the United States. Draft for Comment
ML20237J713
Person / Time
Site: Pilgrim
Issue date: 08/31/1987
From:
NRC
To:
References
CON-#487-5057 2.206, NUREG-1251, NUREG-1251-DRFT, NUREG-1251-DRFT-FC, NUDOCS 8709040049


Text


NUREG-1251

Implications of the Accident at Chernobyl for Safety Regulation of Commercial Nuclear Power Plants in the United States

Draft for Comment

U.S. Nuclear Regulatory Commission

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555

2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082

3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.


ABSTRACT

This draft report issued for comment was prepared by the Nuclear Regulatory Commission (NRC) staff to assess the implications of the accident at the Chernobyl nuclear power plant as they relate to reactor safety regulation for commercial nuclear power plants in the United States. The facts used in this assessment have been drawn from the U.S. fact-finding report (NUREG-1250) and its sources.


CONTENTS

ABSTRACT
INTRODUCTION
SUMMARY

Chapter

1 ADMINISTRATIVE CONTROLS AND OPERATIONAL PRACTICES
1.1 Administrative Controls To Ensure That Procedures Are Followed and That Procedures Are Adequate
1.2 Approval of Tests and Other Unusual Operations
1.3 Bypassing Safety Systems
1.4 Availability of Engineered Safety Features
1.5 Operating Staff Attitudes Toward Safety
1.6 Management Systems
1.7 Accident Management

2 DESIGN
2.1 Reactivity Accidents
2.2 Accidents at Low Power and at Zero Power
2.3 Multiple-Unit Protection
2.4 Fire Protection

3 CONTAINMENT
3.1 Containment Performance During Severe Accidents
3.2 Filtered Venting

4 EMERGENCY PLANNING
4.1 Size of the Emergency Planning Zones
4.2 Medical Services
4.3 Ingestion Pathway Measures
4.4 Decontamination and Relocation

5 SEVERE-ACCIDENT PHENOMENA
5.1 Source Term
5.2 Steam Explosions
5.3 Combustible Gas

6 GRAPHITE-MODERATED REACTORS
6.1 The Fort St. Vrain Reactor and the MHTGR
6.2 Assessment
6.3 Conclusions and Recommendations

REFERENCES

INTRODUCTION

This report was prepared by the staff of the U.S. Nuclear Regulatory Commission (NRC) to assess the implications of the April 1986 Chernobyl accident in the Soviet Union as they relate to commercial nuclear reactor safety regulation in the United States. Most of the assessment focuses on light-water-reactor power plants. A final chapter addresses graphite-moderated reactors.

With respect to studying the Chernobyl accident, U.S. government agencies have expended their energies on determining the facts, as well as on assessing those facts in terms of how the accident may affect U.S. policies and practices in the nuclear power field.

The work was divided into two major phases. The first phase, fact finding, was a coordinated effort among several U.S. Government agencies and some private groups; this phase was completed in January 1987 and has been reported in NUREG-1250, "Report on the Accident at the Chernobyl Nuclear Power Station." The second phase, an assessment of the implications of that accident with regard to U.S. policies and practices, is being pursued separately by each organization that participated in NUREG-1250. The present report, as part of this second phase, addresses the safety regulation of commercial nuclear reactors under NRC regulatory jurisdiction. (Department of Energy reactors, not subject to NRC regulation, are not addressed in this NRC study.)

In developing the assessments presented in this report (NUREG-1251), the NRC staff depended on NUREG-1250 and its two major source documents (USSR, 1986; INSAG, 1986) for the facts of the Chernobyl accident. The Soviet document (USSR, 1986) is an official Soviet report to the International Atomic Energy Agency (IAEA) Experts' Meeting held in Vienna August 25-29, 1986; the second (INSAG, 1986) is the report to the IAEA prepared by the International Nuclear Safety Advisory Group at a second meeting in Vienna on August 30 to September 5, 1986.

The assessment of the implications of the Chernobyl accident with regard to commercial nuclear reactor safety regulation in the United States is supported by detailed assessments of a number of particular issues, grouped in six subject areas. The particular issues selected for evaluation were those that are associated with significant factors that led to or exacerbated the consequences of the Chernobyl accident.

SUMMARY

General Conclusions

A study of the Chernobyl accident has led the NRC staff to the following general conclusions about its effect on safety regulation of commercial nuclear power plants in the United States:

(1) No immediate changes are needed in the NRC's regulations regarding the design or operation of U.S. commercial nuclear reactors.

Nuclear design, shutdown margin, containment, and operational controls at U.S. reactors protect them against a combination of lapses such as those experienced at Chernobyl. Although the NRC has always acknowledged the possibility of major accidents, its regulatory requirements provide adequate protection against the risks, subject to continuing vigilance for any new information that may suggest particular weaknesses, and also subject to taking measures to secure compliance with the requirements.

Assessments in the light of Chernobyl have indicated that the causes of the accident have been largely anticipated and accommodated for commercial U.S. reactor designs.

Yet, the Chernobyl accident has lessons for us. The most important lesson is that it reminds us of the continuing importance of safe design in both concept and implementation; of operational controls, of competence and motivation of plant management and operating staff to operate in strict compliance with controls; and of backup features of defense in depth against potential accidents.

Although a large nuclear power plant accident somewhere in the United States is unlikely because of design and operational features, we cannot relax the care and vigilance that have made it so. Accordingly, further consideration of certain issues is recommended, as discussed.

(2) Some aspects of requirements and regulations that already exist or are being developed will be reexamined, taking into account the accident at Chernobyl.

Areas that may warrant further study include operator training, emergency planning, and containment performance.

(3) Study of areas related to certain aspects of the Chernobyl accident will be extended and will provide a basis for confirming or changing existing regulations.

These areas include reactivity accidents, accidents at low power or at zero power (when the reactor is shut down), and characteristics of radionuclides release.

(4) The Chernobyl experience should remain as part of the background information to be taken into account when dealing with reactor safety issues in the future.

Conclusions About Specific Areas

The accident at Chernobyl suggests that the following specific areas be examined in direct response to that event. (Cross-references in parentheses refer to correspondingly numbered detailed assessments in the body of this report.)

(1) Administrative Controls Over Reactor Operations (Chapter 1)

In general, regulatory provisions at nuclear plants in the United States are adequate with respect to administrative controls to ensure that reactor operations are conducted within a safe range of operating conditions.

These controls address procedural adequacy and compliance, approval of tests and other unusual operations, bypassing of safety systems, availability of engineered safety features, operating staff attitudes toward safety, management systems, and accident management.

However, the benefits of the following additional provisions should be examined:

(a) The assignment to each plant of a high-level onsite manager whose sole responsibility is nuclear safety.

(b) Programs for accident management, including training and the development of procedures for coping with severe core damage and for the effective management of the containment. This provision will be addressed and resolved as part of the implementation of the Commission's Severe Accident Policy.

(c) The review of administrative controls to seek ways of strengthening technical reviews and the approval of changes, tests, and experiments.

(d) The review of safety system status displays and the availability of engineered safety features for potential worthwhile improvements.

(2) Reactivity Accidents (Section 2.1)

Positive void reactivity coefficients, which are a characteristic of the RBMK graphite-moderated water-cooled reactors, played a central role in determining the severity of the Chernobyl accident. Commercial reactors in the United States are designed very differently from the RBMK reactor at Chernobyl, and have generally a negative void reactivity coefficient.

This provides assurance that the kind of superprompt critical excursion that took place at Chernobyl will not occur. However, the NRC should reconfirm that vulnerabilities and risks from possible accident sequences have been adequately factored into safety analysis reports on which design approvals are based.

(3) Accidents at Low Power and at Zero Power (Shutdown) (Section 2.2)

Regulations for commercial nuclear power plants in the United States require that potential accidents that could occur during all conditions of operation (full, low, and zero power) be considered and provided for in the plant design. Such provisions are considered in safety analyses required in support of licensing. Often, analyses assuming full power operation are found to be limiting cases--bounding accident risks at low power operation or when the reactor is shut down. The Chernobyl accident suggests that accident sequences beginning at low power and under shutdown conditions should be reviewed, particularly for situations in which not all engineered safety features are considered necessary to be available.

(4) Multiple-Unit Protection (Section 2.3)

For multiple-unit plants that are operating or are under construction, the Chernobyl experience should be considered in assessing the adequacy of protection of control rooms in the event of an accident at one of the units.

This assessment should be performed on the basis of recent research information on radionuclides release.

New multiple-unit plants should not share systems required for shutting down each unit unless designed to enhance the overall level of safety.

(5) Fires (Section 2.4)

Provisions for fighting fires when radiation levels are high should be reviewed to confirm that the current provisions are adequate.

(6) Containment (Chapter 3)

The Chernobyl accident demonstrated the importance of containment performance for mitigation of the risks of nuclear power plant operation. Even before the Chernobyl accident, research programs and regulatory initiatives in the United States addressed the issue of containment performance during severe accidents. A systematic search for plant-specific vulnerabilities (i.e., potential failures that result in unacceptably high risk) is scheduled to begin in 1987, as part of the implementation of the Commission's Severe Accident Policy. This search will include reviews of containment design. The Chernobyl experience should be taken into account in these reviews wherever that experience is relevant.

Filtered venting of containment as a means of limiting offsite consequences of core-melt accidents is being pursued in a number of countries and is being examined in the United States. Anticipated international technical exchanges will enhance U.S. research and evaluation efforts concerning this potential measure.

(7) Emergency Planning (Chapter 4)

Partly because the radionuclides release in the Chernobyl accident is specific to the RBMK design, the size of the 10-mile plume exposure pathway emergency planning zone, which specifically includes the concept of protective actions outside it if necessary, continues to be viewed as adequate. However, in light of new research information (NUREG-0956, "Reassessment of the Technical Bases for Estimating Source Terms," and NUREG-1150, "Reactor Risk Reference Document"), the planning bases for relocation and decontamination and for protective measures for the food ingestion pathway are being reexamined in cooperation with the Federal Emergency Management Agency.

(8) Severe-Accident Phenomena (Chapter 5)

The phenomena of the Chernobyl accident were greatly influenced by the design features and materials in the RBMK reactor, which differ in many basic respects from those of U.S. reactors. The only radionuclides release aspects identified to date that are not currently considered in U.S. analytical models involve two mechanisms of fission product release from fuel debris. These are mechanical dispersal and chemical stripping (removal of the fuel surface layer, as through chemical change of the uranium oxide).

Although it is not clear that these mechanisms will have any effect on accident sequences relevant to U.S. reactors, it is recommended that the need for additional research be assessed.

(9) Graphite-Moderated Reactors (Chapter 6)

The Fort St. Vrain high-temperature gas-cooled reactor (HTGR) is the only licensed and operating commercial graphite-moderated reactor in the United States. A study of the potential for a Chernobyl-type fire and explosion at Fort St. Vrain was initiated immediately after the Chernobyl accident.

Although the only shared features between the HTGR concept and the Chernobyl design are the use of a graphite moderator and gravity-driven control rods, the 330-MWe Fort St. Vrain HTGR and a proposed modular HTGR concept were reviewed against the Chernobyl candidate issues and the conclusions presented in this document for light-water reactors (LWRs). This assessment confirms that the concept of the HTGR (because it uses helium coolant in a fully ceramic core, has an overall negative reactivity coefficient, and has completely diverse alternate shutdown and cooling systems) has no direct association with the identified weaknesses of the Chernobyl design. In the areas at issue of operations, design, containment, emergency planning, and severe-accident phenomena, NRC assessments conclude that the implications of the accident at Chernobyl generate no new licensing concerns for HTGRs and both the overall and specific-area conclusions are the same as for LWRs. The assessment did not raise any new concerns regarding HTGR severe-accident phenomena but did reinforce the desirability of undertaking a probabilistic risk assessment of Fort St. Vrain and conducting experiments in graphite thermal stress.

CHAPTER 1 ADMINISTRATIVE CONTROLS AND OPERATIONAL PRACTICES

In the United States, administrative controls over plant operations include NRC rules and regulations, facility license conditions, Technical Specifications (TS), and plant procedures. The overall administrative control framework requires that safety-related activities at nuclear power plants be conducted in accordance with approved written procedures. These activities include, for example, operations, tests, inspections, calibrations, maintenance, experiments, modifications, safety review and approval functions, and audits. The safety design basis of the plant is based on assumed initial conditions for transients and emergencies. These assumed initial conditions (e.g., temperatures, pressures, control rod positions, and equipment availability) establish a "safe operating envelope." Effective administrative controls are needed to ensure that reactor operations are conducted within this safe operating envelope. Clearly, for administrative controls to be effective they must be technically accurate and complete, they must be understood by those responsible for implementing specific procedures, and management must ensure that they are enforced. A key finding from the Chernobyl accident is that such administrative controls in place at Chernobyl were not effective in maintaining conditions within the safe operating envelope.

In this chapter, the NRC staff reviews the administrative controls over plant operations in the United States to determine if adequate controls are in place to maintain plant conditions within the safe operating envelope. This review includes an assessment of procedural adequacy and compliance, approval of tests, bypassing of safety systems, availability of engineered safety features, operating staff attitudes toward safety, management systems, and accident management. The results of these detailed reviews are reported in the following sections. The staff confirmed that some ongoing activities with a nexus to the Chernobyl accident should continue. In addition, a few new issues requiring staff attention were identified and are presented below.

Emergency Operating Procedures (EOPs) are intended to ensure safe shutdown and to mitigate the effects of accidents and transients. Facility EOPs are designed for coping with accidents and transients that initiate from within the safe operating envelope. The ability of operators to successfully implement EOPs depends upon plant safety parameters initially being within the safe operating envelope. As a result of the Three Mile Island (TMI) accident, NRC required that new symptom-based EOPs be developed. These new procedures have not been implemented at all facilities, and NRC audits have identified deficiencies in implementation at several facilities. Thus, licensees must expend significant effort to complete implementation of new EOPs.

Operator training needs to stress fundamentals of reactor safety, how the plant should function, and the underlying danger if plant conditions move outside the safe operating envelope. With adequate training and knowing the possible consequences, personnel would be less likely to succumb to pressures to speed up, take shortcuts, or defeat safety functions. Operating experience and the Chernobyl event indicate that more training is needed in the areas of maintenance of safety parameters and plant conditions within the safe operating envelope, EOPs, and accident management.

The Chernobyl accident has emphasized the need for contingency planning assuming core damage has occurred to ensure that appropriate controls, training, and planning have prepared the plant staff to manage plant assessment activities, response actions, and emergency actions. Significant effort has been expended to prepare for events involving degraded-core cooling and to upgrade emergency planning. However, more work needs to be done in training and procedure development for coping with severe core damage and for effective management of containment.

Management attention and diligence are required to ensure that plant operations, testing, and maintenance are conducted within the safe operating envelope. Management must focus on ensuring that all of the administrative control systems are effective and enforced. To obtain feedback on the quality of safety activities, the operating staffs must continue to perform audits, internal inspections, and reviews of operating data and events. Qualified and informed individuals must control reviews of changes, tests, and procedures. Experience has shown that some of these reviews have not been of consistently high quality and, in some instances, design changes have been made and testing has been conducted that place the plant outside the safe operating envelope. Industry has acted to improve the review process required by NRC; however, more needs to be done to narrow the focus on responsibility for safety. All plant personnel have a safety responsibility, but this responsibility is coupled with other functions.

The staff believes that the benefits of a high-level, onsite nuclear-safety manager, who has no other responsibilities or duties, should be examined.

1.1 Administrative Controls To Ensure That Procedures Are Followed and That Procedures Are Adequate

Are controls at U.S. reactors adequate to ensure that operations and other activities at nuclear power plants are performed in accordance with approved written procedures?

When, in order to complete the test, the operators deviated from the approved test procedures and the established administrative procedures, they initiated the Chernobyl accident. Although the test procedure called for the test to be run at 700 to 1000 MWt, the operators could only achieve 200 MWt, but decided to conduct the test anyway. In addition, they violated the fundamental administrative requirement to maintain enough control rods at the proper degree of insertion to be effective in an automatic scram. The operators should not have raised the control rods beyond their administrative limits so that the reserve shutdown reactivity margin limits were violated; they should have terminated the test and shut the reactor down. This violation resulted in the inability to insert enough negative reactivity in the required time by a scram to overcome certain reactivity transients.

The operators violated another administrative procedural limit when they activated and operated two additional main circulating pumps while the other main circulating pumps were running. Such actions (1) violated limits protecting against pump cavitation damage and (2) yielded an abnormally high core flow rate.

The conditions created by running all of the main circulating pumps would also have caused an automatic scram if the operators had not intervened and defeated the scram function. Subsequent operation with the high flow rate resulted in voids being swept from the fuel element channels. This caused a large reactivity loss which was compensated for by control rod withdrawal to an extent that the rods were initially less effective when scrammed.

Other deviations from administrative procedures occurred, such as bypassing safety systems. These are discussed separately. Such deviations and procedures violations are influenced by operator attitudes (also discussed separately).

This issue concerns (1) controls by licensees and regulators to ensure that procedures are appropriately written, known to the operators, placed at the worksite, and followed and (2) the adequacy of these controls for some safety functions. Such controls involve plant policies and procedures, industry standards, and regulatory rules and enforcement policy. The specific administrative controls applicable to changes, tests, and experiments are provided in Section 1.2.

1.1.1 Current Regulatory Practice

(1) NRC Requirements and Guidance for Procedure Development and Use

The NRC has a large body of guidance and requirements that includes general and specific measures for development and use of administrative procedures and controls. These controls govern all operating activities at nuclear power plants, and are designed to avoid the types of violations that occurred at Chernobyl.

Procedures are violated in licensed plants, but only rarely with the knowledge that a violation is being committed. In its program to ensure safety and quality, the NRC has developed and published quality assurance requirements for activities affecting nuclear safety. Criterion V of 10 CFR 50 Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," governing procedures states:

V. Instructions, Procedures and Drawings

Activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances and shall be accomplished in accordance with these instructions, procedures, or drawings. Instructions, procedures, or drawings shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.

This criterion prescribes the general requirement for having procedures and for following them. A second level of administrative controls for procedures is contained in each plant's Technical Specifications (TS), which are a part of the license. Plant TS require licensees to establish, implement, and maintain procedures. Both Technical Specifications and Criterion V have the force of law.

Technical Specifications require procedures to be reviewed by the Unit Review Group when initially written and before being changed, except for temporary changes made on the spot that do not alter the intent. The Unit Review Group is made up of key plant supervisory personnel who are knowledgeable about plant safety. The objective of this review is to ensure that experts from the various technical disciplines review the procedures for operations or changes that could affect safety. This review backs up the technical procedure writer and his/her supervisor's decisions on safety. There is a further screening of procedures and changes to procedures to determine whether or not they may involve an unreviewed safety question or a technical specification, in which case prior NRC approval is required by 10 CFR 50.59. The NRC requires that all of these activities, including compliance with procedures, be periodically audited, and audit results be provided to appropriate management; corrective action is required when deficiencies are found.

(2) Required Procedure Coverage

Technical Specifications require that licensees commit to develop and implement applicable procedures listed in Appendix A to Regulatory Guide (RG) 1.33, "Quality Assurance Program Requirements (Operation)." Licensees make this commitment in their applications. This list of applicable procedures covers essentially all operating and administrative activities (e.g., startup, shutdown, refueling) and requires the development of specific procedures for activities, such as tests and maintenance, at the approximate time but before the test or maintenance activity is performed. Test and administrative procedures undergo the same review as other procedures.

(3) Guidance in Standards

Additional guidance on procedures is provided in American National Standards Institute/American Nuclear Society (ANSI/ANS) Standard 3.2-1980, "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants." The guidelines of this standard provide much more detail than other documents on the measures needed for the development, review, control of changes, and implementation of the procedures. This standard is endorsed by the NRC through RG 1.33, and licensees have committed to comply with RG 1.33 in their license applications.

ANSI/ANS 3.2 requires that procedures be written for all plant safety activities, that they be followed, and that the requirements for use of the procedures be prescribed in writing. It further requires written guidance for operators to contain elements describing when a procedure is to be memorized, when it is to be in hand while the operator is conducting the operation, and when signoffs are required. It identifies situations in which temporary changes can be made and the conditions under which such changes can be made if proper controls are met.

(4) Training on Procedures

Operators must be licensed by the NRC. Since plant operation requires extensive use of procedures, operators are trained in both the technical details of procedures and what is expected of them in terms of following procedural provisions. The NRC examines operators in these areas.

(5) NRC Inspection and Enforcement

Important elements in the overall regulation of nuclear power plants are the inspection of licensee activities and the enforcement actions taken when the licensee fails to comply with NRC requirements.

Since a requirement exists in the Technical Specifications that licensees follow procedures, licensed operators must abide by the procedures or face possible disciplinary action from their own management and possible enforcement action by the NRC. Significant fines have been imposed on utilities for violations of procedures. Licensees' activities are inspected routinely and after each significant event to determine compliance with procedural requirements. These inspections are often done unannounced on backshift and during weekend periods. More severe actions are usually taken for violations of procedures if the act has been willfully performed. Operators are very reluctant to deliberately commit such acts. In an emergency, a licensee is permitted through 10 CFR 50.54(x) to deviate from a procedure or even from a technical specification if the licensed operator determines such deviation is needed to protect the public.

1.1.2 Work in Progress

(1) Technical Specifications Improvements

The NRC has a priority effort under way to improve Technical Specifications through the Technical Specification Improvement Program (TSIP). Current TS have grown in volume because of lack of guidance on which requirements should be included in TS. A Policy Statement defining the scope and purpose of TS (52 FR 3788) has been approved by the Commission. TS that have been revised in accordance with this Policy Statement will be more closely oriented toward the operator's job and will be rewritten to improve clarity. Bases for requirements will be improved. TS that appear in procedures will be easier to understand and to follow.

(2) Symptom/Function-Based Emergency Operating Procedures

One of the lessons learned from the TMI-2 accident was the need for symptom/function-based emergency operating procedures (EOPs) for coping with transients and accidents. The NRC has a program in place that is sponsored by vendor owners groups to develop EOPs based on reanalyses of transients and accidents. All licensees are required to implement symptom-based EOPs incorporating good human factors practices. Operators are receiving training on these procedures. The ability of operators to successfully implement EOPs is directly related to their knowledge of whether or not the plant is initially operating within the safe operating envelope.

(3) Refocusing NRC Inspection Activities

The NRC initiated an inspection program to reward good licensee performance by reducing inspections for good performers; below-average performers were inspected more frequently.

In the staff's judgment, a high level of overall compliance and a high level of compliance with procedures go hand in hand. To achieve the coveted high performance rating, licensees will need to have (a) effective administrative controls over procedure development and use as well as (b) good performance in other management and technical areas.

1.1.3 Assessment

Good administrative controls are essential for the safe operation of nuclear power plants. The staff has carefully examined these controls. The assessment of the adequacy of these controls at U.S. reactors is discussed below.

Over the past 15 years, a body of American Nuclear Society (ANS) standards has been developed and put into place to provide criteria and guidance for procedures and for controls over the procedures. Several key standards have been in use for much of this period; furthermore, these key standards have been revised and refined, becoming effective standards. They address administrative controls, qualifications for nuclear power plant personnel, training, and quality assurance. The NRC has encouraged such standards development, endorsing it through the NRC regulatory guide series. The standards have become the recommended and accepted programs in their respective areas.

These standards contain excellent requirements and guidance for control over administrative and technical procedures. They are geared toward ensuring that technically sound procedures are developed that have been reviewed by a multi-discipline review body, and that have management endorsement and authorization. They also require the use of approved written procedures for essentially all activities at the plants. Required training emphasizes how these procedures are to be used and followed. Management directives and administrative procedures state the philosophy and expectations, i.e., procedures will be written and followed.

The NRC has published guidance and has issued plant-specific TS stating requirements in the use of procedures. Although these procedures and specifications allow removal of a single train of redundant systems for test or repair, they prohibit defeating safety systems and prescribe minimum operability requirements for important safety equipment. NRC personnel inspect procedural activities and take enforcement action, when appropriate, against utilities and licensed operators who violate these requirements. The industry-sponsored Institute of Nuclear Power Operations (INPO) evaluates performance in these same areas and strives for excellence in writing, use, and control of procedures through its evaluation feedback process to management.

Although the staff recognizes that errors and violations will occur, the measures taken by the NRC and industry should keep violations to a minimum. Since Technical Specifications containing the operability requirements for safety equipment are so prominent in operators' and management's minds, the staff believes that operators, because of their concern for safety, will not willingly violate these requirements and put the reactor in jeopardy.

Recent audits by the NRC have identified deficiencies in the implementation of the new symptom-based EOPs. In addition, NRC examinations have identified the need for additional training on the use of these EOPs. Therefore, the staff believes work should continue to achieve full implementation of the new EOPs and to provide associated training to operating personnel. Furthermore, the staff believes that the concept of maintaining plant conditions within the safe operating envelope should be emphasized in operator training.

1.1.4 Conclusions and Recommendations

The staff recommends that increased emphasis be placed on implementing symptom-based EOPs and related training. After full implementation of symptom-based EOPs, administrative controls will be adequate to ensure that operations and other safety-related activities will be performed in accordance with approved written procedures.

1.2 Approval of Tests and Other Unusual Operations

Are administrative controls at nuclear power plants adequate to ensure that changes are made safely and that tests and experiments at plants are conducted safely and within the safe operating envelope?

The testing being performed at Chernobyl at the time of the accident was stated to have been prepared by an individual not familiar with the RBMK-1000 type of reactor. Moreover, the Soviet report (USSR, 1986) stated that "the quality of the program was poor and the section on safety measures was drafted in a purely formal way..." Even though the test program was poorly constructed, its intent was violated in a number of ways. The test power level was chosen to avert control difficulties that would result from changes to the thermal, hydraulic, and nuclear characteristics at low power levels. The test also presumed an automatic trip of the reactor by closing the turbine stop valve when the test was initiated. The trip circuit for this function was defeated by the operators to expedite a retest if the original test failed. An adequately constructed test procedure would establish the prerequisites, including power level, with a warning or caution against lower power levels and would have established in advance any permissible bypasses of safety features.

U.S. standards and administrative control requirements would not allow the conduct of a test without an adequate safety review. Multiple Federal regulations would have been violated had Chernobyl Unit 4 been a licensed U.S. plant.

In the United States, all changes, tests, and experiments planned to be performed in reactors licensed by the NRC are evaluated against the requirements of 10 CFR 50.59, "Changes, Tests, and Experiments." This regulation establishes which changes, tests, and experiments may be done solely under a licensee's administrative procedures and which must get prior NRC approval. The NRC staff must review, approve, and authorize any change, test, or experiment that involves an unreviewed safety question (USQ) or a technical specification.

If the change, test, or experiment does not involve a USQ or a technical specification, but does involve reactor safety, it must be done under the administrative control system discussed in Section 1.1 and be submitted to that review and approval process.

The controls to ensure that changes, tests, and experiments are properly dealt with are discussed in this section. These controls are a part of the administrative controls discussed in Section 1.1 and relate to operator attitudes toward safety as discussed in Section 1.5.


1.2.1 Current Regulatory Practice

10 CFR 50.59 requires Commission approval for any change to the facility or to procedures described in the Safety Analysis Report (SAR) and any test or experiment which involves a change to the TS or to a USQ. A USQ is defined as a change which increases the probability or consequences of an accident or malfunction of equipment important to safety previously evaluated, creates the possibility of an accident or malfunction of a different type than that previously evaluated, or reduces the margin of safety as defined in the basis of the plant TS. The licensee may make the change, which could consist of a new test or experiment, without prior Commission approval if it does not involve a change to the TS or a USQ. If such a change, test, or experiment affects nuclear safety, but does not involve a USQ, the change, test, or experiment still must be properly reviewed and approved before implementation. The safety evaluation required by 10 CFR 50.59 is but one of several reviews required either by TS or by other plant administrative controls. Figure 1.1 charts the flow of changes, tests, or experiments required to receive proper authorization.

After authorization of the change, test, or experiment has been obtained, the test details have to be converted into a procedure. The process of converting test details into a procedure follows the controls discussed in Section 1.1 for writing, reviewing, approving, and implementing procedures.

NRC personnel inspect selected activities involving changes, tests, or experiments to confirm that 10 CFR 50.59 requirements were satisfied. Resident inspectors at each site stay abreast of licensed activities and periodically confirm that changes, tests, and experiments have been appropriately reviewed. Each plant has an NRC project manager assigned to its main office who also stays abreast of licensed activities. The project manager's role has recently been expanded to include routine review of documentation summaries and selective audits of 10 CFR 50.59 activities.

1.2.2 Work in Progress

The Atomic Industrial Forum (AIF) has accepted a task requested by NRC management on May 27, 1986 to develop review criteria and guidelines for licensees conducting 10 CFR 50.59 reviews. Some recent reviews have been inconsistent in depth of reviews and quality of documentation. If these criteria and guidelines are acceptable, they will be given regulatory sanction and will become the standard for the nuclear industry.

The Nuclear Safety Analysis Center (NSAC) independently began a study of design and procedure changes involving 10 CFR 50.59 reviews in nuclear power plants. AIF joined this effort and NSAC retained the lead. This group is scheduled to present a draft set of criteria and guidelines on the quality and depth of 10 CFR 50.59 reviews to NRC management in the spring of 1987.

1.2.3 Assessment

Each year licensees conduct thousands of reviews under the provisions of 10 CFR 50.59. Some of the review items should have received prior NRC review, as later determined by inspections and licensee audits. Enforcement penalties have been levied for some of these violations. Nevertheless, considering the large number of changes, tests, and experiments involved, this activity has been mostly successful. The staff has observed some inconsistencies in the level and quality of reviews performed by licensees in making the judgment as to the identification of a USQ and thus the involvement of the NRC. Moreover, documentation associated with some of these reviews has sometimes been inconsistent and insufficient.

CHANGES TO FACILITIES AND TESTS (OR EXPERIMENTS), 10 CFR 50.59

Change Proposal

Most Technical Specifications (TS) require the Unit Review Group (1) to review all procedures and changes thereto that affect nuclear safety, all proposed tests and experiments that affect nuclear safety, and all proposed changes to the facility that affect nuclear safety; and (2) to recommend in writing to the Plant Superintendent approval or disapproval of these proposals.

Is the Safety Analysis Report (SAR) affected?

(1) Does the proposal change the facility or procedures from their description in the SAR?

(2) Does the proposal involve a test or experiment not described in the SAR?

(3) Could the proposal affect nuclear safety in a way not previously evaluated in the SAR?

Any answer Yes: Is a change in the TS involved? (No / Yes)

All answers No: 10 CFR 50.59 no longer applies. It is still necessary, however, to ask: Is a change in the TS involved? (Yes / No)

Is an unreviewed safety question involved?

(1) Is the probability of an occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the SAR increased?

(2) Is the possibility for an accident or malfunction of a different type than any previously evaluated in the SAR created?

(3) Is the margin of safety as defined in the basis for any technical specification reduced?

Most TS require the Unit Review Group to render determination in writing with regard to whether or not the proposed change constitutes an unreviewed safety question.

All answers No: Document the change. Include in these records a written safety evaluation providing the bases for the determination that the change, test, or experiment does not involve an unreviewed safety question.

Any answer Yes: Most TS require the Company Nuclear Review Group to review proposed changes to procedures, equipment or systems, and test or experiments that involve an unreviewed safety question. Submit the proposal to the NRC for authorization. Authorization received.

Proceed with the change.

Most TS require the Company Nuclear Review Group to review the safety evaluations for changes to procedures, equipment, or systems, and tests or experiments completed under the provisions of 50.59 to verify that such actions did not constitute an unreviewed safety question.

Figure 1.1 Approval of changes, tests, and experiments

On occasion, because the USQ determination was too narrowly drawn, the licensee determined incorrectly that a USQ was not involved. Therefore, the NRC did not review the item. As stated in a memorandum to Commissioner Asselstine (Malsch, 1986), "the Agency's regulatory scheme recognizes that it is neither necessary nor manageable for the Commission to undertake prior review and approval to all subsequent changes to the design or operation of the facility...." It is clear that those items needing prior NRC review should be limited, but the most important items should be reviewed.

The fact that the Chernobyl accident was initiated by a test intended to assess equipment capabilities raises a concern about the balance between the benefit of testing and the risks introduced by tests. Although safety reviews are intended to ensure that tests are conducted within the safe operating envelope, equipment and design deficiencies have, in a few instances, led to unacceptable plant conditions (e.g., rapid cooldown during testing at Catawba). However, without such testing, these deficiencies may not have been identified. Therefore, tests should be evaluated to determine the potential risks associated with testing versus the benefit or need for the test.

1.2.4 Conclusions and Recommendations

The NRC should review the results of the joint NSAC/AIF efforts to produce criteria and guidelines for licensee reviews of changes, tests, and experiments to ensure that (1) appropriate depth and quality of reviews will be required, (2) review documentation will be adequately prescribed, and (3) the distinction as to which of these should receive prior NRC review is appropriately defined. The additional controls thus provided should ensure that operations within the safe operating envelope are maintained. If deficiencies in this review are identified, the NRC should correct them and should publish the criteria and guidelines as the regulatory position on reviews required for changes, tests, and experiments. Also, consideration should be given to an evaluation of whether current NRC testing requirements (e.g., surveillance testing required by Technical Specifications) appropriately balance risks and benefits.

1.3 Bypassing Safety Systems

Multiple safety systems that could prevent or mitigate the consequences of the accident at Chernobyl were intentionally disabled by the plant operators before they initiated a test procedure that ultimately led to the accident.

The test procedure apparently called for the bypassing of certain safety systems. It is known that the operators deviated from the test procedure in order to complete the test, and it is suspected that some of the deviations involved the bypassing of additional safety systems. It is apparent that administrative controls governing the availability of safety systems did not exist or were blatantly violated by the operators. Thus, a safe operating envelope was not maintained. In assessing the implications of the Chernobyl event with respect to U.S. commercial reactors, a question raised is whether the ability of operators to override or bypass safety systems, during modes of plant operation in which they should remain operable, is a safety concern. This issue is discussed below. The scope of this discussion is limited to the typical administrative controls and hardware design features used to ensure the availability of sufficient safety systems to respond to transient and accident conditions. The unavailability of safety systems because of sabotage and human error (i.e., unintentionally disabling a safety function versus taking conscious deliberate actions based on poor judgment to override or bypass a safety function) are not within this scope.

Definition of Bypass

The bypass or override of a safety or protection system is typically any action taken by the operator that inhibits or prevents the system or some portion of the system from performing its safety-related protective function(s). In general, two types of bypasses are used at U.S. commercial reactors, both of which are typically initiated manually by the operators in the control room. The first type of bypass is referred to as a "maintenance bypass" and is used to preclude inadvertent or unwanted system actuations when routine testing, maintenance, repair, or calibration activities are being performed during reactor operation. The use of maintenance bypasses allows routine surveillance testing of plant safety systems to detect component failures that may have occurred, and to verify system operability, thus providing assurance that the system will perform as designed when called upon to perform its safety function(s). A maintenance bypass may temporarily reduce the degree of redundancy of equipment, but will not cause the loss of a safety function. The second type of bypass is referred to as an "operating bypass" and is used to permit operational mode changes. An example of an operating bypass is the blocking of an engineered safety features actuation when low reactor coolant system pressure (indicative of a system break during power operation) is detected during a controlled reactor shutdown, where pressure is intentionally reduced to below the actuation setpoint and safety system actuation is not desirable. Therefore, bypasses are necessary to prevent inadvertent actuations of plant safety systems that might otherwise disrupt plant operation or result in unnecessary challenges to safety systems, and if used correctly, actually contribute to the overall safety of the plant.

1.3.1 Current Regulatory Practice

(1) Technical Specification Restrictions on the Use of Bypasses

The use of bypasses at U.S. commercial reactors is controlled by plant-specific Technical Specifications. The TS are a part of each reactor operating license, and compliance with the TS is required. Before granting an operating license, the NRC requires that an analysis be performed to determine the plant response to prescribed bounding design-basis transient and accident events. This is a conservative analysis which assumes the "worst case" initial plant conditions (i.e., the mode of operation, initial parameter values, control system status, etc. that would lead to the most severe transient or accident) and identifies the safety systems whose successful operation is relied on to prevent or mitigate the consequences of the events so that safety limits are not exceeded. The TS require the operability* of safety systems consistent with the transient and accident analysis. The TS include required actions considered appropriate when a redundant portion (or train) of a safety system is bypassed (or rendered inoperable for any reason) during modes of plant operation for which it is normally required to be operable. These actions require that the bypassed or inoperable portion of the safety system be restored to an operable status within a specified time. This is referred to as "out-of-service time," i.e., an interval of short duration considered sufficient to allow completion of necessary repair activities without unduly restricting reactor operation, and without causing unnecessary risk because part of the system is unavailable for a prolonged time. If the repair cannot be done in the allotted time, the reactor must be shut down or its operation must be restricted to a condition where the system is no longer required to ensure plant safety.

The TS for many U.S. commercial reactors include a small number of special test exceptions which permit safety systems to be bypassed by the control room operators in order to perform the tests. These are infrequently performed tests which are carefully staged with significant involvement by the licensee in the control and execution of the tests. They are usually conducted at reduced power with some reactor trip settings lowered. NRC resident inspectors often monitor these tests.

(2) NRC Criteria and Guidance Regarding Bypasses

Requirements for the design of safety systems concerning the use of bypasses are stated in 10 CFR 50.55a(h) and the Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." Two of these requirements, applicable to all U.S. commercial reactors, are summarized below.

Where operating requirements necessitate the use of an operating bypass, the design shall be such that the bypass condition is automatically removed (i.e., system operability automatically restored) when the plant enters a mode of operation for which the safety system is required to be operable in accordance with the TS.

If the protective action of a portion of a safety system has been bypassed or deliberately rendered inoperable for any purpose, this fact shall be continuously indicated in the control room.

The first requirement ensures that a safety system bypassed to permit reactor mode changes will not remain inadvertently bypassed when the plant is returned to a mode of operation for which the system is required to be operable. The second requirement is intended to ensure that sufficient information concerning the inoperable status of safety systems is provided in the control room so that the operators will be continually aware of the status of redundant portions of the protection system. Information on the status of safety systems is typically provided in the control room through a combination of administrative controls (e.g., manually updated status boards and logs) and automatic indication systems (e.g., annunciators and plant computer printouts).

* The state of being capable of performing their specified functions.

Additional guidance concerning the use of bypasses and the design of bypass circuits is provided in IEEE Standard 338-1975, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems," as supplemented by RG 1.118, "Periodic Testing of Electric Power and Protection Systems," RG 1.22, "Periodic Testing of Electric Power and Protection System Actuation Functions," and RG 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." This guidance emphasizes the importance of providing (a) sufficient redundancy within the safety system so that when a portion of the system is bypassed for maintenance or testing purposes, that capability still exists to accomplish the safety function if required, (b) positive means to prevent a concurrent bypass condition on redundant or diverse safety systems/equipment, (c) automatically actuated continuous indication in the control room of each bypass condition that renders a portion of a safety system inoperable during a mode of plant operation for which the system is required to be operable, and which is expected to occur more than once a year, and (d) measures to ensure that upon completion of work activities which required the bypass condition (e.g., maintenance or testing), the affected systems and equipment are restored to their normal operational status.

1.3.2 Work in Progress

The current effort under way at NRC to revise RG 1.47 was recommended in NUREG/CR-3621, "Safety System Status Monitoring." NUREG/CR-3621 identifies some of the tasks associated with monitoring the status of bypassed safety systems (e.g., updating status boards and determining system status during all modes of operation) which are prone to human errors. These human factors considerations are being reviewed for possible inclusion in RG 1.47.

Another staff effort under way is the implementation of the Maintenance and Surveillance Program Plan (MSPP). The MSPP examines the commercial nuclear industry work and control processes associated with maintenance and surveillance activities. This includes administrative controls used to ensure the availability of redundant safety systems/equipment.

1.3.3 Assessment

(1) Bypass Design Features

In most nuclear power plant designs, the bypass of safety-related equipment is initiated by the plant operators from the control room, or by plant service personnel or instrument technicians from instrument or switchgear cabinets after the bypass has been approved by the control room operators. Before the bypass is effected, procedures require that the operators verify the availability of redundant safety equipment to ensure the bypass will not result in the loss of a safety function. The bypass is typically accomplished by actuation of a bypass or test switch. Operation of the switch will disable a portion of the safety system, and will usually provide inputs to status monitoring points in the control room such as the plant annunciator and computer.

Typically, there are only a few approved methods of effecting safety system bypasses at a given plant. In many cases, the hardware design of the bypass circuitry (for approved methods of bypassing) contains interlocks which make it impossible to bypass redundant portions of safety systems or to bypass a portion of a safety system during a mode of plant operation for which the system is required to be operable. In some designs, trying to bypass redundant portions of a safety system will cause the protective action to occur. These design features make it difficult for the operator to inadvertently or intentionally bypass safety-related functions when the systems are required to be operable. This is especially true for reactor trip systems (RTSs). The design of bypass circuits varies from plant to plant. In general, it is more difficult to bypass safety functions, either inadvertently or intentionally, at newer plants than at older plants because of improved bypass circuit designs and improved administrative procedures for bypassing. It is also more difficult to bypass safety systems designed to "fail safe" (i.e., the protective action occurs on loss of system electrical power or instrument air) than systems which require power or air to perform their safety functions. All RTS designs at U.S. commercial reactors incorporate failsafe features (deenergize to actuate).
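The bypass rules summarized in Section 1.3.1 (automatic removal of an operating bypass, continuous indication, and items (a) through (d) of the IEEE 338 guidance) and the interlock behavior described above can be written as a small state model. This is an added illustration, not code from the report or from any plant system; the class, the two-train layout, the two mode names, and the choice to trip on a second concurrent bypass (which the text attributes only to "some designs") are simplifying assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    POWER_OPERATION = "power operation"
    CONTROLLED_SHUTDOWN = "controlled shutdown"


class BypassRejected(Exception):
    """An interlock refused the requested bypass."""


@dataclass
class SafetySystem:
    """Two-train safety function. Names and mode set are hypothetical."""
    name: str
    trains: tuple = ("A", "B")
    # Assumption: the TS require operability only during power operation.
    required_modes: frozenset = frozenset({Mode.POWER_OPERATION})
    mode: Mode = Mode.POWER_OPERATION
    trip_on_concurrent_bypass: bool = True  # behavior of "some designs"
    maintenance_bypassed: set = field(default_factory=set)
    operating_bypass: bool = False
    tripped: bool = False

    def required(self) -> bool:
        return self.mode in self.required_modes

    def request_maintenance_bypass(self, train: str) -> None:
        if train not in self.trains:
            raise ValueError(f"unknown train {train!r}")
        already = sorted(self.maintenance_bypassed - {train})
        if already:
            # (b) positive means against concurrent bypass of redundant trains
            if self.trip_on_concurrent_bypass and self.required():
                self.tripped = True  # protective action occurs instead
            raise BypassRejected(f"train {already[0]} is already bypassed")
        self.maintenance_bypassed.add(train)

    def restore(self, train: str) -> None:
        # (d) return the train to normal status when work is complete
        self.maintenance_bypassed.discard(train)

    def request_operating_bypass(self) -> None:
        if self.required():
            raise BypassRejected(f"{self.name} is required in {self.mode.value}")
        self.operating_bypass = True

    def set_mode(self, mode: Mode) -> None:
        self.mode = mode
        if self.required():
            # Operating bypass is removed automatically in a required mode.
            self.operating_bypass = False

    def indications(self) -> list:
        # (c) computed from live state on every call, so it cannot go stale
        lit = [f"{self.name} TRAIN {t} BYPASSED"
               for t in sorted(self.maintenance_bypassed)]
        if self.operating_bypass:
            lit.append(f"{self.name} OPERATING BYPASS")
        if self.tripped:
            lit.append(f"{self.name} ACTUATED")
        return lit

    def function_available(self) -> bool:
        # (a) one remaining train is enough to perform the safety function
        if self.tripped:
            return True
        operable = set(self.trains) - self.maintenance_bypassed
        return bool(operable) and not self.operating_bypass


def demo() -> dict:
    out = {}
    esf = SafetySystem("ESF")                 # constructed scenario 1
    esf.request_maintenance_bypass("A")
    out["train_A_test"] = (esf.function_available(), esf.indications())
    try:
        esf.request_maintenance_bypass("B")
        out["second_train"] = "accepted"
    except BypassRejected:
        out["second_train"] = ("rejected", esf.tripped, esf.indications())

    esf2 = SafetySystem("ESF")                # constructed scenario 2
    try:
        esf2.request_operating_bypass()
        out["bypass_at_power"] = "accepted"
    except BypassRejected:
        out["bypass_at_power"] = "rejected"
    esf2.set_mode(Mode.CONTROLLED_SHUTDOWN)
    esf2.request_operating_bypass()
    out["during_shutdown"] = esf2.indications()
    esf2.set_mode(Mode.POWER_OPERATION)
    out["back_at_power"] = (esf2.operating_bypass, esf2.function_available())
    return out
```

The model covers only the approved bypass paths; it says nothing about the physical workarounds that administrative controls, not circuit design, have to address.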

(2) Intentional Bypass or Override of Safety Systems

Because of the multiple levels of administrative controls governing the use of bypasses at U.S. commercial reactors and hardware design features that physically restrict the misuse or abuse of bypasses, the staff considers the probability of intentionally bypassing safety functions when they are required to be operable to be very remote. However, if an operator is determined to bypass a required safety function, there are many ways in which it could be accomplished. These include installing jumpers, lifting leads, pulling fuses, blocking relays, and "racking out" breakers* in the safety system logic or actuation circuits, or actions such as closing a normally open local manually operated valve in the safety system process piping. Since there are requirements on the minimum number of control room personnel on duty at a given time, it would be difficult for an individual operator to intentionally bypass a required safety system without just cause. This would take agreement from several control room personnel to deliberately violate TS safety system operability requirements. Furthermore, plant operation in violation of the TS is not taken lightly. The NRC's regulations require staff review and approval before any technical specification design or operating requirement can be exceeded. If plant personnel violate technical specification requirements that deal with operability of safety systems, these actions can result in penalties and enforcement actions by the NRC; however, licensee attitudes toward compliance with industry and regulatory standards designed to protect public health and safety have been and continue to be very positive.

1.3.4 Conclusions and Recommendations Even before the accident occurred at Chernobyl, the staff had identified the the need to evaluate the implications of bypassing safety systems. The acci- 1 dent simply substantiated that the evaluation needed to be done. Thus, the work under way to revise RG 1.47 should continue as planned. The staff sees no rea-son for changing the priority of this work.

l l

  • Physically relocating circuit breakers, thereby opening the circuit. ]


1.4 Availability of Engineered Safety Features

The operators at Chernobyl bypassed the emergency core cooling system and several reactor protection system setpoints during the test program, which permitted operations outside the safe operating envelope and ultimately led to the accident. U.S. commercial reactors operate according to the requirements contained in their TS. These TS allow engineered safety features actuation signals and reactor protection system setpoints to be bypassed and engineered safety features to be rendered inoperable during various modes of operation. This is necessary in order to smoothly bring the reactor to power from a shutdown condition, to smoothly shut down the reactor from power operation, to protect equipment from conditions for which it was not designed (e.g., high neutron flux or high pressure), and to test the instrumentation and engineered safety features. Therefore, because it is necessary to bypass certain engineered safety features under a given set of conditions, it is necessary to consider what assurance there is that plant conditions will be maintained in the safe operating envelope and that adequate protection is still provided.

1.4.1 Current Regulatory Practice

The approach taken in the licensing process to demonstrate that adequate protection is provided by the engineered safety features is to postulate a series of design-basis events. These design-basis events are listed in RG 1.70, "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants," and in the Standard Review Plan (NUREG-0800). The design-basis events are analyzed at the power level, burnup, and other conditions expected to yield the most conservative analysis with respect to the acceptance criteria. They are also analyzed with the assumption that the engineered safety features and reactor protection system functions which are available are consistent with the mode of operation of the reactor (considering the single active failure which would result in the worst consequences from the event). For each of these design-basis events it must be demonstrated that the reactor can be brought to a safe and stable condition and that any radioactive release would be limited to an acceptable level. This is demonstrated by meeting the acceptance criteria of the Standard Review Plan for each event. It follows that this protection must be shown for every mode of reactor operation from full power to refueling conditions. These modes are defined in the Technical Specifications. If an engineered safety feature or a reactor protection system function is not required by the TS to be operable during a certain mode, the acceptance criteria must be met without reliance on that equipment or instrumentation. Accordingly, the TS identify equipment operability requirements to provide adequate protection. As noted in Section 1.1, administrative controls are established to ensure that the TS are followed and, therefore, that appropriate engineered safety features are available.

1.4.2 Work in Progress

A study is currently in progress to address inconsistencies between safety analyses and Technical Specifications. This study is being done for a typical, later-model Westinghouse-designed pressurized-water reactor (PWR). It is possible that inconsistencies discovered could have generic applicability. Furthermore, the TSIP will result in the development of more operator-oriented TS, improved TS "Bases," and TS that identify equipment operability requirements for the appropriate operational modes based on existing analyses.


1.4.3 Assessment

Because of the reliance placed on the Technical Specifications to identify appropriate conditions under which equipment should be operated, the following questions must be addressed for all modes of operation:

(1) Do the TS allow engineered safety features to be inoperable during modes of operation when they may be needed?

(2) Are engineered safety features which may be needed to mitigate design-basis accidents omitted from the TS?

(3) Do the TS allow an unanalyzed condition?

In general, the response to these questions is "no." However, examples have been identified in which the response may be "yes."

For instance, examples of Technical Specifications that allow equipment to be inoperable in certain modes when it may be needed are:

  • The analyses of steam generator tube rupture assume that the operator isolates the affected steam generator by closing the main steam isolation valve on the associated steamline. The TS do not require operability of the manual isolation feature in MODE 4 (hot shutdown).
  • The auxiliary feedwater system is not required to be operable in MODE 4, but it is permissible to use the steam generators in MODE 4. If the main feedwater system were to fail, makeup water to the steam generator would not be assured.
  • The safety injection signal is permitted to be blocked in MODE 3 (hot standby) at less than 1985 psig (for Westinghouse reactors). Hence, safety injection will automatically actuate only on high (level Hi-1) containment pressure. However, for some plants Hi-1 may not actuate the safety injection signal in MODE 3 for certain breaks.
  • The number of reactor coolant pumps required to be in operation in MODE 3 may not be consistent with the number assumed operable in the control rod bank withdrawal from subcritical transient.

Some equipment that may perform a safety function but does not have operability requirements in the Technical Specifications includes:

  • steam generator relief valves which are required to be safety related by internal NRC guidelines (NUREG-0800)
  • auxiliary building filters which are credited with reducing offsite doses

An example of an unanalyzed condition not prohibited by TS follows: The TS allow both residual heat removal (RHR) pumps to be operating in MODE 4. If a loss-of-coolant accident (LOCA) were to occur and the hot leg containing the RHR suction line became uncovered, both RHR pumps could become inoperable if both were operating as permitted by TS.

Furthermore, the time when shutdown cooling must be maintained has been identified as a time when the reactor can be placed in a relatively more vulnerable position than while in operation, since redundancy and availability of other systems may not be present to the same extent as they are during operation at power, because some of the equipment is allowed to be inoperable by the TS. For example, an AEOD* study (AEOD, 1985) found that equipment associated with reactor coolant system (RCS) vessel water level monitoring during plant shutdown is "frequently inadequate and failure prone." Inadvertent and undetected reductions in RCS inventory were a significant contributor to risk when the RCS was partially drained.

Licensees typically operate their plants to avoid some of these vulnerabilities. However, these examples indicate that consistency of the TS with accident analyses should be considered and improved where necessary, particularly for shutdown conditions, when the availability of equipment assumed for accident analyses was not considered in the licensing process to the same extent as that for power operation. This situation is complicated further because the TS allow more equipment to be out of service when the reactor is not in power operation. Since the containment may not be isolated, the consequences may be exacerbated.

1.4.4 Conclusions and Recommendations

Most of the research on the consistency of accident analysis assumptions with equipment availability as defined in the TS has been done using several Westinghouse designs. However, because of the differences in design and TS, even among Westinghouse-designed reactors, the staff believes that each licensee should perform a comprehensive review of its specific design (including design-basis-accident analyses) and TS to determine if, for each mode of operation defined in the TS (1) all equipment required to mitigate the design-basis accidents has corresponding operability requirements and (2) sufficient equipment is available to ensure that safe shutdown cooling can be maintained with redundancy (including reliable flow and level indication) while the reactor is shut down. If the review shows that Technical Specifications require actions that would place the reactor in a less safe mode, the staff should initiate action to change the TS. It is planned to conduct this review and make any such changes identified through the TSIP. In addition, in order to ensure that licensees are aware of the need for consistency between TS and safety analyses, the staff recommends that future proposed changes to the TS be accompanied by a justification that the proposed change to the TS is consistent with the safety analyses. This could be done with the construction of an adequate basis for the "Bases" section of the TS, as is planned in the TSIP.

The above concerns with plant operations in the shutdown condition (MODES 4, 5, and 6) show that events with serious consequences could occur. This area should receive more scrutiny from the NRC and the nuclear power industry. The staff identified these concerns before the Chernobyl accident. The accident reinforced the need to continue this work. The staff therefore recommends that NRC continue to study this problem at the priority established and recommend ways to improve safety under these conditions, if such improvement is warranted.

*Office for Analysis and Evaluation of Operational Data.


1.5 Operating Staff Attitudes Toward Safety

The accident at Chernobyl raised the question whether licensed operators, senior operators, and other staff at nuclear power plants in the United States have and maintain an acceptable level of vigilance toward safety when operating commercial nuclear power plants.

A significant aspect of the Chernobyl accident involved operator decisions and actions that reflected an apparent loss of the sense of vigilance toward safety and ultimately led to operators allowing operations outside the safe operating envelope. The Soviet report (USSR, 1986) identified some potential causes of this unacceptable attitude: (1) pressure on the operators to complete a test during that reactor shutdown as the next opportunity would be more than a year away, (2) test delay may have aggravated operator impatience and contributed to a "mindset" that led to imprudent safety actions, (3) operators being so intent on establishing an acceptable power level for the test that they ignored the unstable state of the reactor, and (4) a clear failure to appreciate the basic reactor physics of the RBMK reactor. A further contributor could have been a "test" mentality that dismisses violations and lack of precautions because operators rationalize that "it's OK because it's only a test."

1.5.1 Current Regulatory Practice

Regulations do not directly address operator attitudes or sense of vigilance. However, there are regulatory and administrative requirements that address areas which are related to or affect human behavior, attitudes, and preparedness. Regulations under 10 CFR 55 require certification and testing of candidates to ascertain physical and technical acceptability to perform licensed operator duties. Additionally, requalification requirements mandated under this regulation are intended to maintain a level of technical competence through continuing training and performance evaluation that would guard against a failure to appreciate basic reactor physics, systems safety, and administrative constraints.

Routine operational and shutdown requirements demand systematic attention to the status of the power plant equipment. This attention is focused, for example, by structuring the shift turnover process with procedures and signature checkoff sheets. The checkoff sheets include such items as current operational status, identification of out-of-service equipment, status of safety systems and components, surveillance requirements, and limiting conditions for operation (LCOs) to name a few. Additionally, the shift operating personnel monitor and maintain operating logs which document plant status and changes to plant status on an "as occurring" basis to verify that parameters and equipment availability are within the limits of the TS.

Regulations under 10 CFR 50.36 require TS which, in addition to establishing safety system requirements and LCOs, mandate shift manning levels. Furthermore, maximum working hours have been specified to ensure that rested, qualified operators are available.

To the extent that attitudes are affected by working conditions and environment, the NRC and the industry are involved in control room design and human factors engineering to reduce or eliminate unnecessary stress factors on the job.


Finally, NRC personnel evaluate facility applicants and licensees for compliance with regulations and other requirements governing their operations. When necessary, enforcement actions, such as plant shutdowns and/or fines, are imposed for failure to comply. The presence of onsite resident inspectors provides first-hand observation and allows for immediate feedback on operator vigilance with regard to reactor safety.

1.5.2 Work in Progress

Significant work is currently in progress that should have a direct effect on improving operator performance and abilities to safely control the reactor plant during abnormal and emergency events. One of the cornerstones in this effort is the recent revision to 10 CFR 55. This revision requires licensees to have simulation facilities that conform to either ANS Standard 3.5 (1985), "Nuclear Power Plant Simulators for Use in Operator Training," or an acceptable alternative. This will allow training and evaluation of candidates and licensed operators on job performance under simulated normal and abnormal conditions. Additionally, requalification requirements for comprehensive written and operational evaluations have been strengthened in this revision to 10 CFR 55.

The NRC has in place a requalification evaluation process for licensed operators and senior operators with a goal to evaluate licensee requalification programs at half of the nuclear power plants annually. This program was directed by the Commission and is administered in all five NRC regions. An improvement in the quality and level of operator knowledge and performance and a significantly increased level of facility management attention to operator requalification programs has resulted.

Efforts by industry include a major initiative to accredit the training programs of licensed operators and key non-licensed plant personnel (e.g., shift technical advisors, instrumentation and control technicians, technical staff and managers, and non-licensed operators). For a program to be accredited it must contain (1) systematic analysis of jobs to be performed, (2) learning objectives derived from the analysis that describe desired performance after training, (3) training design and implementation based on learning objectives, (4) evaluation of trainee mastery of objectives during training, and (5) evaluation and revision of training based on the performance of trained personnel in the job setting. The NRC participates in licensee training program reviews to evaluate and monitor industry progress in this area during and after accreditation.

Additionally, the NRC has mandated that licensees provide engineering expertise on shift to help operators evaluate and combat abnormal and emergency occurrences, and has required better human-factored, symptom-based EOPs for their use in coping with emergencies. A shift technical advisor must be on site and available in the control room within 10 minutes, as needed. Finally, the NRC staff has initiated the process to consider a rule requiring senior operator candidates to hold a degree in engineering or a related science.

Furthermore, as noted in Section 1.6, the NRC has endorsed industry self-improvement initiatives and is developing improved methods of monitoring licensee performance. Industry initiatives to strive for excellence will be monitored by the NRC.


1.5.3 Assessment

The basic issue raises a question of operator vigilance with regard to safety at nuclear power plants. The NRC does not directly evaluate "attitudes." However, the NRC and the nuclear industry do have in place regulations, policies, and programs which require, maintain, and evaluate levels of expertise and professional behavior that could not be judged as satisfactory if vigilance with regard to safety were absent. In assessing the adequacy of an operating staff's attitude toward safety, the NRC must also be satisfied that the nuclear industry's attitude toward safety is uncompromising.

The NRC has no evidence from the Chernobyl accident that would suggest that the accident was caused by individuals affected adversely by working on the midnight shift. The present criteria established for allowable plant staff working hours and shift rotations appear adequate to ensure attentiveness and alertness of individuals working at night.

The firmly established training requirements for operator license candidates, especially as expanded by the lessons learned from the TMI accident (e.g., those pertaining to mitigating core damage, heat transfer, and fluid flow), have significantly raised the operator's appreciation of the physics and thermohydraulic phenomena at work during nuclear power generation. Operator training, administrative controls, and actual plant operations stress compliance with approved directives and regulations which enforce and reinforce the appreciation of and vigilance in all aspects of safety and public health.

However, EOPs and related operator training fall short of the response required to handle severe core damage and to manage the containment under adverse conditions. Furthermore, the nexus between maintenance of the safe operating envelope and severe accidents should be stressed in training programs. Accordingly, EOPs and operator training should be upgraded in this area.

The requirements and guidance provided by the NRC should create an environment conducive to establishing good attitudes among the operating staff. The possibility of operating staffs at power plants developing unacceptable attitudes toward safety or unacceptable levels of technical competence is not believed to be a serious concern when evaluated in light of the above regulatory actions and industry involvement and commitment. Furthermore, the NRC feels this vigilance with regard to safety extends to all plant personnel because of parallel requirements for training, administrative controls, and procedural compliance, and the NRC evaluations of these items through inspections and measurements of licensee performance.

1.5.4 Conclusions and Recommendations

The staff believes that safeguards against unacceptable operator and plant personnel attitudes toward safety are adequate. This conclusion is based on the significant increase in the quality of training, industry initiatives in accrediting training programs, and regulatory and industry oversight inspections. When fully implemented, new symptom-based EOPs should aid operators in coping with accidents and transients. However, more training in their use and in severe-accident response should be provided as knowledge about severe accidents grows.


1.6 Management Systems

It is important to recognize that the effectiveness of administrative controls depends greatly on the management system supervising the operation of the plant to ensure that operations are maintained within the safe operating envelope. Management oversight at all levels must be effective to ensure that tests, maintenance, and operations are safely conducted and that requirements are enforced. This is also the finding of the international team that investigated the Chernobyl accident. Accordingly, the question is whether reviews should be performed at all U.S. plants to ensure that mechanisms (policies, procedures, decision prerogatives) exist at all levels of management to deal effectively with non-routine operations, emergency planning, and the execution of the types of action required at Chernobyl.

1.6.1 Current Regulatory Practice

As noted in several of the preceding sections, considerable reliance is placed on administrative controls to ensure that plant operations are conducted in accordance with approved procedures and within the desired operating envelope. The management systems required to meet NRC licensing criteria are identified in its Standard Review Plan (NUREG-0800). Typically, the qualifications, experience, and training of key management personnel should comply with the criteria endorsed by NRC Regulatory Guide 1.8, "Personnel Selection and Training."

1.6.2 Work in Progress

Although the NRC has concluded that the management and organization of utilities licensed to operate nuclear power plants are primarily a responsibility of the licensee, the staff does review the organizational structure and qualifications before licensing and periodically afterwards to verify that standards continue to be met. The NRC is developing improved methods of monitoring the performance of licensee management, in order to give early warning of management problems, and to employ its regulations, which are tied to objective performance measures, to initiate evaluation and, where necessary, enforcement mechanisms.

In keeping with this policy, the NRC has terminated work intended to provide the technical basis for formulating new requirements in the field of licensee management and organization and has undertaken (1) the development of licensee performance indicators, (2) improvements in the NRC's program of Systematic Appraisal of Licensee Performance (SALP), and (3) programs to focus attention on particular licensees whose management performance has been found wanting. The NRC has also endorsed industry self-improvement initiatives in the management area proposed by the Nuclear Utilities Management Resource Committee (NUMARC) and the Institute of Nuclear Power Operations (INPO).

1.6.3 Assessment

It is difficult to assess the effectiveness of U.S. management systems in light of the Chernobyl accident because of the lack of information about Soviet management systems. Also, when one considers how difficult it would be to handle the immediate effects of an accident of the proportions of the one at Chernobyl, the present U.S. method of evaluating management systems (focusing as it does on day-to-day operations) may be inadequate.

Analysis of the Chernobyl accident points out that no one was "in charge of safety." In the United States, safety is everyone's responsibility, but it is a concurrent duty. No single individual can be identified at nuclear power plants as the person who is responsible for safety and has no other duties. A position for a dedicated high-level, onsite, nuclear-safety manager could be established to meet this need. However, the facility organizational structure must ensure that the presence of this individual does not result in a decrease in the sense of responsibility with regard to safety by other site personnel.

It is not clear that the management criteria established will ensure that the personnel available to handle emergencies of the type experienced at Chernobyl are available at all times. The NRC requires an emergency management organization for coping with certain emergency situations. Personnel listed on on-call duty rosters are available for assisting plant staff, and management has provided a shift technical advisor to aid the operating staff during transients and accidents. However, the planning, staffing, and mitigative aspects and training provided for emergencies primarily deal with the preventive aspects of and the radiological consequences of emergencies. Planning for the operation of plant controls and systems to cope with severe core damage, and training plant staff to such a task, have not been adequately addressed.

1.6.4 Conclusions and Recommendations

The NRC requirements on management systems should be assessed with the following specific points in mind. Licensee management should direct its staffs to proceed diligently toward complete implementation of symptom-based EOPs. Management should examine the scope of the work needed to cope with severe core damage in order to develop training curricula and procedures on ways of managing the core and containment systems so as to minimize public impact. Also, the assignment of a dedicated high-level, onsite, nuclear-safety manager, with no other responsibilities or duties, should be evaluated.

1.7 Accident Management

The accident at Chernobyl has raised the question of whether U.S. nuclear plants have an accident management program in place that can effectively cope with the prevention and mitigation of severe core damage events. Both the Chernobyl and the TMI-2 plant operators and technical teams were confronted with unexpected events for which they were only partially prepared. Their actions contributed significantly to the course of events and the consequences.

1.7.1 Current Regulatory Practice

Historically, EOPs and operator training were based on transients and accidents presented in the safety analysis reports and reviewed by NRC as part of the licensing process. Severe accidents were not included.

The TMI-2 accident, among other things, focused attention on the importance of severe-accident management. Plant personnel who attempted to control the TMI accident had to operate beyond their EOPs and beyond the principles covered in their training program. In the years following the accident, the NRC developed substantial new requirements to address many of the specific weaknesses that had been identified at TMI. These new requirements have resulted in more experienced and better trained personnel at the plants, improved procedures for dealing with accident situations, better plant instrumentation and diagnostic tools, and improved emergency planning and response capabilities.

Reactor vendors revised their emergency procedure guidelines (EPGs). The accident management approach changed from event oriented to symptom oriented, or a combination of event and symptom oriented. The guidelines were reviewed and approved by the NRC before they were given to utilities for implementation. This was the first time that the NRC reviewed EPGs. Most plants have begun implementing the revised guidelines, rewriting their EOPs, and retraining their operators in using EOPs. NRC audits revealed that implementation was deficient and that a significant amount of work needs to be done to adequately implement licensee EOP programs.

When they are fully implemented, the new EOPs will represent a significant improvement over those used during the pre-TMI years. However, these procedures may fall short of addressing severe accidents in an appropriate manner. Assessments of potential improvements in the prevention and mitigation of severe accidents, including operator actions, are now under way. It remains to be seen whether significant modifications or additions to the current procedures are warranted.

1.7.2 Work in Progress

In August 1985, the NRC issued a policy statement on severe accidents (50 FR 32138). The policy statement provides criteria and procedural requirements for the licensing of new plants, and sets goals and a schedule for the systematic examination of existing plants. On the basis of available information, the Commission concluded that existing plants pose no undue risk to the public, and the Commission sees no present basis for immediate action on generic rulemaking or other regulatory changes for these plants because of severe-accident risk. However, the Commission emphasized that systematic examinations of existing plants are needed, encouraged the development of new designs that might realize safety benefits, and stated that it intends to take all reasonable steps to reduce the chances of occurrence of a severe accident and to mitigate the consequences of such an accident, should one occur.

Implementation of the Commission's severe-accident policy is under way. An integral part of the implementation program is the development of an accident management program for each nuclear plant. In the case of existing plants, licensees will be requested to systematically examine their plants for severe-accident vulnerabilities and develop the accident management program. The NRC and the Industry Degraded Core Rulemaking Program (IDCOR), the nuclear industry's organization concerned with severe accidents, have already examined four reference plants. The examinations identified dominant severe-accident sequences for each plant type and potential design improvements and accident management steps for each sequence. Considering all dominant sequences for a given plant, a set of recommended accident management actions will be selected. Diagnostic instrumentation and safety equipment needed for the execution of these actions will be identified. The results of the NRC assessments will be provided to licensees in the form of guidance for the individual plant examination.

The licensee's accident management program is expected to address the following:

  • accident management strategy
  • organizational structure and responsibilities
  • emergency operating procedures
  • training of personnel
  • availability and reliability of needed instrumentation and equipment

The staff will review the proposed accident management programs and will comment on them before they are implemented.

With respect to new plant applications, the Construction Permit Rule [10 CFR 50.34(f)] requires the performance of a probabilistic risk assessment (PRA). For these plants, the PRA results will be used to develop the severe-accident management program. Assumptions made in the PRA relative to human actions and performance as well as insights gained from the evaluation of the various severe-accident sequences will be documented in the design stage for future use in the development of EOPs and training programs for plant operators and emergency teams. Instrumentation and equipment needed to support the accident management effort will be identified together with the conditions these instruments and equipment need to survive. Equipment purchase specifications will be based on these severe-accident conditions in addition to the design-basis-accident requirements on equipment qualification.

1.7.3 Assessment The accident management action taken at Chernobyl to a large extent contained novel approaches dictated by need and were quite successful. However, the Chernobyl operators and technical teams encountered numerous difficulties in their efforts of trying to stabilize and cool the core debris and identify the location and extent of the damage. These difficulties provide insights on evaluating approaches to accident management. Some of the more significant accident management-related events were:

The reactivity accident progressed very quickly and provided little time for operator interaction.

Operators were unsuccessful in introducing water into the reactor core in order to cool the core debris.

Various materials (boron carbide, dolomite, clay, sand, and lead) were dropped into the reactor well from helicopters to mitigate the release of radioactive nuclides.

To cool the core debris and to provide a blanket against oxygen, a system was installed to feed cold nitrogen to the reactor space.

Radiological measurements were complicated by the fact that the regular measurement system in the plant had been destroyed and the output of detectors that might have survived was inaccessible.

Fire and a high radiation field existed in combination, complicating standard firefighting methods.

The Soviet experience at Chernobyl demonstrated the need for preplanning, for developing severe-accident management strategies and methods, and for having the needed tools and materials available. It also focused attention on novel methods.

The Soviet experts successfully employed two pioneering methods: the dropping of various materials and gas blanketing.

The ongoing U.S. programs, which had been started before the Chernobyl accident, are addressing the same basic questions on accident management. Nevertheless, the Chernobyl experience provides additional insight on the development of accident management programs and increases the emphasis on the timely development and implementation of these programs. It also focuses attention on a few specific areas where future research or development work seems to be justified. These areas are

heat removal from core debris, specifically selection of strategies and materials for heat removal

development of radiation-hardened diagnostic instrumentation and safety equipment

Future discussions with the nuclear industry as well as formulation of NRC research programs should address these issues.

Firefighting considerations are discussed in Section 2.4.

1.7.4 Conclusions and Recommendations

The Chernobyl event brought attention to the importance of a systematic approach to develop accident-management programs. This experience should enhance previous NRC and industry commitments to develop and implement accident-management strategies at individual plants. Timely execution of the ongoing programs at existing plants and issuance of guidance for new plants will provide appropriate assurance that U.S. plants can cope with the prevention and mitigation of postulated severe accidents. There is no need to increase or alter the scope of the ongoing programs. However, insights gained from the Chernobyl event should be considered in the execution of the severe-accident policy implementation program. New programs or initiatives are not needed, with the possible exception of either industry or NRC development programs on removing core debris and developing radiation-hardened equipment, as discussed in the previous section.

CHAPTER 2 DESIGN

The Chernobyl accident was a superprompt critical reactivity excursion. The accident occurred at Unit 4 because the operators had reduced the power to well below the permissible safe operating level and at the same time neglected to follow low power operating procedures. Unit 4 shared a site with three other units (Units 1, 2, and 3) and was contiguous with Unit 3, with which it also shared some common elements. All three of the other units, especially the contiguous one, were exposed to some danger from the accident. Fires aggravated the accident and complicated the management of the accident and its consequences. In this chapter, the staff compares the design features of U.S. reactors with design features of the Chernobyl 4 reactor as it looks for possible regulatory changes implicit in the accident.

The nuclear design of U.S. reactors, notably the absence of positive void coefficients and the presence of control rods that are fast acting and that offer substantial shutdown margins, provides assurance against a Chernobyl-type superprompt critical reactivity excursion. Nevertheless, the staff assessed the possible need for confirmatory reviews of the acceptability of risks from other low probability reactivity-event sequences.

Accident scenarios that could occur at low power and zero power (shutdown) conditions that may not be bounded by analyses for full power are assessed in the light of the Chernobyl accident.

The assessment of the implications for a multiple-unit site includes consideration of the effects of shared shutdown-related systems and the effects of radioactive release on operator safety at the other units.

The adequacy of protection provisions during fires with radiation present is assessed.

2.1 Reactivity Accidents

The reactor physics characteristics of U.S. light-water reactors are very different from those of the graphite-moderated RBMK type of reactor at Chernobyl. Positive void (and moderator temperature) coefficients, which played a central role in aggravating the incipient accident at Chernobyl, are generally absent in U.S. reactors and where present have a limited reactivity insertion potential, which precludes their causing any significant reactivity transient. Substantial required shutdown reactivity margins in conjunction with fast automatic insertion of control rods on signals indicative of unsafe conditions provide protection against the occurrence of reactivity excursions in commercial U.S. reactors.

In the Chernobyl reactor, the primary moderator is graphite. The water in the core is intended primarily as a coolant and its moderation effects are secondary. Its effect on reactivity is largely as a neutron absorber. Thus, a decrease in water density, e.g., from fuel coolant void increase via a power increase or flow decrease, can produce a core reactivity increase as a result of the decreased absorption. The magnitude (and sign) of the void coefficient is a function of the material characteristics of the core and depends on both the core design and operation, varying as a function of fuel burnup, core content, and amount of inserted control poison. It is difficult to calculate the void coefficient in a reactor presenting such a complex core loading and burnup pattern as that which existed at Chernobyl at the time of the reactivity accident. However, on the basis of information from the Soviets and some U.S. calculations, the Chernobyl void coefficient appears to increase (become more positive) over the first year or two of operation, corresponding to the Chernobyl operating history, and also appears to be larger at low void and withdrawn control rod conditions, corresponding to the initial conditions of the accident. It was evidently significantly positive during the accident and possibly did not become significantly negative even at high core void content. The possibility for reactivity insertion was thus apparently maximized by the initial conditions for the event.

In U.S. commercial light-water (power) reactors (LWRs), the coolant water also serves as the neutron moderator. A reduction in water density, therefore, decreases both absorption and neutron moderation. LWR fuel-to-moderator ratios are generally designed to provide an undermoderated core in the power operating range. (That is, a reduction in moderation in the core will tend to reduce reactivity in the core and reduce the power.) There is, therefore, a much stronger tendency (than for RBMK designs) for negative coolant void or temperature reactivity coefficients throughout the range of operating conditions.

Boiling-water reactors (BWRs) have a strongly negative void coefficient throughout the power range and, for the most part, a negative temperature coefficient below the power range. Pressurized-water reactors (PWRs) also generally have a negative temperature and void coefficient in the normal operating range. Furthermore, the LWR coefficients become more strongly negative as the density decreases (high temperature or high void content), thus increasing the tendency to reduce excess core reactivity or power rise in a reactivity transient.

However, positive moderator temperature and void coefficients can exist over limited ranges of LWR operation for small time periods of core life. In a BWR at unvoided, lower temperature conditions, the fuel-to-moderator ratio may approach overmoderation (i.e., a reduction in the amount of moderation in the core will add reactivity to the core and tend to increase power) if few control rods are inserted (water replacing rods in the core). A critical reactor generally can only be achieved under these conditions (for some reactors) at zero power, late in a cycle, and the total amount of reactivity that could be inserted via such a coefficient could not produce a significant reactivity transient. In a PWR, boron in the moderator helps control reactivity; a decrease in moderator density results in a decrease in core boron and a decrease in the possibility of a positive moderator coefficient. This can occur only near the beginning of a cycle (when a large boron inventory is needed) and generally only at lower power and minimal xenon and inserted control rod conditions. Within the range of normal extremes of reactor operating conditions, the total integrated reactivity that could be inserted via this positive temperature and void coefficient falls within the range already studied for control rod withdrawal or ejection events.

A quantitative indication of the effect of positive reactivity coefficients in the Chernobyl reactor and in a typical PWR at the beginning of a cycle can be made by comparing the total reactivity that can be inserted by voids in both types of reactor. At Chernobyl this total was estimated by the Soviets to be 2.5% Δk/k (USSR, 1986). For a PWR at normally allowed operating conditions, this total at the beginning of core life is limited to about 0.5% Δk/k, and this limit is, in fact, generally not approached. This difference is significant in that the reactivity insertion was far in excess of prompt criticality at Chernobyl, whereas prompt criticality would not be possible with the maximum positive moderator coefficients on U.S. LWRs.

The Chernobyl reactivity event was also affected by the reactivity characteristics of the control rod scram system. The control rod insertion rate is normally relatively slow, taking about 15 seconds for full insertion. As in any large reactor with rods fully withdrawn, the rods must be inserted a significant distance before effective negative reactivity insertion begins to occur. At Chernobyl more than 5 seconds passed before significant negative reactivity insertion took place. This provided time for a large power increase and excess energy insertion before the control rods could become effective. The delay occurred largely because the operators had withdrawn the control rods beyond the limits allowed. In addition, the Chernobyl operators disconnected several of the signals that would have initiated scram automatically. Scram was initiated by manual operator action.

The U.S. LWRs differ from the Chernobyl reactor in that they have a fast-acting scram system. Full scram insertion occurs within about 2 seconds (PWR) to 4 seconds (BWR) and effective negative reactivity insertion in about half that time. This scram speed, combined with initial fuel Doppler reactivity effects, is sufficient to limit corewide and local energy levels to within conservative values, even for the extremes of reactivity transients normally studied.

These basic design differences between Chernobyl and U.S. LWRs preclude a Chernobyl-type positive void coefficient reactivity insertion event from occurring from normal conditions in a U.S. LWR. There are, however, other types of reactivity insertion mechanisms which, although they have very low probability, could conceivably have consequences more severe than those already considered in the accident analyses and which perhaps should receive additional consideration. There are also conceivable initial reactor conditions for which the effects of a positive moderator coefficient should possibly be further evaluated. The issue assessed here, therefore, is whether, notwithstanding the major design differences, low probability accident sequences that could conceivably lead to reactivity excursions should be reassessed to verify previous judgments that their risks are acceptable.

2.1.1 Current Regulatory Practice

Standard NRC practice includes the review of a large number of events that can be characterized as reactivity transients. These events are primarily driven by changes in reactivity control elements or moderator state parameters. A wide range of relevant parameters and initial conditions is explored. Parameters and initial conditions are chosen to bound conservatively those expected to exist at the limits of permissible design and operating conditions. None of these standard events are significantly autocatalytic in nature (because positive coefficients are not significant) and control rod response is sufficiently rapid [except for anticipated-transient-without-scram (ATWS) analyses] so that all of these events are satisfactorily terminated by a scram. It is not expected that reasonable exaggeration of transient parameters would dramatically change the event sequences involved.

The principal relevant NRC criterion for reactivity insertion events, primarily applied to control rod drop (BWR) or ejection (PWR), since as a class they dominate high fuel enthalpy events, is that the peak fuel pellet average enthalpy not exceed 280 cal/g. (UO2 begins to melt at 265 cal/g and is fully molten at 335 cal/g.) LWRs must be designed and operated so that this limit is not exceeded in analyses using maximum allowed design and operation parameters. In practice, using modern three-dimensional (3D) analysis methods, those maximum events generally do not exceed (and are usually well under) 150 cal/g. Thus, within the standard review area, LWRs are far removed from (even local) potentially significant destructive energy levels.

The maximum conceivable reactivity insertion events are not included in these analyses because these extremes are judged to have very low probabilities of occurrence. The selection of events and conditions for analyses is intended to be reasonably exhaustive, and conservative parameters and initial conditions are assumed. However, they do not extend to theoretical extremes if there is a judgment that it would take multiple errors or equipment failures (both of low probability) to attain the extremes. The nature of the extremes is examined in this section. Not only is the positive void coefficient-type event at Chernobyl examined, but also other potential large reactivity events (e.g., control rod removal) are assessed. Because this issue is based on an assessment of the implications of the Chernobyl accident, the extensions to be examined are not intended to be relatively small perturbations leading, for example, to increased potential for departure from nucleate boiling or to localized damage, but significantly increased and extensive energy depositions with the potential for destroying primary systems.

Significant positive reactivity conceivably may be added to a BWR or PWR in three broad categories. These are

(1) control absorber removal (control rods or moderator boron)

(2) moderator state change (reactivity change that results from temperature changes or from a change in steam void content)

(3) miscellaneous effects (such as xenon loss or fuel cooldown)

The reactivity possibilities of categories 1 and 2 are all appropriately explored in standard safety analyses, with the exploration limited, however, by assumed boundary conditions deemed appropriate (and conservative) on the basis of judgment of probabilities involved and limiting criteria applied. The category 3 effects are generally secondary states occurring (if at all) as a result of preceding events. They (except for fuel cooldown) play no role in analyses of standard events. They generally do not drive events but could conceivably affect terminal phases or, in the case of xenon, initial conditions (they did both at Chernobyl).

Standard practice with respect to these categories of reactivity events includes analyses of event sequences recognized as potentially having a sufficient probability of occurrence to warrant providing appropriate protective measures.

The following are significant examples of events considered or analyzed:

(1) Control Rod Ejection in a BWR

This event is not analyzed for standard reviews in a BWR because the control rod housing support system, provided for safety, has been judged sufficient to reduce the probability of the event to levels below those requiring standard analysis. The control rod drop accident is considered in standard reviews. However, rod ejection has been the subject of some special studies.

(2) Moderator Boron Dilution in a PWR

Analysis for subcritical modes determines that sufficient time exists to halt dilution before criticality is obtained. Transient analyses for these modes are not required. Transients for power modes are bounded by rod withdrawal.

Requests for N-1 loop operation have expanded the design basis for dilution events to include possible misoperation of loop stop valves, which results in mixing of dilute water in the loop with borated water in the core. This could result in a reactivity insertion of about 1.5% Δk/k. Since only a few plants have these stop valves, this event, where it may be pertinent, is being reviewed on a case-by-case basis.

(3) Positive Moderator Reactivity Coefficient in a PWR

Some PWRs have Technical Specifications that permit operation with a positive moderator temperature coefficient (MTC). Reactors permitted to operate with such a positive temperature (and void) coefficient have all standard events (e.g., loss-of-coolant accident (LOCA), rod withdrawal) analyzed with appropriate, conservative moderator coefficients. Generally no significant increases in transient effects occur. In most cases, a positive temperature and void coefficient actually exists only near the beginning of the cycle (BOC), at lower power, and under no-xenon, minimum-rod-insertion conditions.

2.1.2 Work in Progress

No work is currently being done on any events considered for this issue.

2.1.3 Assessment

The following are significant findings on the Chernobyl event related to reactivity accidents:

(1) It was evidently driven by reactivity addition.

(2) The reactivity addition was the result of voiding of the fuel water coolant and the positive void coefficient of reactivity.

(3) Elements of the RBMK design and initial reactor state conditions both contributed to the event by affecting reactivity characteristics of the coolant and speed of response of the reactivity control system.

(a) The RBMK design had an inherent positive void coefficient and operating conditions (e.g., low power, initial high flow, low void) apparently maximized the potential of integral reactivity insertion.

(b) The design had slow-moving control rods, and the operating conditions placed them in the least effective location for response.

(4) Multiple operational errors and departure from prescribed procedures or good practice caused or contributed to the adverse operating conditions. Scrams, including the turbine trip scram, that might have caused timely automatic insertion of the control rods, were disconnected; the scram was accomplished manually, too late to prevent the excursion. It is not known that any mechanical failures contributed to the initial conditions or early transient stages.

(5) The event was autocatalytic and, once the factors were in place and had initiated the voiding, the positive void reactivity coefficient and power rise interacted to drive the event.

(6) This made possible a large reactivity addition (with no apparent significant turnaround in the positive coefficient and reactivity insertion) not compensated by control insertion, resulting in excessive fuel temperature, cladding failure, fuel and coolant interaction, excessive pressure, and destruction of the core.

No close analogies can be drawn between the Chernobyl reactor and U.S. reactors. However, the standard areas of reactivity accident reviews can be extended to events less probable than the standard design-basis events by considering more extended or multiple system failures or errors of operation. Examples of such extended events follow; these expand on the previous standard examples of Section 2.1.1.

(1) Control Rod Ejection in a BWR

One rod ejected could be worth as much as 2.5% Δk with an addition rate higher than that for a control rod drop. However, the consequences are not significantly different from those of a rod drop. Generally a double ejection, even if adjacent, would not, because of withdrawal patterns, have significantly greater consequences. Multiple ejection has a large potential worth, and scram might not be effective if there were a multiple ejection of a tight cluster of rods. Since each control rod drive enters the vessel through a different control rod drive housing, the ejection would result from individual failures of these control rod drive housings; no mechanism, however, has been identified that could lead to simultaneous multiple failures of the control rod drive housings during normal operation or as a result of any abnormal condition. In addition, BWR Technical Specifications require control rod drive housing supports to be in place to prevent ejection from the reactor core. Thus, for control rod ejection to take place, this control rod drive housing support would have to be missing.

(2) Moderator Boron Dilution in a PWR

Studies of subcritical mode transients resulting from dilution have indicated that they are not severe if dilution is stopped soon after criticality is reached. Though of low probability, an extreme event would be a LOCA event (and to a lesser extent, a steamline break) with emergency core cooling system injection with unborated water. Up to approximately 10% Δk could be available for insertion. A large amount could also be available in a maximum dilution carried to completion early in the cycle.

PWR Technical Specifications call for weekly surveillance of boron concentration and water level of the refueling water storage tank (RWST). This provides assurance that should a LOCA or a steamline break occur, the emergency coolant added to the core would contain a sufficient concentration of boron to maintain the core subcritical.

(3) Positive Moderator Reactivity Coefficient in a PWR

In normally allowed critical operating regions (above about 530°F), the maximum integrated moderator reactivity that could be inserted is about 0.5% Δk. Transients resulting from insertion of this amount would be bounded by rod withdrawal or ejection events. Starting a critical event from cold conditions (erroneously, since this is not a normally allowed critical state) might involve a maximum moderator reactivity insertion potential of about 2% Δk, and could only occur with nearly all rods withdrawn and thus available for scram, at a rate fast enough to counteract the potential reactivity insertion.

This would be the closest approach to a direct analogy of the Chernobyl (autocatalytic) conditions. It would, however, lack the automatic voiding condition at Chernobyl; would have to be started by an erroneous event such as rod withdrawal or cooling failure; would have an effective, fast-acting scram available at low flux levels on the source range monitor (SRM), or higher level monitor system if needed, and an eventual coefficient sign change; and would probably not differ significantly from an ordinary rod withdrawal at low power.

The entire range of standard reactivity insertion events has been examined, and extensions such as those in the above examples have been considered. Most of the extensions appear to be the result of assumed additional and arbitrary failures in systems or, to a lesser extent, operations. Many of the extensions do not appear to lead to Chernobyl-type events or approach the consequences of that accident, but lead to mild or to local, limited damage at most.

On the basis of this examination, extensions have been selected which are, based on current judgment, conceivable candidates for further study because they have a potential for serious consequences, while others (e.g., BWR single rod ejection) have been rejected because they do not have that potential or have no apparent mechanism (e.g., BWR multirod withdrawal). The following events appear to be appropriate areas to receive further consideration, which likely would include system and mechanical analysis and probabilistic assessments to better determine if the probability of such events indicates they deserve attention, and/or transient analyses to evaluate event consequences.

PWR

multiple rod bank withdrawal ATWS

multiple rod ejection (low power)

unlimited boron dilution

opening of loop stop valves in a loop containing unborated water

LOCA or other injection with unborated water

ATWS with less negative moderator coefficient

rod withdrawal, heatup, or depressurization from low temperature with positive coefficient

BWR

multiple rod ejection

boron dilution during ATWS

rapid boron dilution by ECCS injection during ATWS

multiple safety-relief valve failure to operate

ATWS with no recirculation pump trip

All of these currently appear to be events of very low probability of occurrence. All involve additional failures or errors, not merely extensions of initial conditions or parameters. They generally involve additional failure mechanisms of a different type from the standard initiators of the class and thus require a diversity of failure. The preliminary judgment, therefore, is that conceivable reactivity accidents are not likely to lead to a Chernobyl-type event.

However, it appears useful to examine these events (and possibly some of the extended areas not currently judged significant), primarily through probability studies and associated systems, structures, and transient-consequence reviews.

These could include an examination of the potential for the effect of an operator's failure to comply with administrative controls and how such human error can affect initial conditions, transient parameters, and the operation of mitigating systems. If any events appear to fall within the probability levels of NRC guidelines and involve a significant potential for extensive core damage, they might become a basis for changing design or operational limits.

2.1.4 Conclusions and Recommendations

Positive void coefficients, which played a central role in the Chernobyl accident, generally do not exist in U.S. reactors; where present, they have a limited reactivity insertion potential that precludes the occurrence of any significant reactivity transient. The nuclear design of U.S. reactors provides assurance against a Chernobyl-type superprompt critical excursion. However, given the more sophisticated tools now available, (1) earlier selections of possible accident sequences to be analyzed in safety analysis reports and (2) earlier design approvals should be reviewed again, if only to reconfirm their validity. Using NRC ground rules and an NRC review process, either the NRC or licensees could do this.

2.2 Accidents at Low Power and at Zero Power

One of the unique aspects of the Chernobyl accident is that it occurred at a relatively low power (<7%). This has caused some concern because low power operation is generally considered to be a safer condition than high- or full-power operation. The principal effect of low power on the Chernobyl accident was related to nuclear/thermohydraulic stability and reactivity insertion. These effects were addressed in Section 2.1. Another important aspect of low-power or zero-power operation is the availability of safety systems. Sections 1.3 and 1.4 specifically address the subjects of bypassing and availability of safety systems. Different safety systems may be used to provide protection for low power and shutdown (zero power) events than are used for high power events. Technical Specifications prescribe the conditions for bypassing and activating the various systems. The completeness of such Technical Specifications was also addressed in Sections 1.3 and 1.4. Another aspect of low power operation (principally zero power operation) is decay heat removal. There is nothing related to the Chernobyl accident that suggests a unique problem regarding decay heat removal. Nevertheless, the entire subject of decay heat removal is being addressed in Unresolved Safety Issue (USI) A-45.

Another issue related to low power operation is the subject of accident initiators. The Chernobyl accident was initiated because an unusual test was performed at low power. Considering this, the question is posed of whether or not initiators, other than those now assumed, should be considered to ensure that current analyses of design-basis events remain valid. This is also discussed in Section 1.4.

The aspect of low power operation to be considered here is whether the design-basis events currently are being evaluated at their most limiting power level or whether more attention should be given to these events at low power.

2.2.1 Current Regulatory Practice

10 CFR 50.34 requires applicants to analyze and evaluate the design and performance of structures, systems, and components in order to determine their adequacy for mitigating accidents. The Standard Review Plan (NUREG-0800) requires that this be done for all modes of operation including shutdown modes.

In Preliminary Safety Analysis Reports (PSARs) and Final Safety Analysis Reports (FSARs), applicants provide an evaluation of each limiting transient to determine the impact of varying reactor power. This evaluation is partly prima facie and partly the result of generic or plant specific sensitivity studies. The results of these evaluations and the numerical results of the worst-case analyses also are presented in SARs. The results of a sampling of SARs and topical reports from each reactor vendor for accidents of interest are given in the following sections.

(1) Steamline Break

All three PWR vendors (Westinghouse, Combustion Engineering, and Babcock & Wilcox) have explored a range of power conditions in generic topical reports on methods of analyzing steamline breaks. A steamline break can challenge containment integrity, specified acceptable fuel design limits (SAFDLs), or pressurized thermal shock (PTS) limits. Recent Westinghouse FSARs provide analysis of the steamline break at both zero and full power. These conditions were generically determined to have the worst potential consequences. The Combustion Engineering (CE) System 80 FSAR provides an analysis of the steamline break only at full power but refers to another report for CE standard plants that explores the effects at various power conditions.

The Midland FSAR provides the most comprehensive assessment of steamline breaks in a Babcock & Wilcox reactor. Sensitivity studies therein show that a steamline break at full power presents the worst challenge.

For BWR steamline breaks, the full power case bounds all the other cases.

(2) Feedline Break

Once again, all three PWR vendors have explored a range of power conditions in generic topical reports. As would be expected, the Westinghouse and CE reports show that a feedline break at full power presents the worst challenge. Thus, recent CE and Westinghouse FSARs provide an analysis of feedline breaks only at full power. In the Midland FSAR, sensitivity studies show that 55% power is the worst case. This is because secondary-side inventory is adjusted as a function of power level.

For BWRs, the full power case bounds all the other cases.

(3) Reactivity Accidents

Increase in feedwater flow, control assembly withdrawals, boron dilution, PWR rod ejection, and BWR rod drop are all analyzed at zero power. These events are discussed in Section 2.1.

For BWR reactivity events resulting from void collapse, the full power case bounds all the other cases.

(4) Pump Startup or Pump Trip

Operation at partial power is analyzed for certain PWRs. For these cases, less than a full complement of reactor coolant pumps may be operating. Power varies with the number of pumps operating, and inadvertent startup or trip of those pumps is appropriately analyzed.

For BWRs, power is proportional to flow, and, therefore, the full power case bounds all the other cases.

(5) Loss-of-Coolant Accident

The LOCA is calculated from full power (plus uncertainties) for both BWRs and PWRs because this maximizes the stored energy in the fuel and the coolant. The staff has been reviewing the question of whether this is bounding with respect to shutdown conditions when portions of the emergency core cooling system may be out of service. This is discussed in Section 1.4.

2.2.2 Work in Progress

Limited NRC work in progress on the subject of regulatory measures to prevent low power accidents includes consideration of instrumentation and procedural improvements. The consistency of accident analyses and Technical Specifications in the shutdown modes is addressed in Sections 1.3 and 1.4.

2.2.3 Assessment

Recommendations concerning reactivity accidents are presented in Section 2.1. Recommendations concerning bypassing and availability of safety systems during all modes of operation are presented in Sections 1.3 and 1.4. A survey of accidents required to be analyzed by the Standard Review Plan (NUREG-0800) shows that the steamline break, feedline break, and inadvertent pump startup or shutdown have been adequately studied for an appropriate range of power conditions.

At this time it appears that accident initiators at low power should be systematically studied (as proposed in Section 1.4). Existing probabilistic risk assessments have paid very little attention to low power conditions or testing in evaluating risk, but may be useful for this task.

2.2.4 Conclusions and Recommendations

Accident initiators at low power should be systematically evaluated as proposed in Section 1.4.

2.3 Multiple-Unit Protection

The radioactive gas and smoke released during the accident at Chernobyl Unit 4 spread to the other three operating units at the site. The airborne radioactive material was transported to the other units through a shared ventilation system as well as by way of general atmospheric dispersion paths. This raises the question of how accidents at one unit of a multiple-unit site affect the remaining units, and additional questions of how these effects may be compounded when structures, systems, and components are shared between units.

2.3.1 Current Regulatory Practice

The current NRC regulatory practice for protection against radioactive releases can be divided into two parts because the control room has one set of requirements and the rest of the plant has another set of requirements.

General Design Criterion (GDC) 19, "Control Room," of 10 CFR 50, Appendix A, states:

A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.

The control room protection specified in GDC 19 is implemented through Standard Review Plan (SRP, NUREG-0800) Section 6.4 reviews, as required by step 1 of Item III.D.3.4, the NRC Action Plan developed as a result of the TMI-2 accident (NUREG-0660).* As a result of these criteria, control rooms are designed to ensure minimum leakage and generally employ a ventilation system to slightly pressurize the control room following an accident. Furthermore, ventilation systems in control rooms incorporate filtration equipment designed to reduce radioactive particulate and iodine concentrations.

Specific habitability requirements for areas outside the control room are specified in 10 CFR 20.202 and SRP Sections 12.3 and 12.4. TMI Task Action Plan Item II.B.2 requires that the dose criteria in GDC 19 be met for vital areas. It does not, however, consider radionuclides transport and release (source terms) greater than those from a design-basis LOCA (specified in Regulatory Guides 1.3 and 1.4) and does not require consideration of significant airborne contamination. Physical separation of equipment may afford some radiation protection.

GDC 5, "Sharing of Structures, Systems, and Components," states:

Structures, systems and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.

Many multiple-unit plants share a control room and, to ensure a safe shutdown, the NRC review takes into consideration the radiological effect of an accident at one unit on the other. Furthermore, for those plants that have separate control rooms, review under SRP Section 6.4 includes an evaluation of how well the control room protects the operator when an accident produces radioactive releases at an adjoining unit.

It is also a relatively common practice at multiple-unit plants to share other safety-related structures and systems, including auxiliary and fuel handling buildings and the associated ventilation systems. Implementation of GDC 5, however, is intended to provide assurance that this sharing will not inhibit the ability to safely shut the plant down after an accident. GDC 5 has resulted in shared systems that have redundancy and isolation suited to maintain required safety functions.

In addition to raising concerns about radiological protection, the Chernobyl accident raised the question of smoke propagating from a burning unit to adjacent units. Current staff guidelines [(1) GDC 3, "Fire Protection," of Appendix A to 10 CFR 50, (2) Appendix R to 10 CFR 50, and (3) Branch Technical Position CMEB 9.5-1 attached to SRP Section 9.5.1] provide guidance on containing the spread of a fire beyond a single fire area. There are, however, no specific staff guidelines on smoke propagation. Generally, fire dampers are provided to ensure isolation of fire-affected areas in a short enough time to prevent fire from propagating through shared ventilation systems. The dampers are effective to only a limited degree to control smoke spread. Smoke detectors are employed throughout the plant to provide early warning of fires. Most U.S. plants, particularly newer ones, have incorporated smoke exhaust systems in certain critical areas (e.g., control rooms, electrical equipment rooms). In addition, firefighting plans include the use of portable ventilation equipment to limit the consequences of the spread of smoke.

2.3.2 Work in Progress

In response to concerns expressed by the Advisory Committee on Reactor Safeguards (ACRS) about control room habitability, the NRC initiated a review of the existing design and maintenance of control room ventilation systems. This effort, designated as Generic Issue 83, involves, in part, a survey of 12 operating reactor plant control rooms. This survey is intended to assess whether the actual control room ventilation systems are performing in the manner described by the licensee in response to the criteria of NUREG-0660, Item III.D.3.4, step 1.* The results will be available in the summer of 1987 and will form the basis for determining what further action, if any, is needed.

In addition, step 2 of NUREG-0660, Item III.D.3.4* described the NRC staff's intention to examine control room habitability requirements under degraded-core (severe-accident) conditions. Currently, the NRC has taken no action in this area and no plan has been established to do so because this issue has been assigned a low priority. However, the current NRC study of radionuclides release following severe accidents is continuing and may result in additional criteria for control room habitability design.

2.3.3 Assessment

Through the implementation of GDC 19, control rooms currently provide a degree of protection against radioactive releases from severe accidents by designing them to minimize inleakage, by incorporating pressurization ventilation systems that are intended to maintain the control room at a slight positive pressure after an accident, and by incorporating filtration systems that are effective in reducing the amount of radioactive contamination reaching the control room.

Additional efforts currently under way under Generic Issue 83 and with regard to radionuclides releases will provide sufficient additional insight on control room habitability following severe accidents.

The control room is specifically designed to protect personnel from onsite radiation following accidents; other plant areas, however, do not have this protection. In the event of an accident at a multiple-unit site, this practice could keep the plant operator from taking local corrective action should there be unanticipated failure in some equipment, or to eventually take necessary local actions to initiate cold shutdown following a severe accident. Furthermore, the ability to maintain long-term plant shutdown following a severe accident may be affected because an operator will eventually have to enter remote areas of the plant to perform equipment maintenance. However, to minimize the need for immediate local action, automation, control room features, and redundancies are built into the design of shutdown systems. Anticontamination clothing, breathing apparatus, and other protective equipment are available to allow personnel to enter an area in order to take local actions in the longer term. In addition, cold shutdown requires only a few simple actions to be taken; thus, access to remote areas is necessary for short periods only. Thus, no further action is needed in regard to access (following a severe accident) to plant areas outside the control room. However, new plants should consider this concern in the design of their ventilation system and postaccident shutdown capability.

Fire protection measures such as fire dampers, smoke detectors, smoke exhaust systems in certain areas, and portable ventilation equipment are considered to be adequate to limit the spread of smoke, particularly in view of the fire protection improvements made in U.S. plants since the implementation of Appendix R to 10 CFR 50. Fire protection at U.S. nuclear power plants is discussed in Section 2.4 of this report.

Finally, although the proper design of shared systems in accordance with GDC 5 does not compromise safety system functions, and may in fact enhance safety when additional equipment can be employed in place of failed components, sharing may affect the ability to bring a unit not affected by an accident back to normal operation. This could occur if continued sharing is necessary in order to ensure maintaining long-term shutdown of the unit affected by the accident, or if contamination in a unit not affected by the accident is widespread because of shared structures and a shared ventilation system. Therefore, it appears appropriate that the NRC severe-accident policy for new plants, particularly standard plant designs, precludes sharing of such features at multiple-unit sites.

2.3.4 Conclusions and Recommendations

In the event of a severe accident in one unit of a multiple-unit site, the control room operators are adequately protected by design features that will ensure a habitable environment. Control room habitability and radionuclides release studies which will take into account recently developed release descriptions are expected to confirm this conclusion. For areas outside the control room, shutdown system design and control room capability preclude the need for immediate access to remote areas, and measures are available to gain access to take the few longer term actions necessary for accomplishing cold shutdown and performing maintenance. When ventilation and postaccident shutdown systems are being designed for new plants, contamination outside the control room should be considered. Fire protection improvements imposed by Appendix R to 10 CFR 50 will provide effective smoke control. Because sharing may be necessary to ensure shutdown of a unit not affected by the accident and may delay the return of the unit to normal operation, severe-accident policy for new plants should restrict the sharing of systems forming part of the shutdown capability at multiple-unit sites. Systems required for shutting each unit down should not be shared between units, though the capability to share systems to provide added defense in depth for safe shutdown remains desirable, subject to appropriate isolation provisions.

2.4 Fire Protection

After the accident at Chernobyl, the Soviets stressed the great importance of firefighting (USSR, 1986).

As a result of the explosion in the Unit 4 reactor, fragments of the core were ejected from the reactor building igniting about 30 fires on roofs and other plant areas. The plant operators determined that the most important action in combating the accident was to extinguish the fires. The immediate threat was that the fire would spread from Unit 4 to Unit 3. Firefighters from neighboring towns responded and within 1 hour contained the fires to Unit 4; all fires were extinguished within 4 hours. Evidently plant personnel began combating the fires and were soon joined by firefighters from neighboring towns.

Of particular concern was the ability to fight fires at locations above grade (i.e., roofs of buildings). The Soviets stressed the need for special equipment to lift firefighting equipment to roofs. Also of concern was the need for protective clothing for firefighters working in radioactive environments.

In light of these concerns, a review of firefighting capabilities at nuclear plants and fire protection measures in general is appropriate.

2.4.1 Current Regulatory Practice

There have been many fires in operating nuclear power plants through September 1986. Of these, the fire on March 22, 1975 at Browns Ferry nuclear plant was the most severe. On the average, a nuclear power plant may experience one or more fires of varying severity during its operating life. Although WASH-1400 concluded that the Browns Ferry fire did not affect the validity of the overall risk assessment, the NRC concluded that cost-effective fire protection measures should be instituted to significantly decrease the frequency and severity of fires and consequently initiated the development of guidelines and rules.

The effort after the Browns Ferry fire resulted in the new rules for fire protection contained in Appendix R to 10 CFR 50. These criteria were intended to amplify the already existing broad guidelines contained in GDC 3, "Fire Protection," of Appendix A to 10 CFR 50. Additional criteria are contained in SRP Section 9.5.1 (NUREG-0800). The fire protection program as promulgated by NRC for nuclear power plants consists of design features, personnel, equipment, and procedures that provide defense-in-depth protection to the public. The primary purposes of the program are to prevent significant fires, to ensure the capability to shut down the reactor and maintain it in a safe shutdown condition, and to minimize radioactive releases to the environment in the event of a significant fire. These guidelines call for management participation in the fire protection program and for design of fire protection features by qualified utility staff. The utility staff is also responsible for fire prevention activities, maintenance of fire protection systems, training, and manual firefighting activities.

The NRC requirements concerning fire brigade and fire brigade training are contained in Sections III.H and III.I of Appendix R to 10 CFR 50 and in SRP Section 9.5-1(C.3) (NUREG-0800). A summary of the requirements follows. The aforementioned concerns are addressed specifically within the context of NRC-sponsored requirements and/or guidelines.

Each reactor site is required to have a fire brigade that is trained and equipped for fighting fires. The fire brigade was established to ensure adequate manual firefighting capability for all areas of the plant containing structures, systems, or components important to safety (this includes roofs, high-radiation areas, and remote plant locations). The fire brigade is typically organized as follows:

- Five members must be on each shift.

- Brigade leader and at least two brigade members must have sufficient training or knowledge of plant safety-related systems to understand the effects of fire and fire suppressants on safe shutdown capability.

- The shift supervisor is not a member of the fire brigade.

The minimum protective equipment provided for the brigade consists of such items as turnout coats, boots, gloves, hard hats, emergency communications equipment, portable lights, portable ventilation equipment, and portable extinguishers.

Self-contained breathing apparatus with full-face, positive pressure masks is provided for fire brigade, damage control, and control room personnel.

The fire brigade's training program is designed to ensure that the capability to fight potential fires is established and maintained. The program consists of an initial classroom instruction program followed by periodic classroom instruction, firefighting practice, and fire drills. These are detailed below.

(1) Instruction

The initial classroom instruction consists of indoctrination in the plant's firefighting plan and specific identification of each individual's responsibilities, the type and location of fire hazards and associated types of fires that could occur in each plant area, the proper use of available firefighting equipment, and the correct method of fighting each type of fire. The types of fires studied include fires in energized electrical equipment, fires in cables and cable trays, hydrogen fires, fires involving flammable and combustible liquids or hazardous process chemicals, fires resulting from construction or modifications (welding), fires in records, and in hazardous areas in nuclear plants, including roofs.

(2) Practice

Practice sessions are held for the fire brigade on each shift on the proper method of fighting the various types of fires that could occur in a nuclear power plant. These sessions provide brigade members with experience in actually extinguishing fires using emergency breathing apparatus under the strenuous conditions encountered in firefighting.

(3) Drills

Fire brigades drill in the plant so that the fire brigade can practice as a team and at the site it serves.

The drills must be preplanned to establish the training objectives of the drill and are evaluated to determine how well the training objectives have been met. Unannounced drills are planned and evaluated by members of the management staff responsible for plant safety and fire protection. Performance deficiencies of a fire brigade or of individual fire brigade members are remedied by scheduling additional training for the brigade or members.

Drills must include the following:

(a) Assessment of fire alarm effectiveness; time required to notify and assemble fire brigade; selection, placement, and use of equipment; and firefighting strategies.

(b) Assessment of each brigade member's knowledge of his or her role in the firefighting strategy for the area assumed to contain the fire and the brigade member's conformance with established plant firefighting procedures and use of firefighting equipment, including self-contained emergency breathing apparatus, communication equipment, and ventilation equipment, to the extent practicable.

(c) The simulated use of firefighting equipment required to cope with the situation and type of fire selected for the drill. The area and type of fire chosen for the drill should differ from those used in the previous drill so that brigade members are trained in fighting fires in various plant areas. The situation selected should simulate the size and arrangement of a fire that could reasonably occur in the area selected, allowing for fire development because of the time required to respond, to obtain equipment, and to organize for the fire, assuming loss of automatic suppression capability.

(d) Assessment of the brigade leader's management of the firefighting effort as to thoroughness, accuracy, and effectiveness.

A major problem at Chernobyl in combating the fires was the inability to get firefighting equipment to the fires, that is, on top of burning roofs that were ignited when hot core material landed on them. NRC guidelines require that roofs be constructed of noncombustible materials that are listed as "acceptable for fire." Such a roof would be difficult to ignite and if ignited, it would inherently retard propagation to other areas. In addition, NRC guidelines require the installation of (1) standpipes and hoses to allow manual firefighting and (2) personnel access and escape routes for each fire area in the plant, thereby addressing the concern of accessibility for firefighting personnel and equipment.

Another problem encountered at Chernobyl was the need to extinguish fires in areas that, as a result of the accident, had become highly radioactive. In the United States, it is currently the practice in nuclear plants that a health physics technician responds to a fire along with the fire brigade, in order to recommend to the brigade leader ways of preventing extensive radiation exposure.

Currently, no specific guidelines are provided on fighting fires in a highly radioactive area. Using typical protective equipment (turnout coats, boots, gloves, hard hats, and self-contained breathing apparatus) provides a measure of safety against radioactivity as well as against fire and smoke. Explicit guidelines do exist regarding radiation exposure. If a fire should occur in a high radiation area, all licensees will follow established utility guidelines and procedures regarding proper attire to protect against radiation in addition to observing guidelines and procedures regarding firefighting apparatus.

At nuclear power plants in the United States, the concept of defense in depth is established to achieve a high degree of safety by using echelons of safety systems. With respect to the fire protection program, the defense-in-depth principle is aimed at achieving an adequate balance in

- preventing fires from starting
- detecting fires quickly, suppressing those fires that occur, putting them out quickly, and limiting their damage
- designing plant safety systems so that a fire that starts in spite of the fire prevention program and burns for a considerable time in spite of fire protection activities will not keep essential plant safety functions from being performed

No one of these echelons can be perfect or complete by itself. Each echelon meets certain minimum requirements; however, strengthening any one can compensate in some measure for weaknesses, known or unknown, in the others.

On November 19, 1980, the Commission published a revised Section 50.48 and a new Appendix R to 10 CFR 50 regarding fire protection features at nuclear power plants. The revised 10 CFR 50.48 and Appendix R became effective on February 17, 1981. Section III of Appendix R contains 15 subsections, lettered A through O, each of which specifies requirements for a particular aspect of the fire protection features at nuclear power plants.

Because it is not possible to predict the specific conditions under which fires may occur and propagate, design-basis protective features rather than the design-basis fire are specified in the rule. Plant-specific features may require protection different from the measures specified in Section III.G (the key section in Appendix R). In such a case, the licensee must demonstrate by means of a detailed fire hazards analysis that existing protection or existing protection in conjunction with proposed modifications will provide a level of safety equivalent to the technical requirements of Section III.G of Appendix R.

In summary, Section III.G deals with fire protection features for ensuring that systems and associated circuits used to achieve and maintain safe shutdown are not damaged by fire. Fire protection configurations must either meet the specific requirements of Section III.G or an alternative fire protection configuration must be justified by a fire hazards analysis. Generally, the staff will accept an alternative fire protection configuration if

(1) The alternative ensures that one train of equipment necessary to achieve hot shutdown from either the control room or emergency control station(s) is free of fire damage.

(2) The alternative ensures that fire damage to at least one train of equipment necessary to achieve cold shutdown is limited so that the equipment can be repaired within a reasonable time (for minor repairs, components stored on the site are used).

(3) Fire-retardant coatings are not used as fire barriers.

(4) Modifications required to satisfy Section III.G would not enhance fire protection safety levels above that provided by either existing or proposed alternatives.

(5) Modifications required to meet Section III.G would be detrimental to overall facility safety.

2.4.2 Work in Progress

The NRC is currently working to ensure full implementation of fire protection programs at all U.S. nuclear power plants as follows:

(1) 95% of all plants licensed before January 1, 1979 have completed fire protection modifications. All plants will be in compliance with 10 CFR 50.48 and Appendix R by 1989.

(2) All plants licensed after January 1, 1979 have completed significant fire protection modifications and have fully implemented their fire protection programs.

Efforts to date at all plants reflect the consensus that has evolved from the staff's promulgation of rules and generic guidance. NRC, however, continues to evaluate the prudence and effectiveness of its regulations in the area of fire protection via an NRC-sponsored risk-based analysis of fire hazards and effects on safe plant operation/shutdown following an abnormal event.

2.4.3 Assessment

As indicated, the concept of defense in depth is primary in the fire protection program at U.S. nuclear power plants and is implemented by

(1) preventing fires from starting

(2) detecting fires quickly, suppressing those fires that occur, and limiting their damage

(3) designing plant safety systems so that a fire that starts in spite of the fire prevention program and burns for a considerable time in spite of firefighting activities will not keep essential plant safety functions from being performed

The approach indicated above provides a substantial level of protection against fires. The fire brigade's use of typical protective equipment (turnout coats, boots, gloves, hard hats, and self-contained breathing apparatus) provides a measure of protection against radioactivity as well as against fires and smoke.

Training the fire brigade in the proper use of the protective equipment as stated previously can ensure its effectiveness in protecting personnel from the effects of exposure to radiation. Fire brigade training also includes instruction on the proper use of equipment and firefighting in all plant areas, including roofs. Thus, NRC fire protection practice in general and specific firefighting criteria are considered to be adequate at this time.

2.4.4 Conclusions and Recommendations

As a result of the accident and ensuing fires at Chernobyl, the NRC staff has reviewed the fire programs implemented by NRC rules, regulations, and guidelines and concludes that the programs provide an adequate level of defense in depth for all anticipated events.

Nevertheless, to confirm that the current provisions are adequate, it is recommended that the provisions for firefighting with radiation present be reviewed further.

CHAPTER 3 CONTAINMENT

The role of the containment vessel or containment building as a vital barrier to the release of fission products to the environment has been recognized for some time. The public safety record of U.S. nuclear power plants has been enhanced by applying the "defense-in-depth" principle, which relies on a set of independent barriers to fission product release. The containment is one of these barriers. During the licensing review, applicants must demonstrate that the plant is designed to provide protection for the public in case of accidents up to the design-basis accident. The containment plus certain other engineered safety features, such as spray systems and filters, are designed and relied on to mitigate such events.

The NRC began to give attention to severe accidents even before the accident at Three Mile Island (TMI) and has increased its emphasis in this area since that accident. With regard to containments, one of the first requirements introduced after the TMI accident was intended to reduce the challenge to containment integrity from a hydrogen combustion. Thus, the smaller boiling-water-reactor (BWR) containments, such as the Mark I and Mark II, were required to be inerted with a nitrogen atmosphere, effectively precluding the possibility of a hydrogen combustion; others were fitted with a hydrogen igniter system designed to burn any hydrogen in a controlled fashion, preventing substantial containment overpressure.

Recently, two groups of experts working on severe accidents assessed containment loading and containment performance. Two reports document that effort. The first report, NUREG-1079, "Estimates of Early Containment Loads From Core Melt Accidents," estimates the magnitude of pressure and temperature loads on containment associated with severe-accident sequences involving significant core damage and presents the results of studies to evaluate the potential effects of such phenomena on containment integrity. The second report, NUREG-1037, "Containment Performance Working Group Report," discusses the leakage rate of containment buildings as a function of increasing internal pressure and temperature.

The Chernobyl accident focused new attention on containments and the performance of containments under severe-accident conditions. Such challenges include phenomena such as increased pressures from an uncontrolled hydrogen combustion or release of large quantities of noncondensible gases from core concrete interactions. Venting the containment in case of certain severe accidents could be an effective way to preserve the long-term containment functional integrity and reduce the uncontrolled release of radioactive material. The rest of this chapter summarizes the activities already in place in the areas of containment integrity and containment venting and addresses the need for additional work.


3.1 Containment Performance During Severe Accidents

The Chernobyl accident has focused attention on whether containments for U.S. light-water reactors that were built using criteria based on design-basis accidents have adequate margins available to prevent the release of large quantities of fission products during severe accidents.

3.1.1 Current Regulatory Practice

Containment design criteria are based on a set of deterministically derived challenges. Pressure and temperature challenges are based on the so-called design-basis loss-of-coolant accident. Radiation considerations are based on a postulated substantial core-melt accident. Also, external events such as earthquakes, floods, and tornados are considered in the design. The margins of safety provided in U.S. practice have been the subject of considerable research and evaluation, and these studies have indicated the ability of containment systems to survive pressure challenges of 2.5 to 3 times design levels.

Severe-accident evaluations and research had progressed to the point that the Commission issued a Severe Accident Policy Statement in August 1985 (50 FR 32138) concluding that existing plants posed no undue risk to the public. However, the Commission pointed out that at each plant there will be systems, components, or procedures that are the most significant contributors to risk. Utilities should identify these contributors and develop appropriate courses of action, if and as needed to ensure acceptable margins of safety. Furthermore, the Commission stated that such examinations "will include specific attention to containment performance in striking a balance between accident prevention and consequence mitigation." Relative to new plant applications, the Commission expressed a desire that new plants should have a higher standard of safety than earlier designs, to cover postulated severe accidents. It also assigned the staff to evaluate the need for new containment performance criteria and, if the need exists, to formulate such criteria.

Both before and since the statement was issued, improvements in containment design have been studied for several plants and designs, including Zion, Indian Point, Limerick, and the GESSAR II standard plant. In addition, research has been conducted on containment challenges and performance (including estimates of uncertainties), and risk outlier searches are planned to be initiated in 1987, through individual plant evaluations (IPEs) by industry.

Improvements aimed at reducing the likelihood of containment challenges through improvements in combustible gas control have been promulgated through revisions to 10 CFR 50.44 ("Standards for Combustible Gas Control System in Light-Water-Cooled Power Reactors"); for response to anticipated transients without scram (ATWS) through 10 CFR 50.62 ("Requirements for Reduction of Risk From Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants"); and for station blackout through proposed rule changes (10 CFR 50.63, "Loss of Alternating Current Power," and General Design Criterion 17, "Electric Power Systems," of Appendix A to 10 CFR 50).

Strategies to enhance containment performance have been considered in developing emergency procedures. One such strategy is containment venting to prevent catastrophic containment failure. Containment venting was considered in NUREG-0956 ("Reassessment of the Technical Bases for Estimating Source Terms") in evaluations of radionuclide releases and was also considered in evaluations supporting the NUREG-1150 ("Reactor Risk Reference Document") risk evaluations for plants having such a procedure in place. Containment venting is only one of a number of potential containment performance improvements considered by the staff and industry.

3.1.2 Work in Progress

Work on reassessing risks (NUREG-1150) and other emerging research is expected to indicate whether changes are warranted in predictions of accident probabilities, and containment system challenges and performance. This research has included substantial experimentation in areas such as containment loads and performance. Combustible gas phenomena, core-concrete interactions, and equipment survivability have also been evaluated. Implementation of the Severe Accident Policy Statement through the IPEs, utilizing emerging research, is expected to indicate whether risk outliers exist at specific plants that justify improvements in containment system performance. This implementation is the principal NRC program for identifying plant-specific severe-accident risk outliers and for implementing new requirements. For BWRs specifically, the staff, the Vermont Yankee licensee, the Pilgrim licensee, the Boiling Water Reactor Owners Group, and NUMARC* are all involved in considering initiatives to improve the performance of BWR containments because of a perception that BWR containments designed by the General Electric Co. have a low probability of surviving core-melt accidents. The staff, through the Severe Accident Program and review of the Industry Degraded Core Rulemaking (IDCOR) Program, has similarly evaluated pressurized-water reactor (PWR) containments. Activities are also being conducted to develop containment performance criteria for new plants. Foreign initiatives are in progress to improve containment system performance (such as those in Sweden, France, Germany, Finland, and Italy). The initiatives include potential design and procedural changes, one of which is containment venting.

3.1.3 Assessment

Research programs and regulatory initiatives to address the issue of containment performance during severe accidents are currently in progress at NRC. Generic vulnerabilities have been identified for some types of containments, but only a few detailed plant-specific containment assessments have been made. The systematic search for plant-specific problems that is due to begin in 1987 is, however, expected to provide more information on containment performance. On the basis of existing research and evaluation programs, new programs or initiatives are not needed as a result of the accident at Chernobyl.

3.1.4 Conclusions and Recommendations

The Chernobyl event has graphically demonstrated the effect of containment performance on the overall risks of nuclear power plant operation. The Chernobyl event should strengthen the commitment by NRC and industry to implement the design and operational improvements needed to provide greater assurance of containment survival in severe accidents. Current programs are adequate for this purpose; new programs or initiatives are not needed.

*The Nuclear Utility Management and Resources Committee (a confederation of all 55 utilities with nuclear plants, either in operation or under construction).


3.2 Filtered Venting

The Chernobyl accident has focused attention on whether U.S. containments should be provided with filtered venting in order to mitigate the consequences of accidents of the type that occurred at Chernobyl.

3.2.1 Current Regulatory Practice

Venting as a containment strategy has been evaluated and is being incorporated into the emergency procedures for some BWRs. The staff has reviewed the technical bases for such procedures, including both combustible gas and pressure considerations. At the present time there is no regulatory requirement for plant-specific implementation of such a procedure, but it is up to individual utilities to provide for filtered venting as a last resort to prevent gross containment failure on overpressure, and to prevent an excessive buildup of hydrogen in the containment, for accident conditions more severe than were considered in the original containment design. No analogous procedures or guidelines exist for PWRs.

3.2.2 Work in Progress

Containment venting has been evaluated as part of severe-accident research programs related to radionuclide release assessments (NUREG-0956) and risk assessments (NUREG-1150) for reactors that incorporate venting in their emergency procedures, and for generic studies of venting as a mitigation strategy. In addition, evaluations associated with implementation of the Commission's Severe Accident Policy have considered venting. The Advisory Committee on Reactor Safeguards has also expressed interest in venting as a severe-accident mitigation strategy. These evaluations and considerations were all being pursued before the Chernobyl accident occurred.

Filtered venting as a strategy to mitigate the consequences of some severe accidents is being considered and implemented in Sweden, France, and Germany.

Venting can preserve containment integrity against excessive containment pressure buildup (slow to moderate) from the loads generated during the severe-accident scenario. At the same time, filtering retains most of the long-lived radioactivity, thus avoiding gross contamination of the areas surrounding the nuclear power plant and minimizing long-term health and economic effects. For example, the Swedish government now requires venting through newly constructed filtered vents for some reactors, is evaluating others, and has established performance criteria for such systems. The performance criteria provide for automatic actuation and specific filter efficiencies. The transient pressure-relieving capabilities of the improvements vary from early relief for BWRs to late pressure relief for PWRs. The French Government plans to install filtered vents on all PWRs. These vents would be activated manually as a measure to save a threatened containment from late overpressure failure.

For BWRs specifically, filtered venting is one such improvement that, if correctly implemented, could reduce the risk from severe accidents. Preferably, gases should be vented from the wetwell by remote manual actuation for elevated exhaust through the stack. Existing vents and piping may need upgrading to withstand venting pressures. Fission products could be removed (i.e., filtered) through the use of sprays and suppression pools. No separate or new filter requirements have been identified. The combination of postaccident fission-product removal and elevated releases would be expected to significantly reduce the offsite consequences of the most-severe accident sequences. The current strategy is to use existing controlled venting capabilities insofar as possible to mitigate such accidents.

In a related activity, a nuclear industry group (the BWR Owners Group) has revised its guidance on emergency procedures for BWRs (BWROG, 1986). The revised guidance, which the staff is reviewing, includes additional guidance on venting. Individual utilities, however, are not required to implement such guidance and earlier versions of such guidance have not been universally adopted.

3.2.3 Assessment

Filtered venting is an existing strategy currently being evaluated as part of the Severe Accident Policy implementation program in the United States. Anticipated technical exchanges with regulatory and utility representatives in other countries that are occurring as a result of Chernobyl-related initiatives, and potential U.S. BWR containment improvements, are all expected to add to the information available on the effectiveness of filtered venting. Therefore, no new initiatives are needed at this time.

3.2.4 Conclusions and Recommendations

Filtered venting as a means of limiting the offsite consequences of core-melt accidents is being pursued in a number of countries and is being examined in the United States. The U.S. programs of severe-accident research and implementation will, however, be enhanced by anticipated technical exchanges with representatives from other countries (such as Sweden, France, and Germany) that are implementing filtered venting.


CHAPTER 4 EMERGENCY PLANNING

A number of facts about the Chernobyl accident bear on emergency planning and preparedness around U.S. commercial nuclear power plants. The implications of the Chernobyl accident and the Soviet response for four aspects of U.S. emergency planning, namely: (1) size of the emergency planning zone (EPZ), (2) medical services, (3) ingestion pathway measures, and (4) decontamination and relocation, are examined in this chapter.

In drawing a nexus between the Soviet response to the Chernobyl accident and emergency planning implications for U.S. plants, contrasts and differences in four areas should be noted. First, there is a substantial difference in the emergency planning base. After the accident at Three Mile Island, large resources were expended to improve emergency planning and response capabilities around U.S. plants. In contrast, there is little indication that the Soviets have comparable site-specific emergency plans for the general public around their nuclear power plants.

Second, the specifics of the Chernobyl release are unique to the RBMK design. The amounts of radioactive material released from U.S. plants would, for most accident sequences, be considerably less because, among other things, U.S. plants have substantial containments. In addition, although low probability, fast-moving accident sequences are possible, severe accidents at U.S. plants would, in general, progress more slowly, resulting in longer warning times before release.

Third, some aspects of the Chernobyl evacuation defy comparison with similar aspects at U.S. plants because of economic and societal differences. For example, the Soviets had to assemble 4000 buses and trucks for the Chernobyl evacuation, whereas, in the United States most people have access to private transportation and necessary alternative transportation is preplanned around U.S. nuclear power plants.

Finally, it should be recognized that issues such as offsite decontamination and long-term relocation raise matters whose scope and timing extend beyond the "emergency" actions for which detailed advance planning is beneficial and appropriate. As such, these matters may fall outside the traditional scope of emergency planning for U.S. plants.

4.1 Size of the Emergency Planning Zones

The Chernobyl accident has focused attention on the adequacy of the size of emergency planning zones around U.S. commercial nuclear power plants.

The Soviets evacuated a total of about 135,000 people as well as considerable farm livestock from Pripyat, Chernobyl, and other towns and villages within 30 kilometers (18 miles) of the Chernobyl nuclear power plant. This evacuation appears to have taken place in several stages, beginning about 36 hours after the initial release, and extending over several days to a week. The whole-body radiation dose to the vast majority of individuals did not exceed 25 rem, although persons in the most severely contaminated areas may have been exposed to whole-body doses in the range of 40-50 rem. The population of Pripyat was initially sheltered as a protective measure and then evacuated when radiation readings increased. In addition to radiation considerations, logistics and contamination control influenced the timing of the evacuation. The Soviets took ingestion pathway protective measures within the 30-kilometer zone and well beyond. Ingestion pathway protective measures were also taken in several Soviet bloc countries, in Scandinavia, and in Eastern and Western Europe.

4.1.1 Current Regulatory Practice

Emergency planning is currently required under 10 CFR 50.47 for all U.S. commercial nuclear power plants for two concentric zones having radii of approximately 10 and 50 miles (except for plants with power levels below 250 MWt and for gas-cooled reactors, which have smaller zones). The inner zone, referred to as the plume exposure pathway emergency planning zone (EPZ), is one in which the principal sources of exposure would come from the radioactive plume and from material deposited on the ground. The outer zone, referred to as the ingestion exposure pathway EPZ, is one in which the principal exposure would come from ingestion of contaminated water or foods such as milk and fresh vegetables. The sizes of these zones were determined from considerations given in NUREG-0396, "Planning Basis for the Development of State and Local Government Radiological Emergency Plans." These specifically included consideration of the accident risks from the complete spectrum of severe-accident releases given in WASH-1400, "Reactor Safety Study." In addition, a distance of 10 miles was also chosen for the inner zone based on the conclusion that "detailed planning within 10 miles would provide a substantial base for expansion of response efforts in the event that this proved necessary" (NUREG-0654, "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants").

Requirements for emergency planning in the United States include the capability to alert and notify the population in the plume exposure pathway EPZ within 15 minutes of the decision by responsible public officials that protective actions are necessary. It is the licensee's responsibility to (1) classify the emergency (unusual event, alert, site area emergency, or general emergency) in accordance with the potential risk to the public health and safety; (2) notify offsite authorities; and (3) recommend any public-protective actions. The implementation of the onsite planning requirements is exercised annually by the licensee. It is the offsite authorities' responsibility to (1) determine the proper protective actions, (2) alert and notify the general public within 15 minutes of a decision to recommend protective actions, and (3) assist the general public in carrying out the protective actions. The implementation of the offsite planning requirements is exercised every 2 years by the offsite authorities.

4.1.2 Work in Progress

Regarding EPZ size, a major NRC research effort began about 1981 to obtain a better understanding of radionuclide transport and release under severe-accident conditions. This research on radionuclide release includes the development and application of new computer codes for core-melt phenomena and containment performance. It also includes an extensive review effort by peer reviewers and industry groups, as well as independent assessment under the auspices of the American Physical Society. The report explaining and detailing this revised methodology to calculate accident radionuclide release was published in July 1986 as NUREG-0956, "Reassessment of the Technical Bases for Estimating Source Terms." Revised risk profiles which apply this methodology were published for comment as NUREG-1150, "Risk Reference Document," in February 1987. This document attempts to use the new source term information to provide insights about (1) how offsite doses would be expected to vary with distance for the plants analyzed and (2) the relative effectiveness of different offsite protective actions at various distances from the plants.

4.1.3 Assessment

One difficulty in assessing the implications of emergency actions taken at Chernobyl for U.S. commercial nuclear power plants is the vast difference in the emergency planning base. From an emergency planning standpoint, the United States experienced its "Chernobyl" accident at TMI-2 in 1979. After TMI-2, large resources were expended to improve site-specific and generic emergency planning capabilities. Utility, State, local, and Federal emergency plans were developed, reviewed, and exercised. Alert and notification systems have been designed, installed, and tested within the plume exposure pathway EPZs (10-mile radius) for all U.S. plants. The populations within the plume exposure pathway EPZs for U.S. plants have been informed of the risks of an accident and have been instructed on protective actions during an emergency.

In contrast, there is little indication that the Soviets have comparable site-specific emergency plans for the general public around their nuclear power plants. It appears that many of the protective actions taken were ad hoc measures. Although an accident in the United States could require some ad hoc measures to be taken, a detailed planning base exists to facilitate implementation of any necessary protective actions. Therefore, care and time must be taken to identify only those Chernobyl lessons that could improve the existing U.S. emergency planning base.

Another difficulty in assessing the implications of the Chernobyl accident is that the specifics of the Chernobyl release are unique to the RBMK design. The amounts of radioactive material released from U.S. plants would for most accident sequences be considerably less because, among other things, U.S. plants have substantial containments. In addition, although low probability, fast-moving accident sequences are possible, severe accidents at U.S. commercial nuclear plants would generally progress at a slower pace, resulting in longer warning times before release. Again, care and time must be taken to identify what the United States can learn from the Chernobyl accident on the basis of the knowledge provided by U.S. source term research.

With regard to the issue of EPZ size, the Soviets evacuated the population out to 18 miles, or roughly twice the distance for which an evacuation capability is required to be demonstrated in the United States. Similarly, measures were taken to prevent ingestion of foodstuffs, milk, and water at distances considerably greater than the 50-mile ingestion exposure pathway in the United States. This might imply that the U.S. EPZs are too small. However, two points lead to a different conclusion.


First, the 10-mile and 50-mile EPZs have always been considered a planning base within which to demonstrate a capability. They have not been considered as an absolute limit for taking protective actions. NUREG-0654 clearly notes:

The choice of the size of the Emergency Planning Zones represents a judgement on the extent of detailed planning which must be performed to assure an adequate response base. In a particular emergency, protective actions might well be restricted to a small part of the planning zones. On the other hand, for worst possible accidents, protective actions would need to be taken outside the planning zones.

Second, as stated above, the Chernobyl radionuclide source term is specific to the RBMK design and U.S. source terms are expected to be lower.

4.1.4 Conclusions and Recommendations

The Chernobyl accident and the Soviet response do not reveal any apparent deficiency in U.S. plans and preparedness, including the 10-mile plume exposure pathway EPZ size and the 50-mile ingestion exposure pathway EPZ size. These zones provide an adequate basis to plan and carry out the full range of protective actions for the populations within these zones, as well as beyond them, if the need should arise.

4.2 Medical Services

The Chernobyl accident has focused attention on (1) the adequacy of the U.S. Government's policy on potassium iodide (KI) and (2) the adequacy of medical services around U.S. nuclear power plants.

At Chernobyl, potassium iodide was distributed to schoolchildren within about 6 hours of the accident, and to the entire population of Pripyat the morning of the following day; ultimately it was given to the population in the 30-kilometer zone and other areas. The Soviets report no serious adverse reactions to KI.

Two hundred and three plant and response personnel suffered acute radiation sickness; many of these people also had other injuries, primarily burns. By the end of July, 29 had died. A specialized medical team, which arrived within 12 hours of the accident, examined 350 persons and performed about 1000 blood analyses. To provide medical care for the evacuees during the first few days after the accident, 450 brigades (made up of 1240 physicians, 920 nurses, and 360 physicians' assistants) and more than 3400 other personnel were mobilized.

No persons from the general public were found to be victims of acute radiation sickness.

4.2.1 Current Regulatory Practice

The U.S. Government policy on distribution of KI around nuclear power sites for use as a thyroid-blocking agent was published in the Federal Register (50 FR 30258) on July 24, 1985. Although the stockpiling and use of KI are recommended for emergency workers and institutionalized individuals, the U.S. Government's position with regard to the redistribution or stockpiling of KI for use by the general public is that it should not be required. The policy statement elaborates:

While valid arguments may be made for the use of KI, the preponderance of information indicates that a nationwide requirement for the redistribution or stockpiling for use by the general public would not be worthwhile. This is based on the ability to evacuate the general population and the cost effectiveness of a nationwide program which has been analyzed by the NRC and DOE National Laboratories (NUREG/CR-1433).* While the use of KI can clearly provide additional protection in certain circumstances, the assessment of the effectiveness of KI and other protective actions and their implementation problems indicates that the decision to use KI (and/or other protective actions) should be made by the states and, if appropriate, local authorities on a site specific basis.

For onsite personnel and emergency workers, NRC licensees are required to provide an onsite first-aid capability and to arrange for local (primary) and backup hospitals that have the capability for evaluating radiation exposure and uptake, including assurance that persons providing these services are adequately prepared to handle contaminated individuals.

For offsite members of the general public, Commission policy is contained in a statement published in the Federal Register on September 17, 1986 (51 FR 32904) titled, "Emergency Planning - Medical Services." The Commission stated that its regulation required that preaccident arrangements be made for medical services for individuals who might be severely exposed to dangerous levels of offsite radiation following an accident at a nuclear power plant. Such arrangements would include (1) identification of the capacities, special capabilities, or other unique characteristics of the listed medical facilities; (2) a good-faith reasonable effort by licensees or local or State governments to facilitate or obtain written agreements with the listed medical facilities and transportation providers; (3) provision for making available necessary training for emergency response personnel to identify, transport, and provide emergency first aid to severely exposed individuals; and (4) a good-faith reasonable effort by licensees or State or local governments to see that appropriate drills and exercises are conducted which include simulated severely exposed individuals. The Federal Emergency Management Agency (FEMA) and NRC staff have prepared guidance for implementation of this policy (FEMA, 1986). The guidance should be implemented within about 1 years.

4.2.2 Work in Progress

As mentioned above, State and local governments and licensees will be implementing the Commission's new policy statement on medical services. In addition, the medical community is addressing implications of the Chernobyl accident on the area of medical response through its traditional mechanisms; for example, the American Medical Association held an international conference on nonmilitary radiation emergencies in November 1986.

*"Examination of the Use of Potassium Iodide (KI) as an Emergency Protection Measure for Nuclear Reactor Accidents," October 1980.

4.2.3 Assessment

The Soviets credited the use of KI by the Pripyat population with keeping thyroid exposures within the permissible limits (stated as less than 30 rad) for 97% of the 206 evacuees tested at one relocation center. They said there were no serious adverse reactions from the use of KI (USSR, 1986).

The policy statement of the U.S. Government acknowledges the effectiveness of KI in certain circumstances; however, it concludes that the preponderance of information indicates that a nationwide requirement for the redistribution or stockpiling for use by the general public would not be worthwhile. It further concludes that the decision to use KI should be made by the States and, if appropriate, by local authorities on a site-specific basis. (Tennessee has redistributed KI, and Alabama has stockpiled it.) The apparently successful use of KI at Pripyat does not alter the validity of this guidance.

The Soviets mounted an impressive and effective medical response to the Chernobyl accident. Fortunately, the United States has not had to respond to a radiation medical emergency of that magnitude, although the U.S. medical community has responded to other sizeable medical emergencies at home and abroad.

In the United States, the present and future medical response capabilities in the regions around commercial nuclear power plants were described in Section 4.2.1 above. The accident at Chernobyl emphasizes the prudent nature of such measures. A national response to a Chernobyl-type accident would be coordinated through the Federal Radiological Emergency Response Plan (50 FR 46542), which has the resources of the Radiation Emergency Assistance Center/Training Site (REAC/TS) at Oak Ridge, Tennessee and the National Disaster Medical System (NDMS) headquartered in Rockville, Maryland.

The REAC/TS has its own response team to a radiation emergency, trains emergency medical personnel, and maintains a computerized registry of approximately 1650 people who have been trained at its center; the registry includes 650 physicians. The NDMS has four medical assistance teams (MATS) that can respond to radiological emergencies; these teams are augmented by health physicists from the Food and Drug Administration (FDA), the Department of Energy (DOE), and other sources. Currently, the NDMS has enrolled in its program 76,478 hospital beds in 965 non-Federal medical institutions. Its goal is to have 100,000 non-Federal beds and 150 MATS enrolled in its program. The NDMS also has a goal to train all of its teams in the handling of patients exposed to radiological, biological, or chemical contaminants.

4.2.4 Conclusions and Recommendations

The apparently successful use of KI by the Soviets does not alter the validity of U.S. Government policy that redistributing or stockpiling KI for use by the general public should not be required. Rather, this decision should be made by individual States and by local authorities.

Further, the staff concludes that the present arrangements and future plans for medical services around U.S. commercial nuclear power plants are adequate. The national capability is both substantial and growing. Also, the international offers of medical support to the Soviet Union following the Chernobyl accident demonstrate that the U.S. regional and national medical response can be augmented, if necessary, by a response from the international medical community.

4.3 Ingestion Pathway Measures

The Chernobyl accident focuses attention on (1) the adequacy of U.S. standards for the ingestion of radioactive materials in food and water (and the mechanisms for adapting those standards to changing conditions) and (2) the adequacy of U.S. plans and preparedness for taking measures to protect the public from the ingestion of hazardous levels of radioactive materials in food and water.

Soviet authorities initiated measures to protect the public from receiving unacceptably high levels of radiation through consumption of radioactively contaminated food. These measures were taken in two stages. Immediately after the accident, standards were promulgated governing the permissible content of iodine-131 (I-131) in milk and milk products. Cows were placed on stored feed. Similar standards were introduced governing the I-131 content in meat, poultry, eggs, berries, and raw materials used for medical purposes. On May 30, 1986, standards for cesium-134, cesium-137, and rare earth isotopes were issued to reflect the changes in the composition of the radiation contamination at that time. The permissible whole-body and internal organ dose in these standards was 5 rem committed dose.

4.3.1 Current Regulatory Practice

The Food and Drug Administration has published action levels (47 FR 47073) to provide State and local agencies with recommendations for taking protective action if an incident should cause contamination of human food and animal feeds. These can be used to determine whether levels of radiation encountered in food after a radiological incident warrant protective action and to suggest appropriate action that may be taken if action is warranted. In the United States, the States and local governments have primary responsibility for taking protective actions to protect the public from the ingestion of contaminated food.

The U.S. response to a radiological emergency is governed by the Federal Radiological Emergency Response Plan (FRERP) (50 FR 46542). The FRERP establishes a mechanism for a coordinated Federal assessment of the consequences of a nuclear accident occurring within the United States. It also specifies authorities and responsibilities of each Federal agency that may play a significant role during a radiological emergency. The FRERP includes the Federal Radiological Monitoring and Assessment Plan (FRMAP) for use by Federal agencies with radiological monitoring and assessment capabilities.

The FRERP recognizes that State or local governments have primary responsibility for determining and implementing any measure to protect the public. Therefore, one of the principal areas in which the Federal Government assists State and local governments is in advising them on protective action recommendations for the public.

4.3.2 Work in Progress

FEMA is developing ingestion pathway guidance. The guidance provides planning considerations for protecting the human food chain, including animal feeds and water, which may be contaminated following a radioactive release from a commercial nuclear power plant. The guidance will be addressed to State and local government emergency planners for those areas within a 50-mile radius of most nuclear power plants and will be reflected in State and local emergency plans within 1 year from the date the FEMA guidance is published.

4.3.3 Assessment

The Protective Action Guides (PAGs) for human and animal food would apply during and after an accident, although Federal, State, and local governments can modify the PAGs. The Federal mechanism for providing recommendations to State and local governments is the FRERP. The adequacy of the Federal guidance cannot be tested in the light of the Chernobyl accident because the specific Chernobyl releases are unique to the RBMK design. However, the adequacy of the Federal guidance will be reviewed through evaluations provided by U.S. research on radionuclide release and dispersion. To date it appears that the existing Federal guidance will provide adequate protection for members of the general public from contaminated food.

Similarly, the United States does have plans and preparedness measures in place to protect the public from ingesting hazardous levels of radioactive materials in food. The adequacy of the planning distances (50 miles) will be reexamined, taking into consideration U.S. source term research.

4.3.4 Conclusions and Recommendations

The guidance, planning, and preparedness around U.S. nuclear power plants for taking protective measures that deal with the ingestion pathway appear to be adequate and are not amenable to direct comparisons with the protective measures taken by the Soviets and others following the Chernobyl accident because of a difference in radionuclide source terms. Ingestion pathway measures will be reexamined, in cooperation with the Federal Emergency Management Agency, as part of the application of U.S. source term research. It should be noted, however, that past and current research results indicate that the interdiction of foodstuffs at large distances (beyond 50 miles) may be necessary for very large, low probability source terms. This was recognized in NUREG-0396 and is the reason that the 50-mile ingestion exposure EPZ is recognized as a planning base that can be expanded if the need arises.

4.4 Decontamination and Relocation

The Chernobyl accident focuses attention on the adequacy of U.S. plans and preparedness to mount large-scale decontamination and relocation efforts.

The Soviets evacuated and relocated 135,000 people and 19,000 cattle from an area within a 30-kilometer radius of the Chernobyl nuclear power plant. Apparently, some of these people have been permanently relocated.

The 30-kilometer area was subdivided into three zones of 0-3, 3-10, and 10-30 kilometers. All transport was strictly monitored for radioactivity, and decontamination points were established. At the boundary of each zone, workers were transferred from one vehicle to another to reduce transmission of radioactive materials. The Soviets are decontaminating large areas of cropland, forest, orchard, etc., and are also taking measures to prevent or minimize contamination of the watershed and the Pripyat River.

4.4.1 Current Regulatory Practice

In the United States, onsite decontamination is the responsibility of the utility. Offsite decontamination would be conducted subject to the Environmental Protection Agency (EPA) operational guidelines for external exposure and food pathways. To enable re-entry, EPA is preparing proposed formal guidance for Federal agencies. To date, large-scale environmental decontaminations have been handled on an ad hoc basis by the Department of Energy (DOE).

FEMA is responsible for coordinating the Federal aspects of relocation efforts through the FRERP mentioned above. The 1984 Federal field exercise at St. Lucie tested the FRERP up to the relocation phase. Through exercises, licensees and State and local governments must be able to demonstrate the capability to provide for people who would be affected by an accident at a nuclear power plant. FEMA engaged in a large-scale relocation effort for the Mariel boat-lift people.

4.4.2 Work in Progress

A report on the 1986 Federal "table-top" exercise focused on decontamination and recovery. The next Federal field exercise (scheduled for June 1987) will focus on the same two issues. As part of its post-Chernobyl activities, FEMA will be reexamining its role in coordinating Federal support for relocation efforts. To date, decontamination and relocation planning has generally assumed that relocation would be short term and re-entry would be feasible.

Research on large-scale environmental decontamination efforts is currently being conducted in the Pacific in conjunction with the rehabilitation efforts for Eniwetok Atoll, by Lawrence Livermore National Laboratory (LLNL), under contract with DOE. Several efforts and reports focus on decontamination limits, but no criteria have been established.

4.4.3 Assessment

Decontamination techniques employed by the Soviets, including decontamination of personnel, appear to be similar to those used in the United States in support of the nuclear weapons testing program, the TMI-2 accident, and interdiction related to chemical spills. Desert areas and coral atolls have been decontaminated, but the United States has little experience in the large-scale decontamination of forests and orchards or croplands with the purpose of restoring viability and productivity to the land. The Soviets are using special agrotechnical and decontamination measures designed to enable contaminated lands to be used one day. These methods include changing the system of soil cultivation, the use of special polymer dust-suppression compounds, and changing harvesting and crop processing methods.

Again, as before, strict application of the Soviet experience with decontamination from the Chernobyl accident to the United States is not possible. Decontamination capabilities in the United States will have to be examined in light of U.S. radionuclide source terms. However, from the Soviet experience, there will be much to learn about the technology of decontamination. This information will transfer over an extended period of time as the Soviets become able to assess the effectiveness of the measures they have taken.

Similarly, the Soviet relocation effort will have to be viewed in the light of U.S. source term research.

4.4.4 Conclusions and Recommendations

The effectiveness of Soviet decontamination and relocation efforts should be examined as the data become available. The U.S. capabilities should be examined within parameters provided by U.S. source term research. This effort is already being pursued in cooperation with the Federal Emergency Management Agency.

CHAPTER 5 SEVERE-ACCIDENT PHENOMENA

The highly energetic reactivity excursion accident at Chernobyl mechanically disrupted the core, rapidly vaporized the water coolant with which the fragmented fuel came into contact, and generated combustible hydrogen by chemical reaction of core materials (notably zirconium) and water at the high temperatures reached in the accident. Because of basic design differences between the RBMK reactor of Chernobyl and U.S. light-water reactors (LWRs), the specific accident mechanisms involved at Chernobyl have no exact parallel in U.S. reactors. However, these Chernobyl phenomena are assessed for implications by analogy for radionuclide releases, steam explosions, and combustible gas generation and deflagration control in U.S. reactors.

To assess the implications of radionuclide release, one must examine the possibility that the United States may need to extend its research on such release, for example, to enhance understanding of mechanical disruption mechanisms in addition to the accident processes dominated by core melting on which the current U.S. research effort on radionuclide release focuses. Questions that the Chernobyl accident may raise about the adequacy of U.S. safety measures dealing with steam explosion and combustible gas control are assessed.

5.1 Source Term

The Chernobyl accident led to a large, energetic release of radionuclides to the environment over a period of 10 days. It is believed that essentially all of the noble gases, about 10 to 20% of the volatile elements (iodine, cesium, and tellurium), and about 3 to 6% of the remaining elements in the reactor core were released.

The release that took place on the first day of the accident (April 26, 1986) occurred as a highly energetic release (with an initial plume height of about 1000 to 2000 meters) without any warning. As reported by the Soviets (USSR, 1986) (see Figure 5.1), the first day's releases were approximately 25% of the total release. In the days that followed, the daily release rate fell steadily to the end of the sixth day, then rose to the end of the tenth day. After the tenth day the release rate suddenly dropped, because of the actions taken at the damaged reactor, to less than 1% of its initial average value and continued to decline thereafter.

Although the Chernobyl reactor had significantly different design and operational characteristics than those of the U.S. commercial LWRs, the characteristics of the Chernobyl source term (timing, energy, magnitude, and other characteristics of radionuclide release) as described above raise several issues related to the state-of-the-art understanding of severe reactor accident source terms. Broadly, the issues are:

[Plot for Figure 5.1 not reproduced; horizontal axis: days]

Figure 5.1 Daily radionuclide release into the atmosphere from the damaged unit (not including noble gases)

Source: Soviet experts at the Vienna meeting (USSR, 1986)

(1) Do the magnitude and other characteristics of the Chernobyl source term confirm or contradict those that would be predicted for U.S. LWRs, considering current NRC methods?

(2) Are there radionuclide release and in-plant transport mechanisms identified in the Chernobyl accident that may not have been considered in staff evaluations?

5.1.1 Current Regulatory Practice

Radionuclide releases to the environment from reactor accidents ("source terms") are deeply embedded in the regulatory policy and practices of the NRC. Consideration of source terms entered the regulatory process via the evaluation of postulated accidents (so-called design-basis accidents) in the safety review to assess (1) plant mitigation features and (2) the suitability of a site. The Code of Federal Regulations (10 CFR 100) requires that an accidental fission-product release be postulated to occur within containment and that its radiological consequences be evaluated assuming the containment to be leaking at its maximum permissible rate. The release into the containment is derived from the 1962 Atomic Energy Commission (AEC) report TID-14844 ("Calculation of Distance Factors for Power and Test Reactor Sites"), and consists of 100% of the noble gases, 50% of the iodines (half of which are assumed to deposit on interior surfaces very rapidly), and 1% of the remainder of the core. With regard to this release, a footnote to 10 CFR 100 states that it "would result in potential hazards not exceeded by those from any accident considered credible. Such accidents have generally been assumed to result in substantial meltdown of the core with subsequent release of appreciable quantities of fission products."

Use of the TID-14844 release has not been confined to a determination of plant and site suitability alone. The regulatory applications of this release cover a wide range, including the basis for (1) the radiation accident environment for which safety-related equipment should be qualified, (2) postaccident habitability requirements for the control room, (3) performance of important fission product cleanup systems such as sprays and filters, and (4) postaccident sampling systems and accessibility.

The first systematic evaluation of the probabilities and consequences of severe accidents, including their source terms, was given in a 1975 AEC report, WASH-1400,* "Reactor Safety Study: An Assessment of Risk in U.S. Commercial Nuclear Power Plants." The spectrum of releases given there includes releases resulting from core melt and containment failure. The most severe release categories from WASH-1400 entail releases of volatile fission products of comparable or greater magnitudes than were released at Chernobyl, although the releases of low-volatility species were higher for Chernobyl.

Source terms from severe accidents (beyond-design-basis accidents) entered into regulatory usage over the next several years, accelerated by the Three Mile Island accident and its aftermath. Current regulatory applications of severe-accident source terms rely to a large extent on the insights of WASH-1400, and include (1) the basis for the sizes of emergency planning zones (EPZs) for all plants, (2) the basis for staff assessments of severe-accident risk given in plant environmental impact statements, and (3) the basis for staff prioritization of generic safety issues (GSIs), unresolved safety issues (USIs), and other regulatory analyses. Source term assessments based on WASH-1400 methodology appear in many probabilistic risk assessment (PRA) studies performed to date. Hence, any insight gained with regard to source terms has the potential for affecting a broad spectrum of regulatory applications.

5.1.2 Work in Progress

Source term estimates under accident conditions began to be of great interest shortly after the Three Mile Island accident when it was observed that only relatively small amounts of iodine were released compared with the amount of noble gases. This led a number of observers to claim that severe-accident releases were much lower than previously estimated.

* WASH-1400 was designated as NUREG-75/014 by the NRC when it succeeded AEC.

A major NRC research effort began about 1981 and has been under way since then to obtain a better understanding of fission product transport and release mechanisms under severe-accident conditions. This research has included a very large and extensive staff and contractor effort, involving a number of national laboratories, and has resulted in the development and application of a new set of computer codes (Source Term Code Package) to examine core-melt phenomena and containment loadings. It has also included significant review efforts by peer reviewers, foreign partners in NRC research programs, industry groups, and the general public. An independent evaluation of the results was also performed under the auspices of the American Physical Society. The NRC report assessing and detailing this revised methodology to calculate accident source terms was published in July 1986 as NUREG-0956, "Reassessment of the Technical Bases for Estimating Source Terms." The staff is revising risk profiles for five operating U.S. LWRs which will utilize the new methodology. This effort has been issued for comment as NUREG-1150, "Reactor Risk Reference Document."

Ten regulatory areas affected by knowledge about source terms have been identified in SECY 86-76 (February 28, 1986), which describes the staff's plans for implementing the Commission's Severe Accident Policy Statement (50 FR 32138) as well as the staff's intended use (in regulatory applications) of information about source terms.

5.1.3 Assessment

A comparison of the characteristics of the Chernobyl release with regard to quantities released, timing, duration, and release energy with those predicted for U.S. LWRs is useful.

The total quantity of fission products released from Chernobyl was large and is considered to be comparable with the quantities predicted to be released for the worst cases (those involving core melt with early containment failure or containment bypass) studied for U.S. LWRs using WASH-1400 as well as the most recent source term methodology. Many core-melt sequences for U.S. plants are predicted to result in considerably lower amounts of fission products released to the environment, chiefly because of the mitigating effects of the containment and other fission product cleanup systems. In this regard, the report by the International Nuclear Safety Advisory Group (INSAG, 1986) has noted that the Chernobyl release represents a near worst case in terms of the risks of nuclear energy.

The Chernobyl release occurred with essentially no warning. This is considered unique to the RBMK design and is a consequence of its sensitivity to large reactivity-initiated accidents (RIAs). Accident-sequence progression for U.S. reactors is estimated to occur more slowly. Although a small number of severe-accident sequences could progress rapidly, resulting in releases within a fraction of an hour from the onset of discernible off-normal conditions, the progression for most accidents is considered to take hours.

The energy and duration of the Chernobyl release were unusual. Approximately 25% of the total release was in the initial plume, which also had sufficient energy to result in an initial plume height of about 1000 to 2000 meters. This is considerably in excess of the plume heights predicted for energetic severe sequences in U.S. plants, which are estimated to be about a few hundred meters. A release duration of 10 days is considered to be large on the basis of the methodology of WASH-1400, which does not have release durations greater than 10 hours. This may have been due to the exigencies of the WASH-1400 consequence model, however, which did not adequately model releases of greater duration. The newer source term methodology predicts longer duration releases, principally from interactions between core and concrete. However, releases from U.S. plants are predicted to gradually decline as the core debris gradually cools. The release rate during the Chernobyl accident decreased rapidly in the first few days and then increased in the last few days, presumably because the materials deposited on the degraded core (as a part of the actions taken to manage the accident) acted initially to filter radionuclide releases and later as insulation that allowed core debris to heat up before cold nitrogen was used to cool the core permanently.

(1) Mechanisms Involved in Mechanical Releases

The Chernobyl accident is believed to have been an RIA. With an estimated average energy insertion in excess of 300 cal/g, the skewed power distribution in the core would have led to local regions in the core with much higher fuel enthalpies, perhaps 400 to 600 cal/g. On the basis of a relatively good understanding of RIAs (see MacDonald, 1980), an explosive core disassembly such as took place in Chernobyl would have been expected. Figure 5.2, for example, shows that UO2 fuel with 400 to 600-cal/g energy deposition would be fully molten and at least partially vaporized because of fundamental properties of the material. Figure 5.3, from in-reactor RIA tests, shows that debris recovered from tests in excess of 300-cal/g energy deposition is indeed pulverized, facilitating rapid heat transfer associated with the generation of high pressures.

Although RIAs are relatively well understood, they have not been included in recent source term assessments because such large RIAs have been "designed out" of U.S. LWRs. However, mechanical releases related to the power excursion and to the mechanical core disassembly during the Chernobyl accident amounted to between 3 and 6% of the fuel material and the fission products contained therein. Because of the serious consequences of the Chernobyl accident, the potential for RIAs is being reexamined, and the mechanical processes involved in the dispersion of fuel material should be further investigated.

Although consideration of RIAs like the one that occurred at Chernobyl does not seem to be warranted for U.S. LWRs, other energetic events are possible in LWRs that might lead to mechanical releases. These events are high pressure melt ejection, steam explosions, and hydrogen detonation. Although all of these events are being studied with regard to their likelihood of occurrence and their consequences, associated mechanical releases of fission products have not been quantified in current source term models, and the study of such releases has only just begun to receive attention. Because some of these phenomena appear to have played a dominant role in the releases at Chernobyl, it is very important to understand these phenomena more completely and to improve the modeling in NRC source term assessment codes.

(2) Mechanisms Involved in the Late Enhanced Release

At this time, the staff does not completely understand mechanisms associated with the increased rate of release at Chernobyl which began about 6 days after the initial release and peaked on the 10th day (to almost the initial value). However, one or more of the following explanations may apply:

(a) Increasing temperatures may have vaporized fuel and fission products in the debris. The increasing temperatures were probably caused by decay heat and the insulating effects of materials deposited on the debris (boron carbide, dolomite, clay, sand, and lead) and also by the graphite fire.

(b) Enhanced gas flow from the hot debris may have resuspended particulate debris that had settled back into the core region after the initial release.

(c) Enhanced oxidation (conversion of UO2 to U3O8) or other chemical reactions involving carbon may have produced small particles of fuel material and fission products that were transported as aerosols.

[Plot for Figure 5.2 not reproduced; horizontal axis: temperature, °C]

Figure 5.2 Enthalpy of UO2

Releases resulting from vaporization (item a) and resuspension (item b) have been considered in source term evaluations for U.S. LWRs, but release mechanisms involving chemical reactions (item c) are not included as models in current source term analytical methods, except in connection with interactions between molten core debris and concrete.

At even relatively low temperatures (e.g., around 1000°C), UO2 can be further oxidized in the presence of oxygen to form U3O8. When UO2 in the form of solid fuel pellets or fragments oxidizes to U3O8, a loose, powdery material is produced on the surface because U3O8 is 20% less dense than UO2. This powdery material would also contain fission products previously retained in the solid UO2, provided that the preceding temperature history had not produced complete release. These fission products would be "stripped" off the surface in proportion to the amount of UO2 converted to U3O8. It is postulated that at Chernobyl the powdery U3O8 containing fission products was entrained in some increased gas flow, thus contributing to this second release. Air samples collected by aircraft were found to contain U3O8 particles and seem to support this hypothesis. However, the presence of U3O8 does not confirm this simple oxidation process because other chemical reactions involving carbon might have produced the same result and because UO2 released to the atmosphere might have oxidized after its release.

Shortly before the accident at Chernobyl, NRC-supported research at Battelle Columbus Laboratories had shown that fission product stripping could take place by thermal mechanisms. In that research it was found that fission products were released in proportion to the amount of UO2 that was vaporized when temperatures were high enough (above 2000°C) to produce copious UO2 vaporization. That is, fission product releases were no longer proportional to their own vapor pressures but rather to the vapor pressure of UO2.

The stripping of fission products by the removal of the uranium oxide surface layers, whether by chemical or thermal mechanisms, is not currently modeled in NRC source term codes, and the Chernobyl accident underscores the importance of accounting for this mechanism. It should be kept in mind, however, that the transport of such released fission products as aerosols depends strongly on particle size and carrier gas flow. In the absence of a large source of gas flow, such fission products would not necessarily be carried into the atmosphere.

(3) Other Observations

A number of other observations related to the source terms have been made as a result of the accident at Chernobyl. These are described below.

(a) Sudden Drop of Enhanced Release Rate

No confirmed explanation for the sudden drop in release rate after May 6 has been offered. However, three hypotheses have been offered.

Nitrogen gas introduced under pressure (May 4 or 5) beneath the core succeeded in cooling the core and prevented further oxidation reactions.

During the phase of enhanced release (before May 6), parts of the core debris reheated as a result of residual decay and may have liquefied because of reduced heat loss through the molten cover provided by the deposited materials. The liquefied debris eventually fell into lower pipe runs where it froze. Continued cooling flow of gas into the pipe runs may have prevented any further release from the quenched debris.

According to the Soviet experts (USSR, 1986) the materials dropped on the core (sand, clay, dolomite, boron carbide, and lead) interacted with radionuclides to produce nonvolatile and more refractory chemical forms.

[Figure 5.3 not reproduced; plot and caption not recoverable from the extraction]

(b) Effects of Materials Deposited on the Core

The Soviet strategy of depositing on the core materials such as sand, clay, dolomite, boron carbide, and lead seems to have been effective in initially reducing and subsequently terminating the radionuclide release. This strategy was augmented later by introducing cold nitrogen into the reactor vault, which is believed to have assisted in the sudden drop of the release.

It would be possible to study filtering effects, chemical reactions, and tem-perature. effects of materials such as those used at Chernobyl to determine their effectiveness in mitigating fission product release. Of particular in- l terest would be a study of the use of such materials as an accident-management l strategy to dampen or terminate the release. However, when the roof blew off l the reactor building at Chernobyl, an open path was available for aerial depo-sition of solid materials. Such large openings of the containment appear un-likely 'at U.S. reactors. - However, it would be illuminating to study the role of accident-management strategies similar to those followed at Chernobyl on source terms from LWRs after containment failure.

(c) Mechanisms for Release of Single Elements There are reports that aerosol particles containing pure cerium, cesium, or ruthenium were found in the Chernobyl release. This is a surprising result that is not explained by the present technology. It is not clear whether.this observation has any significance, but there is'some interest in investigating ,

this matter to determine whether it would shed further light on U.S. source I term technology, particularly on understanding the influence of chemistry on the release.

(d) Hydrogen Generation From Dispersal of Fragmented Debris During the RIA, the oxidation of fragmented and dispersed core materials led to the production of hydrogen. There is some speculation that this hydrogen may have been involved in a second explosion. It is not clear that the hydro-gen could have become mixed with oxygen via air ingress rapidly enough to be involved in that second explosion. Nevertheless, the generation of hydrogen from the dispersed fragmented debris is probably an important process. This process has already been identified in the NRC's research program on e arce term release, and is being studied currently.

(e) Physical and Chemical. Forms of Iodine Physical and chemicil forms of the fission product iodine were a subject of debate before the thernobyl accident. Some believe that cesium iodide, an aerosol particulate form, will dominate; others believe that molecular iodine, hydrogen iodide, organic iodide, or some other vapor phase form may be prevalent.

There is no information about the initial chemical form of iodine in the Cher-nobyl release. There were reports from Sweden that gaseous forms of iodine reached that Sountry. Cesium iodide, which may have been the initial form of iodine in the release, was, however,. exposed to the atmospheric conditions for extended periods of time en route to Sweden; during this time iodine would be expected to become converted to' gaseous forms. The Swedish observation is probably incnnelusive. The chemical forms of fission product iodine are cur-rently being investigated in NRC research programs, and no new insights have been gained from the Chernobyl accident that would influence this investigation.

5.1.4 Conclusions and Recommendations

Many differences exist between the RBMK design and the design of U.S. LWRs and between the Chernobyl accident and those hypothesized for U.S. LWRs. There are, however, similarities in physical processes that may occur in both reactor types. The magnitude of the Chernobyl source term is comparable to the worst-case releases studied for U.S. LWRs. Many severe-accident scenarios in U.S. reactors would be expected to result in considerably less amounts of released radionuclides. However, the lack of any warning before the impending initial release and the composition of the radionuclides release appear to be unique to the RIA of the Chernobyl type. After the initial release, the subsequent course of the radionuclides release appears to have been strongly influenced by the accident-management strategies followed to control the release and cool the reactor.

Little is seen in the Chernobyl event that would provide new insights on or suggest inadequacies in current U.S. source term technology. The major areas affected that have been identified to date and that are not currently modeled in U.S. source term analytical methods involve two mechanisms of fission product release from fuel debris, namely, mechanical dispersal and chemical stripping. Although it is not clear that these mechanisms will have any effect on accident sequences relevant to U.S. reactors, it is recommended that the need for additional research be assessed. This research would be conducted to understand these mechanisms better and to incorporate such phenomena into the NRC's analytical models of source term evaluation, as appropriate.

5.2 Steam Explosions

The term "steam explosion" refers to a phenomenon in which molten fuel rapidly fragments and transfers its energy to the coolant, resulting in steam generation, shock waves, and possible mechanical damage. If such events were to take place on a large enough scale within the reactor pressure vessel, missiles could be generated which might penetrate the containment and allow early release of fission products. In the Reactor Safety Study (NUREG-75/014) this mode of containment failure was denoted by the symbol alpha (α) and is often referred to as α-mode containment failure or simply α-mode failure.

(1) Consideration of the Role of a Steam Explosion in the Chernobyl Accident

According to current information offered at the Vienna meeting of August 1986 (USSR, 1986), the Soviets have attributed the mechanical destruction observed during the Chernobyl accident to a steam explosion. In this regard, the basic observations about this event are:

(a) A reactivity initiated accident (RIA) occurred because of boiling with a positive coolant void reactivity. According to U.S. initial approximate estimates, the void effect could yield a strong overpower condition. According to Soviet results, the overpower was strong enough to produce more than 300 cal/g in the fuel within a few seconds (USSR, 1986; INSAG, 1986).

(b) The Soviets assumed that at this energy level fuel rod destruction occurred on a large scale yielding rapid vapor generation, augmented core voiding, and a very strong power pulse. They presented the results of a calculation for this runaway condition, but they indicated the uncertainties in their analysis. Still, the Soviets currently believe that the reactor was shut down by a mechanical disassembly involving homogenization of fuel with the moderator and relocation of graphite. Within this general context of a very strong power pulse, the Soviets could visualize an intense fuel/coolant interaction, i.e., a steam explosion.

(c) A good portion of the roof of the reactor building appears to have been blown off, and many graphite blocks are seen to lie outside in the immediate vicinity of the plant. It is not clear whether this mechanical damage was a direct consequence of the power pulse or of a subsequent explosion that was heard 2 to 3 seconds later.

(2) Steam Explosion Phenomenology

The following statements can be made regarding the potential occurrence and role of steam explosions in the Chernobyl accident:

(a) In an idealized sense, strong overpower conditions in a flooded (by coolant) reactor core are conducive to highly energetic interactions between fuel and coolant. This is because the two materials are already mixed at coarse scale and in near-ideal (thermodynamically) proportions. That is, there are no limits on the quantities of the materials participating in the explosion other than the size of the core or the portion of it undergoing the excursion. Also, as a result of the high power and associated thermal expansion of the fuel and swelling by fission gases, the two materials are forced together coherently (the prompt-critical power pulse in water reactors imposes millisecond-scale coherence), which ensures a violent thermal interaction even if the conditions are not quite sufficient for a trigger/escalation of a propagating explosion event. For these reasons such "premixed" configurations have been strongly contrasted in the past to the pouring mode of contact found in the slow meltdown situations relevant for current U.S. commercial reactors.

(b) Notwithstanding the above considerations [and even though energetic interactions between fuel and coolant have been considered responsible for the destruction of several small-size experimental reactors under intentional (SPERT 1-0) or accidental (SL-1) overpower conditions], it cannot be assumed that every major excursion in a water reactor would lead to similarly energetic consequences. For example, a summary of 27 typical SPERT-CDC (capsule driven core) test results shows only two with substantial pressure generation (MacDonald, 1980). The maximum events recorded were a 26-bar pressure pulse for test CDC-478 at 275 cal/g UO2 and a 162-bar pressure pulse for test CDC-569 at 282 cal/g UO2. Some tests in the SPERT-CDC test series were run with higher energy depositions. Energy depositions greater than 300 cal/g UO2 have produced significant pressure pulses (about 100 to 150 bar) in some but not all tests. The more recent power burst facility (PBF) tests show that the idealized conditions mentioned in item a above are difficult to achieve. Here no major energetic events were seen for power pulses producing up to 285 cal/g. Only test RIA-ST-4 run at 350 cal/g yielded a 350-bar pressure pulse (MacDonald, 1980). It is not known how the origin of these pressure pulses is partitioned between fission gas pressure and vapor pressure resulting from interactions between fuel and coolant.

(c) The key consideration in assessing the potential for, and magnitude of, energetic interactions between fuel and coolant in LWRs under strong power excursions relates to the race between fuel melting and dispersion within the coolant channels on the one hand and coolant expulsion from these channels on the other. To a large extent, the outcome of this race is determined by the timing, location, and mode of fuel rod failure. These aspects are, in turn, determined by the power shape and history, the condition of the cladding, the irradiation history of the fuel, and the inertia and frictional constraints opposing coolant expulsion. Local failures would promote coolant expulsion by fission gases and possibly some limited interactions between fuel and coolant so that axial propagation of the fuel rod failure might just follow the coolant expulsion front. Other mechanisms include cladding dryout and heatup, ductile behavior, and fuel swelling upon fission gas expansion (i.e., 250% swelling was seen in some of the PBF tests) which would yield a natural separation between the escaping coolant and the disrupting fuel. In any case it might be expected that the fission gases released in copious quantities (for irradiated fuel) will play a strong role in moderating the extent of contact between fuel and coolant.

In relation to the Chernobyl events, the following statements can be added with regard to uncertainties in the current assessments of that accident:

(a) Because of the positive void reactivity, the "race" in item c above would be self-limiting or convergent in the sense that coolant expulsion would lead to further power escalation and thus, possibly, to merging of the coolant expulsion and fuel failure fronts. This possibility cannot be assessed without further investigation of the reactivity behavior of the system and detailed thermal-hydraulics coupled to it.

(b) In any case, axial fuel motion within any formed fuel and coolant interaction zone must also be accounted for in estimating the reactivity of the system during the excursion. According to the Vienna proceedings (USSR, 1986; INSAG, 1986), it appears that the Soviets did not account for such a shutdown mechanism.

(c) According to the Vienna proceedings, only one-third of the reactor core (the lower portion) at Chernobyl participated in the excursion. This translates to a total of only 2 meters of axial length, and it is entirely possible that coolant was largely expelled from this region (1-meter travel in each direction) before the autocatalytic catchup mentioned above could manifest itself. On the other hand, the possible effects of such local excursion on the rest of the core, including fuel and coolant interactions there, cannot be assessed without a much better understanding of space-time kinetics (and reactivity behavior) of such a largely uncoupled reactor core.

Notwithstanding the above uncertainties and qualifications, the potential for highly energetic steam explosion events as a consequence of RIAs is fully appreciated not only for Chernobyl but also for U.S. power reactors. The issue then is whether this potential can be physically realized, given the particular designs and operating constraints in the United States.

5.2.1 Current Regulatory Practice

In relation to the implications of the above considerations for U.S. power reactors, the following statements can be made:

(1) One of the early safety precautions in U.S. power reactors was the implementation of design features to limit RIAs to events yielding specific energy depositions in the fuel to values less than 280 cal/g. Current U.S. regulations limit RIAs to those that yield peak radial average fuel enthalpy of less than 280 cal/g. Ample experimental evidence exists that such events cannot lead to energetic interactions between fuel and coolant.

(2) Even for assumed more severe excursions, the voiding/failure race mentioned above would be strongly affected by the negative void reactivity in U.S. reactors which would, in contrast to that at Chernobyl, promote the increasing separation (in time) between these two events. However, the technology available for assessing the outcome of such postulated events is rather limited at this time.

Energetic steam explosions are considered in the United States in the context of risk assessment and mitigation studies. Such studies, beginning with WASH-1400, are continually evolving both in depth and sophistication, particularly since the TMI accident. However, the phenomenology involves an initially separated configuration of molten core material and water which is widely perceived as having a vastly reduced potential for highly energetic behavior. The principal reasoning is related to limitations on pour rates during contacting, and on associated rates of coarse mixing (called premixing). The detailed quantitative aspects of such assessments are rather involved but have been continuously improving. Currently, subjective estimates of an upper bound for the α-failure probability (conditional on core melt) are placed at a value of 0.01 (NUREG-1116, "A Review of the Current Understanding of the Potential for Containment Failure From an In-Vessel Steam Explosion"). A best-estimate value is well below this number, although it is difficult to quantify with confidence.

5.2.2 Work in Progress

All of the studies on steam explosion currently in progress are being pursued in the context of the staff's radionuclides release reassessment program. As part of its program to reassess radionuclides release, the staff has initiated studies of a number of issues, including steam explosions. The conclusion noted above on α-mode failure has been adopted for that review as well. A team of senior analysts from the national laboratories and from the NRC is reviewing the radionuclides release reassessment issues as part of the Severe Accident Risk Reduction Program (SARRP). The Sandia National Laboratory (SNL) was assigned a lead role in the SARRP review. The following observations can be made about the findings of this group with regard to α-mode failure (see, for example, SAND 86-1013, 1986):

(1) The SNL/SARRP analysis indicates that uncertainties in the probability of α-mode failure are not a dominant consideration.

(2) The SNL/SARRP analysis assumes that the contribution to risk from this class of events (α-mode failure) can be neglected.

There are no differences between the staff and SNL/SARRP assessments of the α-mode failure issue.

Additional assessments are being made with regard to alternative contact modes, multiple steam explosions, and the potential effects of steam explosions on safety systems and/or functions. Furthermore, research at SNL as well as at other laboratories and universities is continuing for the purpose of reducing uncertainties in this quantification through better understanding of the phenomenological behavior.

5.2.3 Assessment

The steam explosion phenomena associated with core dryout are quite different from those associated with the strong overpower conditions generated in RIAs. As a result of the high power and associated fuel thermal expansion and swelling by fission gases, the fuel and coolant are forced together coherently (the prompt-critical power pulse in water reactors imposes millisecond-scale coherence) which ensures a violent thermal interaction or a propagating explosion event. For these reasons such "premixed" configurations have been strongly contrasted in the past to the pouring mode of contact found in the slow meltdown situations relevant for current U.S. commercial reactors. Hence the Chernobyl accident has little relevance to the staff's current treatment of steam explosions.

5.2.4 Conclusions and Recommendations

It may be worthwhile to reexamine RIAs in a broader context, consistent with modern PRA approaches, in order to obtain a more comprehensive picture of the risk due to RIAs; that is, without arbitrary limits on what is presumed as a credible event, but rather by considering the likelihood of all possible events. Within such efforts it may become necessary to quantify the severity of interactions between fuel and coolant within a phenomenological context outside the realm of present (or past) assessments. The extent of new efforts in such areas should be dictated by the likelihood of corresponding initiating events. Steam explosions of lesser direct mechanical consequences could have some effect on safety systems and/or functions that affect containment integrity. The contribution to risk from such events is believed to be small. However, it would be helpful to assess whether there is a need to expand further efforts in this area.

5.3 Combustible Gas

The Soviet RBMK design utilizes large amounts of zirconium and graphite in the reactor core, both of which may oxidize under certain conditions resulting in the generation of large quantities of combustible gases, principally hydrogen and carbon monoxide. The generation of large quantities of combustible gases was not apparently considered as part of the Soviet containment design. The Chernobyl accident produced reactor core conditions that may have led to the generation of large quantities of combustible gases which, in turn, may have influenced the evolution and consequences of the accident.

The need to deal with the generation of combustible gas, principally hydrogen, as a consequence of reactor accidents has been recognized in the United States since the early days of light-water reactors. The burning and/or detonation of combustible gases are of concern in reactor safety for several reasons. First, a large enough energy release might threaten the integrity of the containment. Second, even if the containment survived, important safety equipment might be irreparably damaged, thus increasing the severity of the accident. Furthermore, since significant amounts of hydrogen can be generated early in the evolution of a severe reactor accident (i.e., before the reactor vessel fails), combustion can result in containment failure before expulsion of the molten core, leading to the largest radioactivity releases to the environs.

In addition to the generation of hydrogen within the reactor vessel, principally by the oxidation of hot zirconium, combustible gas is generated outside the vessel as a result of interactions between the molten core and concrete if the vessel fails. This occurs as gases from the decomposing concrete (largely steam and carbon dioxide) pass through the debris pool and react chemically with the liquid metals to form hydrogen and carbon monoxide.

5.3.1/5.3.2 Current Regulatory Practice / Work in Progress

To better understand the rationale behind the various NRC requirements dealing with hydrogen control, it is useful to consider three classes of reactor accidents. They include the design-basis accidents (DBAs), the degraded-core accidents, and the core-melt accidents.

Design-basis accidents (e.g., loss-of-coolant accidents and main steamline break accidents) are those accidents that must be thoroughly analyzed for plant design and licensing purposes. An institutional framework has been established in regard to such matters as safety margins, redundancy of equipment, seismic design capability, and quality assurance.

Requirements for combustible gas control capability for DBAs were developed in the 1960s and were codified as regulations in 10 CFR 50.44 in 1978. These requirements initially addressed the hydrogen generation associated with DBAs, including (1) limited metal and water reaction involving the fuel element cladding; (2) the radiolytic decomposition of the water in the reactor core and the containment sump; (3) the corrosion of certain metals in the containment because of the action of spray solutions; and (4) possible synergistic effects of chemical, thermal, and radiation byproducts of accident sequences on protective coatings and electric cable insulation.

Degraded-core accidents have been identified as a discrete set of accidents since the TMI-2 accident in March 1979. They are intended to include those accidents that are more severe than the DBAs (i.e., oxidation of more than about 5% of the fuel cladding), but which are successfully terminated short of core melt. Analyses to date of this class of accidents have postulated the oxidation of as much as 75% of the active cladding that surrounds the fuel.

Requirements for safety margins in analyses of degraded-core accidents are substantially reduced relative to those for DBAs. Several licensing requirements have already been issued for dealing with hydrogen control during postulated degraded-core accidents. Moreover, the requirements for dealing with hydrogen releases during degraded-core accidents are interim requirements, pending completion of longer term efforts for dealing with core melt accidents.

The interim requirements related to the Mark I and II boiling-water reactor (BWR) containments were issued in the form of a final rule on December 1, 1981 (46 FR 58484). The requirement to inert the smaller pressure-suppression containments was instituted because of the limited ability of these designs to tolerate the range of consequences stemming from hydrogen combustion, coupled with the knowledge that for a number of years some Mark I and II containments had successfully operated inerted.

The interim requirements for those ice condenser and Mark III BWR plants for which a construction permit was issued before March 28, 1979 were published as a rule on January 25, 1985 (50 FR 3498). The rule requires that these plants be provided with a hydrogen control system capable of handling an amount of hydrogen equivalent to that generated from a 75% fuel cladding and water reaction without loss of containment structural integrity.

The deliberate ignition concept has been the subject of NRC review since the Tennessee Valley Authority (TVA) initially proposed such a system in mid-1980. At present, after investigating alternative approaches, all ice condenser PWR and Mark III BWR utility owners have chosen deliberate ignition as the solution to the hydrogen control issue for degraded-core accidents.

In order to gain a better understanding of hydrogen generation and control in reactor accidents, both the NRC and the nuclear power industry have sponsored extensive analytical and experimental work over the last several years. This research provided (1) the technical insights to support licensing of the ice condenser and Mark III containments and (2) the technical background information to support the development of additional requirements for hydrogen control for core-melt accidents. Various research programs have investigated relevant phenomena, such as hydrogen generation, transport and spatial distribution within containment, detection, combustion modes (including deflagrations, diffusion flames, flame acceleration, and detonations). Other programs have investigated mitigation schemes, equipment survivability, and the effects of combustion on fission product releases. Hydrogen control has also been identified as an Unresolved Safety Issue, USI A-48, "Hydrogen Control Measures and Effects of Hydrogen Burns on Safety Equipment."

Currently there are no requirements for degraded-core-accident hydrogen control related to dry containments for operating reactors or near-term operating license (NTOL) application. At the time rulemaking occurred for the ice condenser and Mark III containments, it was the staff's judgment that additional requirements were unnecessary. However, the staff committed to continue to investigate the merits of additional hydrogen control for dry containments and report the findings to the Commission. It is anticipated that the staff will report to the Commission on this matter in early 1988.

Core-melt accidents are those accidents that involve sufficient reconfiguration of the core as to make it uncoolable. They involve a failure of the reactor vessel and a relocation of the core materials to the containment floor. Substantial analyses and experiments have been in progress to develop a better understanding of the various phenomena associated with core-melt accidents. A separate set of requirements was issued as a final rule on January 15, 1982 (47 FR 2286) to address hydrogen control requirements for pending construction permit and manufacturing license applications. Some of these requirements go beyond those needed for dealing with degraded-core accidents. They were imposed with the anticipation that future efforts will require them and because the effect of their imposition on initiation of construction was minimal. In this regard, the principal requirements are:

(1) A dedicated penetration is to be provided for possible use with a filtered venting system.

(2) Structural integrity of the containment is ensured for internal pressures of at least 45 psig.

(3) Alternative hydrogen control systems are to be analyzed assuming 100% reaction between fuel cladding and water, and the resultant uniform hydrogen concentration in the containment must be less than 10% by volume or the mixture must be rendered nonflammable.

(4) Essential systems must be shown to survive the environments associated with the accidents considered.

Any additional requirements for hydrogen control during postulated core-melt accidents will be deferred, pending completion of work now under way on the general subject of severe accidents.

5.3.3 Assessment

In the early stages of the Chernobyl accident, a very high power excursion, followed by what apparently was a steam explosion, caused severe damage to the core, disrupted the cooling system, and damaged the shroud surrounding the core.

The subsequent large accumulation of thermal energy eventually caused a partial meltdown of the core. Zirconium-niobium alloy from the pressure tubes and from the fuel cladding reacted with steam, causing the generation of hydrogen.

Another important source of combustible gases was the graphite used as a neutron moderator in the core, which, when reacting with water and/or steam from the disrupted cooling system, produced hydrogen and carbon monoxide. It is also possible that some methane gas was produced. Later in the accident, air was admitted through the damaged core shroud and the graphite burned, emitting more carbon monoxide. It was estimated that about 10% of the graphite burned [approximately 120 metric tons (tonnes)]. In the analyses of degraded-core accidents in U.S. reactors, the zirconium and water reaction is considered to be the principal mechanism by which hydrogen is generated. Thus, this source of hydrogen and its consequences have been studied extensively. In the Chernobyl plant, larger amounts of metal and higher temperatures were responsible for generating more hydrogen and for increased generation rates, but basic mechanisms were probably similar to those postulated in the degraded-core analyses. The real difference was the presence of graphite. In the United States, only one commercial reactor (Fort St. Vrain Nuclear Generating Station) uses a graphite moderator. This reactor, however, of a completely different design than the Chernobyl plant, uses helium as a primary coolant. There is no analogy, therefore, between what happened at Chernobyl and the consequences of postulated accidents in this reactor. Concomitant generation of hydrogen and carbon monoxide has been considered in severe-accident analyses of U.S. reactors when molten core material reacts with concrete.

At the present time, there is no definitive evidence that the hydrogen generated in the Chernobyl core caused an explosion. The explosion tentatively ascribed to hydrogen occurred approximately 7 seconds after the first power excursion which damaged the coolant system. This 7-second period is a relatively short time for significant amounts of hydrogen to leave the core and to mix with surrounding air to form an explosive mixture. In addition, the preceding steam explosion damaged the containment building, hence some hydrogen had probably escaped previously. Very significant differences in plant characteristics and in the types of containment buildings, along with the dearth of data on the Chernobyl accident, make it practically impossible to draw any analogies between hydrogen transport and combustion in the Chernobyl plant and U.S. reactors.

5.3.4 Conclusions and Recommendations

In summary, although the conditions that existed during the Chernobyl accident may have caused large amounts of combustible gases to generate, it cannot be concluded from the available data that these gases were generated by some new or different mechanisms or produced consequences not previously investigated as part of severe-accident analyses for U.S. reactors. It is difficult to apply observations from the Chernobyl accident to U.S. plants because of significant design differences between the RBMK and nuclear power reactors in the United States; furthermore, the NRC staff still lacks detailed accident data. Considering the preliminary evaluation, it does not appear that any additional work is warranted solely on the basis of the Chernobyl event. As a corollary, the staff concludes that its current regulatory position and research program on combustible gas phenomena in conjunction with the study of severe accidents is adequate for addressing this issue in U.S. reactors.

CHAPTER 6 GRAPHITE-MODERATED REACTORS

The Fort St. Vrain high-temperature gas-cooled reactor (HTGR) in Weld County, Colorado, and the Department of Energy's (DOE's) N-reactor at the Hanford Reservation in Washington State are the only graphite-moderated power reactors operating in the United States. Because the N-reactor is licensed by the DOE and is not under the authority of NRC, the implications of the Chernobyl accident for the N-reactor are being assessed separately by DOE and other groups.

In addition to licensing reactors that generate electric power, the NRC also licenses non-power reactors (those used for testing, research, and the production of radioactive isotopes); some of these are moderated by graphite or use graphite for neutron reflectors and for other purposes. These reactors have comparatively low fission product inventories, and the risk to the public is not comparable to the risk from power reactors. The NRC staff is currently reviewing a petition for rulemaking from The Committee To Bridge the Gap with respect to probabilities and consequences posed by graphite fires that might be caused by Wigner energy release and other mechanisms in non-power reactors and in the Fort St. Vrain reactor. The results of this review should be available by the fourth quarter of FY87. Therefore, the NRC will not discuss further in this document the role of graphite in the consideration of accidents at non-power reactors.

The HTGR type of reactor has been under development in the United States and West Germany since the late 1950s. Fort St. Vrain is the only operating HTGR in the United States, although additional HTGR experience and technology have been gained through operation of the Peach Bottom Unit 1 HTGR from 1967 through 1974 and through development and licensing programs for advanced HTGRs. Two HTGRs are operating in West Germany and have contributed to the HTGR technology base in the United States. Currently, HTGR development efforts in the United States are being concentrated on the modular HTGR (MHTGR) concept that uses available HTGR technology in combination with inherent and passive safety features. The MHTGR concept is being proposed by DOE in conformance with the Commission's recently published "Statement of Policy for the Regulation of Advanced Nuclear Power Plants" (51 FR 24643). Thus, assessment of the Chernobyl implications and candidate issues has value both for Fort St. Vrain and the MHTGR. Although the discussion that follows largely centers on Fort St. Vrain, because of its operating status, it also addresses the MHTGR to the extent appropriate in supporting the staff's current review of the MHTGR concept.

The HTGR concept, with emphasis on Fort St. Vrain, is assessed here against the issues raised by the Chernobyl accident: issues of operations, design, containment, emergency planning, and severe-accident phenomena. The general conclusions and those pertaining to the principal specific areas for light-water reactors (LWRs) presented in this document are also assessed from the HTGR perspective.

The discussions that follow illustrate how the unique features of the HTGR concept were considered in forming these assessments and also how certain specific assessments for HTGRs were derived.

6.1 The Fort St. Vrain Reactor and the MHTGR The only features that the 330-MWe Fort St. Vrain reactor, the MHTGR, and the Chernobyl design have in common are the use of a graphite moderator and the use of gravity-driven control rods. At Fort St. Vrain a helium coolant is used which is pressurized to 700 psi arc which flows downwa-d through 1/2-inch-diameter holes in a fully ceramic (graphite) core. Ti srium and uranium dicarbide-coated fuel particles are dispersed in hexagonal graphite blocks 31.2 inches long and 14.2 inches measured across the flat sides of the hexagon.

The coating of each fuel particle (from inside to outside) consists of a porous carbon buffer layer, a layer of dense isotropic carbon, a silicon carbide layer, and an outer coating of dense isotropic carbon. The reactor core and the entire primary coolant system, including steam generators and helium circulators, are enclosed in a prestressed concrete reactor vessel (PCRV) which, through use of inner and outer penetration seals and in conjunction with a filtered and vented confinement building, satisfies the NRC's general design criteria for reactor containment.

The MHTGR concept uses a fuel and reactor design derived from the Fort St. Vrain reactor. However, the reactor will be contained in a steel pressure vessel and the helium circulator and steam generator in a connected second steel vessel rather than full enclosure of the primary system in a single PCRV. Its safety approach is based on an inherent negative power coefficient and selection of the reactor power density and vessel size so that decay heat can be removed passively from the exterior wall of the vessel for postulated accidents. Decay heat would be removed by natural convection airflows that are adequate to preclude fission product release from the fuel, or unacceptable damage to the reactor vessel or to other vital reactor systems. The reference plant would consist of four such modules and would produce total electric power of 550 MWe.

6.2 Assessment

6.2.1 Operations

Administrative control and operational practices at Fort St. Vrain, although generally similar to those of light-water reactors (LWRs), originally contained some differences believed to reflect the unique features of the HTGR concept. In recent years, however, changes have been made to bring plant operations much closer to those of LWRs. A program to upgrade the Technical Specifications is currently under way that will result in administrative controls that are comparable to those of LWRs. Furthermore, although regulations do not require that American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code procedures be followed, inservice inspection and testing requirements are nevertheless being restructured into a format that utilizes ASME Code requirements "as applicable." The Fort St. Vrain reactor also must meet the same or equivalent requirements as those for LWRs with respect to quality assurance, equipment qualification, external events, physical security, fire protection, radiation protection, and operator training and qualification.


Two important differences between HTGRs and LWRs with respect to operational safety are the slower response of HTGRs to plant transients, because of low-power density, and their increased margin to fuel failure, because of the fully ceramic core. These differences formed the basis for permitting less prescription in some administrative procedures and are considered to enhance overall safety.

The designers of the MHTGR are proposing a design that utilizes inherent and passive safety features and fully automated plant control systems that tend to minimize the need for operator action to ensure safety, thus reducing the importance of the man-machine interface to reactor safety. The staff is reviewing this approach and will include its findings in a safety evaluation report on the modular high-temperature gas-cooled reactor; the report is scheduled to be issued in 1988.

6.2.2 Design

(1) Reactivity Accidents

Unlike the Chernobyl reactor, the Fort St. Vrain reactor (HTGR) and the MHTGR have overall negative power and temperature reactivity coefficients, and reactivity additions can be terminated by diverse, redundant shutdown devices--gravity-operated control rods and boron carbide pellets in hoppers above the core. The helium coolant has essentially no reactivity effect.

Like LWRs, however, very large reactivity insertion accidents must be precluded by both the reactor protection system and by structural designs. At Fort St. Vrain, control rod ejection is precluded by two separate and diverse structural systems. Other potential mechanisms for reactivity insertions of a more extensive but less probable nature are water ingress, loss of control rod integrity by overheating, and the downward displacement of the core from the top suspended control rods caused by failure of the core support structure. These mechanisms are highly unlikely for both Fort St. Vrain and advanced HTGRs, but probabilistic risk assessment (PRA) studies to further ensure their low probabilities are being considered for Fort St. Vrain and will be reviewed for the MHTGR.

(2) Accidents at Low Power and at Zero Power

Except for a prompt critical event, the HTGR's characteristically slow thermal response to transients and large margin to fuel failure make accidents at low power or at zero power of lesser concern than for LWRs. Use of PRA is being considered to explore this operating regime further both for Fort St. Vrain and for advanced HTGRs.

(3) Multiple-Unit Protection

This issue is not of direct concern for Fort St. Vrain because it is a single-unit plant and there are no plans to construct an additional nuclear unit. However, certain low probability accidents might result in habitability concerns for manual actions that might have to be performed in the reactor building outside the control room. PRA is being considered as the appropriate means for evaluating this concern.


The issue is different for the MHTGR because operators for four reactors would be stationed in a single control room. The designers are proposing that the operators serve primarily to monitor reactor operations and that individual reactor safety functions be automatically and locally controlled. The staff is reviewing this proposed approach and will report its findings as part of the MHTGR review.

(4) Fires and Explosions

A study of the potential for a Chernobyl-type fire and for explosions derived from hydrogen and carbon monoxide "water gas" at Fort St. Vrain was initiated immediately after the Chernobyl event (Brey, 1986). The staff has reached the conclusion that the use of a helium coolant, the overall negative reactivity coefficient, completely diverse alternative shutdown and cooling systems, and the protection offered by the PCRV against reactor fires, internal postulated explosions, and fission product release to the environs remove Fort St. Vrain from any vulnerability characteristic of the Chernobyl design. In assessing the potential for a graphite fire, the licensee was asked to consider the highly improbable simultaneous failures of penetrations both at the top and bottom of the PCRV, which would cause a chimney effect for sustained air ingress. Although the staff believes that the occurrence of such an event is extremely improbable, it agrees with the licensee that if the need arose, the reactor building could be flooded with water to a level sufficient to defeat the chimney effect and subsequently terminate the fire.

The potential for and consequences of fires in the MHTGR are being considered in the staff's review of that reactor and will be assessed in a safety evaluation report on the modular high-temperature gas-cooled reactor scheduled to be issued in 1988.

(5) Containment

As indicated in Section 6.1, the Fort St. Vrain reactor and primary coolant system are both enclosed in a PCRV. This technology, originally developed for European gas-cooled reactors, is considered in England and Scotland as providing appropriate containment for the many carbon-dioxide-cooled, graphite-moderated power reactors in their utility systems. At Fort St. Vrain, additional containment protection was gained by using double penetration closures, a PCRV liner cooling system for diverse emergency decay heat removal, and a building enclosure that provides for immediate pressure relief by venting, followed by a controlled filtered release of the building's atmosphere. This design was found to meet the general design criteria in effect at the time the construction permit was issued, and it was again found acceptable following the Chernobyl event. No further consideration of the Fort St. Vrain containment system as a Chernobyl candidate safety issue is considered necessary.

In the MHTGR, steel vessels rather than a PCRV will be used, and containment credit will not be taken for its surrounding structures because of the inherent and passive safety characteristics of the fuel design and decay heat removal system. The staff's review of the MHTGR will address the adequacy of this approach.


(6) Emergency Planning

Following the accident at Three Mile Island Unit 2, emergency planning needs for Fort St. Vrain were reviewed and it was concluded that an emergency planning zone (EPZ) with a radius of 5 miles would be sufficient, rather than the 10-mile radius required for LWRs. This decision acknowledged the longer time needed for an accident to progress to the fission product release stage and the lower fission product inventory associated with a reactor of Fort St. Vrain's power level.

The MHTGR designers claim that the design's inherent safety characteristics will simplify offsite emergency planning and will permit reduction of the EPZ to the site boundary. The staff is considering this claim in its review of the MHTGR concept.

(7) Severe-Accident Phenomena

Severe-accident phenomena for Fort St. Vrain in terms of graphite fires and combustible gas explosions are being studied as described above in "Fires and Explosions." Loss of forced convective cooling and helium depressurization accidents are considered as design-basis accidents, and although core temperatures become elevated, fission product release to the environs meets the guidelines of 10 CFR 100. Severe accidents beyond the design-basis accidents, other than those discussed in "Fires and Explosions," which could include combined loss of forced cooling and helium depressurization or large reactivity insertions, have not been studied because their probabilities of occurrence are considered to be very low. The staff is considering a limited analytical and experimental plan to explore the phenomena of severe accidents at Fort St. Vrain and at the same time address the needs of advanced HTGRs. The analytical plan would consist of a targeted PRA study that would utilize past severe-accident and risk studies pertaining to a large and advanced HTGR concept, PRA studies already performed for Fort St. Vrain's design-basis accidents, and component experience from other operating gas-cooled reactors as appropriate (e.g., PCRV performance, gravity control rod performance, and primary system components). The staff will consider uncertainties in this analysis that result from such factors as a limited technology base in assessing the needs and benefits derived from such a PRA.

It is not expected that a PRA study for Fort St. Vrain would result in any modifications or additions to plant equipment. Rather, the study is expected to identify or confirm areas of high risk and to provide information useful for plant operations. In particular, the PRA results would support the program now in progress to upgrade the Technical Specifications and would address the subject of component reliability needs. It would be useful to know more about component reliability in assessing current programs and programs being developed in inservice inspection and testing and in maintenance.

Although this PRA study would not be directly applicable to the MHTGR concept, indirect benefits would include improved bases for selecting MHTGR components, systems, and structures and helping develop the capabilities for the study of severe accidents at MHTGRs.

The staff is considering continuing an experimental program to investigate how graphite performs under thermal stress. This would help establish design margins in the support structure for the graphite core for Fort St. Vrain and would provide other information on the use of graphite as a structural material. PGX-type graphite would be used and notch sensitivity would be determined, as well as its thermal stress responses. This program combined with inservice inspection of the lower plenum region, now being studied, would address the remote possibility of a reactivity insertion accident conceivable from core support failure. With respect to the MHTGR, this study would help develop the methodology for combining thermal and primary stresses to determine acceptable safety factors for designing graphite components that have a structural function.

6.3 Conclusions and Recommendations

The HTGR at Fort St. Vrain and the MHTGR now being developed and reviewed have been assessed against issues raised by the Chernobyl accident in a manner similar to the assessment performed for LWRs. Except for the use of a graphite moderator and gravity-driven control rods, these HTGRs and the Chernobyl reactor have no other features in common. The staff assessed the other areas at issue--operations, design, containment, emergency planning, and severe-accident phenomena--and found that the implications of the Chernobyl accident have generated no new licensing concerns for HTGRs and that general conclusions and those pertaining to specific areas are the same as those for LWRs. In performing these assessments, the staff reviewed the existing information related to these areas and concludes that programs under way or being considered adequately satisfy any concerns that could be generated because of the Chernobyl accident.

A Fort St. Vrain PRA and further experiments with structural graphite were being considered before the Chernobyl accident (Denton, April 2, 1982). The issues raised by the Chernobyl accident have not caused any new concerns about HTGR severe-accident phenomena but rather enter into NRC plans described.


REFERENCES

AEC, 1962 U.S. Atomic Energy Commission, "Calculation of Distance Factors for Power and Test Reactor Sites," TID-14844, March 23, 1962.

AEOD, 1985 U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, "Decay Heat Removal Problems at U.S. Pressurized Water Reactors," AEOD/C503, December 1985.

ANS 3.5 American Nuclear Society, "Nuclear Power Plant Simulators for Use in Operator Training," Standard 3.5, 1985.

ANSI/ANS 3.2 American National Standards Institute/American Nuclear Society, "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants," Standard 3.2, 1980.

Brey, 1986 Brey, H. L. (Public Service Co. of Colorado), Letter dated May 9, 1986 to H. N. Berkow (NRC) transmitting "Chernobyl Nuclear Reactor Accident and Its Implications Upon Fort St. Vrain," prepared by GA Technologies, Inc., and Public Service Co. of Colorado, revised December 4, 1986.

BWROG, 1986 BWR Owners Group, "Emergency Procedure Guideline," draft Revision 4AF, OEI Document 8390-4, August 1986.

CESSAR Combustion Engineering Standard Safety Analysis Report - Final Safety Analysis Report, May 10, 1983.

Denton, 1982 Denton, Harold R. (NRC), Memorandum dated April 2, 1982 to Robert B. Minogue, Subject: "NRR Research Needs for Fort St. Vrain."

FEMA, 1986 Federal Emergency Management Agency, "Medical Services," FEMA Guidance Memorandum MS-1, November 13, 1986.

46 FR 58484 U.S. Nuclear Regulatory Commission, "10 CFR Part 50 Interim Requirements Related to Hydrogen Control," Final Rule, 46 FR 58484, December 1, 1981.

47 FR 2286 U.S. Nuclear Regulatory Commission, "10 CFR Parts 2 and 50 Licensing Requirements for Pending Construction Permit and Manufacturing License Applications," Final Rule, 47 FR 2286, January 15, 1982.

47 FR 47073 Department of Health and Human Services, Food and Drug Administration, "Accidental Radioactive Contamination of Human Food and Animal Feeds; Recommendations for State and Local Agencies," Notice, 47 FR 47073, October 22, 1982.


50 FR 3498 U.S. Nuclear Regulatory Commission, "10 CFR Part 50 Hydrogen Control Requirements," Notice, 50 FR 3498, January 25, 1985.

50 FR 30258 Federal Emergency Management Agency, "Federal Policy on Distribution of Potassium Iodide Around Nuclear Power Sites for Use as a Thyroidal Blocking Mechanism," Notice of Issuance of Federal Policy/Correction, 50 FR 30258, July 24, 1985.

50 FR 32138 U.S. Nuclear Regulatory Commission, "Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants," 50 FR 32138, August 8, 1985.

50 FR 46542 Federal Emergency Management Agency, "Federal Radiological Emergency Response Plan," November 8, 1985.

51 FR 24643 U.S. Nuclear Regulatory Commission, "Statement of Policy for the Regulation of Advanced Nuclear Power Plants," 51 FR 24643, July 8, 1986.

51 FR 32904 U.S. Nuclear Regulatory Commission, "Emergency Planning - Medical Services," 51 FR 32904, September 17, 1986.

52 FR 3788 U.S. Nuclear Regulatory Commission, "Policy Statement on Technical Specification Improvements for Nuclear Power Reactors," 52 FR 3788, February 6, 1987.

IEEE Std. 279 Institute of Electrical and Electronics Engineers, "Criteria for Protection Systems for Nuclear Power Generating Station Safety Systems," IEEE Std. 279, 1971.

IEEE Std. 338 Institute of Electrical and Electronics Engineers, "IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Safety Systems," IEEE Std. 338, 1975.

INSAG, 1986 International Nuclear Safety Advisory Group, "Summary Report on the Post-Accident Review Meeting on the Chernobyl Accident," August 30-September 5, 1986, GLC (SPL.I)/3, IAEA, Vienna, September 24, 1986.

MacDonald, 1980 MacDonald, P. E., et al., "Assessment of Light-Water-Reactor Fuel Damage During a Reactivity-Initiated Accident," Nuclear Safety, Vol. 21, No. 5, September-October 1980, p. 582 ff.

Malsch, 1986 U.S. Nuclear Regulatory Commission, Memorandum to Commissioner Asselstine, June 27, 1986, from M. G. Malsch, Acting General Counsel and Guy H. Cunningham III, Executive Legal Director, Subject: Enforceability of FSAR Commitments.

NUREG-0396 U.S. Nuclear Regulatory Commission, U.S. Environmental Protection Agency, "Planning Basis for the Development of State and Local Government Radiological Emergency Response Plans in Support of Light Water Nuclear Power Plants," NUREG-0396, EPA 520/1-78-16, December 1978.


NUREG-0654 U.S. Nuclear Regulatory Commission, Federal Emergency Management Agency, "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants," NUREG-0654, FEMA-REP-1, November 1980.

NUREG-0660 U.S. Nuclear Regulatory Commission, "NRC Action Plan Developed as a Result of the TMI-2 Accident," Vol. 1, NUREG-0660, May 1980.

NUREG-0800 U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Plants: LWR Edition," NUREG-0800 (formerly NUREG-75/087), July 1981.

NUREG-0956 U.S. Nuclear Regulatory Commission, "Reassessment of the Technical Bases for Estimating Source Terms," Final Report, NUREG-0956, July 1986.

NUREG-1037 U.S. Nuclear Regulatory Commission, "Containment Performance Working Group Report," NUREG-1037, May 1985.

NUREG-1079 U.S. Nuclear Regulatory Commission, "Estimates of Early Containment Loads From Core Melt Accidents," NUREG-1079, December 1985.

NUREG-1116 U.S. Nuclear Regulatory Commission, "A Review of the Current Understanding of the Potential for Containment Failure From an In-Vessel Steam Explosion," NUREG-1116, June 1985.

NUREG-1150 U.S. Nuclear Regulatory Commission, "Reactor Risk Reference Document: Main Report," Vol. 1, Draft for Comment, NUREG-1150, to be published in 1987.

NUREG-1250 U.S. Nuclear Regulatory Commission, "Report on the Accident at the Chernobyl Nuclear Power Station," NUREG-1250, January 1987.

NUREG-75/014 U.S. Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Risks in U.S. Commercial Nuclear Power Plants," NUREG-75/014 (WASH-1400), December 1975.

NUREG/CR-1433 U.S. Nuclear Regulatory Commission, "Examination of the Use of Potassium Iodide (KI) as an Emergency Protective Measure for Nuclear Reactor Accidents," NUREG/CR-1433, Sandia National Laboratory, Albuquerque, October 1980.

SAND 86-1013 Sandia Laboratories, "Containment Event Analyses for Postulated Severe Accidents at the Sequoyah Nuclear Power Plant," SAND 86-1013, March 1986.

SECY 86-76 U.S. Nuclear Regulatory Commission, "Implementation Plan for the Severe Accident Policy Statement and the Regulatory Use of New Source-Term Information," SECY 86-76, February 28, 1986.


USSR, 1986 USSR State Committee on the Utilization of Atomic Energy, "The Accident at the Chernobyl Nuclear Power Plant and Its Consequences," Information compiled for the IAEA Experts' Meeting, August 25-29, 1986, Vienna, 1986.

WASH-1400 U.S. Atomic Energy Commission, "Reactor Safety Study: An Assessment of Risks in U.S. Commercial Nuclear Power Plants," WASH-1400, October 1975.


BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1251 (Draft)

Title and subtitle: Implications of the Accident at Chernobyl for Safety Regulation of Commercial Nuclear Power Plants in the United States (Draft for Comment)

Date report completed: August 1987

Date report issued: August 1987

Performing organization: U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Type of report: Technical

Abstract: This draft report issued for comment was prepared by the Nuclear Regulatory Commission (NRC) staff to assess the implications of the accident at the Chernobyl nuclear power plant as they relate to reactor safety regulation for commercial nuclear power plants in the United States. The facts used in this assessment have been drawn from the U.S. fact-finding report (NUREG-1250) and its sources.

Key words/descriptors: Chernobyl accident, severe accident, radioactive release, Chernobyl implications, reactor safety regulation, operational controls, reactivity accidents, low-power accidents, multi-unit sites, fires, containment, emergency planning, steam explosion, graphite reactors, accident management

Availability statement: Unlimited

Security classification: Unclassified
