ML20246P043
| ML20246P043 | |
| Person / Time | |
|---|---|
| Issue date: | 11/14/1988 |
| From: | Beckjord E NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| To: | Stello V NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| Shared Package | |
| ML20246D630 | List: |
| References | |
| NUDOCS 8905220066 | |
Text
ENCLOSURE TO QUESTION 5
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555
NOV 14 1988
MEMORANDUM FOR:
Victor Stello, Jr.
Executive Director for Operations
FROM:
Eric S. Beckjord, Director, Office of Nuclear Regulatory Research
SUBJECT:
DOE HTGR SER
I spoke with Del Bunch this morning. He said that he expects agreement on DOE's position on this subject by 11/15. He will call you, probably on Tuesday.
He made several points in our discussion:
1. Decay Heat Removal System can be improved.
2. Containment can be improved.
3. Emergency Core Cooling appears susceptible to several faults.
4. Adequacy of local core cooling in emergency could be improved; consideration is being given to provision of forced cooling in event that natural circulation is not adequate.
Del expects that these matters will be resolved in engineering terms by June, 1989.
staff SER report for their use, Meanwhile he would very much like for DOE to
to resolving the containment question and the other
in SECY-88-203, by issuing the staff's SER as a draft for comment.
this we would be careful to remove from the SER any words that draw a final In clear these matters are still under consideration and th
being solicited.
In fact, this would be a good way to obtain broader feedback briefing to the Commission on SECY-88-203 on August 9, It would also get the documentation of the more detailed results of our review (at least in draft form) into the public record, which DOE has indicated would be of use to them.
At a later date, after comments are received and after DOE has respo our questions on the NPR containment, the Commission could resume d
on the policy matters and we could finalize the SER.
review and revise the MHTGR SER, as appropri
If it is decided to
Eric S. Beckjord, Director
Office of Nuclear Regulatory Research
cc:
T. P. Speis
D. F. Ross
B. M. Morris
T. King
DISTRIBUTION:
Circ/Chron/Subj
ESBeckjord
RES:DIR
ESBeckjord:saf 11/ /88
ENCLOSURE TO QUESTION 6
Attachment A
UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555
October 13, 1988
The Honorable Lando W. Zech, Jr.
Chairman
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Dear Chairman Zech:
SUBJECT:
PREAPPLICATION SAFETY EVALUATION REPORT FOR THE MODULAR HIGH TEMPERATURE GAS COOLED REACTOR
Introduction
During the 342nd meeting of the Advisory Committee on Reactor Safeguards, October 6-7, 1988, and in previous meetings of the Committee and our Subcommittee on Advanced Reactor Designs, we reviewed a draft of the subject Safety Evaluation Report (SER).
During these meetings, we had the benefit of discussions with representatives of the NRC staff and its consultants, with representatives of the Department of Energy (DOE), and representatives of General Atomics, the chief design contractor for the Modular High Temperature Gas Cooled Reactor (MHTGR).
We also had the benefit of the documents referenced.
The MHTGR concept is a product of a joint DOE/industry program to develop a design for a nuclear power plant using HTGR technology and having important inherently safe characteristics.
The NRC staff is reviewing the concept under the advanced reactor policy to help assure that the final design will develop along lines acceptable to the NRC.
The draft SER indicates that the staff believes the conceptual design is generally satisfactory and that work directed toward eventual certification should continue.
The staff has provided a number of conditions along with this endorsement and also believes that a continuing program of research and development will be necessary to support final design and eventual licensing.
We are in general agreement that design and development should continue along the lines outlined by the NRC staff.
We can agree to moving forward, however, only because we understand that an NRC endorsement at this time does not imply a final commitment either to the general design or to its details. We believe that ongoing research and development can resolve important safety issues before licensing.
We have a number of comments discussed below about the design.
Key Features of the MHTGR
The MHTGR differs in important ways from existing light water reactor (LWR) plants and from previous gas cooled reactor plants, including several new safety characteristics.
The goal of the designers is that the improved safety features will more than make up for the absence of others (e.g., containment).
They believe the MHTGR design will provide a plant that is safer than LWRs.
Safety of the MHTGR is keyed to properties of its unique fuel particles.
Millions of these microspheres of enriched uranium oxycarbide, each the size of a grain of sand, are in the reactor core.
Each fuel particle is coated with four successive protective shells that include a buffer layer of a porous carbon and then bonded with others into a fuel rod which is, in turn, sealed in vertical holes in graphite blocks.
These graphite blocks provide neutron moderation and are the chief structural material in the core.
The maximum fuel particle temperature in normal operation will be about 1150°C.
An expected very small fraction of defective particles will cause a measurable, but acceptably low, level of chronic fission-product activity in the coolant and reactor systems.
So long as the particles are maintained below 1600°C, fuel, transuranics, and fission products will be retained by the particle coatings, with very high efficiency.
At temperatures above about 2000°C, failures of particle coating will become significant, and above about 2300°C the coatings will fail completely. All other safety features of the reactor systems are designed to assure that particles will remain below 1600°C over a wide range of challenges and circumstances.
It is expected that temperatures can be maintained below 1600°C, in any conceivable reactor transient, because of two favorable characteristics of the reactor core:
(1) Strong negative reactivity changes with increased temperatures in fuel or moderator and
(2) Large thermal inertia of the core and fuel structure.
It is also expected that temperatures will be maintained below 1600°C even with loss of normal decay heat removal because of the following important features:
(1) The same strong power even with failure of reactivity con low equilibrium shutdown systems.
(2) At these low or decay power levels, if normal heat transfer systems fail, all heat can be removed from the reactor by a passive heat transfer system that permits atmospheric air to flow by natural convection through a cavity surrounding the reactor vessel. Under these conditions, the reactor core and the vessel will attain temperatures only slightly above their normal operating values.
(3) If this passive heat removal system should become unavailable (e.g., by blockage of air flow), heat at low power or at decay heat levels would be transferred from the reactor cavity by conduction directly to the earth surrounding the reactor building.
Under these conditions, fuel would remain below 1600°C, but the reactor vessel would eventually heat to well beyond its normal operating temperature.
Whether the reactor could be returned to normal operation after exposure of the vessel to such overtemperature is problematic at the present time.
But, the vessel would remain sufficiently intact for the safe removal of decay heat.
The passive heat transfer functions in items (2) and (3) above require that the reactor core and vessel be small enough so that heat transfer can be accomplished without core temperatures becoming excessive.
This dictates the reactor size and leads to the modular design and the long, small-diameter core.
The reactor core is normally cooled by inert helium gas circulated through the core at high pressure.
Certain improbable failures of the reactor vessel could permit air to enter the core.
However, air flow through the core by natural convection would be at a very low rate.
With this restricted supply of oxygen, oxidation of graphite would be so slow that after many hours only a small fraction of the graphite would be consumed and the core would remain structurally intact.
Even if the graphite should burn, through some undetermined mechanism, the indications are that the graphite temperature would be well below the 1600°C critical temperature for the fuel particles. The combination of nuclear decay and combustion heat would not be expected to increase core temperature to greater than 1600°C.
The Safety Issues
The challenge in assuring that the key safety characteristics claimed for the MHTGR design are realized in an actual plant is, in simplest terms, in assuring that the following issues are adequately addressed:
(1) Fuel particles must have the retention capabilities attributed to them and this must be assured with recognition of inevitable variability and imperfection in the fuel particles and their compaction process. This will require a higher level of quality in manufacture than has been achieved and must be experimentally verified.
(2) The reactivity and temperature-reactivity characteristics used in safety analyses are based on limited data.
Further verification of these characteristics as a function of fuel burnup, core shuffling, and a variety of operational transients is needed.
(3) Inadvertent ingress of water or steam into the core must be precluded with high reliability. Water or steam could cause corrosion and mechanical damage to the graphite and would also add a positive reactivity contribution.
This seems to be a possible complication of, for example, steam generator tube failures that is not present in LWRs.
Internal flooding of the underground reactor cavity could lead to similar problems.
(4) There must be assurance that decay and low-power heat transfer can be accomplished without causing excessively high core temperatures.
Performance of the passive atmospheric cooling system and the ability to conduct heat to the surrounding earth must be demonstrated.
(5) The structural properties of the graphite must be demonstrated and assured.
(6) Some of the important safety benefits of the design (e.g., passive decay heat removal and resistance to graphite burning) depend upon the core geometry remaining unperturbed.
Questions of seismic resistance, effects of aging, and the possible cascading effects of certain reactor accidents remain to be fully answered.
A major issue is whether a conventional containment structure or some other mitigation system or process should be required.
Neither the designers, the NRC staff, nor the members of the ACRS have been able to postulate accident scenarios of reasonable credibility, for which an additional physical barrier to release of fission products is required in order to provide adequate protection to the public.
This does not mean that a conventional containment should not be provided or required as further defense in depth against unforeseen and unforeseeable events.
However, it does mean that the design basis for a containment would have to be arbitrary, not altogether unlike what was done in the early days for LWRs.
We believe that the decision to require a containment will have to be made on the basis of technical judgment, with appropriate consideration of the effects on other technically based safety features now a part of the design.
In addition, there may be safety and economic tradeoffs between provision for containment and provision for passive decay heat removal.
Recommendations
A substantial program of research and development must be continued to support the final design for the MHTGR. This program should concentrate on providing assurances relative to the safety issues we have discussed above.
General Atomics has generated extensive data on fuel performance, but a comprehensive program on the reference fuel appears to be needed.
This would include testing of irradiated fuel, fuel from large-scale manufacturing, and fuel exposed to a variety of environmental conditions and temperatures such as might be encountered in possible accidents.
A hot critical experiment may be necessary.
The core is of an unusual geometry and has nuclear characteristics different from those in previous HTGRs.
Assuring that the safety response of the plant is as predicted will require comprehensive information on the reactivity characteristics of the core over a broad range of normal and accident conditions.
More extensive analysis is needed of the response of the plant to accidents that might change the core geometry. Certain accident scenarios can be hypothesized that would affect core geometry and influence coolant distribution and reactivity characteristics.
A prototype should be built and appropriately tested before design certification.
Concepts for a containment or another sort of physical mitigation system require further study.
Finally, there are two issues identified in our letter to you dated July 20, 1988, "Report on Key Licensing Issues Associated With DOE Sponsored Reactor Designs," that we believe should be given early consideration as the design of this plant progresses. These issues are related to design for (1) resistance to sabotage and (2) operation and staffing.
The appropriate excerpts from that letter are attached.
Additional comments by ACRS Members Forrest J. Remick and Charles J. Wylie, and William Kerr are presented below.
Sincerely,
William Kerr
Chairman
Additional Comments by ACRS Members Forrest J. Remick and Charles J. Wylie
In general, we agree with our colleagues in the above letter.
However, we cannot in good conscience recommend a design of a nuclear power plant for design certification which does not have a conventional containment or other mitigation system which would serve as a more robust external barrier than is currently proposed to protect the public from radiological releases.
The designers of the MHTGR deserve much credit for their effort to incorporate inherent and passive safety features in the design concept.
However, even though we believe that the proposed design has a good potential for providing enhanced safety, experience has shown that new reactor designs have technical unknowns.
Because of the possible technical unknowns, the known uncertainties associated with the postulated inherent and passive safety features and the lack of experience with operation of a reactor of this new design, we do not recommend these reactors for design certification without a more extensive external barrier consisting either of a conventional containment structure or other appropriate mitigation system.
We think it important that the ACRS and the Commission make this technical judgment at this time in order that the designers of this promising reactor concept have ample opportunity to thoroughly consider alternate designs.
Additional Comments by ACRS Member William Kerr
I remind the Commission of the comments on containment included in the Committee's letter of July 20, 1988, namely:
"We are not prepared at the present time to accept these approaches to defense in depth as being completely adequate.
Further, we are not prepared at this time to accept the arguments that increased prevention of core melt or increased retention capacity of the fuel provide adequate defense in depth to justify the elimination of the need for conventional containment structures.
This is not to say that we could not decide otherwise in the future, in response to an unusually persuasive argument."
That is still my position on the containment issue.
I would add only that I have not yet heard the "persuasive argument."
References:
1. Office of Nuclear Regulatory Research, "Pre-Application Safety Evaluation Report for the Modular High Temperature Gas Cooled Reactor," dated August 1988 (Predecisional Draft)
2. Stone & Webster Engineering Corporation (DOE Contract), HTGR-86 024, "HTGR Preliminary Safety Information Document for the Standard MHTGR," Volumes 1-5, 1986
3. GA Technologies, Inc. (DOE Contract), DOE-HTGR-86-011, "HTGR Probabilistic Risk Assessment for the Standard Modular High Temperature Gas-Cooled Reactor," Volumes 1-2, January 1987
Attachment:
Excerpts from July 20, 1988 ACRS Letter, "Report on Key Licensing Issues Associated With DOE Sponsored Reactor Designs"
ATTACHMENT TO ACRS LETTER ON MODULAR HIGH TEMPERATURE GAS COOLED REACTOR
Excerpt from July 20, 1988 ACRS Letter, "Report on Key Licensing Issues Associated With DOE Sponsored Reactor Designs"
Design for resistance to sabotage
It is often stated that significant protection against sabotage can be inexpensively incorporated into a plant if it is done early in the design process.
Unfortunately, this has not been done consistently because the NRC has developed no guidance or requirements specific for plant design features, and there seems to have been no systematic attempt by the industry to fill the resulting vacuum. We believe the NRC can and should develop some guidance for designers of advanced reactors.
It is probably unwise and counterproductive to specify highly detailed requirements, as those for present physical security systems, but an attempt should be made to develop some general guidance.
Operation and staffing
Little is said in the staff paper about requirements for operation and staffing of advanced reactors.
We find this to be a serious oversight. Experience with LWRs has shown that issues of operation and staffing are probably more important in protecting public health and safety than are issues of design and construction.
The designers of the three reactor proposals seem to be claiming that the designs are so inherently stable and error-resistant that the questions of operation and staffing, so important for LWRs, are unimportant for the advanced reactors.
And that in fact, the advanced plants can be operated with only a very small staff.
We believe these claims are unproven and that more evidence is required before they can be accepted.
The two major accidents that have been experienced in nuclear power, those at TMI-2 and Chernobyl 4, were caused, in large measure, by human error.
These were not simple "operator errors" but instead were caused by deliberate, but wrong, actions.
There are some indications that the advanced reactor designs being considered have certain characteristics tending to make them less vulnerable to such mal-operation.
But, this has not been demonstrated in any systematic way.
The traditional methods of PRA are not capable of such analyses; but, we believe a systematic evaluation should be made.
There seems little merit in making claims for the improved safety of new reactor designs if they have not been evaluated against the actual causes of the most important reactor accidents in our experience.
ENCLOSURE TO QUESTION 6
Attachment B
UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555
July 20, 1988
The Honorable Lando W. Zech, Jr.
Chairman
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Dear Chairman Zech:
SUBJECT:
REPORT ON KEY LICENSING ISSUES ASSOCIATED WITH DOE REACTOR DESIGNS
During the 339th meeting of the Advisory Committee on Reactor Safeguards, July 14-16, 1988, we met with members of the NRC Staff and the Department of Energy (DOE) Staff and reviewed a draft Commission Paper on "Key Licensing Issues Associated with DOE Sponsored Reactor Designs," dated February 9, 1988.
This subject was also considered during our 334th, 335th, 336th, and 337th meetings on February 11-13, 1988; March 10-12, 1988; April 7-9, 1988; and May 5-7, 1988, respectively.
Our Subcommittee on Advanced Reactor Designs met on January 6, 1988 to discuss this matter. We also had the benefit of the documents referenced to this letter.
The Commission, in a letter dated July 9, 1987, instructed the staff to develop such a key issues paper in advance of projected safety evaluation reports on each of the three conceptual designs being proposed by DOE and its contractors.
The Committee believes this was a wise decision; it is appropriate to confront and attempt to resolve the most important safety and licensing issues in a general and direct way, rather than only by reacting to design proposals.
The NRC Staff has undertaken an important and difficult task.
It can be viewed as an attempt to create, from the top down, a comprehensive rationale for licensing requirements.
This would be very different from the existing body of regulations for light water reactors (LWRs), which has grown an element at a time in a more reactive and pragmatic fashion.
The nation has more than thirty years of experience in the development and realization of practical nuclear power.
The DOE sponsored designers have made use of this experience and of associated research and analytical development to create three conceptual designs which they believe offer significant advantages over existing LWR plants.
Similarly, the NRC should take advantage of experience in the regulation and safety analysis of plants to create an improved approach to the specification of safety requirements.
In doing this, care must be taken that regulatory requirements do not unnecessarily frustrate the development of advanced reactors.
The regulations should permit the application of innovative reactor concepts while protecting the health and safety of the public.
We believe this can be done, but additional effort on the part of the Commissioners and the NRC Staff will be required.
False urgency should be avoided; it is more important to do the job right than to do it soon.
The staff effort so far has been thoughtful and productive, and provides appropriate preliminary guidance. They have identified four key issues as a basis for review of the design proposals:
- Accident selection
- Siting source term selection and use
- Adequacy of containment systems
- Adequacy of off-site emergency planning.
We believe these are important issues, but they do not adequately encompass the full set of concerns. We comment below on these issues and then discuss several additional issues that we believe are also important and deserve further development.
We suggest that the staff's key-issues paper be regarded as preliminary guidance and that a continuing program of development and dialogue is necessary before criteria are considered final.
ACCIDENT SELECTION
The staff has proposed four event categories for selection of design basis events based on estimates of the probability of events that might challenge a given system and on past practice and engineering judgment.
For the second of these event categories (EC-II), the staff would require that there be tolerance for single failures, that only safety-grade systems should be credited in meeting the event challenge, and that reactor plant systems should continue to operate normally in response to the challenge.
We believe this general approach is sound, but requires two caveats:
- Credit for performance of nonsafety grade equipment in this class of events should be permitted when this can be justified. Designation of a component or system as safety grade is intended to ensure it has certain specific attributes. Among these are the ability to resist certain seismic events, ability to function within certain harsh environments, and a high level of reliability (supposedly guaranteed by a quality assurance program). Not all postulated initiating events are challenges to all of these attributes. Selectivity should be permitted when sufficient information is available about the nature of the design basis event.
- We agree there should not be complete dependence on probabilistic arguments. Although estimates of probability are a proper first-cut approach to the definition of event categories, uncertainty in these estimates is large. Judgments are needed about whether and how to include as design criteria the capability to accommodate phenomena and sequences that are not specifically indicated to be necessary by probabilistic estimates.
CONTAINMENT SYSTEMS
Containment structures clearly are intended to restrict release to the environment of radioactive materials resulting from a severe accident.
For LWRs, although the design bases for containments have included a source term related to severe accidents, the design pressures and temperatures have been those related to a large-break LOCA rather than those resulting from an accident involving severe core damage.
Whether this seemingly inconsistent but pragmatic approach has served the nuclear power enterprise well can be debated.
On the one hand, some of the severe accident issues facing the NRC and the industry today are a legacy of that approach.
On the other hand, such a containment performed very well in the TMI-2 accident.
Research over the past few years indicates that most existing containments would be reasonably effective in reducing the consequences of severe accidents.
The staff proposal for severe accident and containment requirements for advanced reactors seems to be taking a different, but not necessarily better approach, than that used for LWRs.
Their contention is that, if the early lines of defense, namely:
- prevention of challenges to protection systems, and
- prevention of core damage by protection systems
are effective enough, then the next two lines of defense, namely:
- a conventional containment structure, and
- an emergency plan for the area around the site,
are not necessary.
The so-called prevention and protection attributes of the three designs being proposed by DOE and its contractors are indeed impressive. The modular high temperature gas cooled reactor (MHTGR) has no conventional containment structure, but relies instead on the capacity of its unique fuel particles to retain fission products, even at abnormally high temperatures, with high reliability.
The two liquid metal reactor (LMR) designs have containers around the reactor vessels, but these have low volume and pressure capacity.
It is unclear how they would accommodate a challenge greater than minor leakage of sodium coolant.
Accidents can be postulated that would challenge the defense-in-depth concepts being advanced.
For the LMRs, a contemporaneous failure of the guard vessel and the reactor vessel, coupled with a sodium fire, would seem to lead to severe consequences.
For the MHTGR, a fire in the graphite moderator, perhaps permitted by massive failures of the reactor vessel and core support, might also have severe consequences.
Whether these or other accidents could be effectively mitigated by a containment enclosure, or a filtered vent, has not been determined.
We note that in all three designs, absence of containment helps to make feasible one of the major safety advantages, passive systems for removing decay heat.
In each case, the reactor vessel surroundings are designed so that air from outside the plant will flow by natural buoyancy through the reactor vessel cavity and thereby remove decay heat.
This seems to be a highly effective heat transfer means if the reactor vessel and core are intact.
If they are not, this ready supply of oxygen and access to the environment might be a problem.
This seems to be a major safety trade-off.
We are not prepared at the present time to accept these approaches to defense in depth as being completely adequate.
Further, we are not prepared at this time to accept the arguments that increased prevention of core melt or increased retention capacity of the fuel provide adequate defense in depth to justify the elimination of the need for conventional containment structures. This is not to say that we could not decide otherwise in the future, in response to an unusually persuasive argument.
EMERGENCY PLANNING
We agree with the present approach of the staff's proposal.
However, we believe that emergency planning should be reexamined in an effort to describe an approach that would be applicable to all types of reactors.
ADDITIONAL ISSUES
How safe should these plants be?
We believe the debate about how safe is safe enough is concluded. The safety goal policy is in place.
That should stand as the definition of how safe these advanced reactors, as well as future LWRs, should be.
There are, of course, matters of interpretation and implementation with regard to safety goal policy.
These need to be dealt with for all types of reactor plant designs.
The focus of licensing and regulation for advanced reactors should be consistent with the safety goal policy; no more, no less, no enhancements, no compromises.
The Advanced Reactor Policy states that advanced reactors must be at least as safe as the current generation of LWRs.
The staff interprets this to mean the "evolutionary" generation of LWRs now being reviewed by the NRC for preliminary design certification.
We believe the Advanced Reactor Policy requires no more than, and should require no more than, the level of safety called for in the safety goal policy.
Reactor developers, i.e., DOE and the industry, may seek a design that is safer than the safety goal would suggest as necessary, or whose safety is more readily apparent to the public.
Those are not unreasonable goals for a developer in seeking public acceptance or more economic operation.
However, it seems to us inappropriate for the NRC to ratchet on the standard of safety it has established as necessary and sufficient.
To what extent should regulatory requirements accommodate public perception?
The draft paper states that the staff has incorporated only technical considerations in the development of its proposed positions.
In particular, they have not attempted to accommodate external factors, such as public perception.
We applaud this restraint. And we counsel the Commission to keep safety regulations unambiguously related to protection of the public health and safety.
i
___-_________m._
0
%, t,
.,i+
l The Honorable Lardo W. Zech, Jr. July 20, 1988 i
Extra capacity in decay heat removal and scram systems The three DOE designs provide much more capacity in decay heat removal 1
i and scram systems than are provided in present LWRs.
While these important systems in LWRs must be tolerant of single failures, the advanced reactors go well beyond that.
The reason for this is the intent to build more robustness into the first two layers of defense in depth and thus permit less in the last two layers, containment and emergency planning.
Two independent scram systems are provided in two of the three proposed designs. Each system is somewhat diverse in design and tolerant, within itself, of single failure.
All three design proposals have multiple systems for decay heat removal.
In addition to being diverse and resistant to single failure, the extra systems have inherent passive attributes.
They apparently will function effectively without motive power or operator intervention.
However, a caution is necessary.
Experience in operation and analysis has indicated that redundancy, i.e., extra systems or components, is not as powerful in improving reliability as might be expected.
Too often the nature of initiating challenges, or of the complex sequence of events in accidents, seems to cause the extra parts of a system to be faulted along with the main system. The diverse and passive nature of the three designs being considered might ameliorate such unwanted interdependency, but further study is warranted.
In addition, while the three proposed designs have these positive features, it is not clear that the NRC's proposed requirements would provide assurance that these desirable diverse and passive attributes would be guaranteed.
Need for prototyping
The staff proposes only modest requirements for prototype testing of the advanced reactor designs.
Although, they have recently added a proposed requirement that any designs not incorporating a containment must be tested in prototype at a remote site, we question whether this is enough to carry the process to a point at which the NRC would be willing to license an unlimited number of new power plants.
For example, the metallic LMR cores are claimed to have very favorable, inherently stable characteristics in responding to possible transients. These characteristics were not well understood a decade ago.
An excellent experimental and analytical program by ANL with the EBR-II reactor at INEL has effectively demonstrated that the EBR-II system does exhibit such inherently stable and predictable behavior.
However, it is not yet clear that such characteristics can be assured for the larger and different LMRs to be used in commercial electric power production.
We believe that a more and extensive series of prototype tests will be necessary before design certification could be granted.
Use of cost-benefit analysis
The staff paper proposes that prospective licensees should be required to demonstrate through cost-benefit analysis that design features alternative to those being proposed are not warranted.
Presumably, the NRC staff would review such analyses and perhaps suggest alternatives.
We believe this is an unworkable and unnecessary strategy.
The NRC should concentrate its efforts on specifying design requirements that will result in plants that are in conformance with the safety goal.
Consideration of alternatives and costs is properly a function of the designer and owner of a plant.
The NRC should have enough confidence in its safety goal that it does not feel the need for the proposed approach.
Design for resistance to sabotage
It is often stated that significant protection against sabotage can be inexpensively incorporated into a plant if it is done early in the design process.
Unfortunately, this has not been done consistently because the NRC has developed no guidance or requirements specific for plant design features, and there seems to have been no systematic attempt by the industry to fill the resulting vacuum. We believe the NRC can and should develop some guidance for designers of advanced reactors.
It is probably unwise and counterproductive to specify highly detailed requirements, as those for present physical security systems, but an attempt should be made to develop some general guidance.
Operation and staffing
Little is said in the staff paper about requirements for operation and staffing of advanced reactors.
We find this to be a serious oversight.
Experience with LWRs has shown that issues of operation and staffing are probably more important in protecting public health and safety than are issues of design and construction.
The designers of the three reactor proposals seem to be claiming that the designs are so inherently stable and error-resistant that the questions of operation and staffing, so important for LWRs, are unimportant for the advanced reactors.
And that in fact, the advanced plants can be operated with only a very small staff.
We believe these claims are unproven and that more evidence is required before they can be accepted.
The two major accidents that have been experienced in nuclear power, those at TMI-2 and Chernobyl 4, were caused, in large measure, by human error.
These were not simple "operator errors" but instead were caused by deliberate, but wrong, actions.
There are some indications that the advanced reactor designs being considered have certain characteristics tending to make them less vulnerable to such mal-operation.
But, this has not been demonstrated in any systematic way.
The traditional methods of PRA are not capable of such analyses; but, we believe a systematic evaluation should be made.
There seems little merit in making claims for the improved safety of new reactor designs if they have not been evaluated against the actual causes of the most important reactor accidents in our experience.
Will regulatory criteria evolve?
The staff proposal provides for a future milestone in the ongoing design-review-licensing process at which the NRC will step back and make sure that the agreements reached early in the process are still valid, given possible new information and understandings.
We believe this is wise and necessary, although it does place a potential licensee at some risk.
It should be recognized that this milestone activity might have to include the possibility of changes in the actual requirements, as well as interpretations of requirements.
Focus on the most important residual uncertainties
Although the staff paper discusses uncertainties relative to the development of requirements and designs, it should provide a clearer statement of what the staff believes to be the most important of these.
This would assist policymakers in making judgments about the designs and requirements and, perhaps, about whether certain avenues of research should be further pursued before or in parallel with licensing.
Additional comments by ACRS Member Carlyle Michelson are presented below.
Sincerely,
William Kerr
Chairman
Additional Comments by ACRS Member Carlyle Michelson
It is not clear to me that the safety goal in its present form was intended to apply to advanced reactors which do not have conventional containment systems.
The guidelines for regulatory implementation might have been different if the Commission had considered that the defense-in-depth approach might not include a containment system on future plants.
It would be unfortunate if the frequency of large release criterion suggested in the present guidelines is used as a basis for justifying the omission of a containment system for an advanced reactor plant at a time when advanced LWRs which might be able to meet the same criterion are required to have containments.
References:
1. Draft Commission Paper from Victor Stello, Jr., for the Commissioners, Subject: Key licensing issues associated with DOE sponsored advanced reactor designs, dated February 9, 1988
2. U.S. Nuclear Regulatory Commission, NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," published June 1988
ENCLOSURE TO QUESTION 9
Attachment A
UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555
November 22, 1988
The Honorable Lando W. Zech, Jr.
Chairman
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Dear Chairman Zech:
SUBJECT: SAFETY EVALUATION REPORT FOR THE "POWER REACTOR INHERENTLY SAFE MODULE" (PRISM) DESIGN
During the 343rd meeting of the Advisory Committee on Reactor Safeguards, November 17-18, 1988, we reviewed a draft of the subject safety evaluation report (SER).
The ACRS and its Subcommittee on Advanced Reactor Designs have reviewed these matters in previous meetings.
During these meetings we had the benefit of discussions with representatives of the NRC staff and its consultants, and with representatives of the Department of Energy (DOE) and its contractors, including representatives of the General Electric Company, the lead design contractor.
We also had the benefit of the documents referenced.
The PRISM conceptual design is a product of a DOE program to develop designs for possible future power reactor systems that would have enhanced safety characteristics.
Other design projects in the program are the Modular High Temperature Gas-Cooled Reactor (MHTGR) and the Sodium Advanced Fast Reactor (SAFR).
The NRC staff is reviewing these designs in accordance with the Commission policy on Advanced Nuclear Power Plants.
These preapplication reviews are intended to provide NRC guidance on licensing issues at a relatively early stage of design development.
The ACRS has previously commented to you on NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," in June 1987, on key licensing issues associated with the entire program in July 1988, and on the SER for the MHTGR in October 1988.
We understand that issuance of the SER will not constitute approval of the PRISM design.
Further engineering development and documentation will be required to support a future application for design certification.
The PRISM design incorporates several small, modular reactors cooled by liquid sodium.
The standard PRISM plant would consist of nine reactor modules, each generating 425 MWt, providing a total plant output of 1245 MWe.
Each reactor, along with its intermediate heat exchangers and pumps, is immersed in a pool of sodium.
A steel vessel containing this pool is located within a secondary steel container.
The steel containers share a common head.
Each such unit is installed within an underground concrete silo.
Secondary sodium coolant flows to steam generators which are also located below grade, but are outside the silo, along with the remainder of the "balance of plant" (BOP) equipment.
The PRISM design provides several features for enhancing safety of a nuclear power plant:
- a passive system for emergency removal of decay heat
- inherent mechanisms for negative feedback of reactivity
- large thermal inertia in the pool of sodium coolant
- metal fuel, offering greater opportunity for on-site fuel reprocessing
- small component sizes, providing opportunities for factory fabrication
- opportunity for prototype testing of a single module
- separation of safety-related functions from BOP systems
On the basis of its review, the NRC staff has concluded that the PRISM design has the potential for a level of safety at least equivalent to light water reactor (LWR) plants, provided that a number of current specific issues are resolved.
Our general recommendation is that, from the perspective of safety and licensing, design development of PRISM should continue, taking into account the points made by the staff.
A number of safety issues remain to be completely addressed, a program of continuing research and development is necessary to support further design, and plans for extensive prototype testing should be developed.
In the following paragraphs we comment on a number of specific safety issues which we believe should be considered by the staff in its final SER, and by DOE in its continuing development and design activities.
Containment
Although a secondary vessel is provided to contain leakage of sodium coolant, the PRISM design does not include a conventional containment capable of resisting high temperatures and pressures.
It is contended that the potential for core disruptive accidents, for which such a containment might provide mitigation, is so low that a conventional containment is not needed.
Both deterministic and probabilistic arguments are made in support of this contention.
Although these arguments have technical merit, we are not yet convinced.
Our position is as stated in our report to you of July 20, 1988 on the key licensing issues associated with DOE sponsored reactor designs and our report to you of October 13, 1988 on the preapplication safety evaluation report for the modular high temperature gas-cooled reactor.
However, there is a problem. One reason for providing a strong physical containment is to protect the public against unforeseen accidents.
But, precisely because they are not foreseen, the design requirements for a containment are not obvious.
Therefore, engineering and policy judgments must be made about the need for, and nature of, containment that might be used with PRISM.
We believe that further study is appropriate before final judgments are made.
Absence of a Backup Shutdown System
The PRISM design provides a control rod system consisting of six control rods, a safety grade means of scramming these rods by gravity, and a safety grade electrical system to drive the rods into the core.
However, the design provides no backup to this control rod system other than the inherent characteristics of the core.
We question whether these inherent characteristics are adequate as a backup system, for two reasons.
First, they may not act fast enough to compensate for certain fast transients without scram.
Second, they are not capable of making the reactor subcritical and taking it to cold shutdown conditions.
Therefore, we believe the need for a backup system or suitable demonstration of scram reliability deserves further study.
Need for Local Flow and Temperature Monitoring
The PRISM safety analysis indicates that blockage of flow through one fuel assembly may possibly damage that assembly, but will not damage adjacent assemblies.
Early work with oxide fuel has demonstrated that propagation is unlikely, but experiments and analysis with metal fuel have not been as extensive.
Especially because the design does not provide for monitoring flow and effluent temperature from individual assemblies, we believe this requires further study.
Individual Rod Worth
Each of the six control rods is sufficient, individually, to shut down the reactor and maintain it in cold shutdown.
Therefore each rod has a very large reactivity worth, about two dollars.
There is thus potential for serious consequences from a rod ejection accident.
This potential is ameliorated in two ways.
First, for startup, rod operations are interlocked so that the rods can be withdrawn only in a carefully orchestrated sequence.
This rod sequencing system will have to be very carefully designed, operated, and maintained.
Second, for power operation, the expected reactivity change of a core through its lifetime is expected to be so flat that only very small rod insertion will be necessary at the beginning of core life, thus reducing the effect of a rod ejection accident.
These features will be effective only with accompanying administrative controls on core design and rod operation over the lifetime of PRISM plant operations.
This should be acknowledged in the SER.
Role of the Operator
We believe that insufficient attention has been given to the role of the operator.
Claims that a PRISM plant would have such inherently stable and safe characteristics that the operator will have essentially no safety function are unproven.
Operation of nine reactors, possibly in several different operational states at any given time, may be a daunting challenge for the small operations crew envisioned.
Opportunities for cognitive error, which might defeat favorable safety characteristics of the reactor, might be more abundant than is now recognized.
Further study appears to be desirable.
We believe insufficient attention has been given to the physical security of the plant's operating and technical support staff.
It is claimed that the control room, with all of its contents, including operating personnel, can be destroyed and that the plant can be safely shut down from remote control stations that are within the physical security controlled areas of the plant.
Therefore, the control room and technical support areas are now proposed to be located outside the physical security boundary.
We believe, given an external threat, such as an attack by terrorists, that it is essential to preserve the operating and technical expertise on-site, and recommend that the control room and appropriate technical support personnel be located within the physical security boundary.
Other Operational Considerations
In addition, certain features that have been found to be desirable in LWR plants are not provided in the PRISM design.
No technical support center is provided. Although remote shutdown capability is provided, it appears to lack some of the attributes of such systems in current LWR plants.
Also, the design does not include Class 1E AC electric power systems, but relies entirely on 1E DC power from batteries.
It is not clear that adequate consideration has been given to the potentially large power needs of essential auxiliary functions such as space cooling and emergency lighting.
Protection Against Sabotage
With regard to the need for designing protection against sabotage, the following statement from our report of July 20, 1988 should be given early consideration as the design of this plant progresses:
"It is often stated that significant protection against sabotage can be inexpensively incorporated into a plant if it is done early in the design process.
Unfortunately, this has not been done consistently because the NRC has developed no guidance or requirements specific for plant design features, and there seems to have been no systematic attempt by the industry to fill the resulting vacuum.
We believe the NRC can and should develop some guidance for designers of advanced reactors.
It is probably unwise and counterproductive to specify highly detailed requirements, as those for present physical security systems, but an attempt should be made to develop some general guidance."
Sodium Fires
Further study of the potential for and suppression of sodium fires and consideration of their possible consequences is needed.
Such studies should include the possibility of fires resulting from earthquake effects.
Sincerely,
Forrest J. Remick
Acting Chairman
References:
1. Office of Nuclear Regulatory Research, "Safety Evaluation Report for the Power Reactor Inherently Safe Module (PRISM)/Liquid Metal Reactor Conceptual Design," dated September 10, 1988 (Predecisional Draft)
2. General Electric/Nuclear Systems Technology Operation (DOE Contract), GEFR-00793, "PRISM Preliminary Safety Information Document," Volumes I through V, 1986
ENCLOSURE TO QUESTION 9
Attachment B
UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555
January 19, 1989
The Honorable Lando W. Zech, Jr.
Chairman
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Dear Chairman Zech:
SUBJECT: SAFETY EVALUATION REPORT FOR THE SODIUM ADVANCED FAST REACTOR (SAFR) DESIGN
During the 345th meeting of the Advisory Committee on Reactor Safeguards, January 12-14, 1989, we completed our review of a draft of the subject safety evaluation report (SER).
This subject was also considered during our 344th meeting on December 15-17, 1988.
Our Subcommittee on Advanced Reactor Designs met on December 13, 1988 to discuss this matter.
During these meetings, we had the benefit of discussions with representatives of the NRC staff and its consultants, with representatives of the Department of Energy (DOE) and its contractors, including representatives of Rockwell International, the lead design contractor.
We also had the benefit of the documents referenced.
The SAFR conceptual design is a product of a DOE program to develop designs for possible future power reactor systems that would have enhanced safety characteristics.
Other design projects in the program are the Modular High Temperature Gas Cooled Reactor (MHTGR) and the Power Reactor Inherently Safe Module (PRISM).
The NRC staff has reviewed these designs in accordance with the Commission Policy on Advanced Nuclear Power Plants.
These preapplication reviews are intended to provide NRC guidance on licensing issues at a relatively early stage of design development.
The ACRS has previously commented to you in June 1987 on NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," in July 1988 on key licensing issues associated with the entire program, in October 1988 on the SER for the MHTGR, and in November 1988 on the SER for PRISM.
We understand that issuance of the SER will not constitute approval of the SAFR design.
Further engineering development and documentation would be required to support a future application for design certification.
The SAFR design incorporates small modular reactors cooled by liquid sodium.
The standard SAFR plant would consist of one or more "power paks."
Each "power pak" would comprise four reactor modules that would produce a total of 3600 MWt (1400 MWe).
Each reactor, along with its intermediate heat exchangers and pumps, is immersed in a pool of sodium.
A steel vessel containing this pool is surrounded by a secondary steel container and each module is installed within a concrete structure above grade.
Secondary sodium coolant will flow from each reactor module to a pair of steam generators, located above grade along with the remainder of the balance of plant (BOP) equipment.
The SAFR modular design provides several desirable features for enhancing safety of a nuclear power plant:
- a passive system for emergency removal of decay power
- inherent mechanisms for negative feedback of reactivity
- two independent scram systems, one capable of self-actuation
- large thermal inertia in the pool of sodium coolant
- metal fuel, offering greater opportunity for on-site fuel reprocessing
- small component sizes, providing opportunities for factory fabrication
- opportunity for prototype testing of a single module
- separation of safety-related functions from BOP systems
SAFR, while similar to PRISM, has some important differences. Each SAFR reactor module is larger and would generate 900 MWt compared with 425 MWt for PRISM.
SAFR primary sodium would run hotter than in PRISM with a nominal core exit temperature of 950°F compared with 875°F for PRISM.
SAFR steam conditions are 850°F and 2700 psig, compared with 545°F and 990 psig for PRISM.
SAFR has two reactivity control and scram systems while PRISM has one. SAFR's main coolant pumps are conventional centrifugal while PRISM's are electromagnetic.
The DOE has decided to discontinue its development of the SAFR design and concentrate liquid metal reactor (LMR) efforts in the PRISM design organization, but has requested that the NRC staff complete its review of both SAFR and PRISM.
The NRC staff has expressed no opinion that there appears to be a net advantage in the PRISM design over that of SAFR, or vice versa.
On the basis of its review, the NRC staff has concluded that the SAFR design has the potential for a level of safety at least equivalent to current light water reactor (LWR) plants.
We have no reason to disagree and believe that SAFR, like PRISM, could be licensed if continuing development work is pursued successfully.
A number of safety issues remain to be completely addressed. A continuing program of research and development will be necessary to support further design.
Plans for extensive prototype testing should be included.
safety issues which we believe should be conside final SER, and by DOE if it continues design and development of this concept.
Positive Sodium Void Coefficient
SAFR, like PRISM, will experience a large increase in reactivity in the event of significant boiling or other voiding of the sodium coolant.
The designers' analyses cannot show that such voiding is impossible, but they have concluded that it is very improbable.
able enough and whether the consequences of such voiding can be tolerated is the major safety issue that must be resolved before these reactor designs could be licensed.
The simultaneous and sudden loss of both main circulation pumps, without scram, in a reactor module might cause significant sodium boiling and a reactivity increase.
If the positive voiding coefficient is to be accepted, such events must be shown to be of extremely low probability.
We believe that additional design and safety analysis work is needed in this area.
Other Reactivity Coefficients
The satisfactory performance of the system in certain low probability transients is very dependent on the changes in core reactivity with variations in power in the core geometry.3 temperature, and flow that can make subtle changes between the calculated response and unacceptable responses.
A considerable design and development effort will be necessary to assure that response of the core will be acceptable over a wide range of potential challenges.
Scram Systems
The SAFR design includes two sets of control rods either of which can independently shut down the reactor in response to a scram signal and maintain it subcritical.
loss of holding power in a special clutch containing a magnet.On Abnormally high sodium temperature, greater than 1050°F, would cause the Curie point temperature of the magnet to be exceeded.
We note, however, that this feature depends on there being maintained a sufficient flow of sodium coolant over the magnet.
This flow must be assured if automatic shutdown is to be assured.
Neither of the control rod systems is fully safety grade.
Apparently, the systems do have some of the most important features of safety grade systems, e.g., tolerance of single failures.
While we agree that grade is not a guarantee of high reliability, we su nation of a system as fundamentally important as a scram system as non-safety grade is flouting not only convention but good sense.
Use of PRA
The NRC staff seems to have been disappointed in the extent to which PRA has been useful in reviewing the design of SAFR, as well as the earlier review of the PRISM and MHTGR.
developed in so little detail that risk analysts have little to work with and the benefits of the analysis are limited.
Decision makers should regard with caution quantitative claims of high safety performance for reactor systems still at the conceptual design stage.
Containment
Although a secondary vessel is provided to contain leakage of sodium coolant, the SAFR design does not include a conventional containment capable of resisting high temperatures and pressures.
It is contended that the potential for accidents, for which such a containment might provide mitigation, is so low that a conventional containment is not needed.
Both deterministic and probabilistic arguments are made in support of this contention.
Although these arguments have technical merit, we are not yet convinced.
Our position is as stated in our report to you of July 20, 1988 on the key licensing issues associated with DOE-sponsored reactor designs and our report to you of October 13, 1988 on the preapplication safety evaluation report for the Modular High Temperature Gas Cooled Reactor.
However, there is a problem in specifying containment design criteria.
One reason for providing a strong physical containment is to protect the public against unforeseen accidents. But, precisely because they are not foreseen, the design requirements for a containment are not obvious.
Therefore, engineering and policy judgments must be made about the need for, and nature of, containment that might be used with SAFR.
We believe that further study is appropriate before final judgments are made.
Individual Rod Worth
There are two shutdown systems utilized in SAFR.
Neither is currently safety grade. The automatic plant trip system can drive in all six of the primary control rods, which have a net reactivity worth of about ten dollars.
It can also interrupt power to the electromagnetic latch and drop three secondary control rods, with a net reactivity worth of about seven dollars.
The minimum number of primary control rods needed for reactor shutdown is two out of the six to insert about three dollars.
The secondary system needs but one rod (about 2.2 dollars) to enter the core.
With this very large reactivity worth for each rod there is a potential for serious consequences from a rod ejection accident.
We believe that this requires further study.
Need for Local Flow and Temperature Monitoring
The SAFR safety analysis indicates that blockage of flow through one fuel assembly may damage that assembly, but will not damage adjacent assemblies.
Early work with oxide fuel has demonstrated that propagation is unlikely, but experiments and analysis with metal fuel have not been as extensive.
Especially because the design does not provide for monitoring flow and effluent temperature from individual assemblies, we believe that this requires further study.
Role of the Operator
We believe that insufficient attention has been given to the role of the operator. Claims that a SAFR plant would have such inherently stable and safe characteristics that the operator will have essentially no safety function are unproven.
Operation of four reactors, possibly in several different operational states at any given time, may be a significant challenge for the small operations crew envisioned. Opportunities for cognitive error, which might defeat favorable safety characteristics of the reactor, might be more abundant than is now recognized.
Further study is needed.
Other Operational Considerations
In addition, certain features that have been found to be desirable in LWR plants are not provided in the SAFR design.
Although remote shutdown capability is provided, it appears to lack some of the attributes of such systems in current LWR plants.
Also, the design does not include Class 1E AC electric power systems, but relies entirely on Class 1E DC power from batteries.
We recommend that further consideration be given to the potentially large power needs of essential auxiliary functions such as space cooling.
Protection Against Sabotage
With regard to the need for designing protection against sabotage, the following statement from our report of July 20, 1988 should be given early consideration as the design of this plant progresses:
"It is often stated that significant protection against sabotage can be inexpensively incorporated into a plant if it is done early in the design process.
Unfortunately, this has not been done consistently because the NRC has developed no guidance or requirements specific for plant design features, and there seems to have been no systematic attempt by the industry to fill the resulting vacuum.
We believe the NRC can and should develop some guidance for designers of advanced reactors.
It is probably unwise and counterproductive to specify highly detailed requirements, as those for present physical security systems, but an attempt should be made to develop some general guidance."
Sodium Fires
Further study of the potential for and suppression of sodium fires and consideration of their possible consequences is needed.
Such studies should include the possibility of fires resulting from earthquake effects.
Sincerely,
Forrest J. Remick
Chairman
References:
1. Office of Nuclear Regulatory Research, "Safety Evaluation Report for the Sodium Advanced Fast Reactor (SAFR)," November 9, 1988 (Predecisional Draft).
2. Rockwell International (DOE contractor), AI-DOE-135?7, "SAFR Preliminary Safety Information Document," Volumes I through III, October 1985.