ML20247D661
| Person / Time | |
|---|---|
| Issue date | 06/30/1989 |
| From | Szukiewicz A, NRC Office of Nuclear Regulatory Research (RES) |
| To | |
| References | NUREG-1217, NUDOCS 8907250271 |
Safety Implications of Control Systems in LWR Nuclear Power Plants
Technical Findings Related to USI A-47
Final Report
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
A. J. Szukiewicz
AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
NUREG-1217

Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants
Technical Findings Related to USI A-47
Final Report

Manuscript Completed: November 1988
Date Published: June 1989

A. J. Szukiewicz
Division of Safety Issue Resolution
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555
Abstract

This report summarizes the work performed by the Nuclear Regulatory Commission (NRC) staff and its contractors, Idaho National Engineering Laboratory, Oak Ridge National Laboratory, and Pacific Northwest Laboratory, leading to the resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The technical findings and conclusions presented in this document are based on the technical work completed by the contractors. The principal documents that contain the technical findings and conclusions of the contractors who worked on USI A-47 are summarized in Appendix B.

An in-depth evaluation was performed on non-safety-related control systems (see Section 1) that are typically used during normal plant operation on four nuclear steam supply system plants: a General Electric Company boiling-water reactor, a Westinghouse 3-loop pressurized-water reactor (PWR), a Babcock & Wilcox Co. (B&W) once-through steam generator PWR, and a Combustion Engineering PWR design. A study was also conducted to determine the generic applicability of the results to the class of plants represented by the specific plants analyzed. Generic conclusions were then developed.

Steam generator and reactor vessel overfill events and reactor vessel overcooling events were identified as major classes of events having the potential to be more severe than previously analyzed. Specific subtasks of this issue were to study these events to determine the need for preventive and/or mitigating design measures.

This report describes the technical studies performed by the laboratories, the NRC staff assessment of the results, the generic applicability of the evaluations, and the technical findings resulting from these studies.

This final report contains the staff's responses to, and resolution of, the public comments that were solicited and received before September 16, 1988 in response to the draft reports issued for public comment on May 27, 1988.
Contents

Abstract
Acknowledgements
Abbreviations
1 Statement of the Issue
2 Approach
2.1 Selection of Plants
2.2 Limitations and Assumptions
2.3 USI A-47 Program Overview
2.4 Review Procedures
2.4.1 Criteria Development
2.4.2 Systems Level Failure Mode and Effects Analyses
2.4.3 Thermal-Hydraulic Transient Analyses
2.4.4 Literature Search
2.4.5 Failure Analyses of Significant Control System Failures
3 Results of the INEL and ORNL Studies
3.1 Potentially Significant Control System Failure Scenarios
3.1.1 GE BWR Plant Design
3.1.2 W 3-Loop PWR Plant Design
3.1.3 B&W PWR Plant Design
3.1.4 CE PWR Plant Design
3.2 Literature Search
3.2.1 GE BWR Plants
3.2.2 W 3-Loop PWR Plants
3.2.3 B&W PWR Plants
3.2.4 CE PWR Plants
4 Generic Applicability
4.1 GE BWR Plants
4.1.1 Overfill Events at Power Resulting From Failures in the Reactor Vessel High-Water-Level Feedwater Trip System
4.1.2 Overfill and Overcooling Events During Low-Pressure Startup and Shutdown Operations
4.2 W 3-Loop PWR Plants
4.2.1 Overfill Events Resulting From a Sustained Operation of the Auxiliary Feedwater Flow
4.2.2 Overfill Events Resulting From Failures in the Steam Generator High-Water-Level Feedwater Trip System
4.2.3 Overcooling Events During Hot Shutdown and Full-Power Operation
4.2.4 Overpressure Events During Low-Temperature and Low-Pressure Shutdown or Startup Operating Conditions
4.2.5 Control System Failures Aggravating a Steam Generator Tube Rupture Event
4.3 B&W PWR Plants
4.3.1 Overfill Events Resulting From Failures in the Steam Generator High-Water-Level Main Feedwater Trip System
4.3.2 Overheating Events Resulting From Steam Generator Dryout
4.4 CE PWR Plants
4.4.1 Overfill Events Resulting From Operator Errors During a Steam Generator Overfeeding Event
4.4.2 Overheating Events and Possible Pressurized Thermal Shock Events Resulting From Operator Errors During Small-Break Loss-of-Coolant Accidents
5 Summary and Conclusions
6 References
Appendix A: Other Related Studies, Programs, and Issues
Appendix B: Summary of the Principal Documents Used for USI A-47 Study
Appendix C: Staff Resolution of Public Comments

Figure

2.1 USI A-47 program overview

Tables

2.1 Control system screening criteria used by INEL to identify potentially significant control system failures on the GE BWR reference plant design
2.2 Control system screening criteria used by INEL to identify potentially significant control system failures on the W 3-loop PWR reference plant design
2.3 Control system screening criteria used by ORNL to identify potentially significant control system failures on the B&W and CE PWR reference plant designs
3.1 Potentially significant failure scenarios in a representative GE BWR
3.2 Potentially significant failure scenarios in a representative W 3-loop PWR
3.3 Potentially significant failure scenarios in a representative B&W PWR
3.4 Potentially significant failure scenarios in a representative CE PWR
Acknowledgements

The technical findings relevant to Unresolved Safety Issue A-47, "Safety Implications of Control Systems," which are presented in this report, represent the combined efforts of staffs at the Nuclear Regulatory Commission (NRC), Idaho National Engineering Laboratory (INEL), Oak Ridge National Laboratory (ORNL) (and ORNL's subcontractor Science Applications Inc. [SAI]), and Pacific Northwest Laboratory (PNL). The following individuals deserve special mention for their participation and contributions:

N. Anderson, NRC/RES
W. Bickford, PNL
S. Bruske, INEL
W. Hodges, NRC/NRR
E. Iantz, NRC/NRR
A. McBride, SAI
C. Ransome, INEL
R. Stone, ORNL
A. Tabatabai, PNL
Abbreviations

ACRS    Advisory Committee on Reactor Safeguards
ADV     atmospheric dump valve
AEOD    Office for Analysis and Evaluation of Operational Data
AFW     auxiliary feedwater
ATWS    anticipated transients without scram
B&W     Babcock & Wilcox Co.
BWOG    B&W Owners Group
BWR     boiling-water reactor
CE      Combustion Engineering
CFR     Code of Federal Regulations
CSF     control system failure
ECC     emergency core cooling
ECCS    emergency core cooling system
EFW     emergency feedwater
FMEA    failure mode and effects analysis
FSAR    final safety analysis report
GDC     general design criteria
GE      General Electric Co.
HPI     high pressure injection
IEEE    Institute of Electrical and Electronics Engineers
INEL    Idaho National Engineering Laboratory
LCO     limiting condition(s) for operation
LER     licensee event report
LOCA    loss-of-coolant accident
LPCI    low-pressure coolant injection
LTOP    low-temperature overpressure
MFW     main feedwater
MMS     modular modeling system
MSIV    main steam isolation valve
MSLB    main steamline break
NRC     U.S. Nuclear Regulatory Commission
NSS     nuclear steam system
NSSS    nuclear steam supply system
ORNL    Oak Ridge National Laboratory
PNL     Pacific Northwest Laboratory
PORV    power-operated relief valve
PRA     probabilistic risk analysis
PTS     pressurized thermal shock
PWR     pressurized-water reactor
RCS     reactor coolant system
SAI     Science Applications Inc.
SAR     safety analysis report
SBLOCA  small-break LOCA
SGTR    steam generator tube rupture
SIAS    safety injection actuation signal
SRV     safety/relief valve
TBV     turbine bypass valve
TMI     Three Mile Island
UCLA    University of California at Los Angeles
USI     unresolved safety issue
W       Westinghouse Corp.
1 Statement of the Issue

Nuclear power plant instrumentation and control systems comprise safety-related protection systems and non-safety-related control systems. The safety-related protection systems are designed to satisfy the general design criteria (GDC) identified in 10 CFR Part 50 and are used to (1) trip the reactor whenever certain specific parameters exceed allowable limits, (2) protect the core from overheating by initiating the emergency core cooling systems, and (3) actuate other safety systems such as the closure of main steam isolation valves or opening of the safety or relief valves to maintain the plant in a safe condition. Non-safety-related control systems are used to maintain a nuclear plant within prescribed level, pressure, and temperature limits during shutdown, startup, and normal power operation. Non-safety-related control systems are not relied on to perform any safety functions during or following postulated accidents. They are used to control plant processes that could have a significant impact on the plant dynamics. Non-safety-related control systems include, but are not limited to: (1) reactivity control systems; (2) reactor coolant pressure, temperature, level, and flow control systems; and (3) inventory control systems (such as feedwater and borated water controls). In addition, they include secondary system pressure and flow controls (pressurized-water reactor [PWR]) as well as associated support systems, such as electric, hydraulic, and pneumatic power supply systems. The non-safety-related control systems are not required to be designed to satisfy the GDC.

During the licensing review processes, the U.S. Nuclear Regulatory Commission (NRC) performs an audit review on the non-safety-related instrumentation and control systems on a case-by-case basis. Although this audit review is not conducted to the same degree as the review of the safety systems, the review provides confidence that an adequate degree of separation and independence is provided between these non-safety-related systems and the safety-related protection systems. The audit review also provides confidence that misoperation or failure of non-safety-related control systems does not result in transient conditions more severe than conditions assumed in the bounding analyses reported in the plant safety analysis report (SAR).

Events that licensees are required to address are specified in Chapter 15 of the Standard Review Plan (NRC, NUREG-0800). These events include, but are not limited to:

(1) feedwater system malfunctions that result in a decrease or an increase in the feedwater flow (including the loss of normal feedwater flow)

(2) steam pressure regulator malfunctions or failures that result in an increase or a decrease in the steam flow (including the turbine trip event)

(3) spectrum of reactivity addition events

(4) chemical and volume control malfunctions that increase the reactor coolant inventory or decrease the boron concentration

Because non-safety-related control systems are only audited as part of the licensing review, there may exist some potential (which an audit review did not disclose) for accidents or transients developing into more severe events than previously analyzed, if compounded by non-safety-related control system failures.

These system failures or malfunctions may occur independently or as a result of an accident or transient. Concerns have previously been identified (NRC [AEOD], 1980; NUREG-0153) in which a failure or malfunction of the non-safety-related control system can (1) potentially cause a steam generator or reactor vessel to overfill (see AEOD report) or (2) can lead to a transient (in PWRs) in which the vessel could be subjected to severe overcooling (see NRC, SECY-82-465). In addition, the potential exists for a single failure (such as a loss of power supply, a short circuit, an open circuit, a control sensor failure) or for multiple failures resulting from a common cause failure to cause a malfunction of one or more control systems which could lead to an undesirable control system response, or could provide misleading information to the plant operators.

The purpose of the Unresolved Safety Issue (USI) A-47 study is to perform a more in-depth review of the non-safety-related control systems and to (1) evaluate the need for modifying control systems in operating reactors, (2) verify the adequacy of current licensing requirements identified in Section 7.7 of the Standard Review Plan (NRC, NUREG-0800), and (3) evaluate the need for additional guidelines and criteria to ensure that non-safety-related control system failures do not pose unacceptable public risk. To this end, tasks were established to identify control systems whose failure could (1) cause transients or accidents to be potentially more severe than those identified in the final safety analysis report (FSAR) and previously analyzed, (2) adversely affect any assumed or anticipated operator action during the course of transients or accidents, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents to occur at a frequency in excess of those established for abnormal operational transients and design-basis accidents.
It should be noted that the focus of the USI A-47 review was directed to identify and evaluate control system failures that could cause transients or accidents to be potentially more severe than those identified in the FSAR. Control system failure-induced transients that were bounded by the FSAR analysis were not considered significant failures for this review. These transients were evaluated, but if they were determined to be adequately mitigated by safety-related systems or if sufficient time was available for the transients to be mitigated by subsequent operator action and not exceed the bounding analyses, they were not considered to pose an important risk to public health and safety.

Because control systems are an integral part of plant operations, failures in these systems have historically caused plants to shut down or to actuate safety systems. Challenges to the safety systems could represent a small but potentially significant fraction of the overall plant risk. This fact has been demonstrated in plant probabilistic risk assessments that have been performed to date. As a result of plant-specific analyses that have exposed unique vulnerabilities to severe accidents, some plants have modified their designs. Generally, undesirable contributions to risk have been reduced to acceptable levels by changing procedures or modifying designs. The Commission plans to formulate an integrated systematic approach to examine the design of each nuclear power plant now operating or under construction for significant risk contributors. Once NRC and the nuclear industry have developed a method of analysis, every nuclear power plant that has not yet been appropriately examined will be studied, and any changes that are needed will be made to ensure that no excessive risk is posed to public health and safety (NRC, NUREG-1070).

The section that follows, "Approach," describes (1) the approach used to review non-safety-related control systems, (2) the limitations and assumptions made, and (3) the methods developed and the activities performed. Section 3 describes the results of the individual plant reviews and identifies the control system failure scenarios determined to be potentially safety significant. Section 4 discusses the generic applicability of the plant-specific reviews of the reference plants, Section 5 presents the staff's conclusions, and Section 6 lists the references cited in this report. Appendix A provides a summary of other NRC and industry studies, programs, and issues related to USI A-47. In Appendix B, the principal documents underlying the resolution of USI A-47 are summarized. Appendix C contains the staff's responses to, and resolution of, the public comments that were solicited and received before September 16, 1988, in response to the draft reports issued for public comment on May 27, 1988.
2 Approach

2.1 Selection of Plants

Three pressurized-water-reactor (PWR) plant designs and one boiling-water-reactor (BWR) plant design were selected for the review of non-safety-related control systems. These reference plants are specific designs from each of the four major nuclear steam supply system (NSSS) vendors: Babcock & Wilcox Co. (B&W), Westinghouse Corp. (W), Combustion Engineering Co. (CE), and General Electric Co. (GE). A major factor in the selection of the reference plants was the quality and quantity of plant-specific design information available to the NRC staff. In addition, the three PWR designs were already being evaluated in the study of USI A-49, "Pressurized Thermal Shock," and a significant amount of information obtained in that study could be utilized. The BWR plant was selected because a considerable amount of design information was available from other NRC projects. Also, an existing thermal-hydraulic computer model was available for this plant.

The reference plant designs were reviewed by two national laboratories. Two of the PWR plants, representing B&W and CE designs, were evaluated by Oak Ridge National Laboratory (ORNL) (NRC, NUREG/CR-3692, -4047, -4265 (Vols. 1 & 2), and -4449). The other two plant designs, a GE BWR and a W PWR design, were evaluated by Idaho National Engineering Laboratory (INEL) [NRC, NUREG/CR-4262 (Vols. 1 & 2), and -4326 (Vols. 1 & 2)]. The risk analyses for potentially significant control system failures were performed by Pacific Northwest Laboratory (PNL) (NRC, NUREG/CR-3958, -4385, -4386, and -4387). Appendix B summarizes the content of the principal documents used for this review.

2.2 Limitations and Assumptions

To perform a systematic review of control system failures it became quickly evident that the scope of the review had to be confined. The type of events and the type, number, and combinations of possible control system failures were therefore limited. In order to keep the review at a manageable level, limitations and assumptions had to be made. These limitations and assumptions and their bases are discussed below.

(1) Non-safety-related control system failures would not cause simultaneous failure of both redundant trains of safety-related protection systems. This assumption implies that a minimum number of safety-related protection systems would be available for (a) actuation of the reactor trip system, (b) actuation of the overpressure protection system, and (c) initiation of the minimum number of required emergency core cooling (ECC) systems, if needed during a control system failure transient. This assumption is considered valid on the basis that adequate separation and independence is required to be provided between the non-safety-related control systems and the safety-related protection systems. Independence is provided by verifiable isolation devices located between safety-related and non-safety-related systems and/or by physically locating the safety systems in separate areas and routing the electrical cables in separate raceways throughout the plant. The staff audits the safety-related systems (audit reviews) as part of the licensing review process to ensure that an adequate degree of separation and independence has been provided. Also, as part of the A-47 program, a literature search was conducted to review the operating history of control system failures. The purpose of the review, in part, was to identify any control system failures that could cause a failure in both safety-related protection systems. The staff's review (see Section 3.2 of this report) did not identify any such failures. In addition, as part of the USI A-17 systems interactions program, spatial interactions between safety-related systems and non-safety-related systems were considered. Any identified interactions between safety-related systems and non-safety-related control systems were evaluated as part of that program and are not included in the scope of the USI A-47 review.

(2) External events such as earthquakes, floods, fires, and sabotage have not been considered in this study. Multiple control system failures were evaluated to assess the effects of common-cause failures on the plant. However, the review was limited to selected combinations of control system failures. Not all [illegible] as a result of these external events were reviewed in detail. An attempt was made to select those failure scenarios that would bound the dynamic effects of a number of control system failures. System failures were evaluated for automatic and manual modes of operation and at different reactor power levels that included low, intermediate, and full-power operation.

It should be noted that evaluations have been performed by the staff and the utilities to assess the plant's ability to achieve safe shutdown during these external events. Fire protection reviews for all operating plants have also been performed to ensure conformance to 10 CFR Part 50, Appendix R, and to evaluate the plant's ability to cope with fires and flooding in different cable trays as well as in different areas of the plant. These reviews evaluated the effects of fires and flooding in control-grade as well as protection-grade equipment.

Also, as part of the USI A-46 activities, control-grade and protection-grade equipment are evaluated to assess their seismic ruggedness and ensure that plants have the ability to achieve safe shutdown after a design-basis seismic event (see item 2 in Appendix A to this report).

(3) Operator errors of omission or commission were not addressed in this review. Operating procedures for the important transients were reviewed. An assessment was made to determine whether operating procedures (to mitigate the transients of concern) were written so that the operator could perform the task in the time allowed. An evaluation was also performed to determine whether there was sufficient information (i.e., alarms and/or indications) available in the control room for the operator to assess the conditions in the plant at the time of the event. In some cases, early recognition of transients was necessary. Given early recognition, there were actions that the operator could take to mitigate these events. For the purposes of developing the failure scenarios and analyzing resulting transients on the plant model, two of the four reviews assumed no operator action for the first 10 minutes into the transient. The other plant reviews evaluated operator action on the basis of available time for action during each transient. For the risk-analysis phase evaluating the core-melt frequency, operator action for all plants reviewed was determined on the basis of available time for action during each significant transient identified.

(4) Transients resulting from control system failures during limiting conditions for operation (LCO) (for example, systems deliberately disabled for a short time for testing and/or maintenance) were not considered in the review.

(5) The processes used to modify and to maintain control systems were not considered in this review.

(6) Anticipated transients without scram (ATWS) were not considered in the review. A separate generic study (NRC, NUREG-0460) was conducted to address this issue. On July 26, 1984, Title 10 of the Code of Federal Regulations (CFR) was amended to include Section 50.62 (ATWS rule), which requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients and to mitigate the consequences of an ATWS event.

(7) Control system failures that could lead to failures of liquid tanks located outside the containment and to fuel-handling accidents (for example, spent fuel or accidents involving waste disposal systems) were not considered in this review. These systems do not usually interact with control systems that are used during normal plant operations.

(8) Individual utilities had to address IE Bulletin 79-27, "Loss of Non-Class IE Instrumentation and Control Power System Bus During Operation," and to modify their plants appropriately in order to ensure that the operator would be able to achieve cold shutdown conditions after a loss of power of a single bus to instrumentation and controls in systems used in attaining cold shutdown. A reevaluation of IE Bulletin 79-27 regarding the consequences of a loss of power to the instrumentation and control systems is currently being performed for all B&W-designed operating plants (see item 5 in Appendix A to this report).

(9) The items of NUREG-0737, "Clarification of TMI Action Plan Requirements" (November 1980), were implemented or committed to be implemented on individual plant designs, including but not limited to Items II.E.1.1, II.E.1.2, II.K.2.2, II.K.2.9, and II.G.1.

2.3 USI A-47 Program Overview

Figure 2.1 summarizes the A-47 program and identifies that program's major activities. Both INEL and ORNL concentrated on identifying control system failures that could lead to:

(1) steam generator (reactor vessel) overfill events

(2) reactor vessel overcooling events

(3) reactor core overheating events

(4) events or accidents that could be more severe than those previously analyzed in the FSAR

Steam generator and reactor vessel overfill and reactor vessel overcooling events have been identified previously as potentially significant transients that could lead to unacceptable consequences. Review of how control system failures contribute to these events was, therefore, a major part of the program. The methodology developed during this phase of the review was then applied to identifying and evaluating control system failures contributing to reactor core overheating events and events or accidents that could be more severe than those previously analyzed in the FSAR.
Figure 2.1 USI A-47 program overview
The goal of the review was to identify the non-safety-related control systems whose failure or misoperation could:

(1) cause transients or accidents identified in the FSAR analysis of the reference plants to be potentially more severe than previously analyzed
(2) adversely affect any assumed or anticipated operator action during the course of a particular event
(3) cause technical specification safety limits to be exceeded
(4) cause transients or accidents to occur at a frequency in excess of the values established for abnormal operational transients and design-basis accidents
(5) cause frequent challenges to the protection systems

INEL and ORNL developed similar approaches for evaluating control systems. Each approach consisted of several activities conducted in parallel:

(1) Selection criteria for choosing important systems and important failure sequences were developed.
(2) Failure mode and effects analyses were performed for all control systems in each reference plant to (a) identify systems that had the potential to affect the events of concern (for example, overfill, overcooling, overheating) and (b) identify the failure modes that would aggravate the events.
(3) A literature search was conducted to review the operating history of selected plants and identify system failures that adversely affected plant safety.
(4) Thermal-hydraulic computer models (for each reference plant design) were developed with sufficient detail of the plant systems and control systems design to simulate the dynamic responses of the plant during transient conditions.
(5) Analysis was verified by comparing selected transient response calculations with actual plant data and other independent analyses using accepted and verified codes.

Credible combinations as well as some highly unlikely failure combinations of systems were analyzed to identify important control system failure sequences and to evaluate their consequences. Non-safety-related control system failures were evaluated for automatic and manual modes of operation and at different reactor power levels (low, intermediate, and full-power operations) in order to determine the bounding conditions. The sequences that satisfied the selection criteria were analyzed to identify component failures (including component failures in support systems). Failure mechanisms were identified and estimates of failure frequencies were derived from generic failure-rate data. Estimates of failure frequencies were also related to specific plant failure data when available.

Safety-significant control system failures identified by INEL and ORNL are described in Section 3.

PNL performed a probabilistic risk analysis on all significant failure sequences that were identified. The importance of these sequences was determined according to their expected contribution to risk.

For the more risk-significant failure sequences, plant modifications were evaluated and the potential risk reduction and cost for these modifications were estimated.

A typical steamline configuration was analyzed (insofar as stress) to evaluate the dynamic effects of overfill events. These studies were performed by INEL through its subcontractor CREARE R&D Inc.

Evaluations were made to assess the generic applicability of the review. This review was conducted in two steps: (1) assessing whether the thermal-hydraulic characteristic of different plants (of the same vendor) were similar to the reference plants and (2) assessing whether control and safety systems of different plants (of the same vendor) are sufficiently similar.

2.4 Review Procedures

INEL and ORNL employed similar methods and procedures to review the control systems. Differences were noted in the initiating mechanism for each type of transient evaluated, and in the number of control system failure combinations analyzed. These differences are related to the collective judgments made by the reviewers conducting the evaluations at each laboratory and the process used to select the failure scenarios. These procedural differences are not significant.

2.4.1 Criteria Development

The following events for BWRs and PWRs were considered in identifying potentially significant control systems. These events were selected using the collective experience and judgment of the NRC staff and its consultants. Control systems whose failure could contribute to the listed events were identified by performing systems level failure mode and effects analyses (FMEAs) and were selected for detailed review as described in the following sections.

(1) BWR Events
(a) increases and decreases in reactor coolant inventory
(b) increases in reactor heat removal
(c) increases in reactor vessel pressure
(d) increases in reactor core positive reactivity
(e) increases and decreases in reactor core recirculation flow

(2) PWR Events
(a) increases and decreases in steam generator inventory
(b) increases and decreases in heat removal by the secondary system
(c) anomalies in reactivity and power distribution
(d) decreases in reactor coolant system flow rate
(e) increases and decreases in reactor coolant system inventory

Tables 2.1, 2.2, and 2.3 list the screening criteria used by INEL and ORNL to identify potentially significant control systems.

2.4.2 Systems Level Failure Mode and Effects Analyses

A systems level FMEA was performed on all major plant systems for each reference plant design to identify systems and their failure modes that could potentially cause or contribute to the events listed above [Section 2.4.1(1) and (2)]. Systems that did not contribute to these events were deleted from further review. During this stage of review, both non-safety-related systems and safety-related systems were addressed. The criteria (Tables 2.1, 2.2, and 2.3) were interpreted broadly during the selection process to ensure that all systems that could contribute to the events of concern were identified, regardless of their relative effect. The effects of the failure of support systems (e.g., loss of air and loss of power supply) were also considered in this phase of the review.

2.4.3 Thermal-Hydraulic Transient Analyses

Thermal-hydraulic transient analyses were conducted using computer models developed for each of the reference plant designs.

Computer models included the nuclear steam supply systems, the balance-of-plant systems, the safety-related reactor protection systems, and the major non-safety-related control systems designed to control pressure, temperature, flow, and flux. The control logic necessary to automatically actuate the safety-related and control-grade protection systems and/or components was included.

For the INEL analysis, RELAP 5/Mod 1.6 was used for both the GE and the W reference plant designs.

For the ORNL analysis, the computer model used for the B&W reference plant consisted of an analog model of the integrated control system coupled to a digital thermal-hydraulic model of the major reactor components and systems. This hybrid model (NRC, NUREG/CR-4449) used a number of different codes to model the various components and subsystems in the design. The codes most

For the CE reference plant design review, ORNL used the following plant models.

(1) a RETRAN model of Calvert Cliffs Nuclear Power Plant, Unit 1 (developed principally by CE for the Baltimore Gas & Electric Company and modified by ORNL [NRC, NUREG/CR-4758] to include the necessary control and balance-of-plant system designs), and
(2) a modular modeling system (MMS) computer code adapted to the Calvert Cliffs design.

The MMS model was developed as a backup in the event the RETRAN model might not be available. Subsequently, it was used for several transient simulations but was not needed for the design review.

Control system failures identified during the FMEA were represented in the thermal-hydraulic analysis. Single failures as well as multiple failures of systems such as loss of power to the control systems were evaluated to assess their effect on the transient behavior of the plant. It was not necessary in all cases to use the thermal-hydraulic model to evaluate the effects of every system failure identified by the FMEA. Engineering judgment limited the numbers and kinds of transients that were analyzed. Selection of the type and number of system failures evaluated was an iterative process. That is, the selection of system failures was highly dependent on the results of previous analyses. In selecting credible single-failure and multiple-failure scenarios for analysis, engineering judgment prevailed. In some cases (more extensively in the reviews of the GE and the W designs), highly unlikely combinations of multiple failures were selected for analysis. These combinations were chosen to select system failure combinations that could have the most significant effect on the events of concern. If these selected multiple failures resulted in acceptable plant transients, many other (less severe) failure combinations could be
eliminated from consideration. Failure combinations were also selected to assess the effects of potential common-mode failures of the more important systems.

If unlikely failure combinations resulted in significant plant transients, the failure modes were then analyzed to determine how credible these failure combinations were and to estimate the frequency of such failures.

Combinations of system failures under various normal plant conditions (i.e., startup, shutdown, and power operation) and accident conditions were analyzed. Failures that were considered for selecting worst-case or bounding transients included the following:

(1) single and multiple failure of safety-related protection systems (evaluated only on GE and W designs)
Some single failures in safety-related protection systems could produce more severe transients than those caused by combined failures of various non-safety-related control systems. In many cases, including the effects of safety-related protection failures bounded the effects of a number of non-safety-related control system failure combinations and therefore minimized the number of non-safety-system failure combinations that needed to be analyzed by computer simulation.
(2) single failures of non-safety-related systems
(3) multiple dependent failures of safety-related protection systems and non-safety-related systems resulting from a single event such as loss of a support system
(4) multiple independent system failures

Loss of ac and dc electric power supply systems and air systems was considered in the review. When multiple control system failures were identified that could occur as a result of a loss of a single electrical bus or a single air supply system or common sensing lines, they were analyzed. For certain systems, if it was not apparent from the available information whether or not they could fail simultaneously as a result of loss of power, multiple (dependent) failures were postulated. If these failures resulted in significant plant transients, the failure modes would then be analyzed to determine if these failures were credible.

For certain events, multiple independent failures of non-safety-related systems (and safety-related systems for the GE and the W review) were also evaluated. These analyses were performed in part to verify the dynamic plant response to failures that were assumed in the FSAR analysis (that is, a single failure of a safety-related system concurrent with loss of a single non-safety-related system) and in part to assess combinations of control system failures that might occur on other plants as a result of a common-cause failure resulting from unique design configurations. The number of control system failure combinations that were analyzed were minimized by selecting only those combinations that would have the greatest impact on plant parameters (e.g., flow, pressure, and level). These combinations were judged to be the "worst case" scenarios. If these combinations resulted in acceptable plant transients, other (less severe) failure combinations could be eliminated from consideration.

2.4.4 Literature Search

The literature was searched to identify and evaluate transients or accidents initiated by failures related to control and instrument systems. Licensee event reports (LERs) and nuclear plant experience reports were reviewed to identify and select candidate scenarios for transient analysis. Control system failures from these reports were screened to identify those failures that could (1) adversely affect operator actions, (2) result in the actuation of protection systems, (3) cause technical specification safety limits to be exceeded, and (4) cause transients or accidents designated as moderate or infrequent events to occur more frequently than prescribed. Also, the LERs were used to assess if control system failures (shown by analysis not to be a problem on the reference plant) might be of concern at other plants. Data on control and instrument failures from 1969 through 1985 were reviewed by the laboratories. ORNL data were supplemented by additional data provided by the University of California at Los Angeles (UCLA) (Alter and Okrent, 1983). UCLA staff visited seven plant sites, gathering operating experience and reviewing station records.

2.4.5 Failure Analyses of Significant Control System Failures

Failures that met the selection criteria (refer to Tables 2.1, 2.2, and 2.3) were considered to be safety significant. Analyses were performed to identify the credible failure mechanisms that could cause the events of concern. Probability was also estimated for each identified failure mechanism and for the resulting failure scenarios that could cause the events of concern. The results of these reviews are described in Section 3.
Table 2.1 Control system screening criteria used by INEL to identify potentially significant control system failures on the GE BWR reference plant design

(1) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in reactor coolant inventory to the point at which moisture enters the main steamlines, will be selected for a detailed review. For this study, the point of overfill is defined as that level which, if exceeded, could cause significant water to carry over into the main steamlines.
(2) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired decrease in reactor vessel inventory beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.
(3) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in heat removal beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review. System failures that could lead to cooldown rates in excess of 100F° in an hour were identified as potentially significant failures during the transient analysis phase of the review.
(4) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in reactor vessel pressure beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.
(5) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase or decrease in reactor core coolant flow beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.
(6) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in positive reactivity beyond the bounds of the Browns Ferry FSAR analysis, will be selected for a detailed review.
(7) Any control-grade system or component failures projected to cause transients identified as incidents of moderate frequency (anticipated operational occurrences) to occur more frequently than once a year, or failures which are projected to cause transients identified as infrequent incidents to occur more than once during the lifetime of a plant, or failures which are projected to cause limiting faults (design-basis accidents) will be selected for a detailed review.
(8) Any control-grade system or component failures that would adversely affect any assumed or anticipated operator action or operation of automatic protection systems during the course of a particular event, or that would result in frequent manual or automatic actuation of engineered safety features, including the reactor protection system, or that would result in exceeding any technical specification safety limit, will be selected for a detailed review.
Table 2.2 Control system screening criteria used by INEL to identify potentially significant control system failures on the W 3-loop PWR reference plant design

(1) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in steam generator water level to the point at which moisture enters the main steamlines, will be selected for a detailed review. For this study, the point of overfill is defined as that level which, if exceeded, could cause significant water to carry over into the main steamlines.
(2) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase or decrease in reactor coolant inventory beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.
(3) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired decrease in reactor coolant water temperature beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review. System failures that could lead to cooldown rates in excess of 100F° in an hour were identified as potentially significant failures during the transient analysis phase of the review.
(4) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in nuclear system pressure beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.
(5) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired decrease in reactor core coolant flow beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.
(6) Any control-grade system or component failure, either initiating or aggravating, that results in an undesired increase in positive reactivity beyond the bounds of the H. B. Robinson FSAR analysis, will be selected for a detailed review.
(7) Any control-grade system or component failure, aggravating a steam generator tube rupture causing a release of radioactive material to the atmosphere greater than the FSAR analysis calculated, will be selected for a detailed review.
(8) Any control-grade system or component failures projected to cause transients identified as incidents of moderate frequency (anticipated operational occurrences) to occur more frequently than once a year, or failures which are projected to cause transients identified as infrequent incidents to occur more than once during the lifetime of a plant, or failures which are projected to cause limiting faults (design-basis accidents) will be selected for a detailed review.
(9) Any control-grade system or component failures that would adversely affect any assumed or anticipated operator action during the course of a particular event, or that would result in frequent manual or automatic actuation of engineered safety features, including the reactor protection system, or that would result in exceeding any technical specification safety limit, will be selected for a detailed review.
Table 2.3 Control system screening criteria used by ORNL to identify potentially significant control system failures on the B&W and CE PWR reference plant designs

(1) Identify nuclear plant systems with potential to initiate or aggravate steam generator overfill. Such systems would be those whose failure or misoperation can introduce feedwater in amounts sufficient to fill the steam generator to the degree that water enters the steamlines.
(2) Identify nuclear plant systems with the potential to initiate or aggravate overcooling the primary system. Such systems would be those whose failure or misoperation can lead to uncontrolled primary heat removal at rates greater than the rate of heat production to the extent where safety limits are challenged. System failures that lead to extended cooldown rates in excess of 100F° in an hour were identified as potentially significant failures during the transient analysis phase of the review.
(3) Identify nuclear plant systems with potential to initiate or aggravate core damage through overheating.
(4) Identify nuclear plant systems with potential to degrade the performance of safety systems.
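The cooldown screen that appears in all three tables, together with the 10-minute no-operator-action assumption applied in the report's transient analyses, can be written as a check over a temperature trace. The following is an added example, not code from the report or the laboratories: it assumes "in excess of 100F° in an hour" means a drop of more than 100 F° within any 3600-second window, the traces are constructed, and the function names are hypothetical.

```python
"""Overcooling screen for a simulated transient (added example, constructed data)."""
from collections import deque

COOLDOWN_LIMIT_F = 100.0       # drop "in excess of 100F°" (Tables 2.1 to 2.3)
WINDOW_S = 3600.0              # "in an hour" (assumed to mean any 3600 s window)
NO_OPERATOR_ACTION_S = 600.0   # no operator action credited in the first 10 minutes


def first_overcooling_time(trace, limit_f=COOLDOWN_LIMIT_F, window_s=WINDOW_S):
    """Return the first sample time at which the temperature has fallen more
    than limit_f below the highest temperature seen in the preceding window_s
    seconds, or None if that never happens.

    trace: list of (time_s, temperature_F) with strictly increasing times.
    """
    maxima = deque()   # (time, temp) candidates; temps decrease front to back
    last_t = None
    for t, temp in trace:
        if last_t is not None and t <= last_t:
            raise ValueError("trace times must be strictly increasing")
        last_t = t
        # Older samples that are not hotter than this one can never be the
        # window maximum again, so drop them from the back.
        while maxima and maxima[-1][1] <= temp:
            maxima.pop()
        maxima.append((t, temp))
        # Drop candidates that have aged out of the window.
        while maxima[0][0] < t - window_s:
            maxima.popleft()
        if maxima[0][1] - temp > limit_f:
            return t
    return None


def screen_transient(trace, failure_time_s=0.0):
    """Classify one transient against the overcooling criterion and report
    whether the limit is reached before operator action is credited."""
    t_hit = first_overcooling_time(trace)
    if t_hit is None:
        return {"overcooling": False, "onset_s": None,
                "before_operator_action": None}
    onset = t_hit - failure_time_s
    return {"overcooling": True, "onset_s": onset,
            "before_operator_action": onset < NO_OPERATOR_ACTION_S}


# Constructed traces (not plant data): downcomer temperature in degrees F.
# Fast: 3 F° every 5 s. The limit is passed well inside the 10-minute window.
FAST_TRACE = [(5 * k, 540 - 3 * k) for k in range(81)]
# Slow: 90 F° per hour for two hours. Total drop is 180 F° but the rate
# never exceeds the criterion, so it is not flagged.
SLOW_TRACE = [(60 * k, 540 - 1.5 * k) for k in range(121)]
# Moderate: 120 F° per hour. Flagged, but only after operator action
# would already be credited.
MODERATE_TRACE = [(60 * k, 540 - 2 * k) for k in range(91)]

if __name__ == "__main__":
    for name, tr in (("fast", FAST_TRACE), ("slow", SLOW_TRACE),
                     ("moderate", MODERATE_TRACE)):
        print(name, screen_transient(tr))
```

The slow trace shows why the window matters: a check on total temperature drop alone would flag it even though its rate stays under the criterion.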
3 Results of the INEL and ORNL Studies

3.1 Potentially Significant Control System Failure Scenarios

Using the methods and screening criteria described in Section 2, potentially significant control system failure scenarios were identified for each reference plant design. The results are summarized in the sections that follow.

3.1.1 GE BWR Plant Design

Three failure scenarios that could lead to reactor vessel overfill events were identified (NRC, NUREG/CR-4262, Vols. 1 & 2). Two of the three failure scenarios could also lead to overcooling events during low-pressure startup or shutdown operation. All other failure scenarios that were identified were determined to be bounded by the plant FSAR analyses.

For these events, an assumption was made that no operator action would be initiated for the first 10 minutes following any postulated failure. This guideline applies to operator response to a specific failure regardless of the time at which the failure occurs during the course of an event.

The onset of overfill was predicted to occur very quickly (i.e., between 20 and 300 seconds into the event). The reactor vessel was assumed to overfill when moisture entered the main steamlines and was sustained. Moisture carryover was defined as a significant change in steam quality and was indicated by the steamline vapor void fraction and the downcomer water level. The transient analyses were terminated after the vapor void fraction in the steamline continued to decrease at a steady rate, indicating that more water was entrained in the steam. Transients that resulted in the downcomer fluid temperature decreasing at a steady rate greater than 100F° in an hour were defined as overcooling transients. Table 3.1 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes failure probabilities of control system failure sequences initiating the events of concern.

3.1.2 W 3-Loop PWR Plant Design

Eight failure scenarios were identified that could potentially lead to undesirable events (NRC, NUREG/CR-4326, Vols. 1 & 2). Two of these scenarios were identified as contributors to overfill events, two other scenarios contributed to overcooling events, and two contributed to reactor coolant system overpressure events. The remaining two failure scenarios contributed to a radiation release during a steam generator tube rupture, by causing greater break flow conditions than were assumed in the FSAR accident analysis.

Transient studies showed that the limiting mode of operation for one of the two identified overcooling transients occurred during hot-shutdown conditions. The two overpressure transients occurred during cold-shutdown operation, and one of the overfill transients occurred during low-power operations. For the other failure scenarios, mid-range to full-power operation produced more rapid and severe transients.

For these events, an assumption was made that no operator action was initiated for the first 10 minutes following any postulated failure. This guideline applies to operator response to a specific failure regardless of the time at which the failure occurs during the course of the event.

Results of the thermal-hydraulic transient analysis indicated that:

(1) The onset of overfill (via the main feedwater system) could occur very quickly (between 20 and 20s seconds).
(2) Plant cooldown transients reached cooldown rates of 100F° within 125 to 230 seconds.
(3) Overpressure limits (10 CFR Part 50, Appendix G curves) can be exceeded in 15 to 162 seconds.

Table 3.2 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes the failure probabilities of control system failure sequences initiating the events of concern.

3.1.3 B&W PWR Plant Design

Three potentially safety-significant failure scenarios were identified (NRC, NUREG/CR-3692, -4047, and -4449). One leads to a steam generator overfill event and two lead to a reactor core overheating event. The analysis indicates that the onset of overfill associated with main feedwater flow can occur very quickly (i.e., approximately 3 minutes) at power levels between 50 percent and 100 percent when both feedwater pumps are in operation. Overfill events associated with the auxiliary feedwater system and the startup feedwater system were predicted to occur at a much slower rate, so that the operator would be expected to have sufficient time to identify the event and terminate the flow before overfill conditions could occur. The onset of overfill was determined by a very low vapor void fraction fluid entering the steam generator downcomer and main steamlines. This guideline was similar to that discussed in Section 3.1.1 for the BWR review.
Results For the overheating events, it was predicted that the core in the actuation of protection systems,(3) cause techni al could be severely damaged if the operator did not take specification safety limits to be exceeded, or (4) cause proper corrective action within 30 to 60 minutes.
transients or accidents designated as moderate or infre-quent events to occur more frequently than described.
Other control system failure scenarios were identified in Data on control and instrument failures from 1969 NUREG/CR-3692, ~4047, and -4449, but were deter-through early 1985 were reviewed.The sections that fol-mined to be either bounded by transients or accidents low summarize both that review and the conclusions, analyzed in the FSAR, or it was determined that the operator would have sufficient time to terminate the event before it became a safety-significant event; there-3.2.1 GE B%R Plants fore, they are not discussed here. Table 3.3 summarizes The literature review for BWR plants evaluated all re-the failure scenarios and the failure mechanisms that ported events of control system failure for the Browns were identified as safety significant, and summarizes fail-Ferry Nuclear Power Station, Units 1,2, and 3, during a ure probabilities of control system failure sequences initi-3-year period (1980 through 1982). This review was ex-ating or contributing to the events of concern.
panded to include all other BWR plants for the same pe-l riod. The dasa were further expanded to include 1
3.1.4 CE PWR Plant Design P tentially significant events occurring as early as 1970 (NRC, NUREG/CR-4262, Vols.1 & 2).
Four potentiaHv safety-significant failure scenarios were identified (NRC, N UREG/CR-4265). Two lead to over-Review of the operating experience did not identify any filling the steam generator vessel via the main feedwater control system failures that satisfied the above criteria.
system; one leads to overheating the reactor core; and one Three reactor overfill events did occur in the early 1970s.
overcooling event could lead to a possible pressurized Two occurred at Dresden Nuclear Power Station, Units 2 thermal shock event in a plant with a vulnerable pressure and 3, and one at Nine Mile Point Nuclear Station, Unit 1.
vessel.Two categories of such overfill events were investi-At the time of these events, the design did not provide a gated: rapid and slow. Slow overfeeding transients occur reactor vessel high-water-level feedwater trip system. A via the feedwater bypass valves after the main feedwater-trip system was later incorporated.
regulating valves are closed and were not considered safety significant because of the long time it took to over-l'our overcooling events were also identified (Edwin I.
fill. Overfill with main feedwater systems was predicted to occur very quickly (that is, onset of overfill could occur in 2 minutes). Onset of overfill was assumed when low-quality steam entered the main steamlines. This guideline is similar to that discussed in Section 3.1.1 for the BWR review. For the other two failure scenarios, the analysis indicated that for a very narrow range of break sizes of small-break loss-of-coolant accidents (SBLOCAs), overheating of the core or possible pressurized thermal shock can occur if the operator fails to take the plant to safe-shutdown conditions. Other failure scenarios that were identified in NUREG/CR-4265 were determined to be bounded by the events analyzed in the FSAR accident analysis, or it was determined that the operator would have sufficient time to terminate the event. Therefore they are not discussed here.

Table 3.4 summarizes the failure scenarios and the failure mechanisms that were identified as safety significant, and summarizes failure probabilities of control system failure sequences initiating or contributing to events of concern.

3.2 Literature Search

Licensee event reports and nuclear plant experience reports were reviewed to identify control system failures that could (1) adversely affect operator actions, (2) result

Hatch Nuclear Plant, Unit 2 [1978]; Brunswick Steam Electric Plant, Unit 1 [1977]; Peach Bottom Atomic Power Station, Unit 3 [1979]; and Cooper Nuclear Station [1980]). These events were regarded as precursors to the transients evaluated in the plant model.

3.2.2 W 3-Loop PWR Plants

A similar review of the W PWR plants was conducted for the same 3-year period (1980 to 1982) (NRC, NUREG/CR-4326, Vols. 1 & 2). The review included the reference plant and five other W PWR plants. The review did not identify any control system failures that satisfied the criteria stated above.

3.2.3 B&W PWR Plants

A review of the operating experience was conducted for the reference plant and all other B&W PWR plants (NRC, NUREG/CR-4047). The period ranged from January 1975 through early 1985. On the basis of this review, no abnormal events were identified at the reference plant that led to potentially severe accidents or unsafe conditions. One steam generator overfill event occurred at Oconee Nuclear Station, Unit 3, in 1981.

The operating history data on other B&W PWR plants revealed the following:
(1) Two steam generator overfill events occurred at Rancho Seco Nuclear Generating Station, Unit 1 (March 1978 and December 1985).

(2) Operator errors could cause technical specifications

(3) Inadvertent malfunctions occurred infrequently.

(4) Unnecessary scrams that challenge the protection system occur. B&W PWR plants have a lower-than-average industry record for the number of scrams (i.e., three per year).

3.2.4 CE PWR Plants

A review similar to the B&W review was conducted for CE PWR plants (NRC, NUREG/CR-4265).

A number of steam generator overfeeding events were identified; none progressed to an overfill condition. In all cases, the overfeeding events were terminated by the control system or by operator action. Maintenance and testing problems resulted in the most frequent challenges to the protection systems. The review did not identify any control system failures that satisfied the criteria stated in Tables 2.1, 2.2, and 2.3.
[Tables of failure scenarios, failure mechanisms, and estimated failure probabilities; contents illegible in this copy.]
4 Generic Applicability

Reference plants were selected on the basis of (1) the quality and quantity of design information available to conduct a review and (2) the belief that any weaknesses in control system designs were more likely to be identified in older plants.

A number of control system failures having the potential for causing undesirable events were identified at the reference plants. To determine if the results obtained for the reference plants were applicable to other plants supplied by the same vendor, similarities in the thermal-hydraulic parameters and similarities in control systems of other plants were evaluated. This evaluation of control systems (similarity review) of other plants focused primarily on those design characteristics identified as contributing to the events of concern. Sensitivity studies were selectively performed to evaluate if the differences were significant. The significant transients analyzed for the reference plants were also evaluated to determine (1) if similar transients could occur in other plants and (2) if the transients analyzed for the reference plant represented a more severe or bounding transient.

Results of the review of the reference plants were considered generically applicable to the same vendor's other plants if:

(1) Major fluid systems of other plants were functionally similar to the reference plant.

(2) Ratio of power to volume and various ratios of volume to flow of other plants were similar to the reference plant.

(3) Thermal-hydraulic transients analyzed at the reference plant were similar to or would bound transients on other plants of the same class.

(4) Control systems at other plants were sufficiently similar to the reference plants so that any differences in the design were not significant enough to substantially alter the events of concern.

(5) Reactor protection systems (that is, the reactor trip systems and the engineered safety features systems) at other plants are functionally similar to the reference plants so that any differences in the design of the reactor protection system were not significant enough to substantially alter the events of concern.

A large number of single and multiple control system failures were analyzed for the reference plants. It was not necessary or practical to evaluate all possible control system failure combinations that could occur in any one plant. Engineering judgment and the failure modes and effects analysis (FMEA) conducted on each plant were used to limit the number and kind of transient analyses performed. Selection of the type and number of system failures evaluated for the plant model was an iterative process highly dependent on the knowledge gained from responses to the failure sequences simulated in previous analyses. In some cases, highly unlikely combinations of multiple failures were evaluated to assess worst-case or bounding scenarios. On the basis of the combinations and number of control system failures analyzed, it became apparent that as long as the protection systems were not compromised and performed their intended design functions, the events (except those noted below) induced by control failures were satisfactorily mitigated. On the basis of the number of credible and unlikely failures evaluated, the staff concluded that other control system failures that could occur at the reference plant (but have not been analyzed in this review) would also be mitigated by the protection systems. Since the designs of the reactor protection systems of other plants (of the same vendor) are functionally similar to the reference plant designs, the same degree of protection to mitigate multiple control system failures is provided in other plants.

It should be noted that a few plant designs vary significantly from the reference plant designs. These plants incorporate unique design features in major fluid systems and/or instrumentation and control systems, power systems, or reactor protection systems which have not been evaluated in detail. For BWRs these plants are: Oyster Creek Nuclear Power Plant, Unit 1; Big Rock Point Nuclear Plant; Nine Mile Point Nuclear Station, Unit 1; La Crosse Nuclear Generating Station; Millstone Nuclear Power Station, Unit 1; and Dresden Nuclear Power Station, Units 2 and 3. For the W 3-loop PWRs, the plants are: Yankee Rowe Nuclear Power Station, Haddam Neck Plant, and San Onofre Nuclear Generating Station, Unit 1. For CE PWRs, the plants are: Arkansas Nuclear One, Unit 2; San Onofre Nuclear Generating Station, Units 2 and 3; Maine Yankee Atomic Power Plant; and Palo Verde Nuclear Generating Station, Units 1, 2, and 3. For B&W PWRs, the plants are Arkansas Nuclear One, Unit 1; Crystal River Nuclear Plant; Rancho Seco Nuclear Generating Station, Unit 1; and Davis-Besse Nuclear Power Station, Unit 1. The major differences in these designs and their effects on the significant events are discussed below. Most of the events identified during the Unresolved Safety Issue (USI) A-47 review were found to be generically applicable to most other reactors of the same class. Some events, however, were determined to be applicable only to the reference plant.

The following discussions assess the generic applicability of the events determined to be safety significant during the review. Design features of other plants that could
potentially modify failure scenarios or transients analyzed in this review are described and the criteria used to assess generic applicability are identified. This assessment is based on fundamental engineering principles, the generic evaluations conducted by ORNL and INEL (see NRC reports NUREG/CR-3991, -4047, -4262, -4265, -4326; and Letter Report ORNL/NRC/LTR-86-19), and staff judgment.
4.1 GE BWR Plants
Several control system failures that could contribute to reactor vessel overfill and reactor overcooling events were identified as potentially safety significant. All other control system failures that were evaluated were determined to be bounded by the FSAR analyses. The failure mechanisms contributing to these events are identified in Table 3.1. Major contributors to events that occur during power operation were multiple control system failures that initiated overfeeding transients and failed the automatic feedwater pump trip system. Major contributors to events that occur during startup or shutdown operation were single and multiple failures that initiated vessel overfeeding.
The discussions that follow summarize the design features of other plants and assess the generic applicability of the major events identified for the reference plant.
4.1.1 Overfill Events at Power Resulting From Failures in the Reactor Vessel High-Water-Level Feedwater Trip System
Control System Differences
Review of the plant-specific safety analysis reports (SARs) and the docket files identified variations in the reactor vessel high-water-level feedwater trip systems that terminate reactor vessel overfill events in BWRs during power operation.
Most operating BWR plants provide commercial non-safety-related reactor vessel overfill protection identical to the reference plant; that is, a 2-out-of-3, high-water-level trip system with separate and independent electrical power supplies for each level sensor. Several plants, however, have overfill protection designs with less independence and reliability. These designs vary from a 1-out-of-1 or a 1-out-of-2, to a 2-out-of-2 reactor high-water-level feedwater pump trip. At some plants, logic separation and electrical power independence could not be verified. More-recent designs provide improved flexibility and redundancy by including a four-level sensor logic system, that is, a 1-out-of-2 taken twice. Three plants (Big Rock Point, La Crosse, and Oyster Creek) have no automatic isolation of feedwater on a reactor vessel high-water-level signal and rely solely on the operator to mitigate an overfeeding event.
The relative benefits of the different high-water-level trip provisions were evaluated using the reference plant as a model. The risk reduction associated with the different trip systems was estimated (NUREG/CR-4387).
Safety benefits gained by providing additional reactor vessel water-level redundancy and independence to some existing feedwater trip systems are not significant. The estimated reduction in frequency of overfill events between plants that have some sort of automatic reactor vessel high-water-level feedwater trip system was not significant. For plants with no automatic feedwater trip system, the overfill frequency was estimated to be about 15 times more likely than for plants with automatic feedwater trip systems. In actual practice, the three BWR plants with no trip system have demonstrated better reliability because of the operator's role in controlling feedwater. Results and conclusions of analyses of the reference plant apply to other BWR plants if they meet the following criteria with respect to control system design:
(1) The plant must have an automatic reactor vessel high-water-level feedwater trip system.
(2) The trip system must be operable during power operation or administrative procedures must be implemented to ensure that manual feedwater trip can be accomplished in time to prevent overfill when the automatic feedwater trip system is not operable.
Thermal-Hydraulic Differences
Most BWR plant systems that could contribute to reactor vessel overfeeding and vessel overfill events are functionally similar. Although variations in the design exist in some plants, such as the number, type, and capacity of valves or pumps and the size of reactor vessels, these variations are not significant when the overall size of the plant is considered. Major systems are designed with roughly similar proportions so that the time to overfill at other BWR plants is expected to be very similar to or bounded by the time predicted for the reference plant. Several BWR plants identified above (p. 26) incorporate designs that differ from the reference plant design. These differences include: (1) different recirculation flow systems, (2) use of isolation condensers, (3) different power supply designs, and (4) use of different reactor vessel capacities.
These design differences (except for vessel size) would not change the results of the overfill transients analyzed for the reference plant. Although reactor vessel capacity (i.e., size) can affect plant response for overfill events, the ratio of feedwater flow to reactor vessel volume for these plants is smaller than the ratio for the reference plant so that the overfill transients at plants with larger reactor
vessel volumes (like La Crosse) are expected to occur more slowly than predicted for the reference plant.
The following criterion was used to assess the generic applicability of this overfill event at other plants: Ratios of power to flow, power to volume, and reactor feedwater flow to reactor vessel volume for other plants should be similar to the ratios for the reference plant. If the ratios vary, they should vary in the direction that causes the overfill transients to occur more slowly.
Plants with thermal-hydraulic characteristics that satisfied this criterion were determined to be similar to the reference plant.
Conclusions
(1) Most BWR plants provide automatic feedwater pump trip systems on high reactor vessel high-water level. (Only three plants do not have automatic feedwater pump trip on reactor vessel high-water level).
(2) Variations in the design of the control system for automatic overfill protection exist in other BWRs. For plants with automatic overfill protection systems, variations in the design do not significantly modify expected failure estimates to reduce the frequency of overfill events that could result from control system failures.
(3) Overfill events at plants with no automatic overfill protection are estimated to be 15 times more likely than at plants with automatic overfill protection. Operator action can significantly reduce this estimate.
(4) Ratios of power to flow, power to volume, and reactor feedwater flow to reactor vessel volume at other BWR plants are sufficiently similar to these ratios for the reference plant so that the analysis conducted on the reference plant is considered a bounding analysis and is generically applicable to other BWR plants.
4.1.2 Overfill and Overcooling Events During Low-Pressure Startup and Shutdown Operations
Control System Differences
Various failures in the condensate system and in the low-pressure coolant injection (LPCI) and core spray (CS) systems were identified that could cause reactor vessel overfeeding events during low-pressure startup and shutdown operations.
Most BWR plants provide LPCI, CS, and condensate systems similar to systems in the reference plant design. Although variations in some control system designs exist, all plants rely on the operator to terminate flow from these systems once they are initiated.
Thermal-Hydraulic Differences
Several plants provide fluid system designs that are different from the reference plant design. These differences are discussed in Section 4.1.1.
The differences in the major fluid systems in these plants (except for reactor vessel size) do not affect the overfill transients analyzed for the reference plant. For plants with larger reactor vessels, because the ratio of condensate flow and/or emergency core cooling system (ECCS) flow to the reactor vessel volume is smaller than these ratios for the reference plant, overfill transients for these plants are expected to be slower and less severe than the transients predicted for the reference plant.
The following criteria were used to assess the generic applicability of this event on other plants:
(1) Ratios of power to flow, power to volume, and condensate flow or low-pressure ECCS flow to reactor volume should be similar to the values for the reference plant.
(2) The fill rate of the condensate system or the ECCS is less than or about equal to the reference plant flow rates.
(3) Administrative procedures are implemented to help ensure that manual trip can be accomplished to terminate condensate or ECCS flow in time to prevent overfill.
Plants that had thermal-hydraulic characteristics and administrative procedures satisfying these criteria were determined to be similar to the reference plant.
The risk associated with control failures that could lead to overfill events (estimated for the reference plant) was small. Because the variations in control system design for other plants were not significant enough to substantially increase these estimates, sensitivity studies of control systems contributing to this event at other BWR plants were not performed.
Conclusion
Ratios of power to flow, power to volume, and condensate flow or low-pressure ECCS flow to reactor volume at other BWR plants are similar enough to the reference plant so that the analysis conducted on the reference plant is considered a bounding analysis and is generically applicable to other BWRs.
4.2 W PWR Plants
The review of a W 3-loop PWR plant identified several control system failures that could contribute to steam
generator overfill, reactor vessel overcooling, and reactor overpressure events. Several failures were also identified that could contribute to undesirable release (i.e., releases in excess of those calculated in the FSAR analysis for steam generator tube rupture [SGTR]) of radioactivity during an SGTR. All other control system failures that were evaluated were determined to be bounded by the FSAR analysis. The failure mechanisms that contribute to these events are identified in Table 3.2. Overfill events could be caused by either sustained operation of the auxiliary feedwater system or the main feedwater system. Overcooling events could be caused by failures in the steam dump control systems (i.e., steamline atmospheric dump valves or condenser steam dump system). Overpressure events could be caused by failures in the pressurizer power-operated relief valve (PORV) control system, failures of the letdown valves, and failures in the ECCS circuitry. Failures in the steamline pressure relief control systems could also contribute to excessive release of radioactivity during an SGTR.
The discussions that follow summarize the generic applicability of other W PWR plants to the major events identified in the reference plant.
4.2.1 Overfill Events Resulting From a Sustained Operation of the Auxiliary Feedwater System
Control System Differences
On all W PWR designs, auxiliary feedwater (AFW) flow is automatically initiated when the main feedwater pumps are tripped. There are no automatic interlocks to terminate AFW flow when the water in the steam generator reaches a high level (except for Virgil C. Summer Nuclear Station, Unit 1). An overfill event similar to the reference plant event can occur unless the operator manually terminates the AFW flow. Analysis performed on the reference plant predicts onset of overfill occurring rapidly, requiring quick operator response to terminate the AFW flow.
Results and conclusions of analysis performed on the reference plant apply to other W PWR plants if they do not meet the following criteria with respect to control system design.
(1) Automatic reduction of the AFW flow on steam generator high-water level is provided, or
(2) Administrative procedures are implemented to give reasonable assurance that the AFW valves can be manually throttled in time to prevent overfill.
If other W PWR plants meet the above criteria, the analyzed failure modes would be less severe than for the reference plant and should not result in a steam generator overfill.
Thermal-Hydraulic Differences
Variations exist in the design of the AFW systems in other W PWR plants that would change the time to overfill.
New 4-loop designs and some 3-loop designs have devices (orifices or throttling valves) installed in the AFW lines. These devices restrict the flow into the steam generators so that a less severe overfeeding transient would result than analyzed for the reference plant. In addition, most 4-loop designs have split AFW headers, so only 50 percent of total AFW could flow into the faulted steam generator instead of 100-percent flow for the 3-loop reference plant design.
The following criterion was used to assess the generic applicability of this event on other plants: The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to or greater than these ratios for the reference plant.
Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to the reference plant.
Some W PWR plants identified above (p. 26) incorporate designs that are different from the reference plant. These design differences include: (1) large cooling capacity of the reactor coolant system so that the ratio of the steam generator volume to the main or auxiliary feedwater flow is significantly greater than the reference plant design; (2) the use of charging pumps (i.e., high-pressure injection pumps) that have a higher pressure capability than the reference plant design; and (3) main steam systems that have no main steam isolation valves. These design differences would not change the results of the overfill events analyzed for the reference plant with the exception of plants with larger reactor vessel volumes. For these plants, less-severe overfill events are expected. Although other differences, such as operator training and procedures, the design of the level-indication system, and alarms available to the operator, will alter the operator response time to address an overfeeding event, the review did not identify any plants that would have more-severe overfill transients.
Conclusions
(1) Overfill events via the AFW system can occur at other W PWR plants under similar conditions analyzed in the reference plant (except for the Virgil C. Summer plant which has automatic termination of AFW).
(2) The overfill transients via the AFW system at other W PWR plants are determined to be equal to or less
severe than those analyzed for the reference plant (except for the Virgil C. Summer plant which has automatic termination of AFW).
(3) Ratios of steam generator volume to main feedwater flow rate and steam generator volume to AFW flow rate at other W PWR plants are so similar to reference plant ratios that the overfill analysis conducted at the reference plant is considered a bounding analysis applicable to other W PWR plants. Although several plants provide different designs, so that some of the thermal-hydraulic characteristics mentioned above are different from the reference plant, the differences are such that the transients would be equivalent to or less severe than the results of the overfill events analyzed for the reference plant.
4.2.2 Overfill Events Resulting From Failures in the Steam Generator High-Water-Level Feedwater Trip System
Control System Differences
All of the overfill-protection system designs at W PWR plants (except for three very early plant designs, i.e., Haddam Neck, Yankee Rowe, and San Onofre 1) have either a 2-out-of-3 or a 2-out-of-4 steam generator high-water-level trip system to terminate the feedwater flow during a feedwater overfeeding event. These systems are redundant and designed to satisfy safety requirements. The newer designs incorporate a more flexible and redundant 2-out-of-4 system that provides additional improvements for testing and fully satisfies all the prescribed safety requirements of IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." San Onofre 1 and Yankee Rowe plants do not have automatic overfill protection. The Haddam Neck plant provides an overfill-protection system consisting of a safety-related, 1-out-of-2 steam generator high-water-level interlock which automatically shuts the main feedwater control valves to the steam generator. Results and conclusions of the reference plant apply to other W PWR plants if they meet the following criteria with respect to control system design:
(1) The plant must have an automatic steam generator high-water-level feedwater trip system similar to or better than the reference plant design has.
(2) The trip system must be operable during power operation or administrative procedures must be implemented to provide reasonable assurance that a manual feedwater trip can be accomplished in time to prevent overfill when the automatic feedwater trip system is inoperable.
Thermal-Hydraulic Differences
The following criterion was used to assess the generic applicability of this event to other W PWR plants: The ratio of steam generator volume to main feedwater flow rate should be similar to or greater than that of the reference plant.
Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to or bounded by the reference plant.
Some W PWR plants identified above (p. 26) incorporate designs that differ from the reference plant. These differences would not adversely change the results of the overfill events analyzed for the reference plant. Less-severe overfill events are expected for plants with larger steam generator volumes. Although other differences, such as operator training and procedures, the design of the level indication system, and alarms available to the operator, can alter the operator response time to an overfeeding event, the review did not identify any plants that would have more-severe overfill transients.
Conclusions
(1) Variations in the design of the automatic overfill-protection system exist in other W PWR plants. The designs are the same as or better than the reference plant design (except as noted for three very early plant designs).
(2) Overfill transients in other W PWR plants are judged to be equal to or less severe than those analyzed for the reference plant.
(3) The ratio of steam generator volume to main feedwater flow rate at other W PWR plants is so similar to the reference plant ratio that the overfill analysis conducted on the reference plant is considered a bounding analysis applicable to other W PWR plants. (Although several plants provide different designs so that some of the thermal-hydraulic characteristics discussed above are different from the reference plant characteristics, these differences do not change this conclusion.)
4.2.3 Overcooling Events During Hot Shutdown and Full-Power Operation
Control System Differences
Several control system failures were identified that could cause the steam dump valves to the condenser or the atmospheric dump valves (ADVs) to open. These failures can result in reactor vessel overcool events during full-power operation or hot-shutdown conditions.
All W PWR plants utilize similar ADV and condenser-steam dump valve control systems. Although the number
of valves and valve capacities of these systems may differ at other W PWR plants, the overall valve capacity for 2-, 3-, and 4-loop plants is proportional to the plant's power level. Transients resulting from failures in these systems at other W PWR plants were determined to be similar to those analyzed for the reference plant.
A majority of operating plants and plants under review for an operating license (i.e., 37 out of 52 W PWR plants) have incorporated lead/lag-compensated steamline pressure measurement in the steamline-break-protection systems. This control system can terminate steam flow through the steam dump valves to the condenser by isolating the main steamlines on a low steamline pressure signal. This control design feature is not provided for the reference plant and represents an improvement over the reference plant design. For W PWR plants utilizing this feature, overcooling transients resulting from inadvertent opening of steam dump valves downstream of the main steam isolation valves (MSIVs) will be less severe than transients predicted for the reference plant.
In addition, most operating plants as well as plants of newer designs utilize arming circuits in the steam dump valve control system similar to circuits in the reference plant design. Multiple independent failures in these systems, similar to those postulated for the reference plant, are needed to cause all the steam dump valves to fail open. The initiating frequency for such failures is very
Although one plant design (San Onofre Nuclear Generating Station, Unit 1) does not have MSIVs or a lead/lag-compensated steamline pressure control system, it does utilize arming circuits similar to those of the reference plant to prevent inadvertent opening of the dump valves.
Results and conclusions of analyses of the reference plant apply to other W PWR plants if they meet the following criteria with respect to control system designs:
(1) Must automatically terminate the steam flow through the steam dump valves to the condenser by isolating the main steamlines on low steamline pressure (that is, must have a lead/lag-compensated steamline pressure control system, or equivalent) or
(2) Multiple independent control failures are needed to open all steam dump valves to the condenser (that is, provide arming circuits in the steam dump valve control systems similar to those in the reference plant).
(3) Administrative procedures are implemented to ensure that (a) the ADVs can be manually isolated in time to prevent severe overcooling or (b) multiple independent failures are required to open more than one ADV.
Thermal-Hydraulic Differences
Most W PWR plant systems that can contribute to reactor vessel overcooling transients are functionally similar. Although variations in the design exist at some plants (such as the number, type, and capacity of valves, and the number of steam generators), the variations are not significant when one considers the size of the plant. Major systems are sized in roughly the same proportions so that the overcooling transients on other W PWR plants are expected to be similar to or bounded by transients analyzed for the reference plant. Several W PWR plants identified above (p. 26) incorporate designs that differ from the reference plant. Plants that have larger reactor vessel and steam generator volumes, like Yankee Rowe Nuclear Power Station, have larger cooling capacities and larger ratios for reactor coolant system volume to atmospheric dump valve (or steam dump valve) capacity and steam generator volume to atmospheric dump valve (or steam dump valve) capacity. Overcooling transients resulting from inadvertent opening of the steamline PORV or steam dump valves to the condenser at these plants would be less severe than transients analyzed at the reference plant.
The following criteria were used to assess the generic applicability of this event at other W PWR plants: Ratios of (1) reactor coolant system volume to atmospheric or condenser-steam dump valve capacity and (2) steam generator volume to atmospheric or condenser-steam dump valve capacity ratios should be similar to or greater than these values for the reference plant.
Plants with thermal-hydraulic characteristics satisfying these criteria were determined to be similar to or bounded by the reference plant.
Conclusions
(1) All W PWR plants provide adequate control systems to prevent overcooling transients resulting from inadvertent opening of the steam dump valves to the condenser. Most plants provide overcooling transient protection that is better than that of the reference plant.
(2) Transients that could occur as a result of inadvertent opening of the steam dump valves to the condenser or atmospheric dump valves are expected to be equal to or less severe than those analyzed for the reference plant.
(3) Ratios of (a) reactor coolant system volume to atmospheric dump valve or (b) steam dump valve capacity and steam generator volume to ADV or steam dump valve capacity at other W PWR plants are sufficiently similar so that the overcooling analysis conducted for the reference plant is a bounding analysis applicable to other W PWR plants.
Although several plants provide such different designs that some of the thermal-hydraulic characteristics discussed above differ from those of the reference plant, the differences would cause less-severe transients and therefore do not adversely change the results of the overcooling events analyzed for the reference plant.
4.2.4 Overpressure Events During Low-Temperature and Low-Pressure Shutdown or Startup Operating Conditions
Several control system failures were identified that could prevent pressurizer PORVs from opening. These failures in conjunction with events that would increase reactor coolant system (RCS) pressure can result in reactor vessel overpressure events.
Control System Differences
Pressurizer PORV control systems at all W PWR plants are designed to conform to NRC Branch Technical Position RSB 5-2 (Denton, July 23, 1985) which requires the control systems for the pressurizer PORV valves to satisfy the single-failure criterion and to be powered from reliable independent power supplies (not necessarily Class 1E). Some new plants improve their control systems over the reference plant design by designing pressurizer PORV control systems that conform fully to all the requirements of safety-related systems, so that additional failures would be needed to produce the transients analyzed for the reference plant. Control system designs at other W PWR plants are, therefore, very similar to or better than the reference plant designs.
(1) Results and conclusions of the analysis of the reference plant apply to other PWR plants if they meet the following criteria with respect to control system design:
(a) Pressurizer PORVs must be powered by reliable and independent power supplies and must be designed so that multiple independent failures are required to disable both PORVs.
(b) Administrative procedures are implemented to ensure that when one of the redundant pressurizer PORVs is rendered inoperable for a limited period of time during low-temperature operations, the remaining PORV can be opened manually.
Operator-induced procedural failures could also prevent both PORVs from opening during low-temperature and low-pressure conditions. These procedural failures are dependent on the adequacy of procedures used. Operating procedures at other plants were not reviewed to determine how many plants may be susceptible to the kind of procedurally induced conditions analyzed in the reference plant review. Variations in procedures at other plants could affect the frequency and severity of this procedurally induced transient. The emphasis placed on PORV-related events since the TMI-2 accident, however, has made more operators more aware of this type of
(2) Results and conclusions of the analysis of the reference plant apply to other PWR plants if they meet the following criteria:
(a) The low-temperature overpressure (LTOP) system is removed from service during plant heatup before the RCS temperature is at or near the minimum pressurization temperature so that an LTOP condition can occur, or
(b) The ECCS is enabled during plant heatup before the RCS temperature is at or near the minimum pressurization temperature for the reactor vessel, or
(c) No other automatic pressure reduction capabilities exist to limit overpressure transients during low-temperature operations.
Under certain conditions, PWR plants are allowed to operate under limiting conditions for operation (LCO), wherein a redundant pressurizer PORV may be rendered inoperable for a finite period. If, during this time, the system is subjected to a pressure transient, the plant may be vulnerable to an overpressure event if a single failure in the available PORV control system can render the overpressure-protection system inoperable. This scenario has been identified as a safety issue. Generic Issue 94 was identified to reevaluate the existing LTOP designs and to assess the need for additional improvements to the low-temperature overpressure-protection system. This study is applicable to all PWRs that have PORVs (Denton, July 23, 1985). By resolving this issue, insights may be gained to warrant modifications.
Thermal-Hydraulic Differences
Because the major systems at W PWR plants are of roughly the same proportions, the overpressure transients at all W PWR plants are expected to be similar to or bounded by transients analyzed for the reference plant. Several W PWR plants identified (p. 26) incorporate some designs that differ from the reference plant design. These differences, discussed in Section 4.2.1 (except for plants that have high-capacity injection pumps), would not adversely change the results of the overpressure transients analyzed for the reference plant. For plants that utilize high-capacity injection pumps (higher than the reference plant design, like San Onofre Nuclear Generating Station, Unit 1), the overpressure transients induced by
inadvertent initiation of the high-pressure injection could produce a more-severe overpressure event than analyzed. Additional administrative procedures are used at these plants to lock out the isolation valves to the high-head pumps during shutdown conditions to preclude such events so that additional independent failures would be required to cause similar or more-severe events than analyzed for the reference plant. The following criteria were used to assess the generic applicability of these events to [illegible]:

(1) The ratio of RCS volume to normal cold shutdown letdown flow rate should be similar to or greater than that of the reference plant.

(2) Administrative procedures are implemented during startup or low-temperature, low-pressure operation to ensure that the pressurizer PORV low-pressure setpoint is not changed to the higher setpoint for normal operation before reaching the minimum pressurization temperature, or

(3) Other automatic pressure-reduction capabilities exist to limit the overpressure transients during LTOP operation.

Conclusions

(1) Most pressurizer PORV control system designs at other E PWR plants are very similar to designs of the reference plant. The designs provide similar electrical independence.

(2) A few plants have better PORV control systems than the reference plant has, so additional multiple independent failures would be needed to produce similar scenarios analyzed for the reference plant.

(3) The thermal-hydraulic analyses conducted for the reference plant are applicable to other E PWR designs.

(4) Plants whose high-head injection pumps have a capacity higher than that of the reference plant provide additional lockout devices to prevent inadvertent initiation of the injection pumps during low-temperature operation.

4.2.5 Control System Failures Aggravating a Steam Generator Tube Rupture Event

Several control system failures were identified that could cause inadvertent opening (or failure to close once challenged) of the atmospheric steamline dump valves during an SGTR event. An ADV that fails to reclose during an SGTR event can result in more severe transients than those previously analyzed by E for an SGTR event.

All E PWR plants provide steamline ADV designs similar to that of the reference plant design. They rely on the operator to isolate the flow through these valves should the valves fail to close during an SGTR event. Although the design of the ADVs may vary at other plants, these variations are not sufficient to modify the analysis performed for the reference plant design.

Results and conclusions of the analysis for the reference plant apply to other E PWR plants if they meet the following criteria with respect to control system design:

(1) must have electrically initiated air-operated ADVs

(2) require manual operator action to isolate flow through the ADVs

Conclusion

Transients at other E PWR plants that could occur as a [illegible] ADVs [illegible] at the reference plant.

4.3 B&W PWR Plants

The review of the B&W PWR reference plant identified potentially significant control system failures that could contribute to steam generator overfill events and reactor core overheating events. All other control system failures that were evaluated were determined to be bounded by the FSAR analysis. The failure mechanisms that contribute to these events are identified in Table 3.3.

The major contributors to these events were single and multiple control system failures that (1) initiated overfeeding transients and failed the automatic feedwater pump trip system that would have terminated an overfill event and (2) caused a loss of electrical power to various sections of the integrated feedwater control system resulting in a feedwater underfeeding condition that could lead to core overheating if proper operator action were not initiated.

It should be noted that about half of the B&W PWR plants currently operating incorporate an "820" integrated control system rather than a "721" integrated control system design utilized by the reference plant. Although these two control systems are functionally similar, they differ significantly in the power supply configuration. Design differences, such as providing additional independence and power supply separation, were implemented by the individual utilities on the 820 systems in order to improve system reliability on a loss of power. However, for this review, the 721 and the 820 systems were not compared in depth. To address the different transients resulting from a loss of power to the integrated control system (and other control systems), Bulletin 79-27 was issued by NRC's Office of Inspection
and Enforcement to all licensees. The bulletin required all licensees to take certain action to ensure the adequacy of plant procedures for accomplishing cold shutdown upon a loss of power to any Class 1E or non-Class 1E bus supplying power for instruments and controls in systems used in attaining cold shutdown. The licensee's response and design modifications to comply with Bulletin 79-27 were considered and evaluated in the review of the reference plant. The staff did not verify satisfactory compliance with this bulletin for all other plants.

The discussions that follow summarize the generic applicability of the major transients identified in the reference plant to other B&W PWR plants.

4.3.1 Overfill Events Resulting From Failures in the Steam Generator High-Water-Level Main Feedwater Trip System

Control System Differences

Review of the main feedwater control systems at all B&W operating PWR plants and all new B&W designs currently under review for operating licenses indicates that the 2-out-of-2 steam generator, high-water-level main feedwater trip system provided on the reference design is plant unique and not generically applicable. All other B&W operating PWR plants have installed or have committed to install safety-related overfill-protection systems that will satisfy the single-failure criterion. (Arkansas Nuclear One, Unit 1, implemented the new design in 1986; Rancho Seco Nuclear Generating Station, Unit 1, installed its system in 1988; Three Mile Island Nuclear Station, Unit 1, installed its system in 1987; and Crystal River Nuclear Plant, Unit 3, installed its system but has not yet implemented the trip system. It should also be noted that for the Bellefonte and WNP-1 plants overfill protection will be provided by high steam generator differential pressure (i.e., water level) when reactor power is below 31 percent and by excessive feedwater flow when reactor power is above 25 percent. Power dependence will be removed from the water level trip after a reactor trip is initiated.) The initiating logic for these designs is either a 2-out-of-4 or a 1-out-of-2 taken-twice, steam generator high-water-level main feedwater trip system. The trip system actuates redundant main feedwater isolation systems consisting of a main feedwater pump trip and a main feedwater isolation or control valve trip. One plant design currently under review for an operating license will use a safety-related 2-out-of-3, high-water-level main feedwater trip system. These plants provide (or will provide) additional redundancy, independence, and testing flexibility in their steam generator overfill-protection system and they are expected to represent a significant improvement over the reference plant design when the installation is complete.

Results and conclusions of analyses of the reference plant apply to other B&W PWR plants if they meet the following criteria with respect to control system design:

(1) The automatic overfill protection is at least as reliable as the reference plant design. A single failure in the overfill-protection system for the reference plant can negate the automatic overfill-protection system.

(2) The main feedwater trip system must be operable during power operation, or administrative procedures must be implemented to ensure that manual feedwater trip can be accomplished in time to prevent overfill when the automatic feedwater trip system is not operable.

Thermal-Hydraulic Differences

Most B&W PWR plant systems that could contribute to steam generator overfeeding and overfill events are functionally similar. Variations in the designs exist at some plants, such as the type and capacity of main feedwater valves or pumps; these variations are not significant when considering the overall size of the plant. Major systems are sized in roughly the same proportions so that the time to overfill on other B&W PWR plants is expected to be very similar or is bounded by the time predicted for the reference plant.

The following criterion was used to assess the generic applicability of this event to other plants: The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to or greater than those of the reference plant.

Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to the reference plant.

Conclusions

(1) Control systems for overfill protection for the main feedwater system for the reference plant is plant specific to Oconee Unit 1. The control systems for overfill protection are not as reliable as those provided or planned to be provided at all other B&W PWR plants.

(2) All other B&W PWR plants provide (or have committed to provide) improved safety-related control systems for steam generator overfill protection systems for the main feedwater system. These systems consist of either a 2-out-of-4 or a 1-out-of-2 taken twice or a 2-out-of-3 steam generator high-water-level trip. Although there are theoretical reliability
differences between these systems, these differences are outweighed by the improvements in overall reliability and operational flexibility allowed by such systems. All are thus adequate for overfill protection. It should be noted that until these modifications are completed some of the plants are currently operating with no overfill protection.

(3) Ratios of steam generator volume to main feedwater flow rate and steam generator volume to auxiliary feedwater flow rate at other B&W PWR plants are similar to the reference plant ratios; thus the overfill analysis conducted on the reference plant is a bounding analysis applicable to other B&W PWR plants.

4.3.2 Overheating Events Resulting From Steam Generator Dryout

Several control system failure scenarios were identified that could result in steam generator dryout on a partial loss of electrical power to the feedwater control system. Such events could lead to reactor core overheating if adequate feedwater flow is not established within 30 minutes of a steam generator dryout and high-pressure injection (HPI) is not initiated within 60 minutes. Losses of electrical power to the "hand control" (i.e., manual control) circuit during the manual mode of operation or to the "auto control" circuit during the automatic mode of operation were identified as major contributors.

Control System Differences

Half of the operating B&W PWR plants have an 820 integrated control system rather than the 721 integrated control system used at the reference plant. Only four plants (Oconee Nuclear Station, Units 1, 2, and 3, and Three Mile Island Nuclear Station, Unit 1) use 721 systems. Electric power distributions in the 820 system are different from the distributions in the 721 system. The 820 system was not reviewed in detail to determine if a credible partial loss of power to the integrated control system could cause similar events; however, all other plants (including TMI-1) incorporate separate control circuits that automatically initiate auxiliary feedwater flow on low-water level in the steam generator. These circuits represent an improved design that mitigates a steam generator dryout scenario postulated for the reference plant.

Results and conclusions of analyses of the reference plant apply to other B&W PWR plants if they meet the following criterion with respect to control system design: Auxiliary feedwater flow is not automatically initiated on low-water level in the steam generator. (Plants in which AFW is automatically initiated on low-water level in the steam generator are less susceptible to steam generator dryout and, therefore, represent an improvement over the reference design.)

Thermal-Hydraulic Differences

Variations in the designs exist at some plants, such as type and capacity of the feedwater valves or pumps. These variations are not significant when considering the overall size of the plant. Major systems are sized in roughly the same proportions so that the time of steam generator dryout at other B&W plants is expected to be similar to or bounded by the time to dryout predicted for the reference plant. The following criteria were used to assess the generic applicability of this event to other B&W plants:

(1) The ratios of steam generator volume to main feedwater flow rate and steam generator volume to the auxiliary feedwater flow rate should be similar to these values for the reference plant.

(2) The ratio of power to volume should be similar to this value for the reference plant.

Plants with thermal-hydraulic characteristics satisfying these criteria were judged to be similar to the reference plant.

Conclusions

(1) All other B&W PWR plants provide control system designs to initiate auxiliary feedwater on steam generator low-water level to prevent steam generator dryout on loss of main feedwater. This design feature represents an improvement over the reference plant design.

(2) Power [illegible], power [illegible] rate, and steam generator volume to main feedwater flow at other B&W PWR plants are similar to values for the reference plant; thus the steam generator dryout analysis conducted for the reference plant is similar to or is a bounding analysis for other B&W PWR plants.

(3) The overheating event scenario analyzed for the reference plant is not directly generically applicable but bounds overheating events at other B&W PWR plants.

4.4 CE PWR Plants

The review of the CE PWR reference plant identified several potentially significant control system failures that could contribute to (1) steam generator overfill events, (2) a reactor core overheating event, and (3) an overcooling event that could lead to a potential pressurized thermal shock event in a plant with a vulnerable pressure vessel.

All other control system failures that were evaluated were determined to be bounded by the FSAR analysis.
The failure mechanisms that contributed to these events are identified in Table 3.4.

The major contributors to these events were (1) single and multiple control system failures that initiated overfeeding transients or prevented atmospheric dump valves or turbine bypass valves from opening on demand and (2) incorrect operator actions to open the pressurizer PORVs when needed.

The sections that follow summarize the generic applicability of the major transients identified in the reference plant to other CE PWR plants.

4.4.1 Overfill Events Resulting From Operator Errors During a Steam Generator Overfeeding Event

Control System Differences

On all CE PWR plant designs, no automatic steam generator high-water-level signals trip the main feedwater pumps. If an overfeeding event occurs, a steam generator high-water-level signal will automatically trip the main steam turbine. A turbine trip signal will trip the reactor, shut the feedwater valves, and open the startup feedwater valves to 5-percent flow.

This trip system can limit the frequency of steam generator overfill events, but operator action is still required to trip the main feedwater pumps to prevent overfill. If the operator does not manually trip the feedwater pumps, a single failure in the feedwater control system can cause the steam generator to overfill.

The results and conclusions of analysis on the reference plant apply to other CE PWR plants if they meet the following criterion with respect to control system design: All main feedwater flow is not automatically isolated on a steam generator high-water-level signal. Plants with automatic overfill-control circuits would be more resistant to overfill transients than the reference plant would be.

Thermal-Hydraulic Differences

Variations in design exist at some plants. These variations include type and capacity of feedwater valves and pumps. These variations are not significant with regard to steam generator filling times when considering the relative size of the plants. Major systems are sized in roughly the same proportions so that the time to overfill at all other CE PWR plants is expected to be similar or bounded by the time to overfill predicted for the reference plant.

Several CE PWR plants incorporate designs that are different from the reference plant design. These design differences include (1) the use of charging pumps with a discharge head higher than the reference plant design and (2) no pressurizer PORVs. These design differences would not change the conclusions for overfill events analyzed for the reference plant. Although other differences, such as operator training and procedures and design of the level indication system and alarms available to the operator, will alter operator response time to respond to an overfill event, the review did not identify any plants with characteristics that would cause more-severe overfill events.

The following criterion was used to assess the generic applicability of this event to other CE PWR plants: The ratio of steam generator volume to main feedwater flow rate and the ratio of steam generator volume to the auxiliary feedwater flow rate should be similar to or greater [illegible]

Plants with thermal-hydraulic characteristics satisfying this criterion were determined to be similar to the reference plant.

Conclusions

(1) The feedwater control system designs on all CE PWR plants are similar to feedwater control system design for the reference plant.

(2) There are no automatic steam generator high-water-level feedwater-pump trip systems; manual operator action is required to trip the feed pumps or close isolation valves to prevent overfill.

(3) The ratio of steam generator volume to main feedwater flow rate at all CE PWR plants are similar to such ratios at the reference plant; thus the overfill analysis conducted for the reference plant is considered applicable to other CE PWR plants.

4.4.2 Overheating Events and Possible Pressurized Thermal Shock Events Resulting From Operator Errors During Small-Break Loss-of-Coolant Accidents

Several failure scenarios were identified for specifically sized small-break loss-of-coolant accidents (SBLOCAs) that could lead to eventual core dryout and fuel damage if the operator does not take proper action to depressurize the reactor coolant system to (1) maintain adequate high-pressure injection flow or (2) avoid reaching RTNDT (reference temperature nil ductility transition) limits.

Control System Differences

For the reference plant, manual operation of the atmospheric dump valves (ADVs) or the turbine bypass valves (TBVs) or both may be required to depressurize the primary system during SBLOCAs to maintain adequate high-pressure injection flow. Operator use of the pressurizer PORVs or pressurizer auxiliary sprays could also be used to depressurize the primary system if the ADVs or the TBVs or both are not available or if the RTNDT limits for the reactor vessel are exceeded. Failures that could keep the ADVs or the TBVs from opening on demand include loss of power or loss of instrument air to the valves. For the reference plant under LOCA conditions, a safety injection signal isolates service water flow to the air compressors that supply operation air to the ADVs and the TBVs. Loss of service water could result in a failure of the air system. This design is similar to the design of other CE PWR plants. Although an operator of the reference plant can manually transfer control of the ADV to the auxiliary shutdown panel and can provide air to the valves from the salt-water-cooled air compressor, emergency procedures for the reference plant do not instruct the operator to perform this task.

Results and conclusions of analysis of the reference plant apply to other CE PWR plants if they meet the following criteria with respect to administrative procedures or control system design:

(1) Air supply to ADVs or to the TBVs is lost during SBLOCA conditions. (At the reference plant, automatic isolation of service water to instrument air compressors is initiated during LOCA conditions so that the ADVs or the TBVs are rendered inoperable. Plants that continue to supply instrument air to the ADVs under LOCA conditions are protected against this type of event.)

(2) Administrative procedures do not clearly instruct the operators to provide operating air to the ADV or the TBVs from an alternate source in the event that service water flow is isolated to the main instrument air compressors (if administrative procedures exist, plants are less susceptible to overheating events of this type), and

(3) An alternate compressed-air source to the ADVs or TBVs is available.

Thermal-Hydraulic Differences

Several CE PWR plants incorporate designs that are different from the reference plant design. These design differences include (1) the use of high-head safety injection pumps with higher heads than the reference plant has and (2) some CE PWR plants do not have pressurizer PORVs. The use of higher head injection pumps will significantly change the analyzed failure scenarios. Higher head pumps will be able to inject water into the reactor vessel at higher pressures, so that specifically sized SBLOCA events analyzed for the reference plant would be significantly less severe.

The following criterion was used to assess the generic applicability of this event on other CE PWR plants: The shutoff pressure of the high-head pumps should be similar to or less than the reference plant design safety injection.

[illegible] similar to the reference plant. Plants with higher head safety injection pumps were determined to have less severe transients than analyzed.

Conclusions

(1) Seven of the fifteen CE PWR plants have similar high-head pressure injection pump systems; thus failure scenarios analyzed on the reference plant are generically applicable.

(2) Eight of the fifteen CE PWR plants have substantially higher high-head pressure injection pumps so that administrative procedures to depressurize the primary system are not as critical for these eight plants as for the reference plant.

(3) Seven of the eight CE PWR plants that have high-head pressure injection pumps do not have pressurizer PORVs. For these plants, auxiliary pressurizer spray systems are used to control pressurizer pressure. This design difference does not significantly change the conclusions reached in item 2, above.
5 Summary and Conclusions

Before any safety issue can be resolved, the nature of the concern must be clearly described. Concerns described as general subject areas (such as common-cause failures, operator errors, sabotage, and undetected failures) can prove to be so broad that almost every conceivable safety issue could fall within the concern, and thus an issue would prove to be unmanageable. Therefore, to proceed with a resolution of the concern expressed as "safety implications of control systems," the NRC staff developed a set of limitations and assumptions to attempt to focus on the safety concern. The staff also decided to take advantage of other ongoing efforts. Thus, if some aspects that might be considered to have control system safety implications were better addressed by these other efforts, the scope of USI A-47 was modified, avoiding duplication of effort. As a result, a number of concerns (such as: (1) effects of seismic events on control systems, (2) dynamic effects on plant safety resulting from water entering the main steamlines, and (3) reduction in the frequency of integrated control-system-induced transients in B&W PWR plants) were left to be addressed outside the framework of the USI A-47 study. The limitations and assumptions identified in this report are crucial to understanding the scope of the issue and its resolution.

On the basis of the limitations and assumptions, a number of tasks were defined. These tasks were structured to: (1) make use of the operating experience of actual events, (2) take advantage of previous control system studies, (3) take advantage of the staff requirements identified in the TMI-2 Action Plan (NUREG-0660), (4) evaluate the safety significance of control system failures, and (5) evaluate the safety benefit and cost effectiveness of potential corrective measures.

Because the initiating events and the frequency of control system failures are for the most part plant specific, the risk estimates that are used to evaluate safety significance were difficult to extrapolate to other plants. The safety benefit derived for the reference plant and extrapolated to other plants is based both on qualitative insights and quantitative analysis. The generic applicability analysis is also based on qualitative analysis and deterministic arguments.

On the basis of the technical work completed by the staff and NRC contractors, the following conclusions have been reached:

(1) Control system failures are dependent on individual plant characteristics such as power supply configurations and maintenance. The control system designs between the plants supplied by the same nuclear steam supply system (NSSS) vendor are functionally similar enough that the transients resulting from the failure of the same type of non-safety-related system on the different plants will produce similar transients (see Section 4, "Generic Applicability," for exceptions).

(2) Control system failures have occurred that resulted in complex transients. Improvements made after the TMI-2 accident in the design of the auxiliary feedwater system and in operator information and training should greatly aid in the recovery actions in the future.

(3) Plant transients resulting from control system failures can be adequately mitigated by the operators provided the failures do not compromise proper operation of the minimum number of protection system channels required to trip the reactor and initiate the safety systems if such initiation is required.

(4) Control system failure scenarios have been identified that could potentially lead to reactor vessel/steam generator overfill events, core overheating events, and overpressure events.

(5) Transients or accidents resulting from or aggravated by control system failures (except those noted in this report that can contribute to reactor vessel/steam generator overfill or core overheating events) are less severe and therefore are bounded by the transients and accidents identified in the FSAR analysis.

(6) PWR plant designs having redundant commercial-grade (or better) overfill-protection systems that satisfy the single-failure criterion are considered to adequately preclude water entering the main steamlines.

(7) BWR plant designs with commercial-grade (or better) overfill protection systems are considered to adequately preclude water entering the main steamlines.

(8) PWR plant designs that provide automatic initiation of the auxiliary feedwater flow on steam generator low-water level are considered to adequately preclude core overheating.
6 References

Alter, J., and D. Okrent, "The Contribution of Control Systems in LWR Safety," University of California, Los Angeles, 1983.

Babcock & Wilcox Owners Group, BAW-1564, "Integrated Control System Reliability Analysis," August 1979.

Denton, H., NRC, Memorandum to R. Bernero, "Schedule for Resolving and Completing Generic Issue No. 94, 'Additional Low Temperature Overpressure Protection for Light Water Reactors'," July 23, 1985.

Denton, H., Memorandum to V. Stello, "Staff Actions Resulting From the Investigation on the December 26, 1986 Incident at Rancho Seco (NUREG-1195)," April 25, 1986.

Dircks, W., NRC, Memorandum to NRC Directors, "Staff Actions Resulting From the Investigation of the June 8, Davis-Besse Event (NUREG-1154)," August 5, 1985.

Miraglia, F., NRC, Memorandum to NRR Directors, "Staff Actions Resulting From the Investigation of the December 26, 1986 Incident at Rancho Seco (NUREG-1195)," September 4, 1986.

Stello, V., NRC, Memorandum to H. Denton, "Staff Actions Resulting From the Investigation of the December 26, 1986 Incident at Rancho Seco (NUREG-1195)," March 13, 1986.

Tucker, H., BWOG, Letter to D. Crutchfield, NRC, "B&W Owners Group Plant Reassessment," May 15, 1986.

U.S. Nuclear Regulatory Commission, NUREG-0153, "Staff Discussions of Twelve Additional Technical Issues Raised by Responses to November 3, 1976 Memorandum From Director, NRR, to NRR Staff," December 1976.

--, NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," Vols. 1 and 2, April 1978; Vol. 3, December 1978; Vol. 4, March 1980.

--, NUREG-0660, "NRC Action Plan Developed As a Result of the TMI-2 Accident," Vols. 1 and 2, May 1980.

--, NUREG-0667, "Transient Response of Babcock & Wilcox-Designed Reactors," May 1980.

--, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition, July 1981.

--, NUREG-0933, "A Prioritization of Generic Safety Issues," Main Report and Supplements 1-6, August 1987.

--, NUREG-1070, "NRC Policy on Future Reactor Designs," July 1985.

--, NUREG-1154, "Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985," July 1985.

--, NUREG-1177, "Safety Evaluation Report Related to the Restart of Davis-Besse Nuclear Power Station, Unit 1, Following the Event of June 9, 1985," June 1986.

--, NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," February 1986.

--, NUREG-1218 (Draft for Comment), "Regulatory Analysis for Proposed Resolution of USI A-47, [illegible]

--, NUREG-1231, "Safety Evaluation Report Related to Babcock and Wilcox Owners Group Plant Reassessment Program," November 1987; Supplement No. 1, March 1988.

--, NUREG-1286, "Safety Evaluation Report Related to the Restart of Rancho Seco Nuclear Generating Station, Unit 1 Following the Event of December 26, 1985," October 1987; Supplement No. 1, March 1988.

--, NUREG/CR-3692 (ORNL/TM-9061), "Possible Modes of Steam Generator Overfill Resulting From Control System Malfunctions at the Oconee-1 Nuclear Plant," July 1984.

--, NUREG/CR-3958 (PNL-5767), "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor," March 1986.

--, NUREG/CR-3991 (ORNL/TM-9383), "Failure Modes and Effects Analysis (FMEA) of the ICS/NNI Electric Power Distribution Circuitry at the Oconee-1 Nuclear Plant," October 1985.

--, NUREG/CR-4047 (ORNL/TM-9444), "An Assessment of the Safety Implications of Control Systems at the Oconee 1 Nuclear Power Plant, Final Report," March 1986.

--, NUREG/CR-4262 (EGG-2394), "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor," Vols. 1 and 2, May 1985.

--, NUREG/CR-4265 (ORNL/TM-9640), "An Assessment of the Safety Implications of Control Systems at the Calvert Cliffs-1 Nuclear Plant," Vol. 1, Main Report, April 1986; Vol. 2, Appendices, July 1986.

--, NUREG/CR-4326 (EGG-2405), "Effects of Control System Failures on Transients and Accidents at a Westinghouse Pressurized Water Reactor," Vol. 1, August 1985; Vol. 2, October 1985.

--, NUREG/CR-4385 (PNL-5543), "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor," November 1985.

--, NUREG/CR-4386 (PNL-5544), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor," Pacific Northwest Laboratory, December 1985.

--, NUREG/CR-4387 (PNL-5545), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor," December 1985.

--, NUREG/CR-4449 (ORNL/TM-9868), "A PWR Hybrid Computer Model for Assessing the Safety Implications of Control Systems," March 1986.

--, NUREG/CR-4758 (ORNL/TM-10236), "A RETRAN Model of the Calvert Cliffs-1 Pressurized Water Reactor for Assessing the Safety Implications of Control Systems," March 1987.

--, Office for Analysis and Evaluation of Opera[illegible], "[illegible]erfill and Combined Primary and Secondary Blow[illegible]

--, Office of Inspection and Enforcement, Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control Power System Bus During Operation," November 30, 1979.

--, ORNL/NRC/LTR-86/19, Letter Report, "Generic Extensions to Plant Specific Findings of the Safety Implications of Control Systems (ORNL) Program."

--, SECY-82-465, "Pressurized Thermal Shock (PTS)," November 23, 1982.
Appendix A
Other Related Studies, Programs, and Issues
A number of ongoing U.S. Nuclear Regulatory Commission (NRC) and industry programs are related to Unresolved Safety Issue (USI) A-47. These programs are discussed here and summarized in Table A.1.
(1) Generic Issues in NUREG-0933
As specifically identified in NUREG-0933, Generic Issues 70 and 94 dealing with overpressure protection may require modifications to existing control systems. The staff concluded that resolution of these issues should proceed via the more focused review specified for these generic issues.
(2) Seismic Qualification of Equipment in Operating Plants, USI A-46
Within the framework of ongoing NRC and industry programs, the seismic ruggedness and operability of control-grade and protection-grade design equipment during design-basis seismic events are being evaluated. Data from actual experience during seismic events (including recent earthquakes in Chile and Mexico) are being evaluated to assess the seismic capability of electrical and mechanical equipment needed to safely shut down the plant. Equipment used in non-safety-related control systems that interact with safety-related equipment or that are used in achieving and maintaining hot shutdown are being evaluated to ensure that their operability (or lack thereof) does not compromise the plant's ability to achieve and maintain hot shutdown during or after a seismic event. All control system components and instruments are included in the USI A-46 scope by type if not explicitly reviewed. As part of the USI A-46 scope, the current review is evaluating two plant designs (i.e., Zion and Nine Mile Point Unit 1), focusing on equipment installation, its function, and its actual location. Once the methodology and review procedures are established, the review will extend to all other operating plants in the USI A-46 scope (which includes 70 operating plants).
(3) Reactor Vessel/Steam Generator Overfill
In separate evaluations, the staff is investigating the consequences of water entering the main steamlines resulting from overfeeding transients or steam generator tube rupture (SGTR) events. These evaluations include (a) analysis of the potential waterhammer conditions that could degrade steamline integrity, (b) assessment of the adequacy of existing emergency procedures for operator actions needed to mitigate SGTR and prevent overfill, and (c) radiological offsite dose calculations from an SGTR event. These activities are being evaluated in the study of Generic Issue 135.
(4) Babcock & Wilcox (B&W) Design Reexamination
A comprehensive B&W Owners Group study (Tucker, May 15, 1986) was initiated to reassess all B&W pressurized-water-reactor (PWR) plant designs including, but not limited to, the integrated control system, support systems such as power supplies, and maintenance.
Of particular relevance to USI A-47 was the part of this reexamination that dealt with improving the reliability of the B&W PWR plants by (a) reducing the number of reactor trips caused by non-safety-related control and support systems or by operator or maintenance errors and (b) improving response to plant transients. The NRC staff monitored this comprehensive study. Recommended actions for design modifications, for maintenance, and for changes to operating procedures developed for the utilities by the owners group were coordinated with the staff through NRC's Division of Engineering and System Technology. The NRC staff assessment of the B&W Owners Group Plant Reassessment Program is documented in NUREG-1231 and Supplement No. 1 to that report, dated November 1987 and March 1988, respectively.
(5) Staff Actions Resulting From the Investigation of the December 26, 1985 Incident at Rancho Seco
Generic and plant-specific actions resulting from the investigation of the Rancho Seco incident (see NRC NUREG-1195) were identified in part in a memorandum from V. Stello to H. Denton, dated March 13, 1986, and in a subsequent response memorandum dated April 25, 1986. Several other memoranda have been issued subsequent to the April 25, 1986 response related to the identified issues. These memoranda are listed in the September 4, 1986 memorandum from F. Miraglia to the various directors of NRR. The activities discussed in these memoranda were pursued by the NRC staff and were requested to be evaluated by the B&W Owners Group (BWOG). The major activities are summarized below:
(a) Regarding completeness of actions taken with respect to BAW-1564 ("Failure Modes and Effects Analysis of the ICS") and the Oak Ridge National Laboratory (ORNL) review of it, the BWOG has been asked to reevaluate BAW-1564 and to describe its plans to address the ORNL concerns. The staff evaluation is discussed in NUREG-1231, Supplement No. 1.
(b) The staff initially asked the BWOG to reevaluate IE Bulletin 79-27 regarding the consequences of a loss of power to the instrumentation and control systems for all of the B&W-designed operating plants. Because of program constraints, the reevaluation of Bulletin 79-27 was removed from the BWOG scope and is now being conducted by the NRC staff. All B&W plants will be evaluated. The Rancho Seco plant evaluation has already been completed. The evaluation is presented in NUREG-1286, Supplement No. 1, March 1988. It is anticipated that the review of the other B&W plants will be completed by mid-1989.
(c) With regard to atmospheric dump valves (ADVs) and turbine bypass valves (TBVs) opening on loss of integrated control system (ICS) power, the staff has met with the BWOG and determined that only Rancho Seco has the ADV problem and only Rancho Seco and Arkansas Nuclear One Unit 1 (ANO-1) have the TBV problem. Rancho Seco has already redesigned the ADV and TBV controls to eliminate the problem. The staff's evaluation is presented in NUREG-1286, Supplement No. 1. ANO-1 modified its TBV controls during the August 1986 refueling. The modified design prevents the TBV from automatically opening on a loss of power in the ICS.
(d) The staff has conducted a survey of completeness of actions taken with respect to NUREG-0667 recommendations by the staff and by licensees of each B&W-designed operating reactor. The survey shows that 90 percent of the related staff requirements have been implemented. The Rancho Seco licensee and the BWOG have reviewed the recommendations as part of the Rancho Seco recovery and B&W design reassessment programs. The staff's evaluation is provided in NUREG-1286 and NUREG-1231, Supplement No. 1.
(e) In connection with the partial loss of the non-nuclear instrumentation (NNI) system at Rancho Seco in 1984, Rancho Seco staff and the BWOG have reviewed this event as part of the recovery and design reassessment programs. The staff's evaluation is provided in NUREG-1286 and in NUREG-1231, Supplement No. 1.
(6) Staff Actions Resulting From the June 6, 1985 Incident at Davis-Besse
Generic and plant-specific actions resulting from the investigation of the Davis-Besse incident (see NRC, NUREG-1154) have been identified in a memorandum from W. Dircks to the Directors of NRC, dated August 5, 1985. Short-term, plant-specific items have been addressed and the resolution is described in the "Safety Evaluation Report Related to Restart of Davis-Besse Nuclear Power Station" (see NRC, NUREG-1177). A number of potential generic issues were also identified. These issues include possible deficiencies in the design, construction, or operation of several or a class of nuclear power plants. The staff did not identify a need for any immediate staff action of a generic nature related to these issues. These issues have, however, been designated for review as part of Generic Issues 122 through 125. These issues are to be evaluated and resolved on a schedule consistent with their priority designation. Currently, the staff is completing the prioritization of these issues. Their status and priority level are provided in NUREG-0933. The staff is pursuing resolution of these issues on a separate schedule independent from the USI A-47 study.
(7) Systems Interactions (USI A-17)
Potentially undesirable interactions between plant systems, components, and structures were evaluated within the framework of the USI A-17 study. These evaluations include identification of interdependencies between safety-related protection systems and systems not related to safety, including non-safety-related control systems. The staff is pursuing resolution of this issue on a separate schedule independent from the USI A-47 study.
(8) Multiple Systems Response Program (MSRP)
A number of potential safety concerns were raised by the NRC staff and the Advisory Committee on Reactor Safeguards (ACRS) which were not covered by the existing USI programs (i.e., USI A-17, A-46, and A-47) or other safety issues (e.g., fire protection and environmental qualification). These concerns were identified because they were either: (a) outside the scope of the safety issue, (b) a spinoff from the existing issues, or (c) peripheral concerns for which additional review effort is thought necessary.
The MSRP was established to address these concerns and develop them as issues of sufficient detail that they may be evaluated, if needed, as new generic issues according to priority. This program is being pursued on a separate schedule independent from the USI A-47 study.
Table A.1 Summary of USI A-47 related studies, programs, and issues
| Issue | Subject | Estimated completion schedule |
|---|---|---|
| GI-70 | PORV and block valve reliability | Early 1989 |
| GI-94 | Low-temperature overpressure protection for light-water reactors | Early 1989 |
| USI A-46 | Seismic qualification of components | Mid-1991 (plant-specific implementation) |
| GI-135 | Water entering main steamlines (overfill) | Late-1989 |
| B&W plant reexamination | BWOG reevaluation to minimize challenges to protection systems and improve mitigation of complex transients | Completed in March 1988 |
| Staff actions resulting from Rancho Seco Dec. 26, 1985 incident | Included as part of BWOG reevaluation | Completed in March 1988 |
| Staff actions resulting from Davis-Besse June 6, 1985 incident | NUREG-1177 (short-term actions) | Completed in June 1986 |
| | GI-122 (initiating feed and bleed) | Mid-1988 |
| | GI-124 (AFW system reliability) | Mid-1988 |
| | GI-125 (reevaluate design to automatically isolate feedwater from the steam generator) | Mid-1989 |
| USI A-17 | Systems interactions | Mid-1989 |
| Multiple Systems Response Program (MSRP) | Various potentially safety-significant subjects | To be determined on individual issues |
Appendix B
Summary of the Principal Documents Used for USI A-47 Study
The following are summaries of the principal documents underlying the resolution of Unresolved Safety Issue (USI) A-47.
(1) Draft NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47," April 1988.
This report presents the technical findings and summarizes the work performed on USI A-47 by the U.S. Nuclear Regulatory Commission (NRC) and its contractors Pacific Northwest Laboratory (PNL), Idaho National Engineering Laboratory (INEL), and Oak Ridge National Laboratory (ORNL). Summaries and staff conclusions regarding other related work, such as generic applicability and operating experience survey, are also presented.
From the technical findings presented in this report, the staff formulated the resolution of USI A-47.
(2) Draft NUREG-1218, "Regulatory Analysis for Proposed Resolution of USI A-47 Safety Implications of Control Systems," April 1988.
This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value impact of alternatives for resolution of USI A-47. The resolution presented in this USI A-47 study is based on these analyses.
(3) NUREG/CR-4262, "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor" (Vols. 1 and 2), May 1985. (See summary for NUREG/CR-4326.)
(4) NUREG/CR-4326, "Effects of Control System Failures on Transients and Accidents at a 3-loop Westinghouse Pressurized Water Reactor," Vol. 1, August 1985; Vol. 2, October 1985.
These two reports (numbers 3 and 4) summarize the work performed on USI A-47 by INEL. Summaries of failure modes and effects analysis, computer analysis, recorded plant occurrences, and probabilistic assessment of significant control system failure frequencies are provided. In addition, the contractor presents its conclusions and recommendations.
From the technical findings presented in these two reports, the staff formulated the resolution of USI A-47 for General Electric and Westinghouse plants.
(5) NUREG/CR-4047, "An Assessment of the Safety Implications of Control at the Oconee 1 Nuclear Plant," Final Report, March 1986. (See summary for NUREG/CR-4265.)
(6) NUREG/CR-4265, "An Assessment of the Safety Implications of Control at the Calvert Cliffs 1 Nuclear Power Plant," Vol. 1, April 1986; Vol. 2, July 1986.
These two reports (numbers 5 and 6) summarize the work performed on USI A-47 by ORNL. Summaries of failure modes and effects analysis, computer analysis, recorded plant occurrences, and probabilistic assessment of significant control system failure frequencies are provided. In addition, the contractor presents its conclusions and recommendations.
From the technical findings presented in these two reports, the staff formulated the resolution of USI A-47 for Babcock & Wilcox Company and Combustion Engineering plants.
(7) NUREG/CR-4385, "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor," November 1985. (See summary for NUREG/CR-3958.)
(8) NUREG/CR-4386, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor," December 1985. (See summary for NUREG/CR-3958.)
(9) NUREG/CR-4387, "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor," December 1985. (See summary for NUREG/CR-3958.)
(10) NUREG/CR-3958, "Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor," March 1986.
These four reports (numbers 7-10) summarize the work performed on USI A-47 by PNL. Probabilistic risk analyses and estimates of core-melt frequencies and public risk associated with control system failures in Westinghouse, Babcock & Wilcox, General Electric, and Combustion Engineering reactors are presented. In addition, value/impact analyses of possible modifications to prevent control system failures are presented. These ... INEL and ORNL.
From the technical findings presented in these four reports, the staff developed the regulatory analysis for USI A-47.
Appendix C
Staff Resolution of Public Comments
Drafts of NUREG-1217 and NUREG-1218 were issued in April 1988 for comment. Public comments were received from the organizations and individuals listed below. The comment period was extended to September 1988 so that the substantive comments that came in late could be included.
Charles H. Cruse - Baltimore Gas & Electric Company
W. J. Johnson - Westinghouse Electric Corporation
Harry G. O'Brien - Tennessee Valley Authority
J. L. Sullivan - GPU Nuclear Corporation
H. B. Tucker - Duke Power Company
The comments that follow were extracted from the responses the staff received.
Comment 1
The events listed in Table 3.3 [of NUREG-1217] lack detail and are few in number. There are more events to draw conclusions from and, without details, it is difficult to judge the importance and probability of these events.
Resolution
Table 3.3 of NUREG-1217 only summarizes (1) the failure scenarios and the failure mechanisms that were identified as safety significant and (2) the failure probabilities of control systems failure sequences initiating or contributing to the events of concern. The contractor reports referenced in Sections 2.1 and 3 of NUREG-1217 provide additional detailed description of the type of events evaluated and the type of events that were identified as potentially safety significant. For additional clarity, Tables 3.1 through 3.4 were revised to refer directly to the contractor reports.
Comment 2
Appendix C [of NUREG-1218] implies that steam generator tube rupture [SGTR] is inevitable as a result of an overfill event. This is totally unsupported by analysis. The assumed thermal shrinkage which causes [SGTR] is not possible since there is no large volume of unheated feedwater when the plant is at power. Only a very large addition of unheated feedwater could provide the cooling necessary to cause significant OTSG [once-through steam generator] tube tensile loading. Tube stresses during MSLB [a main steamline break] have been evaluated as acceptable.
Resolution
Appendix C of draft NUREG-1218, with regard to SGTRs as they relate to overfill events, states that "the more-severe scenarios could potentially lead to a steamline break and a steam generator tube rupture." This statement implies that such an occurrence is possible; however, the statement does not imply certainty. The supporting analyses for the staff conclusions are described in detail in NRC contractor reports (NUREG/CR-3958, NUREG/CR-4385, and NUREG/CR-4386) for the three different pressurized-water reactor (PWR) designs of the major nuclear steam supply system (NSSS) vendors.
The conditional probability estimates for SGTR given a steamline break were taken from the results of unresolved safety issue (USI) A-3, A-4, and A-5 studies provided in NUREG-0844 and varied from 0.017 to 0.003 depending on the number of tubes ruptured.
In addition, a sensitivity study for reactor vessel/steam generator overfill scenarios, provided in Appendix B of NUREG-1218, also describes the dominant accident sequences used to determine public risk resulting from overfill events and evaluates the risk associated with three different conditional probability estimates for a main steamline break given an overfill event. These estimates go to at least two orders of magnitude lower than used in the initial analyses.
Since this information is already stated in NUREG-1218 (e.g., Section 3 and Appendix B), no additional modification or clarification is necessary.
Comment 3
The probability of main steamline break (MSLB) due to overfill is arbitrarily high and not supported by the esi-
Comment 3a
The estimated frequency for main steamline break (MSLB), given [an] SG [steam generator] overfill, is too
high. As referenced by NUREG-1217, a comprehensive review of such events [NUREG/CR-3958] indicated that no such MSLBs had occurred despite several spillover events. We are also unaware of any such events occurring since the date of this study.
Resolution
Most overfills that were identified were initiated by failures in the main feedwater control and high-water-level trip circuits. If these events were not terminated by the operator, they would lead to water filling the steamlines, which could possibly result in damage or total steamline failure. A large uncertainty exists concerning this potential damage; therefore, the staff conservatively assumed a high probability of MSLB given a spillover of water into the steamlines. This probability was assumed to be either 0.95 or 0.50. Recognizing this conservatism, a sensitivity study (see Appendix B of NUREG-1217) also was performed to assess the public risk associated with what is considered to be more-realistic conditional probability estimates for MSLB (given a spillover). These best-estimate values derived from operating history data were estimated to be between a factor of 4 to a factor of 7 times less than the initial estimates and were based on two events in Europe in which steamline damage resulted from water entering the steamline. The sensitivity studies also included an estimate 100 times less than the initial estimate. The staff's conclusions factor in the more-realistic best-estimate MSLB probabilities resulting from overfill events. Since this information is already described in Appendix B of NUREG-1217, no additional modification or clarification to the report is considered necessary.
Comment 4
The importance of the operator in responding to events is not recognized in the conclusions of [NUREG-1217].
Resolution
The scope of the USI A-47 study is described in Section 2 of NUREG-1217. Factors such as the adequacy of existing operating procedures and information displays were evaluated for the important transients, but operator errors of omission and commission were not systematically addressed.
For all significant event sequences, the importance of the operator response in the face of failed control systems was included in the final judgment of probability of the event, hence a factor in the resolution of this issue. The degree to which operator errors were addressed is described in Section 2.2(3) and also in the various contractor reports that are identified in Section 2.1 of NUREG-1217. The probability estimates for operator errors in mitigating the significant-events sequences also are summarized in the footnotes of Tables 3.1 through 3.4 of NUREG-1217. Therefore, no additional modification or clarification to this report is considered necessary.
Comment 5
It is not clear if systems interaction was or was not included in this study. [See Table 2.3 of NUREG-1217.]
Resolution
The staff agrees that additional clarification is needed to explicitly state that systems interactions are addressed by others and are not included in the USI A-47 scope. Therefore Section 2.2(1) has been revised so that the last two sentences now read: "In addition, as part of the USI A-17 systems interaction program, spatial interactions between safety-related systems and non-safety-related systems were considered. Any identified interactions between safety-related systems and non-safety-related control systems were evaluated as part of that program and are not included in the scope of the USI A-47 review."
Comment 6
Appendix A item (4) of [NUREG-1217] is incorrect where it states "The purpose of this reexamination is to improve the reliability of the B&W [Babcock & Wilcox] PWR [pressurized-water reactor] plants by (a) reducing the number of reactor trips caused by non-safety-grade control and support systems..." The Safety Performance Improvement Program looked at all systems regardless of their safety-grade [safety-related] or non-safety-grade [non-safety-related] status.
Response
The staff agrees that the Babcock & Wilcox Owners Group Safety Performance Improvement Program scope included safety-related systems. The discussion in item (4) of Appendix A states that the reassessment review included, but was not limited to, the events identified. The scope of the reassessment program was extensive; however, the discussion in NUREG-1217 focused only on those systems that are applicable to the A-47 scope, i.e., non-safety-related systems.
Item (4) of Appendix A has been reworded to clarify this area.
Comment 7
It is not clear from NUREG-1218 whether the suggested redundant trip circuitry should apply to the actual trip circuits within the FWPT [feedwater pump trip], or only to
the logic that applies the trip signal to the FWPT main trip solenoid valve.
Resolution
For most applications it is difficult to have coincidence logic such as a 2-out-of-3 for the entire system from the sensors to the actuators. However, if the output of the logic operates only a single solenoid actuator, there is a single point of failure that can defeat one of the main purposes of coincidence logic. To eliminate a single point of failure, it is necessary that there be redundant actuators. If there are redundant actuators, a logic of 2-out-of-3, 2-out-of-4, or 1-out-of-2 taken twice can be designed so that there is no single point of failure in the system.
Comment 8
The paragraph associated with Section 4.3(1) of NUREG-1218 is incorrect. The signal monitors are a deenergize-to-trip logic. The trip relay is an energize-to-trip [logic] but it is from a different power source from the rest of the control system. Therefore, the design of the system is such that loss of control system power will automatically trip the MFW [main feedwater] pumps.
Resolution
The intent of the referenced paragraph is to show that there are single failures for the existing 2-out-of-2 trip logic for the MFW pump trip on high-water level in the steam generator and that the existing 2-out-of-2 trip logic cannot be tested while the reactor is operating. A single failure could defeat the trip, but it would not be detected until after the reactor was shut down and the system was tested. Although the paragraph of concern is correct, it was modified to clarify what was meant by control power and by the control system and is compatible with the terminology used above.
Comment 9
Duke [Duke Power Co.] agrees with the conclusion reached in Section 4.3.1(c) of NUREG-1218, that additional trips from monthly testing would occur and that the cost/benefit ratio makes this alternative unattractive.
Resolution
It should be noted that the conclusions discussed in Section 4.3.1(c) apply only for providing full system testing capability on a monthly basis on the existing 2-out-of-2 steam generator high water-level trip system. Periodic testing and verification of overfill protection systems with additional modification as indicated is however a viable alternative, as discussed in Section 4.3.2. Periodic verification and testing guidelines are provided in Appendix C, item (3)(b) of NUREG-1218. The staff also believes that periodic verification and testing of overfill protection systems can pm without a significant increase in feedwater pump trips.
Comment 10
In regard to various solutions presented to create a 2-out-of-3 logic in the overfill protection circuits, it does not appear that using startup level indication as a third channel would offer adequate redundancy, because the startup level and operating level (downcomer level) are not completely related. The operating level is temperature compensated, the startup level is not. The operating level looks at level within the downcomer, and thus offers detection of level that would flood the aspiration ports; the startup level looks at water level in the heat transfer area of the OTSG [once-through steam generator] and is subject to resistive pressure drop errors and other variations at power. Therefore, during normal power operation, the startup level is subject to much greater inaccuracies than is the operating level.
Resolution
In NUREG-1218, Section 4.3(3), Case 1 is an evaluation for changing steam generator high-water-level trip by adding a level system to trip the MFW block valves independently of the 2-out-of-2 trip logic that trips the MFW pump. The basis for the cost estimate in NUREG-1218 is an assumption that an existing steam generator water level sensor could be used (e.g., startup range system) for this independent trip system. If the startup range transmitter cannot be used, the cost estimate is not applicable. However, there is a second value/impact evaluation (Case 2) based on the installation of additional equipment. This alternative also is considered viable on the basis of the value/impact evaluation, but its benefit is less. The selection of the best alternative should be based on the individual plant requirements.
Since this information is already stated in NUREG-1218 (and presented in the referenced NUREG/CR-4386 report), no additional modification or clarification is necessary.
Comment 11
The two overheating events described in Table 3.3 of NUREG-1217 are no longer applicable due to a modification presently being installed at Oconee. This modification produces an automatic MFW pump trip on a loss of either hand or auto power to the ICS [integrated control system]. This modification is the same as corrective action (iii) for alternative (4) in Section 4.3 of NUREG-1218. In addition, corrective actions (iv) and (v)
have already been implemented at Oconee. Operators have been trained to cope with a loss of hand or auto power to the ICS, and alarms have been installed in the control room to alert operators to the loss of hand or auto power to the ICS. Therefore, it is not necessary to provide automatic initiation of the EFW [emergency feedwater] system on steam generator low-water level. The automatic initiation circuitry for EFW at Oconee uses low MFW pump discharge pressure or low MFW pump control oil pressure signals to anticipate the loss of MFW. This design feature permits automatic initiation in a more timely manner to reduce the likelihood of steam generator dryout. Furthermore, low-level initiation of EFW has some potential negative impacts such as increased reactor trips, increased operator burden, additional challenges to safety systems and potential overcooling due to EFW overfill which has not been adequately addressed.
Duke [Duke Power Co.] notes that the values used to estimate operator reliability in the two overheating events are conservative. In particular, the probability that the operators fail to initiate high-pressure injection following a loss of feedwater is estimated to be 1.0E-02 [0.01]. Work performed for the NRC by EG&G Idaho and published in NUREG/CR-4966 shows that this probability should actually be 1.0E-03 [0.001] or lower. Other operator actions which have been given too high a failure probability are reinstating MFW or initiating EFW during the overheating events. Given that more than 30 minutes are available to take either action, significantly lower failure probabilities would be appropriate. The use of a more realistic assessment of operator actions following these overheating events produces calculated core-melt frequencies one to two orders of magnitude lower than those given.
In summary, using a more realistic assessment of operator actions significantly lowers the calculated probability of overheating events leading to core melt. Furthermore, the two overheating events described in NUREG-1217 are no longer applicable due to actions already taken at Oconee. As a result, a value/impact analysis shows that none of the remaining corrective actions meet the stated criterion of $1,000/man-rem.
Comment 11a
Steam generator dryout for B&W plants has been found not to be a concern based on the fact that restoring feedwater flow to the steam generator restores cooling even without a significant water level present. Emergency feedwater (EFW) actuation on low steam generator [water] level is provided for reasons other than avoiding dryout. Although dryout is not desirable, technical specification requirements to maintain it are not appropriate for B&W plants.
Resolution
The staff agrees that the modifications identified and implemented on the Oconee plants by Duke Power Company to provide an automatic MFW pump trip on a loss of either hand or auto power to the ICS may be found acceptable if designed to include all the branch circuits identified in Section 2, item 4, of NUREG/CR-3991. For additional clarity, Section 3 of Appendix C to NUREG-1218 has been modified to include all other acceptable corrective actions that could be taken to avoid steam generator dryout on a loss of power. The staff, however, still maintains that low-water-level initiation of EFW ensures adequate flow to the steam generator in the event of other failures, such as inadvertent MFW valve closure, and that the system can be designed to minimize inadvertent trips and challenges to the safety systems. On the basis of the location of the low MFW pump discharge pressure, it is not clear that in the event of an MFW valve closure, EFW would be automatically initiated. Justification for the adequacy of such a design should be submitted for staff review.
The staff agrees that there is considerable uncertainty in the values used to estimate operator reliability for these events. However, on the basis of operating history of B&W plants and the amount of confusion introduced by an ICS power failure (for example, as exemplified by the Rancho Seco power supply failures), the staff believes that the estimates used are justified. Although it also should be noted that the consequences of dryout of one steam generator have been adequately analyzed, dryout of both generators is a more severe event not adequately analyzed for all plants.
Comment 12
The draft NUREGs [NUREG-1217 and NUREG-1218] indicate that a 1-out-of-2 taken-twice trip logic is acceptable. This design would place the unit at a higher risk of inadvertent unit trip, since a single failure can cause actuation of the trip logic. This situation would result in unnecessary challenges to safety systems. This concern and the resultant impact are not considered by the investigation.
Resolution
A 1-out-of-2 taken-twice logic, if properly designed, would not inadvertently actuate the trip logic as a result of a single failure. For example, the General Electric Co. uses a 1-out-of-2 taken-twice logic in the reactor scram system. A boiling water reactor (BWR) has four solenoids on each control rod assembly, two of which are
deenergized to trip and two of which are energized to trip. There is no single failure that could cause an inadvertent actuation of the trip system. The selection of the logic should best meet the individual plant requirements.

Comment 13

The overfilling scenario described in Table 3.3 of NUREG-1217 assumes a 0.95 probability of main steamline break (MSLB) given spillover into the steamlines. This arbitrary assumption results in a 9.58E-06/yr calculated core-melt frequency and a 45.8 man-rem/yr calculated public risk, as stated in NUREG/CR-4386. However, Duke Power analysis of the Oconee main steamlines shows that, following spillover, the loads produced in the lines do not result in an MSLB. Since main steamline integrity is maintained, the conditional steam generator tube rupture, which is postulated in the dominant sequence, will also not occur. Therefore, the actual calculated core-melt frequency from the overfill scenario is that due solely to the remaining T2 transient (a loss of main feedwater due to turbine damage). NUREG/CR-4386 calculated this frequency to be 6.88E-08/yr with a calculated public risk of 0.186 man-rem/yr. The resulting safety benefits (in man-rems) of the potential upgrades for the overcooling scenario are actually [more than] two orders of magnitude less than those stated in NUREG-1218. A value/impact analysis, using the actual public risk benefit with the estimated costs given in NUREG-1218, shows that none of the alternatives meet the stated criteria of $1,000/man-rem.

This conclusion is in agreement with the statement in Appendix B of NUREG-1218..."If the probability of an MSLB (given overfill) was further reduced by as much as 2 orders of magnitude, the risk reduction would not be significant enough to warrant a design change." This is also in overall agreement with the NRC staff position that overcooling events at B&W plants are minor contributors to core damage, as stated in NUREG-1231.

Resolution

The staff agrees that the initial estimate of the conditional probability of an MSLB, given an overfill event, is conservative. The staff maintains, however, that the claim of ensured main steamline integrity following an overfill event is unsubstantiated. A static load analysis is not convincing for the accident conditions being investigated. This single event can result in the introduction of high-temperature saturated water into the steamlines with the potential for being rapidly accelerated and potentially introduces forces on the steamlines large enough to break them. Experience suggests that there is a real chance of an MSLB given an overfill event. In two events in Europe, steamlines were damaged when water entered the steamline.

These two events were used in the sensitivity analysis found in Appendix B of the regulatory analysis (NUREG-1218). As illustrated in the sensitivity analysis, the use of a best-estimate less-conservative value based on operating experience (of 0.13) for the conditional probability of an MSLB given an overfill event resulted in a smaller, but still appreciable, reduction in public risk and a favorable cost-benefit analysis as a result of the proposed resolution.

The staff conclusions consider the more realistic estimate for the conditional probability of an MSLB given an overfill. Even with the less-conservative estimates, the proposed fix is still warranted. Since this information is already presented in Appendix B, no additional modification or clarification to the report is necessary.

Comment 14

We agree that events may be postulated in which a failure of the feedwater control system and failure of the operator to take timely action can initiate an SG [steam generator] overfill event. However, we believe that the value/impact analysis does not justify the proposed alterations because the probability of the control room operator not taking corrective action in time to preclude an SG overfeed event is too conservative. The Oak Ridge National Laboratory (ORNL) analysis states the probability of operator error to be 0.1 failure per demand but does not describe the basis for this value. It appears that this value is based upon the human reliability analysis as provided in [NUREG/CR-1278]. However, our operators have demonstrated their proficiency in mitigating this type of event before SG overfilling occurs by both operating experience and training. A reactor trip plus a stuck feedwater valve scenario did occur at Calvert Cliffs [Nuclear Power Plant] in October 1983 and was successfully terminated by prompt operator action. Corrective action is specifically given in emergency operating procedures. The ORNL analysis was based upon the configuration of Calvert Cliffs at the time of data collection. Since that time, we have made several changes to upgrade both the control room and operating procedures to improve operator performance. Many of these changes were in response to TMI-related initiatives. Changes made include: (1) implementation of functional recovery emergency procedures; (2) upgrading abnormal operating procedures including SG overfill event; (3) requiring degreed shift technical advisors to complement the operating shift crews; (4) addition of a computer-based safety parameter display system to the control room; and (5) construction and use of a fully operational site-specific control room simulator. Human factors upgrades in progress will further aid operators to function more effectively during unusual operating conditions. None of these changes were considered in the original analysis. However, these changes affect the
performance shaping factors relevant to the human reliability analysis and, as a result, increase the probability that the operator will terminate the event.

Resolution

In the staff's reviews and simulations of credible overfill scenarios, several scenarios were identified in which water could spill over into the steamline within 3 to 5 minutes of the initiating event. If this event were coupled with reactor scram that was not directly related to the overfill event, then such an event scenario could further distract the operator from the overfill problem. Operator actions to mitigate the overfill event under these conditions would be more complex and difficult to predict. The staff's criteria on establishing quantitative success probabilities for operator actions in such circumstances is discussed in Section 4.4 of NUREG/CR-4265. A review of operating history in the overfill event identified in Licensee Event Report (LER) 87-011-02, which occurred at San Onofre Nuclear Generating Station, Unit 3, indicates that a failure probability of 0.1 for an operator to terminate an overfill event is a reasonable estimate. Since a less-conservative but defensible estimate was not proposed, no modification to NUREG-1217 is warranted.

Comment 15

The estimated cost to implement the proposed automatic trip as calculated by the draft NUREGs [NUREG-1217 and NUREG-1218] is too low. We have estimated that the total cost would actually be closer to $200,000....The cost estimated for design engineering and safety evaluation was increased because the modification may be determined to be an unresolved safety question. The change would increase the probability of occurrence of a design-basis event, loss of feedwater. Accordingly, the trip system will have to be designed such that we do not degrade the reliability of the feedwater system or increase the probability of unnecessary challenges to safety systems. Our estimate does not include the cost of installing new containment penetrations, cabling, or cabinet space; this can only be determined by a detailed plant-specific design analysis. If these changes are needed, the cost would increase dramatically. Our estimate also does not include indirect factors such as the opportunity costs or escalated costs. Also, the remaining plant life was assumed to be 30 years. Since the proposed automatic trip would not be fully operational for 3 years from the project initiation, the actual remaining plant licensed life for Calvert Cliffs [Nuclear Power Plant] would be less than 25 years.

Resolution

The staff agrees that the original cost estimate of $100,000 may be low and that the total cost estimated by the utility for this alternative may be closer to $200,000. It should be noted, however, that the sensitivity analysis in Appendix B of NUREG-1218 shows that design modifications costing $248,000 would still be

The staff revised the report to reflect the utility's cost estimates; no additional modifications were warranted. In addition, the staff does not propose any changes and believes that the assumption of a 30-year remaining lifetime is a more prudent estimate than the suggested 25 years, particularly in light of potential life extension and/or licensee renewal activities.

Comment 16

The core-melt frequency stated in Table 5.1 of [NUREG-1218] (1 x 10^-7) does not agree with that stated in the text in Section 4.2(5)(a), page 4-8 (1.4 x 10^-7).

Resolution

Table 5.1 of draft NUREG-1218 summarizes the alternatives discussed in Section 4. For simplicity, the estimated core-melt frequency values shown in this table were rounded off to the most significant number and are within the error band of the calculations performed. No modification to the report is necessary as a result of this comment.

Comment 17

In NUREG-1218, Section 4.2(5), page 4-7, Case 1 is described as the inadvertent opening of all five condenser-steam dump valves. Most Westinghouse plants provide for condenser-steam dump isolation on a protection grade low-low Tavg signal which closes the steam dump valves regardless of the control-grade demand signal.

Resolution

The staff agrees. Section 4.2(5) was revised to reflect this comment.

Comment 18

Section [4.2(1) of NUREG-1218] states that steam generator overfill via the AFW [auxiliary feedwater] system was predicted to occur in about 3 minutes.

For overfill event #1, as described in NUREG-1217, any of the four proposed failure mechanisms result in the main feedwater (MFW) valve to inadvertently open resulting in overfeed of the steam generator. Upon reaching the steam generator hi-hi water-level setpoint, the MFW pumps and turbine are tripped and the AFW
pumps are initiated on MFW pump trip. The time to overfill the steam generators via AFW for this scenario is expected to exceed the 3 minutes due to the effect of turbine trip and MFW pump trip.

For overfill event #2, as described in NUREG-1217, the initial failure mechanism (e.g., a failure in the controlling steam generator level channel) results in the MFW valve to inadvertently open resulting in overfeed of the steam generators. The second failure assumed is the loss of a second channel of the hi-hi steam generator level trip system which would result in the loss of MFW pump and turbine trip. However, the AFW pumps would not be actuated. The time to overfill the steam generator in this scenario due to MFW is approximately 3 minutes. However, this conclusion is in conflict with the statement in Section 4.2(1) which states the steam generator is overfilled via the AFW system in about 3 minutes.

Resolution

The computer simulation of the first event showed that approximately 205 seconds into the transient there was a significant flooding of the moisture separators and that moisture carryover was experienced from one of the three steam generators. This overfill transient assumed no operator action to manually terminate the AFW.

The second overfill event resulted from an MFW flow overfeeding transient with no automatic or operator-assisted manual termination of the MFW flow. For this event, AFW was not initiated. The computer simulation for this event showed a substantial reduction in steam quality 20 seconds into the event.

The RELAP5 computer model that was used to perform these simulations was subjected to code verifications and quality assurance checks as well as correlation checks between calculated results and actual plant measured results. These checks provide reasonable assurance that the model closely predicts plant behavior. Analyses of these two events are described in more detail in NUREG/CR-4326, Volume 1.

For additional clarity, Section 4.2 of NUREG-1218 was revised to preclude any perceived conflict by identifying the specific event of concern in the reference plant study.

Comment 19

In NUREG-1217, Section 4.2.1(2), page 4-7, the use of the terminology "charging pumps" is confusing in this context. Generally, charging pumps refer to the Westinghouse high-head safety injection pumps and not the auxiliary feedwater or startup feedwater pumps.

Resolution

The staff agrees. Section 4.2.1(2) has been revised to eliminate this confusion.

Comment 20

The implication from the statement [in NUREG-1217, Section 4.2.1(1)(b), page 4-6] concerning the availability of plant administrative procedures for manually throttling auxiliary feedwater (AFW) flow following reactor trip or safety injection is that many Westinghouse NSSS [nuclear steam supply system] plants do not have such procedures available.

We would like to emphasize that all Westinghouse NSSS plants that were members of the Westinghouse Owners Group (WOG) have available administrative procedures for controlling level in the steam generator following reactor trip or safety injection as described in the Emergency Response Guidelines (ERG), Procedure E-0, "Reactor Trip or Safety Injection." This guideline directs the operators to maintain total feed flow greater than a preset value until narrow range level is restored to the narrow range span in at least one steam generator. Subsequently, the operator is to control feed flow to maintain the narrow range level between 0 and 50 percent of span. Hence, any plant that has implemented the WOG ERGs has administrative procedures for controlling feedwater flow (both main and auxiliary) following reactor trip or safety injection.

Resolution

The staff is not implying that many Westinghouse plants do not have procedures for instructing the operators to manually throttle AFW flow following reactor trips or safety injection events. Section (26) states that if a Westinghouse plant does not have such procedures, or if the procedures (or training) are inadequate, then these plants are susceptible to AFW overfill transients similar to those described in the reference plant. It is prudent for all plants, not just members of the Westinghouse Owners Group, to ensure that their plant procedures and training are adequate to preclude overfill transients via the AFW system.

No modification or clarification is proposed as a result of this comment.

Comment 21

Need and Criteria for Plant-Specific Evaluations - The analysis to support the USI A-47 conclusions seems to have examined control system failures that could have the most adverse impact on the primary- and secondary-side
systems. Although the spatial effects of specific hazards such as fire, flooding, harsh environments, earthquakes, etc., were not specifically addressed, this approach may give a reasonable "coverage" of these effects. Evaluations were made of the generic applicability of the analyses of the representative plants. This approach has a great deal of merit for both a generic assessment and for plant-specific assessments.

However, it is not clear that this approach gives sufficient coverage of this very broad area. I think that plant-specific evaluations are needed to factor in (a) the various hazards and their spatial effects on the control systems...and (b) plant-specific control and support systems. I think that the industry needs to develop criteria and practical methodology for use in plant-specific evaluations. The evaluations for operating plants can be based on risk reduction and value/impact for operating plants; however, the evaluations for future plants and perhaps construction plants [plants under construction] need to also factor in the traditional design-basis event (DBE) type of safety limits and safety analyses.

Comment 21a

The environmental qualification requirements in 10 CFR 50.49 require that non-safety-related electrical equipment must be environmentally qualified if its failure under harsh environments can prevent safety-related equipment from accomplishing its safety function. USI A-47 needs to be expanded to cover unintended operation of control systems caused by environmental conditions caused by pipe breaks and other events that could produce a harsh environment. For example, NRC Information Notices 79-22, 86-106, etc., should be factored into the evaluation. USI A-47 also should be expanded to cover flooding from moderate energy line breaks, flow diversions, etc., that are outside of the scope of 10 CFR 50.49.

NRC Generic Letter 87-02 implies that USI A-46 may not cover unintended (spurious) operations of nonseismic (non-safety-grade [related]) control systems in earthquakes (see pages 4 and 12, etc.). The seismic experience data base does not seem to cover unintended (spurious) operations during an earthquake. If my understanding is correct, the discussions in Section 2.2(2) and Appendix A(2) of NUREG-1217 may need some expansion.

Sections III.G and III.L of 10 CFR 50, Appendix R, require that spurious actuations be addressed for fires. However, NRC Generic Letter 86-10 does not appear to require that more than one spurious actuation be assumed. This does not appear to be adequate coverage since multiple unintended operations have occurred in several actual fires.

Comment 21e

Treatment of Specific Events and Spatial Effects - Section 2.2(2) and Appendix A of NUREG-1217 and Section 2.1(2) of NUREG-1218 - The draft NUREGs indicate that "external" events such as earthquakes, floods, fires, and sabotage have not been considered. It appears that the evaluations did not consider the spatial aspects of potential hazards (e.g., fires, floods, etc.) or the locations of the control systems. However, a limited number of multiple unintended (spurious) operations were assumed. These assumptions may be fairly representative and give good "coverage" of the failures that might be caused by these types of events. I think further work is needed to develop an integrated treatment of these types of events as well as the failures within the current scope of USI A-47. This integrated treatment should include (1) the various hazardous events, such as pipe breaks, "internal" flooding, "internal" fires, other events that produce harsh environments, earthquakes, etc., and (2) consideration of the spatial aspects of the hazards and their effects on the control systems located within the zone of their influence. Different assumptions may be appropriate for different hazards.

Resolution

In its technical evaluation of USI A-47, the staff considered individual and selected multiple system failures that result from nonmechanistic failure modes. This approach evaluates, to some extent, the effects of system failures that could occur as a result of external events such as fires, flooding, and earthquakes. This was a limited study focusing only on non-safety-related control system failures. This study assumed that at least one channel of safety-related mitigating systems would be available if needed.

The limitations of the USI A-47 evaluation were established on the basis that these events were addressed in other programs: USI A-17, USI A-46, Fire Protection (10 CFR 50 Appendix R) review program, Environmental Qualifications program. However, some potential safety concerns were identified by the staff and the Advisory Committee for Reactor Safeguards (ACRS) that were either (1) not in the scope of the safety issue or other programs, (2) a spinoff from the existing issues, or (3) peripheral concerns for which additional review effort is thought to be needed. As a result, a program has been established to address these concerns and to develop them as issues of sufficient detail so that they may be evaluated, if needed, as new issues according to priority. This program is entitled the Multiple Systems Response Program and is progressing on a separate schedule independent from USI A-47.
Comment 22

Overfill Events - One of the more rapid and significant overfill events for a PWR seems to be a reactor trip followed by a failure of the control systems to rapidly run back the MFW. This type of event seems to only be addressed in two cases in Section 3 of NUREG-1217: (1) overfill event #1 in Table 3.4 and (2) overheat event #1 in Table 3.3. I think that this type [of] overfill event needs to be treated in more detail for all of the representative plants.

Resolution

All of the representative plants studied during the USI A-47 evaluation were evaluated for this type of transient. It should be noted that NUREG-1217 only summarizes the results of several contractor reports. Specific details of the analyses performed can be found in the referenced contractor reports.

Section 4 of NUREG-1217 discusses the generic applicability of such events, and Appendix C of NUREG-1218 proposes recommended actions for each type of nuclear steam supply system (NSSS) plant in order to mitigate the consequences of such events. Therefore, no additional action is considered necessary as a result of this comment.

Comment 23

B&W Overfill Protection Systems - Section 4.3 of NUREG-1217 and Section (3) of Appendix C of NUREG-1218 - Our 205 fuel element B&W plant, Bellefonte, does not have a measurement of steam generator water level. This resulted in the need for a much more complex overfill protection system that used neutron flux, MFW flow, steam generator differential pressure, etc., to develop trip signals. The NUREGs [NUREG-1217 and NUREG-1218] should reflect this different protection system used on a few B&W construction plants.

Resolution

The staff agrees. Overfill protection for Bellefonte Nuclear Plant and Washington Nuclear Plant, Unit 1, is provided by high steam generator differential pressure (i.e., level) when the reactor power is below 31 percent and by excessive feedwater flow when the reactor power is above 25 percent. Reactor power dependence is removed from the level trip after a reactor trip has been initiated. This system is designed as part of the engineered safety features actuation system and is designed to conform with the prescribed criteria for these systems. This design also may be considered an equivalent alternative, depending on the outcome of the staff's review.

As a result of this comment, Section 4.3.1 of NUREG-1217 and Section (3) of Appendix C of NUREG-1218 have been revised to permit other designs that are equivalent or better.

Comment 24

Atmospheric and Condenser Dump Valve Controller Logic - Section 4.2(6) of NUREG-1218 - TVA modified the atmospheric and condenser dump valve controller logic in the ICS for our B&W plant so that a single failure in the logic could only open a few dump valves. This was done to prevent a relatively likely initiating event single failure from causing the fuel safety limits for a frequent event (ANS Condition II event) to be exceeded. Although this is not directly related to frequency of core melt, I think it is an improvement worth considering for other PWRs - particularly for future plants and perhaps for [plants under construction].

Resolution

Existing NRC criteria require that accidents and transients be analyzed assuming a worst-case single failure. Acceptance criteria also are specified for each category of events. The acceptance criteria for increase in steam flow transients are specified in NUREG-0800, Section 15.1.1. Each licensee is responsible for providing an appropriate plant design that will meet the applicable acceptance criteria for all accidents and transients.

Comment 25

Steam Generator Tube Rupture Events - Section 3 of NUREG-1217, and Sections 3.2.4 and 4.2(9) of NUREG-1218... address the effects of control system failures on SGTR [steam generator tube rupture] events for Westinghouse plants (see SGTR event #1 and #2 in Table 3.2 [NUREG-1217]). It appears to me that these types of failures would present similar concerns for the B&W and CE plants. If valid, these failures and events should be addressed in [NUREG-1217 and NUREG-1218].

Resolution

SGTR events were addressed in the contractor reports for both the B&W and CE plants. The evaluations are provided in NUREG/CR-4047 and NUREG/CR-4265, respectively, and are referenced in NUREG-1217.
Comment 26

Initiating Event Failures vs. Consequential Failures - The USI A-47 evaluation considers some control system failures that are the consequences of DBEs [design-basis events]; however, most of the emphasis is placed on initiating event control system failures. I think additional attention needs to be given to consequential control system failures. For example, the unintended opening of the secondary side PORVs [power-operated relief valves] upstream of the main steam isolation valves (MSIVs) can create safety problems of (a) a loss of containment isolation in a LOCA [loss-of-coolant accident] (assuming a small pre-existing steam generator tube leak), (b) excessive cooldown rates and loss of pressurized steam generators for a heat sink in a steamline break, (c) loss of capability to terminate the radiation release in a steam generator tube rupture, etc.

Resolution

The USI A-47 study addressed DBEs being made more severe than previously analyzed as a result of non-safety-related control system failures. These failures could occur as a result of the event or independently. A review of the contractor reports referenced in NUREG-1217 shows that a significant effort was made in this area. In all but a few cases, it was shown that the existing safety-related systems adequately mitigated DBEs even when compounded by multiple non-safety-related system failures. Single and selected multiple non-safety-related control failures were evaluated under different normal operating conditions and accident conditions. These failures included consequential failures as well as random failures of non-safety-related control systems in order to assess worst-case transient conditions.

Comment 27

General Impressions - Based on a brief review, I think that the evaluation and the proposed resolutions for USI A-47 are generally reasonable for operating plants. I think some further effort may be needed on an integrated approach for unintended (spurious) operations of non-safety-related equipment. Plant-specific evaluations may be appropriate. A somewhat more conservative approach may be appropriate for future plants and perhaps for [plants under construction].

Comment 21.

TVA Initiatives Related to USI A-47 - TVA has undertaken several initiatives for design improvements related to the USI A-47 area. The majority of these were made for our later Babcock & Wilcox (B&W) and Combustion Engineering (CE) pressurized-water reactors.

TVA was instrumental in identifying the potential problem with control system failures that could cause a steam generator overfill transient in 1972 before it became an NRC concern. We noted that Westinghouse (W) had provided a safety-grade [safety-related] cutoff of main feedwater (MFW) on high steam generator [water] level for core overcooling protection (which also provided steam generator overfill protection), and that B&W and CE did not have any provisions for automatic MFW isolation. We also noted that B&W had transferred [its] integrated control system (ICS) design from [its] fossil to [its] nuclear plants; however, [B&W] had not transferred the separate overfill "protection" type system provided in [its] fossil plants. At TVA's direction, B&W and CE added provisions to isolate MFW to prevent overfill to the engineered safety features actuation systems (ESFAS) for our Bellefonte and Yellow Creek plants.

In other areas, TVA directed B&W in the early 1970s to add a safety-grade [safety-related] system for Bellefonte to initiate and control auxiliary feedwater (AFW). This was expanded after TMI-2 to provide better control. In the mid-1970s, TVA upgraded the primary- and secondary-side power-operated relief valves (PORVs) to be safety grade for both the opening and closing modes for our B&W and CE plants. (Our CE plants did not have PORVs on the primary side.) These valves serve the safety functions of cooldown, depressurization, isolation, and prevention of unintended operations. TVA has also provided safety-grade pressurizer sprays to serve the safety function of depressurization (in conjunction with the PORVs). In the early 1970s, TVA also provided safety-grade control air systems to power the PORVs, AFW control valves, etc., for our W, B&W, and CE plants.

Resolution

It is commendable that TVA has undertaken several initiatives for design improvements related to USI A-47. Procedural, administrative, and design modifications that improve plant safety are encouraged.

As a result of operating experience and transients that have occurred at several Babcock & Wilcox (B&W) plants, an industry-sponsored program was developed by the owners of the B&W plants. The stated goal of this program (i.e., Babcock & Wilcox Owners Group Safety and Performance Improvement Program) was to increase the level of plant safety by reducing plant trips and by reducing or eliminating complex transients. This effort complements the proposed actions under USI A-47.

A large number of recommendations were developed and are currently being implemented by the individual plants,
including Bellefonte. The staff believes that this industry effort makes plants safer.

Comment 28

Commercial Grade vs. Safety-Grade [Safety-Related] Overfill Protection Systems - Items (6) and (7) of Section 5 of NUREG-1217, and items (6) and (7) and Appendix C of NUREG-1218 - The conclusions for USI A-47 indicate that commercial-grade overfill protection systems that meet certain design requirements are considered to be adequate. This is reasonable for backfits for operating plants; however, I think future plants and perhaps construction plants need to provide safety-grade overfill protection systems.

Resolution

The staff's recommendations are presented in NUREG-1218, Appendix C. These recommendations reflect minimum acceptability. It should be noted that the more recent plant designs have chosen to incorporate safety-related overfill protection systems. These designs are fully endorsed by the staff. It is, however, the responsibility of each licensee to justify the adequacy of its design. The staff believes that it is appropriate for licensees of new plants to provide such safety-related systems and encourages them to do so.

Comment 29

Traditional DBE Safety Limits vs. Risk Basis - The proposed resolutions of USI A-47 are generally based on risk reduction and value/impact analyses. This is appropriate for potential backfits for operating plants. However, for future plants and perhaps for [plants under construction], I think that traditional DBE [design-basis event] type of safety limits and safety analyses needs to also be considered. For newer plants, the control system failures need to be factored into the traditional conservative safety analyses to some degree. Examples include: Item (1) Overfill Events - If an overfill event can cause the

Resolution

The technical evaluation to address USI A-47 included consideration of DBEs and specifically addressed accidents or transients being more severe than previously analyzed. This methodology inherently included assessment of traditional safety limits and safety analyses. It should be noted that Section 7.7 of the Standard Review Plan (SRP) (NUREG-0800) already describes acceptance criteria for non-safety-related control systems, including the consequences of their failures. The SRP is applicable to current license applications as well as to future plants. With the exception of incorporating guidelines for overfill protection, no additional revisions to the SRP are anticipated as a result of the USI A-47 effort.

Regarding SGTR events, in its study of Generic Issue 135, the staff is investigating the consequences of water entering the main steamlines; refer to item 3 (p. A-1) of Appendix A to NUREG-1217.

Comment 30

Development of Methods of Treating Multiple Failures in Control Systems - The assumptions for unintended (spurious) failures has been a controversial topic and a source of confusion for many years. The assumptions for non-safety-grade [non-safety-related] equipment are much more uncertain than are the assumptions for safety-grade [safety-related] equipment.

I think that the industry needs to develop a practical methodology for designers to use to evaluate and provide protection from a limited number of multiple unintended operations of non-safety-related equipment. As discussed..., this needs to be an integrated approach for the various types of hazards. The spurious operations need to be addressed for non-safety-grade components that are (a) in the zone of influence of the event and (b) not qualified (or designed to function) in the environment. The methodology should build on (a) the approaches being developed for the resolution of USI A-47 and USI A-17 and (b) the approaches being developed for various individual hazards.
failure of steamlines or relief valves on a PWR, then the traditional safety limits associated with steamline breaks ne methods development needs to include an evalu-need to be considered as well as the risk basis concerns of ation of the (a) need, (b) merits, and (c) practicality of ad-a steamline break causing steam generator tube ruptures dressing a limited number of multiple unintended and core melt. See also the safety concerns in item (3) of operations.This involves an evaluation of whether or not Appendix A of NUREG-1217. Item (2) SGTR Events-the increased complexity of the analysb of, and protection ne effects of control system failures need to be evalu-from, a limited number of muhiple unintended opera-ated in terms of the traditional SGTR [ steam generator tions would give a worthwhile and cost-effective increase tube rupture] dose limits-even though [such failures do]
in safety over the assumption of one spurious action.
not lead to a core melt considered in the risk basis. See Here is a need to developpracticalmethods oflimiting the clso the safety concerns in item (3) of Appendix A of number of multiple unintended operations to those that NUREG-1217.
are more likely and that are also more significant.
NUREG-1217 56
Appendix C The previous treatments for unintended (spurious) op-staff also believes that a significant number of plant up-erations that have been either proposed or used by indus-sets are the result of multiple failures and that a system-try have involved a full range of assumptions. They are atic means for dealing with them is not available to all generally limited to equipment in the zone of influence plants. Some effort in this area is currently being ad-that is not designed to work in the environment produced dressed via the use of plant simulators and plant-specific by the event. These include:
probabilistic risk assessment analysis.
(1) No unintended (spurious) operations.
In the USI A-47 study, multiple control system failur:s were considered. The selection of the multiple failures (2) One unintended operation.
l was the result of a careful consideration of the most likely (3) Alimited number of multiple unintended operations.
failure combinations and the most safety-significant com-(4) Multiple unintended operation of all nonqualified binations. He selections were based on engineenng equipment in zone of influence.
evaluation and were derived from a large number of tran-sient simulations.
I do not think it is reasonable to assume cither (a) no unin-tended operations or (b) multiple unintended operations Comment 31 of all nonqualified equipment in the zone of influence.
The most likely results of DHEs (design-basis events] with The proposed resolution includes requirements for in-hazards, such as fires, harsh environment, floodmg, vibra-cluding certain items in the plant technical specifications.
tion from an earthquake, etc., are a limited number of It is not apparent that this position has been evaluated us-midtiple unintended operations. It is difficult to defend ing the NRC Interim Policy Statement on Technical the assumption of one uninterded operation from likeh-Specification Improvements.
hocd and past experience. However, tia assumption of We believe that the NRC Interim Policy Statement, as one unintended operation " covers" a good interim posi-written, does not support including steam generator over-tion until (a) a more detailed evaluation of the issue, fill protection in the technical specifications. We are (b) positions, and (c) practical methods of addressing aware of the NRC staff position in [the NRC] letter dated multiple unintended operations can be developed.
May 9,1988, to Mr. Wilgus, chairman of the B&W Own-ers Group. We disagree that the existing criteria support Although only one spurious action is assumed, it could oc-including "certain active design features...and operating cur at any h> cation in the zone of influence, thus, allspuri-restrictions...needed to preclude unanalyzed accidents."
ous actions would need to be evaluated individually. In Furthermore, it cannot be generically concluded that general, the likelihood of multiple unintended operations steam generator overfill protection is necessary to pre-decreases as the number is increased. (There are a few ex-clude an unanalyzed accident on the basis of a review of a ceptions such as containment isolation and other actions single plant. Therefore, the need for new technical speci-of the ESFAS [ engineered safety features actuation sys-fications must be made on a c tse-by-case basis. As a mat-tem], the solid-state control systems, etc.) Also, the as-ter of interest, the event has been evaluated for TMI-1 sumption of one failure may be commensurate with the and does not result in an unanalyzed event without taking importance to safety. If the equipment is not safety re-credit for overfill protection.This conclusion has been re-lated, its function is not directly related to the mitigation viewed by the NRC staff and found acceptable.
of the DBEs. Ifit is assumed that it does not work, a class of failure modes is already analyzed. If one spurious fail-Resolution ure is assumed, an additional class of events is climinated.
The failures not analyzed would be multiple failures of The NRC staff does not agree. The staff maintains that non-safety [-related] equipment that somehow combine the position to periodically verify the operability of the to affect multiple trains of safety [-related] equipment or overfill protection system is consistent with the NRC In-in combination with a random failure, affect the remam, -
terim Policy Statement on Technical Specification Im-ing specific train. He effort involved m chmmating this provements. For most plants, this position satisfies threat may not be commensurate with the risk.
criterion 2 of the NRC Interim Policy Statement, which delineates constraints on design and operation of nuclear power plants that are derived from the plant safety analy-Resointion sis report, and does belong in the technical specifications.
The staff generally agrees with the suggestion that indus-Also, for some plants, this position also satisfies criterion try should develop improved analysis of the effects of 3 of the same policy statement because the high-water-non-safety-related system failures and interactions and level trip system is used to mitigate a main feedwater believes that the effects of multiple failures on the ability overfeed transient, which is a design-basis event.
of operators to diagnose the need for intervention and Therefore, the resolution has not been modified as a re-1 correctly intervene should be studied in more detail.The sult of this comment.
NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET

2. TITLE AND SUBTITLE: Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants: Technical Findings Related to USI A-47, Final Report

3. DATE REPORT PUBLISHED: June 1989

5. AUTHOR(S): A. J. Szukiewicz

6. TYPE OF REPORT: Final Report

8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Division of Safety Issue Resolution, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Same as above

11. ABSTRACT

This report summarizes the work performed by the Nuclear Regulatory Commission (NRC) staff and its contractors, Idaho National Engineering Laboratory, Oak Ridge National Laboratory, and Pacific Northwest Laboratory, leading to the resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The technical findings and conclusions presented in this document are based on the technical work completed by the contractors. The principal documents that contain the technical findings and conclusions of the contractors who worked on USI A-47 are summarized in Appendix B.

An in-depth evaluation was performed on non-safety-related control systems (see Section 1) that are typically used during normal plant operation on four nuclear steam supply system plants: a General Electric Company boiling-water reactor, a Westinghouse 3-loop pressurized-water reactor (PWR), a Babcock & Wilcox Co. (B&W) once-through steam generator PWR, and a Combustion Engineering PWR design. A study was also conducted to determine the generic applicability of the results to the class of plants represented by the specific plants analyzed. Generic conclusions were then developed.

Steam generator and reactor vessel overfill events and reactor vessel overcooling events were identified as major classes of events having the potential to be more severe than previously analyzed. Specific subtasks of this issue were to study these events to determine the need for preventive and/or mitigating design measures.

This report describes the technical studies performed by the laboratories, the NRC staff assessment of the results, the generic applicability of the evaluations, and the technical findings resulting from these studies.

This final report contains the staff's responses to, and resolution of, the public comments that were solicited and received before September 16, 1988 in response to the draft reports issued for public comment on May 27, 1988.

12. KEY WORDS/DESCRIPTORS: Unresolved Safety Issue A-47; Control Systems

13. AVAILABILITY STATEMENT: Unlimited

14. SECURITY CLASSIFICATION: Unclassified (This Page); Unclassified (This Report)