ML20248A396

Regulatory Analysis for Resolution of USI A-47. Safety Implications of Control Systems in LWR Nuclear Power Plants. Final Report
Person / Time
Issue date: 07/31/1989
From: Szukiewicz A
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
REF-GTECI-A-47, REF-GTECI-SY, TASK-A-47, TASK-OR NUREG-1218, NUDOCS 8908080261


Text


NUREG-1218

Regulatory Analysis for Resolution of USI A-47

Safety Implications of Control Systems in LWR Nuclear Power Plants

Final Report

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
A. J. Szukiewicz


AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG-1218

Regulatory Analysis for Resolution of USI A-47

Safety Implications of Control Systems in LWR Nuclear Power Plants

Final Report

Manuscript Completed: November 1988
Date Published: July 1989

A. J. Szukiewicz

Division of Safety Issue Resolution
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555


Abstract

This report presents a summary of the regulatory analysis conducted by the U.S. Nuclear Regulatory Commission (NRC) staff to evaluate the value/impact of alternatives for the resolution of Unresolved Safety Issue A-47, "Safety Implications of Control Systems." The NRC staff's resolution presented herein is based on these analyses and on the technical findings and conclusions presented in NUREG-1217, the companion document to this report. The staff has concluded that certain actions should be taken to improve safety in light-water reactor (LWR) plants. The staff recommended that certain plants (1) improve their control systems to preclude reactor vessel/steam generator overfill events and to prevent steam generator dryout, (2) modify their technical specifications to verify operability of such systems, and (3) modify selected emergency procedures to ensure safe shutdown of the plant following a small-break loss-of-coolant accident. The report was issued as a draft for public comment on [date illegible], 1988. As a result of the public comments received, this report was revised. The NRC staff's responses to and resolution of the public comments are included as Appendix C to the final report, NUREG-1217.


Contents

Abstract
Abbreviations
Executive Summary
1 Statement of the Issue
2 Summary of Limitations, Assumptions, and Conclusions
  2.1 Limitations and Assumptions
  2.2 Conclusions
3 Alternatives
  3.1 GE BWR Plant Design
  3.2 W 3-Loop PWR Plant Design
    3.2.1 Overfill Events
    3.2.2 Overcooling Events
    3.2.3 Overpressure Events
    3.2.4 SGTR Events
  3.3 B&W PWR Plant Design
    3.3.1 Overfill Events
    3.3.2 Overheating Events
  3.4 CE PWR Plant Design
4 Discussion of Alternatives
  4.1 GE BWR Plant Design
  4.2 W 3-Loop PWR Plant Design
  4.3 B&W PWR Plant Design
  4.4 CE PWR Plant Design
5 Summary of Alternatives
6 Resolution of USI A-47
  6.1 GE BWR Plant Design
  6.2 W 3-Loop PWR Plant Design
  6.3 B&W PWR Plant Design
  6.4 CE PWR Plant Design
7 Application of the Backfit Rule, 10 CFR 50.109
8 References
Appendix A: Rejected Alternatives
Appendix B: Sensitivity Study for Reactor Vessel/Steam Generator Overfill Scenarios
Appendix C: Control System Design and Procedural Modification for Resolution of USI A-47


Abbreviations

ADV     atmospheric dump valve
AEOD    Office for Analysis and Evaluation of Operational Data
AFW     auxiliary feedwater
ATWS    anticipated transient(s) without scram
B&W     Babcock & Wilcox Co.
BWR     boiling-water reactor
CFR     Code of Federal Regulations
CSF     control system failure
CSI     core spray injection
CSS     core spray system
ECC     emergency core cooling
ECCS    emergency core cooling system
EFW     emergency feedwater
FMEA    failure mode and effects analysis
FSAR    final safety evaluation report
GE      General Electric Co.
HPI     high-pressure injection
IEEE    Institute of Electrical and Electronics Engineers
INEL    Idaho National Engineering Laboratory
LCO     limiting condition(s) for operation
LER     licensee event report
LOCA    loss-of-coolant accident
LPCI    low-pressure coolant injection
LTOP    low-temperature overpressure
MFW     main feedwater
MMS     modular modeling system
MSIV    main steam isolation valve
MSLB    main steam line break
NRC     U.S. Nuclear Regulatory Commission
NSS     nuclear steam system
NSSS    nuclear steam supply system
ORNL    Oak Ridge National Laboratory
PNL     Pacific Northwest Laboratory
PORV    power-operated relief valve
PRA     probabilistic risk analysis
PTS     pressurized thermal shock
PWR     pressurized-water reactor
RCS     reactor coolant system
SAI     Science Applications Inc.
SAR     safety analysis report
SBLOCA  small-break LOCA
SGTR    steam generator tube rupture
SIAS    safety injection actuation signal
SRV     safety/relief valve
TBV     turbine bypass valve
TMI     Three Mile Island
UCLA    University of California at Los Angeles
USI     unresolved safety issue
W       Westinghouse Corp.


Executive Summary

The U.S. Nuclear Regulatory Commission (NRC) has conducted its technical evaluation of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The purpose of evaluating USI A-47 was to determine the need for modifying control systems in operating reactors, to verify the adequacy of licensing requirements identified in Section 7.7 of the Standard Review Plan (NRC, NUREG-0800) for control systems, and to determine if additional criteria and guidelines were needed. To do this, the staff had to identify control systems whose failure could (1) cause transients or accidents to be potentially more severe than those identified and analyzed in the final safety analysis reports, (2) adversely affect any assumed or anticipated operator action during the course of a transient or accident, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents to occur at a frequency in excess of those frequencies established for abnormal operational transients and design-basis accidents. This report summarizes the results of the regulatory analysis conducted by the NRC staff to formulate the final resolution of USI A-47. The technical findings and conclusions presented in this document are based on (1) the technical findings and conclusions presented in NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47," and (2) the probabilistic risk analysis performed by Pacific Northwest Laboratory and presented in NRC reports NUREG/CR-3958, -4385, -4386, and -4387.

A concise set of limitations and assumptions was developed to confine the USI A-47 investigation to a manageable scope and to focus attention on the more safety-significant potential control system failures. These limitations and assumptions include the following:

(1) A minimum number of safety-related protection systems would be available to trip the reactor and initiate overpressure protection systems or emergency core cooling systems, if needed, during transients initiated or aggravated by failures in the non-safety-related control systems.

(2) Control system failures resulting from common-cause events such as earthquakes, floods, fires, and sabotage, or operator errors of omission or commission are not addressed in this review. Multiple control system failures in non-safety-related equipment were, however, studied in a limited way.

(3) Transients resulting from control system failures during limiting conditions for operation or anticipated transient without scram events are not addressed in this review.

(4) The plant-specific designs were appropriately modified to comply with IE Bulletin 79-27 and NUREG-0737.

On the basis of the findings identified during this review, a number of alternatives for possible regulatory action are presented and discussed. The resolution was selected after considering the safety benefits derived in terms of risk reduction and the cost of implementation.

The alternatives were selected on the basis of their potential for reducing the frequency of the initiating failure or reducing the consequences of control system failures found to be significant. The following alternatives were selected as the resolution for USI A-47. These alternatives are discussed in Section 4 of this report.

General Electric Co. (GE) BWR Plant Designs

(1) Improve plant designs with no automatic reactor vessel overfill protection to a 1-out-of-1 (or better) automatic reactor vessel high-water-level feedwater trip system.

(2) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided at all times

(3) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for the USI A-47 study.

Westinghouse Corp. (W) 3-Loop PWR Plant Designs

(1) Take no action to improve existing main feedwater overfill-protection systems on plants that have installed redundant, steam generator high-water-level overfill-protection systems consisting of a 2-out-of-3 (or better) steam generator high-water-level feedwater trip isolation system.

(2) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided at all times during power operations.

(3) Take no action to improve existing reactor overpressure-protection systems.

(4) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for the USI A-47 study.

Babcock & Wilcox (B&W) PWR Plant Designs

(1) Modify plants similar to the reference plant (i.e., Oconee 1) to either:

    (a) Provide additional instrumentation to limit or terminate main feedwater flow on steam generator high-water level. (The instrumentation should be separate from the existing main feedwater pump trip instrumentation. A system that initiates closure of main feedwater block valves on steam generator high-water level is acceptable.); or

    (b) Modify the existing overfill-protection system to minimize undetected failures in the system and facilitate online testing; or

    (c) Improve the existing overfill-protection system to a redundant high-water-level trip system that satisfies the single-failure criterion for overfill protection. (A 2-out-of-4 steam generator high-water-level trip system actuating redundant feedwater isolation equipment is acceptable.)

(2) Install Class 1E instrumentation in plants similar to the reference plant (i.e., Oconee 1) to automatically initiate auxiliary (emergency) feedwater to minimize the potential for loss of steam generator cooling under any condition of operation (including a loss-of-power event).

(3) Take no action on other plants that have installed or have committed to install an emergency feedwater initiation and control system (or its equivalent) incorporating redundant steam generator high-water-level overfill protection.

(4) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided at all times during power operation.

(5) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for the USI A-47 study.

It should be noted that on December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. The overcooling event occurred as a result of a loss of power to the integrated control system (ICS) (see NRC, NUREG-1195). As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated for each of the reference plants. In addition, two other Babcock & Wilcox (B&W) plant designs using the ICS 820 model were also reviewed in order to identify any significant loss-of-power transients that may not have been identified on the Oconee reference design (which has an ICS 721 model). These alternatives reflect the staff's findings.

As a result of the Rancho Seco event, however, a comprehensive study by the B&W Owners Group was initiated to reassess all B&W plant designs. The reassessment includes, but is not limited to, the ICS and the support systems such as the power supply systems and maintenance (Tucker, May 15, 1986). Recommended actions for design modifications, for maintenance, and for changes to operating procedures (if any) developed for the utilities by the B&W Owners Group will be coordinated with the NRC staff and are outside the scope of this study.

Combustion Engineering (CE) PWR Plant Designs

(1) Modify all plants to provide additional instrumentation to automatically terminate main feedwater flow on steam generator high-water level. The instrumentation should provide sufficient redundancy to satisfy the single-failure criterion for overfill protection.

(2) Modify technical specifications for all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided at all times during power operations.

(3) Reassess emergency procedures and operator training programs at plants with low-head safety-related injection pumps and modify those procedures and programs if necessary to ensure safe shutdown during small-break loss-of-coolant accidents.

(4) Issue an information letter to all applicants and licensees informing them of the evaluation results of the failure analysis conducted for the USI A-47 study.
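The channel-voting arrangements named in the alternatives above (1-out-of-1, 2-out-of-3, 2-out-of-4) can be checked against the single-failure criterion by enumeration. The Python sketch below is an added example and is not part of NUREG-1218; the two failure modes (a channel stuck low or stuck high), the treatment of a channel bypassed for online testing as removed from the vote with the threshold unchanged, and all function names are assumptions made for illustration. Only the level-sensing and voting logic is modeled, not the feedwater isolation equipment.

```python
"""Single-failure check for k-out-of-n high-water-level trip voting (illustrative)."""

HEALTHY = "healthy"
STUCK_LOW = "stuck_low"    # assumed mode: channel never votes to trip (undetected failure)
STUCK_HIGH = "stuck_high"  # assumed mode: channel always votes to trip


def channel_vote(mode, level_high):
    """Return True when one level channel votes for a feedwater trip."""
    if mode == STUCK_LOW:
        return False
    if mode == STUCK_HIGH:
        return True
    return level_high  # a healthy channel follows the real water level


def system_trips(k, modes, level_high):
    """k-out-of-n voting: trip when at least k channels vote to trip."""
    return sum(channel_vote(m, level_high) for m in modes) >= k


def evaluate_voting(k, n, bypassed=0):
    """Apply every single channel failure to a k-out-of-n trip system.

    `bypassed` channels are assumed to be out of service for testing and
    simply removed from the vote; k is left unchanged (an assumption, real
    designs may instead place the bypassed channel in the tripped state).
    """
    active = n - bypassed
    if active < 0:
        raise ValueError("cannot bypass more channels than exist")
    healthy = [HEALTHY] * active
    # Baseline: with no failure at all, does a real high level cause a trip?
    protects_when_healthy = system_trips(k, healthy, level_high=True)
    missed_trip = []    # single failures that block a needed trip
    spurious_trip = []  # single failures that trip feedwater at normal level
    for ch in range(active):
        for mode in (STUCK_LOW, STUCK_HIGH):
            modes = list(healthy)
            modes[ch] = mode
            if not system_trips(k, modes, level_high=True):
                missed_trip.append((ch, mode))
            if system_trips(k, modes, level_high=False):
                spurious_trip.append((ch, mode))
    return {
        "logic": f"{k}-out-of-{n}" + (f" ({bypassed} bypassed)" if bypassed else ""),
        "protects_when_healthy": protects_when_healthy,
        "tolerates_single_failure": protects_when_healthy and not missed_trip,
        "missed_trip": missed_trip,
        "spurious_trip": spurious_trip,
    }


if __name__ == "__main__":
    # Voting arrangements named in the report, plus the same systems with one
    # channel out of service for online testing (constructed cases).
    cases = [(1, 1, 0), (2, 3, 0), (2, 4, 0), (2, 3, 1), (2, 4, 1)]
    for k, n, bypassed in cases:
        r = evaluate_voting(k, n, bypassed)
        print(f"{r['logic']:<26} tolerates single failure: "
              f"{r['tolerates_single_failure']!s:<5} "
              f"missed={len(r['missed_trip'])} spurious={len(r['spurious_trip'])}")
```

Under these assumptions, 2-out-of-3 loses its single-failure tolerance while one channel is bypassed for testing, whereas 2-out-of-4 keeps it, which is one reason online testability and periodic operability verification appear alongside the voting requirement.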

1 Statement of the Issue

Instrumentation and control systems utilized at nuclear power plants comprise safety-related protection systems and non-safety-related control systems. Safety-related protection systems are used to (1) trip the reactor whenever certain parameters exceed allowable limits, (2) protect the core from overheating by initiating the emergency core cooling (ECC) systems, and (3) actuate other safety systems, such as closing main steam isolation valves (MSIVs) or opening the safety/relief valves, to maintain the plant in a safe condition. Non-safety-related control systems are used to maintain a nuclear plant within prescribed pressure and temperature limits during shutdown, startup, and normal power operation. Non-safety-related control systems are not relied on to perform any safety functions during or following postulated accidents, but they are used to control plant processes that could significantly affect plant dynamics.

The purpose of studying Unresolved Safety Issue (USI) A-47 was to evaluate the need for modifying control systems in operating reactors, to verify the adequacy of licensing requirements identified in Section 7.7 of the Standard Review Plan (NRC, NUREG-0800) for control systems, and to determine if additional criteria and guidelines were needed. To do this, the staff had to identify control systems whose failure could (1) cause transients or accidents to be potentially more severe than those identified and analyzed in the final safety analysis reports (FSARs), (2) adversely affect any assumed or anticipated operator action during the course of a transient or accident, (3) cause technical specification safety limits to be exceeded, or (4) cause transients or accidents to occur at a frequency in excess of those frequencies established for abnormal operational transients and design-basis accidents.

Included in the program established to resolve USI A-47 (NRC, NUREG-1217) was an investigation of the effects of control system failures on four reference plant designs subjected to single and multiple control system failures during automatic and manual modes of operation. Failures at different reactor power levels including low-, middle-, and full-power operating conditions were evaluated. The review concentrated on identifying control system failures that could lead to:

(1) steam generator (reactor vessel) overfill events
(2) reactor vessel overcooling events
(3) reactor core overheating events
(4) [illegible] more severe than those previously analyzed in the FSAR

Steam generator and reactor vessel overfill and reactor vessel overcooling events have been identified previously as potentially significant events that could lead to unacceptable consequences such as a steamline break, steam generator tube rupture, or reactor vessel damage. (See NRC, "AEOD Observations and Recommendations Concerning the Problem of Steam Generator Overfill and Combined Primary and Secondary Side Blowdown," December 17, 1980). A number of specific control system failure scenarios were identified that could potentially lead to such events.


2 Summary of Limitations, Assumptions, and Conclusions

The limitations, assumptions, and conclusions presented here are based on the scope and results reported in NUREG-1217.

2.1 Limitations and Assumptions

A clear and concise set of limitations and assumptions had to be established to confine the investigation to a manageable scope and to focus attention on the more safety-significant aspects of control system failures. The limitations and assumptions used for USI A-47, and their bases, are discussed below.

(1) Non-safety-related control system failures would not cause simultaneous failure of both redundant trains of safety-related protection systems. This assumption implies that a minimum number of safety-related protection systems would be available for (a) actuation of the reactor trip system, (b) actuation of the overpressure-protection system, and (c) initiation of the minimum number of required emergency core cooling (ECC) systems, if needed during a control-system-failure transient. This assumption is considered valid on the basis that adequate separation and independence are required to be provided between the non-safety-related control systems and the safety-related protection systems. Independence is provided by verifiable isolation devices located between safety-related and non-safety-related systems and/or by physically locating the safety-related systems in separate areas and routing the electrical cables in separate raceways throughout the plant. The staff performs audit reviews of the safety-related systems as part of the licensing review process to ensure that an adequate degree of separation and independence has been provided. Also, as part of the USI A-47 program, a literature search was conducted to review the operating history of control system failures. The purpose of the review, in part, was to identify any control system failures that could cause a failure of both safety-related protection systems. The staff's review (see Section 3.2 of NUREG-1217) did not identify any such failures. In addition, as part of the USI A-17, "Systems Interaction," program, spatial interactions between safety-related protection systems and non-safety-related control systems were considered.

(2) External events such as earthquakes, floods, fires, and sabotage were not considered in this study. Multiple control system failures were evaluated to assess some effects of common-cause failures on the plant. However, the review was limited to a selected number of combinations of control system failures. An attempt was made to select control system failure scenarios that would bound the dynamic effects of a number of control system failures. Such failures were evaluated during automatic and manual modes of operation and at different reactor power levels that include low-, intermediate-, and full-power operation.

It should be noted that the staff and utilities have performed evaluations to assess the plant's ability to achieve safe shutdown during these external events. Fire protection has been reviewed at all operating plants to ensure conformance to 10 CFR Part 50 Appendix R and to evaluate the plant's ability to cope with fire and flooding in different cable trays as well as in different areas of the plant. These reviews evaluated the effects of fires and flooding in control-grade as well as in protection-grade equipment. Also, as part of the USI A-46 activities, non-safety-related and protection-grade equipment are evaluated to assess their seismic ruggedness and ensure that plants have the ability to achieve safe shutdown after a seismic event (see item 2 in Appendix A of NUREG-1217).

(3) Operator errors of omission or commission were not addressed in this review. Operating procedures for the important transients were reviewed. An assessment was made to determine whether operating procedures (to mitigate the transients of concern) were written in such a way that the operator could perform the task in the time allotted. The staff also determined whether there was sufficient information, i.e., alarms and/or indications, available in the control room for the operator to assess the conditions in the plant at the time of the event. In some cases, early recognition of transients was necessary. Given early recognition, there were actions that the operator could take to mitigate these events. For the purpose of developing the failure scenarios and analyzing the resulting transients, two of the four plants were assumed to have operators take no action for the first 10 minutes of the transient. The other plant reviews assumed operator action could be taken on the basis of available time for action during each transient. For the risk analyses in evaluating the core-melt frequency, operator action for all plants reviewed was determined on the basis of available time for action during each significant transient identified.

(4) Transients resulting from control system failures during limiting conditions for operation (LCO) (for example, systems deliberately disabled for a short time for testing and/or maintenance) were not considered in this review.

(5) The processes used to modify and to maintain control systems were not considered in this review.

(6) Anticipated transients without scram (ATWS) were not considered in this review. A separate generic study has been conducted to address the ATWS issue (NRC, NUREG/CR-4385). On July 26, 1984, the Code of Federal Regulations (CFR) was amended to include 10 CFR 50.62 (ATWS rule), which requires specific improvements to be made in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.

(7) Control system failures that could lead to failures of (a) tanks containing liquid located outside the containment and (b) fuel-handling accidents (for example, spent fuel or waste disposal systems accidents) were not considered in this review. These systems are designed to be separated from control systems that are used during normal plant operations.

(8) Individual utilities had to address IE Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control System Bus During Operation," and to modify their plants appropriately in order to ensure that the operator would be able to achieve cold-shutdown conditions following a loss of power of a single bus to instrumentation and controls in systems used in attaining cold shutdown. It should be noted that on December 26, 1985, a reactor vessel overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. The overcooling event occurred as a result of a loss of power to the integrated control system (ICS) (NRC, NUREG-1195). As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated for each of the four reference plants. In addition, two other B&W plant designs using the ICS 823 model were reviewed. As a result of the Rancho Seco event, the B&W Owners Group (BWOG) has initiated a comprehensive study to reassess all B&W plant designs, including, but not limited to, the ICS and support systems such as power supplies and maintenance (Tucker, May 15, 1986). In addition, the BWOG is currently reevaluating IE Bulletin 79-27 in terms of all B&W-designed operating plants. Recommended actions for design modifications, for maintenance, and for changes to operating procedures (if any) developed for the utilities by the BWOG will be coordinated with the NRC staff and are outside the scope of this study.

(9) The requirements of NUREG-0737, "Clarification of TMI Action Plan Requirements," dated November 1980, were implemented or committed to be implemented on individual plant designs, including, but not limited to, Items II.E.1.1, II.E.1.2, II.K.2.2, [remainder illegible in source]

2.2 Conclusions

On the basis of the technical work completed by the NRC staff and its contractors, the following conclusions have been reached:

(1) Control system failures are dependent on such individual plant characteristics as power supply configurations and maintenance. The control system designs between the plants supplied by the same nuclear steam supply system (NSSS) vendor are functionally similar enough that the transients resulting from the failure of the same type of non-safety-related system on the different plants will produce similar transients.

(2) Control system failures have occurred that resulted in complex transients. Improvements made after the TMI-2 (Three Mile Island, Unit 2) accident in the design of the auxiliary feedwater system and in op[illegible] recovery actions in the future.

(3) Plant transients resulting from control system failures can be adequately mitigated by the operators provided the failures do not compromise proper operation of the minimum number of protection system channels required to trip the reactor and initiate the safety systems if such initiation is required.

(4) Transients or accidents resulting from or aggravated by control system failures (except those noted in this report that can contribute to reactor vessel/steam generator overfill or core overheating) are less severe and, therefore, are bounded by the transients and accidents identified in the final safety analysis reports.

(5) Control system failure scenarios have been identified that could potentially lead to reactor vessel/steam generator overfill events, core-overheating events, and overpressure events.

(6) PWR plant designs having redundant commercial-grade (or better) overfill-protection systems for the main feedwater system that satisfy the single-failure criterion are considered to adequately preclude water entering the main steamlines.

(7) BWR plant designs with commercial-grade (or better) overfill-protection systems are considered to adequately preclude water entering the main steamlines.

l C

' Summary

- (8) PWR plant designs that provide automatic initiation

' of the auxiliary feedwater flow on steam generator low-water level are considered to adequately pre-clude core overheating.

r NUREG-1218 4

3 Alternatives

On the basis of technical findings presented in NUREG-1217 and the probabilistic risk analysis performed by Pacific Northwest Laboratory and presented in NRC reports NUREG/CR-3958, -4385, -4386, and -4387, a number of alternatives for possible regulatory action are presented and discussed in the sections that follow. The selection of the alternatives for regulatory action identified in Section 5 is based on the value of the alternatives in terms of the safety benefits derived, that is, the risk reduction achieved and the cost of implementing the alternative. These alternatives focus on reducing the initiating failure frequency or eliminating the failure mechanism of the control systems that were found to be major contributors to events of concern. Best estimates for equipment failure probabilities were used whenever possible in the analysis for core melt and risk associated with the control system failures identified. The risk reduction resulting from the alternatives is represented by the difference between the base case before action is taken and the adjusted case that results from implementing the alternatives. The core-melt frequency and risk calculations were performed for a generic plant. Adjustments were then made to factor in vendor-specific or plant-specific design considerations associated with the particular alternative. The release categories in NRC's "Reactor Safety Study" (WASH-1400) most representative of these core-melt scenarios were used to estimate risk. The computer program CRAC-2 was used for the generic risk calculations applied to a typical Midwest site.

Assumptions and parameters used in the calculations are:

(1) Dose consequences represent whole-body population dose commitment (man-rem) received within 50 miles of the site.

(2) Exclusion area of 1/2-mile radius was assumed, with a uniform population density of 340 persons per square mile beyond the 1/2-mile distance. (This is the projected average 50-mile-radius population density around U.S. light-water reactors [LWRs] for the year 2000.)

(3) Evacuation was not considered.

(4) Meteorological data were taken from the U.S. Weather Service station at Moline, Illinois.

(5) The core inventory at the time of the accident was assumed to be represented by a 3412-MWt (1120-MWe) plant.

(6) A remaining 30 years of plant life was assumed for each unit (except as noted).

(7) For core-melt sequences, all exposure pathways except ingestion were included.

(8) The guidelines and procedures identified in the NRC value-impact handbook (NRC, NUREG/CR-3568) were used.

The analysis is conservative. The factors contributing to conservatism are:

(1) Operator error: The probability assumed for operator failure to diagnose and terminate the scenarios ranged from 0.5 for scenarios with misleading or conflicting information or rapid progression (i.e., overfill in several minutes) to 0.1 for scenarios with non-conflicting information and alarms. Actual operator response might be better, particularly in plants with simulator programs stressing proper diagnosis of failures.

(2) Steamline break: The conditional probability of a main steamline break (MSLB), given spillover into the steamlines at power, was conservatively assumed to be 0.95, decreasing to 0.5 for the probability of an MSLB given spillover after shutdown. This conservative assumption was based on a few overfill events in foreign plants where some damage to the main steamlines was reported. Although several spillover events resulting in support damage have occurred to date in U.S. commercial plants, no steamline failures have occurred.

For this analysis, break location was also assumed to occur (i.e., 50-percent probability) upstream of the main steam isolation valves (MSIVs), making isolation impossible.

For the pressurized-water reactor (PWR) analysis, the MSLB was also assumed to have a probability of inducing a steam generator tube rupture (SGTR). The values were taken from the results of USI A-3, A-4, and A-5 studies (NRC, NUREG-0844), and varied from 0.017 to 0.003, depending on the number of tubes ruptured. The combination of SGTR and unisolatable MSLB was therefore used as the major contributor to core damage for PWRs.

For the purpose of estimating the release of radionuclides, severe core damage resulting from MSLB and SGTR was taken from the relevant plant-specific probabilistic risk assessments (PRAs), modified to include control system failures. Severe core damage was conservatively assumed to be equivalent to core melt.

Although a large number of alternatives were evaluated (NRC, NUREG/CR-3958, -4385, -4386, and -4387), only those alternatives that are thought to be more important and could significantly reduce risk are discussed in detail in Section 4 of this report. The rest of the

alternatives that were considered but rejected on the basis that the risk reduction in implementing these alternatives was insignificant are included in Section 3, for completeness. These alternatives are summarized in Appendix A to this report, but they have not been included for detailed discussion in Section 4.

3.1 GE BWR Plant Design

Review of the GE BWR design identified three failure [...] failure scenarios could also contribute to overcooling events during low-pressure startup or shutdown operation. Table 3.1 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events.

The following alternatives, discussed in more detail in Section 4, consider modifications to some BWR plants in order to improve the overfill-protection system. They are:

(1) Modify plants designed with overfill protection similar to the reference plant (2-out-of-3) to improve their reactor vessel high-water-level feedwater trip system.

(2) Modify plants designed with less-reliable overfill-protection systems (1-out-of-1, 2-out-of-2, etc.) to a reference plant equivalent.

(3) Issue an information letter to all utilities with BWR plants informing them of the analytical results regarding overfill protection.

3.2 W 3-Loop PWR Plant Design

Review of the W PWR design identified eight failure scenarios that could potentially lead to undesirable events (NRC, NUREG-1217). Two of these scenarios were identified as contributors to overfill events, two others contributed to overcooling events, two contributed to reactor coolant system overpressure events at low temperature and pressure startup and/or shutdown conditions, and two contributed to release of radioactive material during a steam generator tube rupture (SGTR) event. Table 3.2 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events.

The eight alternatives that follow are discussed in more detail in Section 4. These alternatives consider actions to be taken at different W plants in order to improve the overfill-protection system (Section 3.2.1), prevent overcooling transients (Section 3.2.2), and prevent overpressure transients (Section 3.2.3).

An additional ninth alternative considers action to minimize potential control system failures that could cause an SGTR event to be more severe than previously analyzed (Section 3.2.4).

3.2.1 Overfill Events

(2) Issue an information letter to all utilities with W plants informing them of the evaluation regarding overfill transients via auxiliary feedwater.

(3) Modify plants with overfill-protection designs similar to the reference plant to improve the steam generator high-water-level main feedwater trip system.

(4) Take action to change the steam generator high-water-level main feedwater trip system.

3.2.2 Overcooling Events

(1) Include automatic actuation of the steam isolation block valves to the atmospheric dump valves (ADVs) and of the isolation valves to the steam dump valves to the condenser.

(2) Modify the ADV controller logic to reduce the frequency of spurious opening of the ADVs.

3.2.3 Overpressure Events

(1) Take no action for additional modifications to the design of the control system for pressurizer power-operated relief valves (PORVs).

(2) Issue an information letter to all utilities with W PWR plants about the potential overpressure vulnerabilities resulting from operating procedures at low-temperature and low-pressure shutdown conditions.

3.2.4 SGTR Events

Issue an information letter to all applicants and licensees with W PWR plants informing them of the potential for non-safety-related control system failures to occur that could make SGTR events more severe than previously analyzed. This alternative is also discussed in detail in Section 4.

See also Appendix B, "General Electric (GE) BWR Plant Design."

See also Appendix B, "Westinghouse (W) 3-Loop PWR Plant Design."

3.3 B&W PWR Plant Design

Review of the B&W PWR design identified three failure scenarios that could potentially lead to undesirable events (NRC, NUREG-1217). One failure scenario could lead to steam generator overfill and two failure scenarios could lead to reactor core overheating. Table 3.3 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events. The following alternatives are discussed in more detail in Section 4.

3.3.1 Overfill Events

(1) Test the steam generator high-water-level main feedwater trip system monthly to reduce the likelihood of undetected failures.

(2) Test the steam generator high-water-level main feedwater trip system monthly and also modify the existing trip logic to preclude undetected failures of the trip circuit and facilitate online testing.

(3) Improve the steam generator high-water-level main feedwater trip system.

3.3.2 Overheating Events

Provide automatic protection to prevent steam generators from drying out on loss of "hand" and/or "auto" power to the integrated control system. On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. The overcooling event occurred as a result of a loss of power to the integrated control system (ICS) (NRC, NUREG-1195). As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated for each of the reference plants. In addition two B&W plant designs using the ICS 820 model were reviewed.

As a result of the Rancho Seco event, however, the B&W Owners Group (BWOG) has initiated a comprehensive study to reassess all B&W plant designs, including, but not limited to, the ICS and support systems such as power supplies and maintenance (Tucker, May 15, 1986). Recommended actions for design modifications for maintenance and for any changes to operating procedures (if any) developed for the utilities by the BWOG will be coordinated with the NRC staff and are outside the scope of this study.

3.4 CE PWR Plant Design

Review of the CE PWR design identified four failure scenarios that could potentially lead to undesirable events (NRC, NUREG-1217): Two could lead to steam generator overfill,* one could lead to reactor core overheating, and one could lead to an overcooling event. The overcooling event could potentially result in a possible thermal shock event in a plant with a vulnerable pressure vessel. Table 3.4 of NUREG-1217 identifies the failure scenarios and the failure mechanisms contributing to these events. The following alternatives are discussed in more detail in Section 4. These alternatives are intended to improve overfill protection and prevent overheating or possible pressurized thermal shock events during shutdown operations following a small-break loss-of-coolant accident (SBLOCA).

(1) Include an automatic steam generator high-water-level main feedwater pump or main feedwater isolation valve trip system.

(2) Improve operator procedures to manually depressurize the primary system following an SBLOCA.

Several other alternatives were also considered (NRC, NUREG/CR-3958), but the risk reduction associated with implementing them was not found to be significant. These other alternatives focused on (1) different design modifications to the existing feedwater control system to improve the overfill-protection capabilities and (2) improving administrative procedures to preclude possible pressurized thermal shock events during shutdown operations following an SBLOCA.

It was also concluded that the frequency of the failure scenario leading to a possible pressurized thermal shock event and eventual vessel failure was extremely small (estimated to be 1 x 10^-8 event per year) and, therefore, not judged to be a significant concern. These other alternatives were, therefore, not considered practical and are not discussed in this report.

See also Appendix B, "Babcock & Wilcox (B&W) PWR Plant Design."

*See also Appendix B, "Combustion Engineering (CE) PWR Plant Design."

4 Discussion of Alternatives

Alternatives for possible regulatory actions are discussed in the sections that follow. These alternatives focus on design modifications that could reduce the frequency of the initiating failure or could eliminate the mechanisms of control system failure that the staff found to be major contributors to events of concern. Only those alternatives judged to be important are discussed here.

4.1 GE BWR Plant Design

The following alternatives propose methods to minimize the frequency of reactor vessel overfill. The detailed risk analyses and value/impact analyses are presented in NRC document NUREG/CR-4387.

(1) Modify plant designs with overfill protection similar to the reference plant (i.e., 2-out-of-3) to improve their reactor vessel high-water-level feedwater trip system.

Such modifications would upgrade plants with a 2-out-of-3 reactor vessel high-water-level feedwater trip system to a 2-out-of-4 system. Implementing this alternative would minimize the effect of equipment failures that could lead to reactor vessel overfill.

The reference plant design has a commercial-grade 2-out-of-3 reactor vessel high-water-level feedwater trip system. The level sensors are powered by independent power sources. Two of the three water-level instruments, however, share a common tap for the reference leg. Implementing this alternative would add another high-water-level trip channel and logic to improve the reliability and increase the redundancy of the existing design.

Safety Benefit

In NUREG/CR-4387, the core-melt frequency is estimated to be reduced by 7 x 10^-7 per reactor-year by changing the existing 2-out-of-3 system to a 2-out-of-4 system. The estimated risk reduction is 123 man-rem over the life of the plant.

Cost

Adding another channel and modifying the logic circuits is estimated to cost between $150,000 and $1.3 million per plant. This variation in cost depends on whether additional containment penetrations and electrical cabinets are needed. It is estimated that 50 percent of these plants would require additional penetrations and electrical cabinets. Therefore, implementing this alternative is estimated to cost utilities a total sum ranging from $3 million to $13 million. It is estimated that it would cost NRC less than $75,000, based on a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

This alternative is not considered viable, considering the questionable safety benefit of adding another channel and the high cost for changing the reference plant design.

(2) Modify plant designs with less-reliable overfill-protection systems (1-out-of-1, 2-out-of-2, etc.) to a reference plant equivalent.

Most operating BWR plants provide commercial-grade protection against reactor vessel overfill identical to the protection provided for the reference plant (that is, a 2-out-of-3 high-water-level pump trip system with separate and independent electrical power supplies for each level sensor). Several plants, however, have overfill-protection designs with less independence and less reliability. These designs vary from 1-out-of-1 or 1-out-of-2, to a 2-out-of-2 reactor vessel high-water-level feedwater pump trip. On some designs, logic separation and electrical power independence could not be verified. Three early plants do not have any overfill-protection systems that automatically isolate feedwater on a reactor vessel high-water level, and rely solely on the operator to mitigate overfeeding events (see Table A.1 in Appendix A).

The relative safety benefits afforded by the different combinations of high-water-level trip logics were evaluated using the reference plant as a model. The risk associated with the different trip systems was also estimated (NRC, NUREG/CR-4387).

Safety Benefit

Although some safety benefit could be gained by providing additional reactor vessel water-level redundancy and independence to the existing designs for BWR overfill-protection systems that are less reliable than the reference plant design, the benefits are not considered significant for plants that have some sort of automatic reactor vessel high-water-level feedwater trip system. In NUREG/CR-4387, however, it is estimated that for plants with no automatic feedwater trip, the overfill frequency is 15 times greater than estimated for the reference plant. For plants with no automatic feedwater trip on high-water level in the vessel, except for the early vintage very-low-power-rated plants located at low-density population sites, it is estimated that implementing (as a

minimum) a single reactor vessel high-water-level trip system would reduce the risk by 3600 man-rem over the life of the plant. Implementing a 2-out-of-4 reactor vessel high-water level trip system would reduce the overall risk by 3800 man-rem over the life of the plant. Although the difference in the risk reduction between these two designs is not significant, the additional redundancy provided in the 2-out-of-4 design provides operational flexibility during maintenance and online testing. It also minimizes spurious actuation of the feedwater trip system. For the early vintage low-power-rated plants located in low-density population sites such as Big Rock Point and La Crosse, the risk reduction to implement overfill protection is insignificant (i.e., less than 0.4 man-rem over the life of the plant).

Cost

The cost of adding a single high-water-level pump trip or a 2-out-of-4 high-water-level pump trip to plants that have no existing automatic trip logic could not be accurately determined, but is estimated to cost between $100,000 and $500,000 per plant. Of the three plants that do not have automatic high-water-level feedwater trip systems, one plant (i.e., Oyster Creek) warrants an upgrade. Therefore, implementing this alternative is estimated to cost utilities approximately $100,000. For a more versatile design that would facilitate online testing, the estimated total industry cost would be approximately $500,000 (for this plant, additional penetrations are not needed to complete the modifications). It is estimated that it would cost NRC $5000, based on a 0.5 staff-month effort per plant, to review the design modification.

Value/Impact

This is a viable alternative, considering the safety benefit that can be gained by upgrading certain plants that have no overfill protection to a 1-out-of-1 high-water-level trip configuration or better and the relatively low cost estimated for implementing the designs. It should be noted that although a single high-water-level feedwater trip system is adequate, a more redundant design that facilitates online testing, minimizes spurious actuation, and permits bypass capabilities during equipment inoperability is preferred. It should also be noted that for early vintage low-power-rated plants located in remote areas (i.e., Big Rock Point and La Crosse), this alternative is not viable.

(3) Issue an information letter to all utilities with BWR plants informing them of the analytical results regarding overfill protection.

The review evaluated a large number of BWR plant designs and identified variations in the overfill protection design for BWR plants (see Table A.1 in Appendix A). Sensitivity studies were performed to determine if the differences in the designs were significant. Although the staff concluded that only trivial safety benefit could be gained by providing additional redundant water-level sensors for the feedwater trip system of plants that have overfill-protection systems, variations in these designs can exist that may have not been considered in this review because of the assumptions made in utilizing the reference plant design as a base model. Plant-specific differences (such as power supply interdependencies, sharing of sensors between control and trip logic, operator training and procedures, and design for indication and alarms available to the operator) may exist. However, the staff believes that plant-specific differences will not significantly alter the estimate of failure rate utilized in the staff study. It is proposed that the staff issue an information letter to all utilities whose BWR plants have automatic overfill-protection systems advising them of the potential failure mechanisms for overfill and associated consequences.

Safety Benefit

Implementing this alternative would provide licensees with information that could allow them to identify potential improvements in plant designs and minimize potential common-mode failures that could increase the likelihood of overfill events.

Some safety benefit could be gained by modifying existing overfill-protection designs if the designs are susceptible to common-cause failures associated with the plant-specific design. It is difficult, however, to determine this safety benefit accurately.

Cost

The utilities would incur no appreciable cost by implementing this alternative.

Value/Impact

No value/impact is associated with implementing this alternative.

4.2 W 3-Loop PWR Plant Design

The following proposed alternatives are methods to minimize steam generator overfill, reactor vessel overcooling, and overpressure events. The detailed risk analyses and value/impact analyses are presented in NRC document NUREG/CR-4385.
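The trip-logic configurations compared in Section 4.1 (1-out-of-1, 2-out-of-2, 2-out-of-3, 2-out-of-4, and a channel taken out of service for online testing) can be explored with a simple binomial voting model. This is an added example, not part of NUREG-1218 or NUREG/CR-4387; the per-channel probabilities `Q_FAIL` and `S_SPURIOUS`, the common-cause fraction `beta`, and all function names are assumptions chosen for illustration, not values from the report.

```python
"""k-out-of-n trip voting: missed-trip vs. spurious-trip probability.

Illustrative model only. The channel probabilities below are assumed
values, not data from NUREG-1218 or NUREG/CR-4387.
"""
from math import comb

Q_FAIL = 0.01      # assumed: P(one level channel fails to trip on demand)
S_SPURIOUS = 0.01  # assumed: P(one channel gives a false high-level signal)


def at_least(k, n, p):
    """P(at least k of n independent channels are in a state of probability p)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def missed_trip(k, n, q=Q_FAIL, beta=0.0):
    """P(a k-out-of-n high-level trip does not actuate on a real overfill).

    The trip is lost when more than n-k channels fail. `beta` is the assumed
    fraction of channel failures that are common cause (for example a shared
    reference-leg tap or power supply) and defeat every channel at once.
    """
    if n < k:  # too few channels in service: no automatic trip is possible
        return 1.0
    common = beta * q
    independent = at_least(n - k + 1, n, q * (1 - beta))
    return common + (1 - common) * independent


def spurious_trip(k, n, s=S_SPURIOUS):
    """P(k or more of n channels signal high level while level is normal)."""
    return at_least(k, n, s)


def bypass_one(k, n):
    """Logic that remains with one channel bypassed for test or maintenance."""
    return k, n - 1


def compare(configs, beta=0.0):
    """Return {name: (missed, spurious, missed_with_one_channel_bypassed)}."""
    table = {}
    for k, n in configs:
        bk, bn = bypass_one(k, n)
        table[f"{k}-out-of-{n}"] = (
            missed_trip(k, n, beta=beta),
            spurious_trip(k, n),
            missed_trip(bk, bn, beta=beta),
        )
    return table


CONFIGS = [(1, 1), (1, 2), (2, 2), (2, 3), (2, 4)]

if __name__ == "__main__":
    for beta in (0.0, 0.1):
        print(f"\ncommon-cause fraction beta = {beta}")
        print(f"{'logic':<12}{'missed trip':>14}{'spurious':>14}"
              f"{'missed, 1 bypassed':>22}")
        for name, (m, s, mb) in compare(CONFIGS, beta).items():
            print(f"{name:<12}{m:>14.2e}{s:>14.2e}{mb:>22.2e}")
```

With these assumed inputs, a 2-out-of-4 system with one channel bypassed still behaves as 2-out-of-3, a 2-out-of-3 system drops to 2-out-of-2, and a single channel provides no automatic trip while bypassed. Once a common-cause fraction is included, adding channels changes the missed-trip probability very little.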

(1) Provide automatic shutoff (or flow restriction) of the auxiliary feedwater system on steam generator high-water level.

This alternative proposes that the existing auxiliary feedwater (AFW) system be modified to automatically restrict the AFW flow or trip the AFW pumps on steam generator high-water level.

For the reference plant study (i.e., event #1), the onset of steam generator overfill via the AFW system was predicted to occur in about 3 minutes. The AFW system is automatically initiated when the MFW pumps trip, and overfill conditions would occur via AFW flow if the operator failed to manually terminate AFW on steam generator high-water level.

Safety Benefit

In NUREG/CR-4385, core-melt frequency is estimated to be reduced by about 6 x 10^-8 per reactor-year by providing such automatic shutoff. It is estimated that risk would be reduced by about 9 man-rem over the life of the plant.

The potentially negative consequences of implementing this alternative (i.e., increasing the potential for inadvertent isolation of the AFW system) have not been factored into these estimates. Inadvertent isolation of the AFW system when the system is required could decrease the overall reliability of the system and could reduce plant safety.

Cost

The switches on the steam generator that are used to control water level and that are already used to trip the reactor or initiate the feedwater isolation system could also be utilized for this modification, thus reducing equipment costs associated with implementing this alternative. The estimated cost to implement a high-water-level trip or restrict flow for the AFW system is about $45,000 per 3-loop plant. Implementing this alternative is estimated to cost utilities a total of $2.3 million. This does not include the cost for electrical penetrations and electrical systems cabinets that may be needed. Assuming that 50 percent of the plants would require additional penetrations, the estimated cost to industry is $27 million. It is estimated that it would cost NRC $250,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

This alternative is not considered viable because the safety benefit is questionable and because a potentially high cost may be incurred.

(2) Issue an information letter to all applicants and licensees that have W PWR plants informing them of the results of reviews of steam generator overfill transients via the AFW systems.

Review of other W PWR plants identified variations in the design of the AFW systems that could change the time required to overfill the steam generators via the AFW system. Some plant designs represented improvements over the reference plant design. These improved designs utilize restricting orifices or flow-restricting control valves in the flow lines that prevent excessive AFW flow to any steam generator and allow more time for operators to respond to overfeeding events. This design feature would result in less-severe transients than those postulated for the reference plant. The review did not identify any plants at which overfill transients could be more severe than at the reference plant. Although it is the staff's judgment that the analysis conducted on the reference plant is a bounding analysis, there may be some plant designs for which some safety benefit could be gained either by providing automatic shutoff or flow restriction of the AFW system on steam generator high-water level or by improving administrative procedures to preclude such overfill events. Therefore, an information letter could be issued to all utilities to provide them with the data and the results of staff analysis.

Safety Benefit

By implementing this alternative, personnel could potentially identify plant-specific designs for which some safety benefit could be gained in providing a steam generator high-water-level trip to existing AFW designs or to improve administrative procedures to preclude overfill events via the AFW system. It is impractical, however, to quantify this safety benefit.

Cost

The utilities would incur no appreciable cost by implementing this alternative.

Value/Impact

No value/impact is associated with implementing this alternative.

(3) Modify plants with overfill protection designs similar to the reference plant to upgrade the steam generator high-water-level main feedwater trip system.

Implementing this alternative would upgrade designs for plants with a 2-out-of-3 steam generator high-water-level main feedwater trip system to a 2-out-of-4 system.

Implementing this alternative would minimize redundant equipment failures that could lead to steam generator overfill and ensures compliance with Section 4.7(3) of IEEE Standard 279-1971 relating to control and protection system interaction.

The reference plant design has a safety-related 2-out-of-3 steam generator high-water-level MFW trip system. This alternative would include an additional safety-related water-level instrument and logic modification for each steam generator.

Safety Benefit

The estimated core-melt frequency associated with the overfill transient is extremely small (less than 10^-4 per reactor-year) because the high-quality redundant safety-related trip system has already been incorporated into the design. Therefore, risk could be reduced only insignificantly by incorporating additional redundancy.

Cost

The estimated cost for adding another safety channel is between $250,000 and $1.3 million per plant. The cost depends on whether additional containment penetrations and electrical cabinets are needed for these modifications. It is estimated that 65 percent of the plants would need some modification and that half of these plants could require additional penetrations and cabinets. Therefore, implementing this alternative is estimated to cost utilities a total sum ranging from $8 million to $24 million. It is estimated that it would cost NRC $250,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

This alternative is not considered viable because virtually no safety benefit will be derived from it and because the cost of modifying the existing design is potentially high.

(4) Change the steam generator high-water-level main feedwater trip system.

Review of a number of operating plant designs and new designs under review for an operating license confirmed that all but three W PWR plant designs (Haddam Neck, San Onofre 1, and Yankee Rowe) have either a 2-out-of-3 or a 2-out-of-4 steam generator high-water level trip system to terminate the MFW flow during an overfill event. These systems are redundant and are designed to meet safety-related requirements. San Onofre and Yankee Rowe do not have automatic overfill protection. Haddam Neck has an overfill-protection system consisting of a safety-related 1-out-of-2 steam generator high-water-level interlock which automatically shuts the MFW control valves to the steam generator. The newer designs incorporate the more redundant 2-out-of-4 system that gives additional flexibility during testing and satisfies all the prescribed safety requirements, including those that relate to control and protection systems interactions addressed in Section 4.7(3) of IEEE Standard 279-1971.

The licensee event report (LER) review of operating history of W PWR plants revealed that no steam-generator-overfill events have occurred as a result of feedwater overfill transients. The staff, therefore, concludes that sufficient design features are provided on all but three W plants for feedwater isolation and for operator training to [...]

Safety Benefit

Not applicable.

Cost

The utilities would incur no appreciable cost by implementing this alternative.

Value/Impact

This alternative is not viable. The existing designs provide an adequate degree of protection for overfeeding transients to prevent steam generator overfill events; therefore, no additional requirements are recommended.

(5) Provide automatic actuation of the steam isolation block valves to the atmospheric dump valves (ADVs) and of the isolation valves to the steam dump valves to the condenser.

The following control system failure modes were identified that could lead to reactor overcooling transients:

Case 1: Inadvertent opening of all five steam dump valves to the condenser during full-power operation.

Case 2: Inadvertent opening of the atmospheric dump valves, steam dump valves to the condenser, or main turbine stop valves during hot-shutdown conditions.

This alternative requires that the control system design be modified to automatically close the isolation block valves to the steamline power-operated relief valves (i.e., atmospheric dump valves) and to the steam dump valves to the condenser. This modification would isolate the steam flow resulting from inadvertent opening of the valves, and would mitigate overcooling events resulting from such failures.

For Case 1: Multiple independent failures are needed to open all five steam dump valves to the condenser. A special arming circuit installed at most W plants would have

to fail or be disabled, in addition to another single failure in the control circuit, for all valves to fail open. In addition, most W plants also provide for condenser-steam dump isolation on a protection-grade low-low Tavg signal which closes the steam dump valves regardless of the control-grade demand signal. The failure frequency to open all the steam dump valves to the condenser is, therefore, estimated to be very low. In addition, most operating plants and plants under review for operating licenses have system designs that represent an improvement over the reference plant design. These designs will automatically terminate steam flow by isolating the steamlines via the MSIVs on a low steamline pressure signal. For those plants in which a control system failure results in inadvertent opening of steam dump valves downstream of the MSIVs, the overcooling transient should be less severe than for the reference plant design.

For Case 2: The major control system contributors in terms of the frequency of initiating failures to an overcooling event were failures associated with inadvertent opening of the ADVs. The contribution associated with failures of the steam dump valves to the condenser (i.e., failure frequency) is estimated to be a factor of 10 less than the ADVs and the contribution associated with the failures of the turbine stop valves is estimated to be a factor of 100 less than the ADVs. For Case 2, only ADVs are considered.

Safety Benefit

For Case 1: In NUREG/CR-4385, public risk associated with failures has been estimated. The estimated core-melt frequency associated with this failure scenario is extremely small (less than 10 S per reactor-year). This is due to a combination of the low initiating frequency and the low probability of subsequent fuel damage or core melt following an accident on the steam side of a PWR. The estimated public risk is less than 0.003 man-rem for the life of the plant. For those plants that provide automatic MSIV closure on a low steamline pressure signal, the core-melt frequency contribution would be even smaller than predicted for the reference plants.

For Case 2: A higher core-melt frequency was calculated because of potential single failures that could open the ADVs. The estimated core-melt frequency associated with such overcooling events is 8 x 10 7 per reactor-year. The estimated public risk is 118 man-rem for the life of the plant. The estimated reduction in core-melt frequency associated with implementing automatic actuation of the block valves (for ADVs only) is 1.3 x 10 7 per reactor-year. The estimated risk reduction was 20 man-rem for the life of the plant.

Cost

For Case 1: The estimated cost of providing instrumentation for automatic isolation valve closure logic for the steam dump valves to the condenser is $65,000 per plant. Implementing this alternative is estimated to cost utilities a total of $3.4 million. If additional valves are needed to replace the existing valves, the cost would be significantly greater and would vary from plant to plant, depending on how many steam dump valves the plant has.

For Case 2: The estimated cost of providing automatic block valve closure logic for ADVs is between $123,000 and $1.2 million per plant. The variation in cost depends on whether additional containment penetrations and electrical cabinets are needed. It is estimated that 50 percent of the plants could require additional penetrations and cabinets. Therefore, implementing this alternative is estimated to cost utilities a total sum between $6.5 million and $37 million. It is estimated that it would cost NRC $250,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

For Case 1: This alternative is not considered viable because virtually no safety benefit will be derived from implementing automatic isolation of the steam dump valves to the condenser.

For Case 2: This alternative is not considered viable because the safety benefit is insignificant and the cost of modifying the existing design to provide automatic isolation of the ADVs is potentially high.

It should be noted that Generic Issue 70 (Bernero, April 30, 1985) was established to assess the need for improving the reliability of the PORVs and block valves in light of plant-protection and accident-mitigation requirements. This study will be applicable to all PWRs that have PORVs. Once that issue is resolved, additional insight may warrant reconsideration of the existing designs.

(6) Modify the ADV controller logic to reduce the frequency of spurious opening of the ADVs.

This alternative also deals with false ADV lifts resulting from control system failures (same as Case 2 of Alternative 5). This alternative would not eliminate mechanical failures, but is intended to minimize the ADV failure rate resulting from electrical faults. It was assumed that an enable circuit to the existing design would be required.

Safety Benefit

In NUREG/CR-4385, the estimated reduction in the frequency of core melt from implementing this alternative is 1.5 x 10 7 per reactor-year. The estimated risk reduction is about 20 man-rem for the life of the plant.

Cost

The estimated cost to the utilities of modifying the ADV controller logic is between $123,000 and $1.2 million per plant. The variation in cost depends on whether additional penetrations and electrical cabinets are needed. It is estimated that 50 percent of the plants could need additional penetrations and cabinets. Therefore, implementing this alternative is estimated to cost utilities a total ranging from $6.5 million to $37 million.

Value/Impact

This alternative is not considered viable because only a very small safety benefit could be gained, and because the cost of implementing this modification is potentially high.

(7) Improve the design of the control system for pressurizer PORVs.

Although a number of alternatives were considered in Section 3 to minimize overpressure events, the alternative for additional modification for overpressure protection was not considered appropriate for the following reasons:

  • The pressurizer PORVs in W PWR plants are powered from independent safety-related power supplies in essentially the same configurations as in the reference plant design. Some plants provide independent non-Class 1E battery-backed power supplies, which the staff has also found acceptable. This design minimizes the potential of a common-mode failure resulting from a loss of electric power and minimizes the potential for an overpressure event resulting from control system failures.

  • A large number of plant designs contain additional improvements over the reference plant design. These improvements consist of overpressure relief capability through the residual heat removal (RHR) system (during cold-shutdown operations) which allows the operator more time to respond to overpressure events. This design feature results in less-severe transients than are produced on the reference plants.

Only a few plant designs were identified as being identical to the reference plant design in which additional pressure-relief capability via the RHR system was not provided. The staff believes, however, that sufficient reviews were conducted previously (NRC, NUREG-0371 and -0748) to conclude that all the W designs provide a design system equivalent to or better than the design system of the reference plant.

In addition, two major ongoing generic studies are determining the need for additional modifications to existing pressurizer PORV systems (i.e., Generic Issue 70 [Bernero, April 30, 1985] and Generic Issue 94 [Denton, July 23, 1985]). Conditioned on the satisfactory resolution and completion of these generic issues, this alternative is considered a viable option.

Safety Benefit

In NUREG/CR-4385, the contribution of frequency of core melt for the overpressure event on the reference plant design is less than 1 x 10 S per reactor-year. This is due primarily to the low initiating frequency estimated for the identified failure mode. Because most of the plants provide equivalent or better designs than the reference plant provides, the core-melt frequency contributions for other plants are expected to be as low. No safety benefit would be gained by instituting additional requirements.

Cost

The utilities would incur no appreciable cost by implementing this alternative.

Value/Impact

Not applicable.

(8) Issue an information letter to all applicants and licensees that will operate W PWR plants about the potential overpressure vulnerabilities resulting from operating procedures at low-temperature and low-pressure shutdown conditions.

This alternative was considered because variations in plant procedures could exist that could create the potential for the operator to cause reactor vessel overpressure conditions by prematurely transferring the PORV setpoints to a higher value during shutdown or startup operations. The staff did not review the appropriate plant procedures to determine which plants are susceptible to this problem. The nuclear steam supply system vendor stated (Westinghouse, WCAP-10797) that most W PWRs have procedural and administrative controls that would make the pressure transients at these conditions less severe than conditions analyzed for the reference plants, primarily because of the capability of the RHR system to relieve pressure. The adequacy of this capability is currently being reevaluated within the framework of the Generic Issue 94 study.

Safety Benefit

In NUREG/CR-4385, the overpressure consequences for this scenario have been estimated. The estimated contribution of this overpressure event (frequency of core melt) is less than 1 x 10 2 per reactor-year. This is due primarily to the low initiating frequency estimated for the identified failure mode. A reduction in the frequency of core melt for any modification to the procedures would, therefore, be insignificant.

Cost

The utilities would incur no appreciable cost by implementing this alternative.

Value/Impact

This alternative is not considered viable because essentially no safety benefit is to be gained from implementing this alternative. The resolution of Generic Issue 94 may result in additional changes which have not been considered here.

(9) Issue an information letter to all applicants and licensees with W 3-loop PWR plants informing them of the potential for non-safety-related control system failures to occur that could make SGTR events more severe than previously analyzed.

Two control system failure scenarios were identified during the review. One was an inadvertent opening of an ADV (or safety-related relief valve) coincident with a loss of off-site power. The other was an instantaneous, main feedwater, overfeed transient coincident with an inadvertent opening of the ADV (or safety/relief valve).

Staff analysis indicates that the contribution of these events to the frequency of core melt is extremely small, primarily because of the low estimated initiating frequency for the combination of failures identified. This alternative was considered, however, because the designs of the offsite power systems on different plants vary and because the reliability of these systems can alter assumptions made in this report about the frequency of accidents. Such variations could change the calculations on core-melt frequency.

Safety Benefit

In NUREG/CR-4385, the safety benefit of informing applicants and licensees about this potential was estimated. The estimated contribution of the event to the frequency of core melt, involving a simultaneous failure of the feedwater control system coincident with an inadvertent opening of the ADV, is less than 1 x 10 M per reactor-year. Therefore, any design modification would reduce the frequency of core melt only insignificantly. The contribution to the frequency of core melt for the event involving an inadvertent opening of the ADV coincident with a loss of offsite power, however, is estimated to be 1 x 10 s per reactor-year. The estimated public risk associated with this event is about 2 man-rem for the life of the plant.

Cost

Not applicable.

Value/Impact

This alternative is not considered viable. Variations in the reliability of offsite power for different plant designs may modify the frequency of loss of offsite power (up to 8 hours) by a factor of 30 (NRC, NUREG-1032). Such variations would not change the contribution to the frequency of core melt enough to warrant modifications to the design.

4.3 B&W PWR Plant Design

The following alternatives propose methods to minimize steam generator overfill and reactor vessel overheating events. The detailed risk analyses and value/impact analyses are presented in NRC document NUREG/CR-4386.

(1) Test the steam generator high-water-level main feedwater trip system every month to reduce the likelihood of undetected failures.

The design of the reference plant (Oconee Nuclear Station, Unit 1) calls for a non-safety-related main feedwater pump trip utilizing a 2-out-of-2 steam generator high-water-level trip system from each steam generator. The design is subject to a number of single failures, each of which can prevent a feedwater trip on high-water level. The system is designed in an "energized to trip" configuration in such a way that a loss of control power (i.e., 125-V dc) to the trip relay would not trip the feedwater pumps. A loss of power to the level sensors with available 125-V dc control power to the trip relay would cause the main feedwater pumps to trip. This alternative was considered in order to reduce the frequency of undetected failures which could lead to steam-generator-overfill events. Only three plants (Oconee Nuclear Station, Units 1, 2, and 3) utilize this design. Other B&W designs are discussed below.

Safety Benefit

In NRC document NUREG/CR-4385, the safety benefit of such monthly testing was estimated. The estimated
reduction in the frequency of core melt as a result of performing monthly inspections is 3.2 x 10.e per reactor-year. The estimated reduction of risk is 450 man-rem for the life of the plant. An increased test frequency, however, could increase the likelihood of inadvertent loss-of-feedwater (LOF) events. The challenges to the protection systems resulting from these inadvertent LOF events could potentially lead to adverse overheating transients. It was impractical to estimate the risk associated with these negative contributions.

Cost

The estimated cost of developing test procedures and inspecting the system on a monthly basis is about $100,000 per plant. This estimate does not include plant downtime that could occur because of inadvertent feedwater pump trips caused by additional testing. Only Oconee 2 and 3 are similar in design to the reference plant. Therefore, the estimated total cost to utilities for implementing this alternative is $300,000. The NRC would incur no costs if this alternative were implemented.

Value/Impact

This alternative is not considered viable. Considering only the benefits derived from implementing this alternative and the relatively low cost incurred, it would at first appear that this alternative is viable. The staff finds, however, that the likelihood of increasing the number of transients from an inadvertent loss of feedwater resulting from more testing is sufficiently high that potential risks outweigh any estimated safety benefits. In addition, it may not be possible to test a complete control system circuit on the present design during normal plant operation, and the utility could incur additional costs in providing a fully testable system.

(2) Test the steam generator high-water-level main feedwater pump trip system monthly, and also modify the existing trip logic to preclude undetected failures of the trip circuit and facilitate online testing. This alternative is applicable only to Oconee 1, 2, and 3 plants.

This alternative would also include additional design modifications to:

(a) permit full online testing of the trip system, and

(b) provide an additional trip relay in parallel with the existing master trip relay to prevent a single failure (or an undetected failure) from initiating a trip.

This alternative differs from alternative 1 (p.14) by specifying

(a) additional redundancy to the existing trip logic, and

(b) additional circuit modifications to permit full-test capability of the overfill-protection system.

Safety Benefit

In NRC document NUREG/CR-4386, the safety benefit of implementing such modifications and instituting monthly testing as described was estimated to reduce the core-melt frequency by 7 x 10 e per reactor-year. The estimated risk reduction is 1000 man-rem for the life of the plant.

Cost

The estimated cost for developing new test procedures, providing monthly inspections, and modifying existing logic is $200,000 per plant. This does not include downtime costs that could be incurred as a result of inadvertent feedwater pump trips caused by additional testing. Only Oconee 2 and 3 are similar to the reference plant. Therefore, implementing this alternative is estimated to cost utilities a total of $600,000. It is estimated that it would cost NRC $15,000, based on a 0.5 staff-month effort per plant, to review the design modification.

Value/Impact

Even given the potential for LOF events resulting from additional testing, the risk reduction gained from these modifications makes this alternative viable. The potential uncertainty for an increased number of LOF transients exists for this alternative as for alternative 1 (p.14). The improved reliability of the design as a result of implementing this alternative, however, improves the estimated risk reduction. It should be noted that other alternatives may be preferred.

(3) Improve the steam generator high-water-level main feedwater pump trip system.

This alternative would propose that the overfill-protection system on the reference plant be improved to satisfy the single-failure criterion. Two cases were considered to improve the existing plant design. Case 1 would provide an additional independent MFW trip system actuated from a separate steam generator high-water-level channel to isolate the feedwater flow via a trip of the MFW block valves. The current design provides a 2-out-of-2 high-water-level trip system that only trips the MFW pumps. Case 2 would propose that the existing design be upgraded to a 2-out-of-3 or 2-out-of-4 high-water-level trip system. Several modifications to the trip system logic were evaluated in NRC document NUREG/CR-4386. As a result of that evaluation, it was concluded that most of the benefits gained from implementing a 2-out-of-4
trip system rather than a 2-out-of-3 system were associated with greater flexibility and ease in testing the trip system during power operation. There was no substantial difference between the reduction in risk for a 2-out-of-3 or a 2-out-of-4 trip logic system. These alternatives would not require additional testing beyond what is presently provided.

Only the two other B&W PWR plants (Oconee 2 and 3) have overfill-protection systems similar to the overfill-protection system of the reference plant. All other operating plant designs and plants currently in the licensing review stage have modified their designs or have committed to modify their designs by the time of the next refueling. These modified designs are safety related. The initiating logic is either a 2-out-of-4 or a 1-out-of-2 taken-twice high-water-level trip system actuating redundant MFW isolation systems (i.e., closure of MFW isolation and control valves). One plant design currently under review for an operating license will use a safety-related 2-out-of-3 trip logic system. The design at other B&W PWR plants offers, or will offer, an adequate degree of protection for steam generator overfill. These designs represent a substantial improvement; therefore, no additional changes are recommended for these plants. It should be noted, however, that the plants that have committed to but have not yet implemented these designs are more at risk than the reference plant design because they lack a high-water-level MFW trip. It is recommended that these design modifications be implemented at other plants in a timely manner.

Safety Benefit

In NUREG/CR-4386, the safety benefit of this upgrade was estimated. For case 1, the estimated reduction in the frequency of core melt is 9 x 10_e per reactor-year. The estimated risk reduction is 1300 man-rem over the life of the plant. For case 2, the estimated reduction in the frequency of core melt is 8 x 10.e per reactor-year. The estimated risk reduction is 1200 man-rem over the life of the plant.

Cost

Cost is not estimated for case 1. It is assumed that existing steam generator water-level transmitters used for other functions (e.g., startup range transmitters) could be utilized to monitor a high-water-level condition in the steam generator. The cost per plant for implementing this alternative would, therefore, be relatively low (less than $100,000). If additional electrical penetrations, electrical cabinets, and water-level transmitters are required, the cost would be higher. Only Oconee 2 and 3 are similar to the reference plant; therefore, the estimated cost per plant is $300,000. If additional penetrations, cabinets, and transmitters are needed, the cost per plant could be as high as $1.1 million and the total cost to utilities could be as high as $3.3 million.

For case 2, the estimated cost for modifying the design to a 2-out-of-3, high-water-level pump trip configuration is $300,000; the estimated cost per plant is $600,000 for modifying the design to a 2-out-of-4 system. These estimates do not include installation of additional electrical penetrations or control cabinets that may be needed. Only Oconee 2 and 3 are similar to the reference plant; therefore, the estimated total cost to utilities is $900,000 and $1.8 million, respectively. If additional penetrations and cabinets are needed, it could cost the utilities as much as $5 million to install a 2-out-of-4 system in the three plants. It is estimated that it would cost NRC $15,000 (for either case), assuming a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

For case 1, this alternative is considered viable, considering the substantial risk reduction that can be gained by implementing it and the potentially moderate costs that would be incurred. For case 2, this alternative is also considered viable, considering the significant risk reduction that can be gained from implementing an upgrade and the relatively low cost. If, however, additional electrical penetrations are needed, this alternative could become too expensive and of less benefit than case 1.

(4) Provide automatic protection to prevent steam generators from drying out on loss of "hand" (manual) control or "auto" (automatic) control power to the integrated control system.

Two scenarios were identified that could potentially lead to core overheating events. These events could occur if the operator did not take proper action to ensure feedwater flow to the steam generators. Loss of hand power and loss of auto power in the integrated control system (ICS) were identified as the initiators of the overheating scenarios.

A number of corrective actions could be taken to avoid

(a) Provide automatic initiation of the emergency feedwater system on steam generator low-water level (preferred).

(b) Provide sufficient feedwater flow at minimum pump speed to keep the steam generator from drying out.

(c) Trip the main feedwater pumps on loss of hand power (a main feedwater pump trip would automatically initiate the emergency feedwater systems).
(d) Train operators to cope with a loss of hand or auto power to the ICS.

(e) Install alarms in the control room to alert operators to loss of hand and auto power to the ICS.

Some of these actions take place automatically; others require operator interaction.

All B&W PWR plants, with the exception of the reference plant and Oconee 2 and 3 designs, provide automatic initiation of the emergency feedwater system on steam generator low-water level (action a), minimizing the potential for loss of steam generator cooling. Therefore, this concern is plant specific and applies only to Oconee 1, 2, and 3 plants.

Safety Benefit

In NRC document NUREG/CR-4386, the safety benefit of implementing such automatic protection was estimated. The estimated reduction in the frequency of core melt to implement the different options is between 2 x 10 8 per reactor-year and 9 x 10_e per reactor-year. The preferred option of the five options listed above is to provide automatic initiation of the emergency feedwater system on steam generator low-water level. The estimated risk reduction for the preferred option is between 155 man-rem and 870 man-rem over the life of the plant.

Cost

It is considered extremely unlikely that the cost of implementing the suggested corrective actions would exceed $150,000 per plant. Therefore, it would cost utilities a total of $450,000 to implement this alternative. It is estimated that it would cost NRC $15,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

This alternative is considered viable because some safety benefit could be gained with minimal modifications.

4.4 CE PWR Plant Design

The following alternatives propose modifications to minimize steam generator overfill and reactor vessel overpressure events. The detailed risk analyses and value/impact analyses are presented in NRC document NUREG/CR-3958.

(1) Provide an automatic redundant steam generator high-water-level MFW pump or feedwater isolation valve trip system.

Implementation of this alternative would mean that all CE PWR plant designs have a 2-out-of-4 steam generator high-water-level feedwater isolation system. The reference plant design currently utilizes a 2-out-of-4 steam generator high-water-level signal to trip the main steam turbine. A turbine trip signal will, in turn, trip the reactor, shut the MFW valves, and open the startup feedwater valves to 5 percent of rated flow. Although the current feedwater runback system does reduce the frequency of steam generator overfill should an overfeed transient occur, the operator is still needed to manually trip the feedwater pumps or the feedwater isolation valves to prevent overfill if a failure renders the feedwater runback system inoperable. This design is similar to the design of other CE PWR plants.

The MFW isolation system should be initiated at a higher steam generator water-level setpoint than is used for the runback control. This would permit the existing control system to perform its function and would minimize the need to automatically terminate MFW.

Safety Benefit

In NUREG/CR-3958, the safety benefit of such a system was estimated. The estimated reduction in the frequency of core melt is 4 x 10_e per reactor-year. The estimated risk reduction is 570 man-rem over the life of the plant.

Cost

... operated feedwater isolation valves could be used. The cost for implementing this alternative (i.e., a 2-out-of-4 steam generator high-water-level feedwater isolation) would be less than $200,000 per plant. It would cost utilities a total of $3 million to provide this automatic trip system. If additional electrical penetrations and electrical cabinets were required, the cost would be higher. It is assumed that existing penetrations and cabinets can be used for implementing this alternative. It is estimated that it would cost NRC $75,000, assuming a 0.5 staff-month effort per plant, to review the design modifications.

Value/Impact

This alternative is considered viable, considering that a moderate safety benefit can be gained and the potentially moderate cost of modifying the existing designs.

(2) Improve operator procedures for manually depressurizing the primary system following an SBLOCA.

This alternative would specify to those utilities that have operating plants with low-head high-pressure injection
Discussion pumps having limited discharge flow capacities at tion in the frequency of core melt is 8 x 10 e per reactor- .l pressures greater than or equal to 1275 psi, to revise their year. The estimated risk reduction is 850 man-rem over emergency procedures and operator training programs to the life of the plant.

ensure that the operators can safely depressurize the secondary (steam) system via the atmospheric dump Cost talves or the turbine bypass valves and can cool the plant down during any SBLOCA. His preferred cooldown via He cost of revising both procedural changes and opera-the secondary system would, in turn, depressurize the tor training programs to implement the alternative is not

. primary system. The primary PORV would provide expected to exceed $10,000 per plant. Seven plants (Cal-additional backup.The procedure should clearly describe vert Cliffs Nuclear Power Plant, Units 1 and 2; Fort Cal-any transfers the operator performs in the event that a houn Station, Unit 1; Millstone Nuclear Power Station, loss of fastament air or loss of electric power prevents Unit 2; Palisades Nuclear Plant Unit 1; and St. Lucie manual operation of the valves. The use of the Plant, Units 1 and 2) use high-pressure safety injection pressurizer PORVs and spray valves to depressurize the pumps that have discharge heads less than or equal to plant during an SBLOCA and to ensure that the R NDT 1275 psi. It is estimated to cost utilities no more than a limits are not compromised should also be clearly total of $70,000 to implement this alternative. No NRC described. staff costs are anticipated.

Va uellmpact Safety Benefit This alternative is considered viable, considering the In NUREG/CR-3958, the safety benefit of such im- moderate safety benefit that can be gained and the very proved procedures was estimated. He estimated reduc- low cost to implement this alternative.

5 Summary of Alternatives

[Table summarizing the alternatives; contents not recoverable from the scanned pages.]

6 Resolution of USI A-47

The following alternatives represent recommended actions for resolution of Unresolved Safety Issue (USI) A-47. A generic letter will be issued to all LWR licensees requesting a number of actions and will provide details for the control system design and for procedural modification for resolving USI A-47. These actions are summarized below.

6.1 GE BWR Plant Design

(1) Improve designs of plants with no automatic reactor vessel overfill protection to a 1-out-of-1 (or better) reactor vessel high-water-level feedwater trip system (except Big Rock Point and La Crosse plants).

(2) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided during power operation.

(3) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis. Because design differences exist in individual plants (e.g., in the overfill trip logic, in the power supplies for the trip logic, in operator training, in plant procedures, and in the design of plant alarms and indication systems), the failure rate estimates for the initiating events assumed in the staff's evaluation may vary from plant to plant. The information letter would allow individual applicants and licensees to assess the consequences of overfill transients on their plants.

6.2 W 3-Loop PWR Plant Design

(1) Take no action to upgrade existing main feedwater overfill-protection systems on plants that have installed redundant steam generator high-water-level overfill-protection systems consisting of 2-out-of-3 (or better), steam generator high-water-level feedwater trip isolation system.

(2) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill protection system and ensure that automatic overfill protection is provided during reactor power operation.

(3) Take no action to upgrade existing reactor overpres-

(4) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis. Because plant-specific differences exist (described in item 6.1(3) above), failure-rate estimates for initiating events assumed in the staff's evaluation may differ from plant to plant. The information letter would allow individual applicants and licensees to assess the consequences of potential overfill transients.

6.3 B&W PWR Plant Design

(1) Modify plants that are similar to the reference plant (i.e., Oconee 1) to either:

(a) Provide additional instrumentation to limit or terminate main feedwater flow on steam generator high-water level. The instrumentation should be separate from the existing main feedwater pump trip instrumentation. A system that initiates closure of main feedwater isolation valves on steam generator high-water level is acceptable; or

(b) Modify the existing overfill-protection system to minimize undetected failures in the system and facilitate online testing; or

(c) Improve the existing overfill-protection system to a redundant high-water-level trip system that satisfies the single-failure criterion for overfill protection. A 2-out-of-4, steam generator high-water-level trip system activating redundant main feedwater isolation equipment is acceptable.

(2) Plants similar to the reference plant (i.e., Oconee 1) should install Class 1E instrumentation to automatically initiate auxiliary (emergency) feedwater to minimize the potential for loss of steam generator cooling during a loss-of-control-power event.

(3) Take no action on other plants that have installed or have committed to install an emergency feedwater initiation and control (EFIC) system (or its equivalent) incorporating a redundant steam generator high-water-level overfill protection.

(4) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided at all times during reactor power operations.

(5) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis.

6.4 CE PWR Plant Design

(1) Modify all plants to provide additional instrumentation to terminate main feedwater flow on steam generator high-water level. The instrumentation should provide sufficient redundancy and be sufficiently separate from the main feedwater control system.

(2) Modify technical specifications on all plants to include provisions to periodically verify the operability of the overfill-protection system and ensure that automatic overfill protection is provided during reactor operation.

(3) Reevaluate plant designs similar to the reference plant (i.e., Calvert Cliffs Nuclear Power Plant, Units 1 and 2; Fort Calhoun Station, Unit 1; Millstone Nuclear Power Station, Unit 2; Palisades Nuclear Plant, Unit 1; and St. Lucie Plant, Units 1 and 2) to modify, if necessary, their emergency procedures and operator training program to ensure that the operators can safely shut down the plant during any SBLOCA utilizing the ADVs or the TBVs. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown.

(4) Issue an information letter to all applicants and licensees informing them of the results of the overfill analysis.

7 Application of the Backfit Rule, 10 CFR 50.109

The staff finds that the supporting analyses documented in this regulatory analysis comply with the provisions of 10 CFR 50.109. The following information is provided in answer to the specific requirements in paragraph (c) of 10 CFR 50.109.

(1) Statement of specific objectives that the proposed backfit is designed to achieve.

The specific objective of the proposed A-47 actions identified in Section 6 is to increase the safety of operating nuclear power plants by:

(a) minimizing the potential for water entering the steamlines, thereby decreasing the potential to damage the main steamline or the equipment associated with the steamlines (such as valves, pumps, and sensing lines);

(b) minimizing the potential for a loss of steam generator cooling under any condition of operation that could cause a significant reduction in flow of main feedwater;

(c) ensuring that the operators can safely depressurize the primary system and cool down the plant during any small-break loss-of-coolant accident.

(2) General description of the activity that would be required by the licensee or applicant in order to complete the backfit.

The resolution of USI A-47 is based mainly on providing:

(a) or improving existing control systems to ensure automatic overfill protection of the main steamlines in the event of a main feedwater overfeeding transient, and to periodically verify its operability to ensure that overfill protection is operable at all times during reactor operation;

(b) automatic initiation of auxiliary (emergency) feedwater under any condition of operation that results in a significant reduction in the main feedwater flow;

(c) a reevaluation and modification, if necessary, of selected CE plant emergency procedures and operator training to ensure that operators can safely depressurize the primary system (via the atmospheric dump valves or the turbine bypass valves) and cool down the plant during any small-break loss-of-coolant accident.

(3) Potential change in the risk to the public from the accidental offsite release of radioactive material.

Quantifying the net safety benefit in terms of risk for requiring technical specifications to include periodic verification of overfill-protection operability proved to be impractical. Justification for the technical specification requirement is based on the fact that overfill protection is needed to mitigate a design-basis accident (DBA) (i.e., feedwater malfunctions that result in increased feedwater flow). This requirement is consistent with the proposed Commission policy statement of what is needed in technical specifications.

The safety benefit for providing and improving existing automatic overfill protection for different NSSS vendors and the safety benefits for the other proposed requirements are estimated and discussed in Section 4 of this report. They are also summarized below.

For GE BWR plants, design change to improve existing overfill-protection systems does not significantly reduce risk. Modifications to only one plant that does not have any overfill protection (i.e., Oyster Creek) is, however, warranted. It is estimated that providing automatic overfill protection can potentially result in reducing the risk by as much as 3600 man-rem over plant life.

For Westinghouse plants, changes to improve existing overfill-protection systems from a 2-out-of-3 to a 2-out-of-4 steam generator high-water-level trip does not significantly reduce risk. Modification to two plants that do not have any overfill protection is, however, warranted.

For Babcock & Wilcox plants, improving overfill protection at three plants (i.e., Oconee 1, 2, and 3) is warranted. The estimated risk reduction to provide additional redundancy in the existing overfill-protection system could be as much as 1200 to 1300 man-rem over the plant life for each of the three plants.

To provide automatic initiation of auxiliary (emergency) feedwater on loss of, or significantly reduced, main feedwater flow, the risk reduction is estimated to be between 155 to 870 man-rem over the life of the plant for each of the three Oconee plants that warrant a design modification.

For Combustion Engineering plants, the risk reduction to provide automatic overfill protection is estimated to be 570 man-rem over the life of each plant.

To improve operating procedures at CE plants to manually depressurize the primary system following an SBLOCA, an estimated risk reduction of 850 man-rem over the life of each plant is estimated.

(4) Potential impact of radiological exposure of facility employees.

No estimate was made. However, it would add to the estimated public risk given in Section 4 of this report. Modifications could be made during plant shutdown, thereby reducing radiological exposure to employees.

(5) Installation and continuing costs associated with the backfit, including the cost of facility downtime or the cost of construction delay.

The estimated costs to the licensees for complying with the proposed resolutions of USI A-47 are presented in Section 4 of this report and are summarized below. The cost of facility downtime is not included in the estimates. Implementation should be scheduled to take place before startup, after the first refueling outage (but no later than the second refueling outage) beginning 9 months following receipt of the generic letter. The proper integration of the proposed work scope into each plant's schedule may allow for the modifications to be conducted during plant outages.

For BWRs, the cost to incorporate overfill protection at Oyster Creek is estimated at $100,000. For a more versatile design that facilitates online testing and repair, the estimated cost is $500,000. The cost to incorporate testing requirements into the technical specifications is about $15,000 per plant. It should be noted that most BWR plants that comply with the Standard Technical Specifications already incorporate testing of overfill protection.

For Westinghouse plants, most technical specifications incorporate testing of overfill protection. The estimated cost to incorporate the testing requirements into the technical specifications for the remaining plants is $15,000 per plant.

For Babcock & Wilcox plants, the cost to improve the Oconee overfill-protection systems is estimated to be $100,000 per plant. For a more versatile design that incorporates more redundancy, the estimated cost is $600,000 per plant. If additional penetrations are needed to complete the modifications, an additional $1 million per plant is needed. The estimated cost to incorporate testing requirements into the technical specifications is $15,000 per plant. The cost to provide automatic initiation of auxiliary (emergency) feedwater on the three Oconee plants is estimated not to exceed $150,000 per plant.

For Combustion Engineering plants, the cost to provide automatic overfill protection is estimated to be $200,000 per plant. It was assumed that existing instrumentation to generate the high-water-level signal and existing motor-operated feedwater isolation valves could be used, and that existing penetrations and cabinets can be utilized. The estimated cost to incorporate testing requirements into the technical specifications is $15,000 per plant. The cost to reassess and modify, if necessary, the emergency procedures and operator training to ensure that the operator can safely shut down the plant during any SBLOCA is estimated not to exceed $10,000 per plant.

(6) The potential safety impact of changes in plant or operational complexity including the relationship to proposed and existing regulatory requirements.

None.

(7) The estimated resource burden on the NRC associated with the proposed backfit and the availability of such resources.

The cost to the NRC for implementing the proposed resolution of USI A-47 is estimated and discussed in Section 4 of this report.

The principal cost to NRC would be the cost for reviewing the designs submitted by the individual licensees. It is estimated that a review of 22 plant design modifications and a review of the emergency procedure modifications on 7 plants would be needed. It is estimated that 0.5 staff-month effort will be needed to review each of these changes, for a total expenditure of 14.5 staff-months. In addition, it would require 0.1 staff-month per plant to verify the modified technical specification, for a total expenditure of 12 staff-months. At an estimated rate of $120,000 per staff-year, the total cost would be $265,000.

(8) The potential impact of differences in facility type, design, or age on the relevancy and practicality of the proposed backfit.

The proposed backfit is rN specific. Differences in facility type, design, or age have been considered.

(9) Whether the proposed backfit is interim or final and, if interim, the justification for imposing the proposed backfit on the interim basis.

The proposed backfit represents the final staff position on USI A-47.

The proposed method of implementation is issuance of a generic letter under the provisions of 10 CFR 50.109. The staff is recommending implementation through issuance of a generic letter rather than through a standard review plan revision or issuance of a regulatory guide because the proposed requirements apply only to the operating plants; more-recent plant designs incorporate improvements that embody the proposed requirements. It is recommended, however, that the appropriate sections in the standard review plan be revised to reflect the staff requirements (as discussed in the generic letter) for future plants.

8 References

Bernero, R., NRC, Memorandum to T. Speis, "Generic Issue 70, PORV and Block Valve Reliability-Task Action Plan (TAC 5526)," April 30, 1985.

Denton, H., NRC, Memorandum to R. Bernero, "Schedule for Resolving and Completing Generic Issue No. 94, Additional Low-Temperature Overpressure Protection for Light Water Reactors," July 23, 1985.

Institute of Electrical and Electronics Engineers, Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," 1971.

Tucker, H. (Chairman-BWOG), Letter to D. Crutchfield, NRC, "B&W Owners Group Plant Reassessment," May 15, 1986.

U.S. Nuclear Regulatory Commission, Generic Letter 83-20, "Integrated Scheduling for Implementation of Plant Modification at Duane Arnold," May 9, 1983.

---, NUREG-0371, Vol. 1, No. 1, "Approved Category A Task Action Plans," November 1977.

---, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

---, NUREG-0748, Vol. 4, No. 8, "Operating Reactors Licensing Actions Summary," October 1984.

---, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition, July 1981.

---, NUREG-0844 (Draft for Comment), "NRC Integrated Program for Resolution of Unresolved Safety Issues A-3, A-4, and A-5 Regarding Steam Generator Tube Integrity," April 1985.

---, NUREG-1032 (Draft for Comment), "Evaluation of Station Blackout Accidents at Nuclear Power Plants," May 1985.

---, NUREG-1195, "Loss of Integrated Control System Power and Overcooling Transient at Rancho Seco on December 26, 1985," February 1986.

---, NUREG-1217 (Draft for Comment), "Evaluation of Safety Implications of Control Systems in LWR Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-47," April 1988.

---, NUREG/CR-2899, "Analysis of a Proposed One Thousand Dollars Per Man-Rem Cost Effectiveness Criterion," October 1982.

---, NUREG/CR-3568 (PNL-4646), "A Handbook for Value-Impact Assessment," Pacific Northwest Laboratory, December 1983.

---, NUREG/CR-3958 (PNL-5767), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Combustion Engineering Pressurized Water Reactor," March 1986.

---, NUREG/CR-4385 (PNL-5543), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor," November 1985.

---, NUREG/CR-4386 (PNL-5544), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water Reactor," December 1985.

---, NUREG/CR-4387 (PNL-5545), "Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor," December 1985.

---, WASH-1400 (NUREG-75/014), "Reactor Safety Study-An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," October 1975.

---, Office for Analysis and Evaluation of Operational Data, "AEOD Observations and Recommendations Concerning the Problem of Steam Generator Overfill and Combined Primary and Secondary Side Blowdown," December 17, 1980.

---, Office of Inspection and Enforcement, IE Bulletin 79-27, "Loss of Non-Class 1E Instrumentation and Control System Bus During Operation," November 30, 1979.

---, Office of Inspection and Enforcement, Information Notice 80-70, "Reliance on Water Level Instrumentation With Common Reference Leg," September 4, 1984: Supplement 1, August 26, 1985.

Westinghouse Corp., WCAP-10797, "Westinghouse Comments on EG&G Idaho, Inc., Report-Effects of Control System Failures on Transients and Accidents at a 3-Loop Westinghouse Pressurized Water Reactor (August 1984)," February 1985.

Appendix A Rejected Alternatives

In this appendix are discussed other alternatives that were considered for possible regulatory action but were rejected because the risk reduction in implementing these alternatives was extremely small.

GE BWR Plant Design

Several alternatives were considered that could minimize potential failures (e.g., pipe cracks, leaks) in the primary sensing lines of the common reference leg of the reactor vessel water-level instruments associated with the vessel overfill-protection system. They include:

(1) Inspect the instrument sensing lines annually.

(2) Replace the existing sensing lines with stronger materials.

(3) Provide independent sensing lines for each vessel water-level instrument associated with the vessel overfill-protection system.

Reactor vessel water-level primary-sensing-line installations on all BWR plants were not reviewed. A review of the overfill-protection logic systems on other plants (Table A.1), however, determined that most BWR designs (18 to 20 plants) provide a 2-out-of-3 high-water-level main feedwater trip system similar to the reference plant. The staff finds that the installation of the water-level instruments on these other plants is also similar, so that 2-out-of-3 water-level instruments have a common reference leg.

Considering the very small reduction in the overall risk and the substantial cost in implementing these alternatives, however, it was determined that implementing such alternatives is not practical.

It should be noted that IE Information Notice 80-70 was issued to all nuclear reactor facilities holding an operating license or a construction permit. This notice alerted the utilities to the potential degradation of safety associated with operator reliance on water-level instruments that share a common reference leg. Recipients were expected to review the information for applicability to their own plants and to consider actions, if appropriate, to prevent problems occurring at their facilities.

Two additional alternatives summarized in this section were also considered, but were rejected on the same basis (i.e., very small risk-reduction estimates associated with implementing these alternatives). These alternatives were considered in order to minimize reactor vessel overfill via the condensate system or via the low-pressure coolant injection (LPCI) or the core spray system (CSS). They include:

(1) Provide automatic isolation of condensate flow on reactor vessel high-water level.

(2) Provide automatic trip of the LPCI or the CSS on reactor vessel high-water level.

These alternatives were rejected because implementing such automatic trip features could cause other potentially significant problems that could reduce the reliability of the condensate feedwater system during startup or shutdown operation or negate the LPCI and the CSS safety function, if required.

W 3-Loop PWR Plant Design

Several alternatives similar to those discussed for the GE BWR plant designs were considered for the W PWR plants. They include:

(1) Inspect the instrument sensing lines annually.

(2) Replace the existing primary sensing lines with stronger materials.

As in the case of the GE design, the estimated high cost and very small reduction in risk associated with implementing these alternatives precluded them from serious consideration.

Several other alternatives to minimize overpressure events were also considered. In these cases, however, the failure scenarios contributing to the events were caused by multiple independent failures of such low probability that the overall risk associated with these scenarios is insignificant and implementing these alternatives is not considered practical. These alternatives are summarized below.

(3) Provide independent power sources to the letdown valve and to the pressurizer PORVs.

A single loss of power to the letdown valve and to one pressurizer PORV was identified as a dominant failure that could potentially contribute to a reactor coolant pressure transient during low-temperature and low-pressure shutdown or startup operating conditions. An additional independent failure in the second pressurizer PORV, however, would be needed to cause an overpressure transient. Because all of the pressurizer PORV designs (including the reference plant) are designed to conform to NRC Branch Technical Position RSB 5-2 (NRC, NUREG-0800), similar failure scenarios with similar initiating frequencies identified in the review of the reference plant could occur at other W plants. Some new plants have improved the reference plant design by providing separate Class 1E power to each of the PORVs.

Such designs could further reduce the initiating frequency of the identified failure scenarios, thereby further reducing the overall risk contribution of this event.

It should be noted that during certain periods plants are allowed to operate under limited conditions for operation (LCO), where one redundant pressurizer PORV may be rendered inoperable for a limited period of time. Under these conditions, if the system is subjected to a pressure transient (such as the one identified in this review), the plant is vulnerable to an overpressurization event. A single failure in the available pressurizer PORV system can render the overpressure-protection system inoperable. This concern and additional low-temperature overpressure-protection concerns for light-water reactors are being evaluated separately under Generic Issue 94 (Denton, July 23, 1985). Any requirements resulting from that study will be furnished at the completion of that activity.

(4) Provide positive indication of low-temperature and low-pressure mode switch position selection.

A failure to properly realign the setpoints in the pressurizer PORV control logic when transferring from normal operating mode to the cold-shutdown mode or vice versa was identified as a potential common-mode failure that could prevent both pressurizer PORVs from opening when required. This alternative would provide an indicator light for each switch position, allowing positive indication of the circuit connection in each pressurizer PORV's control logic. A failure of the pressurizer PORVs to open because of incorrect setpoint setting would then need both a switch failure and an operator failing to notice an improper connection. This alternative was considered to minimize system failures that could lead to an overpressure event during cold-shutdown conditions. Similar failure scenarios with similar initiating frequency could occur at other W plants. A large number of plant designs, however, offer additional improvements over the reference plant design. This improvement is by way of overpressure-relief capability through the RHR system during the low-temperature operation of shutdown. This overpressure-relief capability allows more time for the operator to respond to overpressure events, resulting in less severe transients than postulated for the reference plant. As a result of a low-temperature, overpressurization event at Turkey Point Plant, Unit 4, in 1981, the staff is reevaluating the adequacy of this RHR overpressure-relief capability (Denton, July 23, 1985). Any requirements resulting from that study will be furnished when that study is complete.

(5) Modify the pressurizer PORV control circuitry to reduce the frequency of component failures that could lead to overpressure events.

The potential negative effects of increasing the complexity of the existing control circuits is not considered a practical alternative.

(6) Modify the high-pressure safety injection system.

Additional enable circuits were considered to prevent spurious initiation of the injection pumps during low-temperature startup or shutdown conditions.

It was estimated that a plant was vulnerable to overpressure transients during low-temperature and low-pressure conditions for a few hours during each cooldown/heatup sequence when the PORV setpoint is switched to the higher setpoint, thus restricting the operation of the PORV to a much higher pressure-relief capability.

In addition to the low-risk contribution of such an event, the possible adverse consequences of reducing the reliability of the safety injection system by implementing this alternative could significantly affect the overall safety of the plant. This alternative is, therefore, not considered a viable option.

(7) Modify the manual safety injection actuation switches.

This alternative was considered to minimize operator error that could lead to overpressure events as a result of a single action during startup or shutdown conditions.

The present design has two switches in parallel; either switch is capable of initiating safety injection. The present design ensures that the failure of a single switch would not prevent actuation of the safety injection system.

In addition to the low-risk contribution of such an event, the staff believes that changing the switch logic to actuate both switches to initiate safety injection would increase the potential for the safety injection system to fail. This failure could be more detrimental to plant safety. Changing the logic of the manual switches would presume that inadvertent actuation of the safety injection system presented a greater safety hazard than failure on demand, which has not been shown to be the case.


Appendix A

Table A.1 Reactor vessel overfill protection systems

BWR plants with no automatic overfill protection
  • Big Rock
  • La Crosse
  • Oyster Creek

BWR plants with automatic overfill protection equivalent to or better than the reference plant design
  • La Salle 1,2*
  • Nine Mile Point 1,2*
  • Shoreham*
  • Hatch 1,2*
  • WNP-2*
  • Duane Arnold**
  • Browns Ferry (1,2,3)*
  • Cooper***
  • Susquehanna 1,2*
  • Grand Gulf****
  • Hope Creek 1,2*
  • Limerick 1,2****
  • River Bend 1,2*
  • Fermi 2****

BWR plants with automatic overfill protection, but with less independence and reliability than the reference plant
  • Dresden 2,3†
  • Pilgrim†††
  • Quad Cities 1,2†
  • Vermont Yankee††††
  • Peach Bottom††
  • Monticello†
  • Brunswick 1,2†††
  • FitzPatrick††

*    2-out-of-3 high-water-level trip; separate power supplies
**   2-out-of-3 high-water-level trip; power supply separation unknown
***  3-level system; logic and power supply separation unknown
**** 1-out-of-2 taken twice; power supply separation unknown
†    2-level system; logic and power supply separation unknown
††   2-out-of-2 high-water-level feedwater trip; separation of power unknown
†††  2-out-of-2 high-water-level feedwater trip; common power supply
†††† 1-out-of-1 high-water-level feedwater trip

Appendix B: Sensitivity Study for Reactor Vessel/Steam Generator Overfill Scenarios

A number of postulated reactor vessel and steam generator overfill events were evaluated and their contribution to plant risk was estimated. Most overfills of the reactor vessel or steam generator were initiated by failures in the main feedwater control and high-water-level trip circuits. If these events were not terminated by the operator, they could lead to water filling the steamlines and could possibly result in steamline damage or a total steamline failure. A large uncertainty exists concerning this potential and, therefore, a high probability of main steamline break (MSLB) given a spillover of water into the steamlines was conservatively assumed in the analysis summarized in Sections 3 and 4 of the present report.

For overfill events to affect public safety significantly and contribute to risk, the events must at some point make a transition to a main steamline break coupled with failures leading to core melt.

In modeling the risk contribution, dominant accident sequences identified in the probabilistic risk assessments (PRAs) of the reference plant (or PRAs of similar plants if none were available for the reference plant) were modified by estimating the frequency of control system failure-induced overfill transients leading to main steamline break. This frequency is dependent on the estimated frequency of overfeeding events initiated by control system failures, the operator's likelihood of manually terminating the event, and by the probability of the main steamline break given an overfill event, for boiling-water reactors (BWRs), or by the probability of a main steamline break and a steam generator tube rupture, for pressurized-water reactors (PWRs).

In this appendix the staff evaluates the sensitivity of the overfill event to core-melt frequency and plant risk when these parameters are varied.

The sections that follow discuss the sensitivity analysis for overfill events resulting from control system failures of the main feedwater control system for each of the four nuclear steam supply system (NSSS) vendors.

On the basis of this sensitivity analysis, it is concluded that the probability estimates used for operator action to terminate overfill events and for steamline break accidents given steam generator or reactor vessel overfill are in line with operating experience for precursors to such events. This sensitivity analysis, which uses more-realistic probability estimates (derived from operating experience) for overfill scenarios and steamline damage (given overfill events), supports the proposed staff resolution.

General Electric (GE) BWR Plant Design

The overfill-induced loss-of-coolant accident (LOCA) frequency was calculated using the following relationship:

Overfill-induced LOCA frequency = (P_OF)(P_OA)(P_FP)(P_MSLB)

P_OF   = frequency of overfeeding events induced by control system failures (based on the reference plant design)
P_OA   = probability of operator failure to manually terminate an overfeeding event
P_FP   = probability that the main feedwater pump will continue to operate after water enters the steamlines
P_MSLB = probability of a main steamline break after water enters the steamlines

The risk contribution was estimated by multiplying the modified dominant LOCA sequences by the appropriate release factors.

The sensitivity to variations in the assumptions for overfeeding events and to variations in the conditional probability estimates for main steamline breaks given overfill is discussed below.

The estimated probability of control system failure-induced overfill events via the main feedwater and the condensate control system was calculated to be 3.3 x 10^-3 event per reactor-year. The actual number of overfill events identified by the licensee event report (LER) search for BWR plants is 6 in approximately 415 reactor-years or 14.5 x 10^-3 event per reactor-year. This is 4.2 times greater than the probability calculated from scenarios on control system failure.

The estimated value for the conditional probability of a main steamline break (MSLB) during an overfill event was conservatively assumed to be 0.95 in the analysis summarized in Sections 3 and 4 of the present report. On the basis of a literature search of operating history, there were two events in Europe in the late 1960s in which steamline damage resulted from water entering the steamline. The damage was limited to components mounted on the steamlines (i.e., valve standpipes, instrument connections, etc.); no damage was reported to the main steamline piping. On the basis of actual experience, the conditional probability (of an MSLB occurring during an overfill event) of 0.13 was, therefore, used for all plants (i.e., BWRs and PWRs) as a best estimate (i.e., two events, in which damage occurred, out of a total of 15 overfill events identified); this probability would be 7.3 times smaller than the probability used in the initial estimates.

Utilizing these operating experiences, the overfill-induced LOCA frequency would then be (14.5 x 10^-3)(0.9)(0.13) = 1.88 x 10^-3 event per reactor-year. This includes failure of the operator to take timely action to terminate the event. This is a factor of 1.5 less than the initial estimate of 2.88 x 10^-3 event per reactor-year. Steamline damage was also equated to steamline break in these estimates. The risk reduction to implement (as a minimum) a single reactor high-water-level trip system on selected plants that do not have any automatic overfill protection would, therefore, be reduced by a factor of 1.5, to a new estimated value of 2400 man-rem over the life of a plant. The cost estimate for the proposed design modification is about $100,000 per plant. Utilizing $1000 per man-rem saved as a guideline, design modifications that approach $2.4 million would still be justified.

Reducing the conditional probability of an MSLB event given reactor vessel overfill by as much as two orders of magnitude from the initial estimates, the risk reduction would be reduced by a factor of 23 to 157 man-rem over the life of the plant. Even with this sizable reduction in the conditional probability estimates for a steamline break (given overfill) and using overfill frequency estimates that are more in line with operating experience, the proposed staff resolution is still warranted for plants that do not have any automatic overfill protection.

Table B.1 summarizes the sensitivity of the risk estimates to changes in overfill frequency estimates and the probability estimates for MSLB events (given overfill conditions).

Westinghouse (W) 3-Loop PWR Plant Design

In the BWR analysis, vessel overfill leading to an MSLB was the major contributor to risk. In PWRs, however, the core-melt frequency contribution associated with the overfill scenarios with only an MSLB is less significant. The major contributors to core-melt frequency for PWRs are overfill events that lead to an MSLB and a steam generator tube rupture (SGTR). In order to determine the probability for SGTR given a steamline break (P_SGTR given an MSLB), the probability estimates addressed as part of the staff's evaluation of USI A-3, A-4, and A-5 were used. These estimates were modified by the MSLB frequencies associated with the overfill-event frequencies developed by this review. The total risk contribution associated with the overfill event scenarios was calculated by the following:

Risk = (K P_OF)(P_OA)(P_MSLB)(P_SGTR given MSLB)

where K is the risk contribution estimated for the reference plant and the other terms are as defined previously in this appendix.

The estimated probability of control system failure-induced overfill events via the main feedwater control systems was calculated to be 2.7 x 10^-8 event per reactor-year. This number is very low because of the highly reliable and redundant trip system that is used by all but three of the oldest Westinghouse-designed plants. This value is not contradicted by actual experience since there have been no identified overfill events at Westinghouse plants to date. Although there was one overfill event at the Ginna plant in 1982, that event occurred as a result of a steam generator tube rupture, and not because of a control system failure. For the W PWR analysis, the estimated conditional probability of an MSLB during an overfill event was conservatively assumed to be 0.5 compared to a best-estimate value of 0.13 based on actual experiences for all BWR and PWR plants (i.e., 2 plants damaged/15 overfill events). Utilizing this operating experience, the overfill-induced MSLB frequency would be (2.7 x 10^-8)(0.9)(0.13) = 3.2 x 10^-9 event per reactor-year instead of 1.2 x 10^-8 event per reactor-year used in the initial analysis summarized in Sections 3 and 4 of the present report. That is, the frequency is a factor of 3.75 less than the staff's initial estimates. The risk reduction to improve the existing overfill-protection system (i.e., 2-out-of-3 steam generator high-water-level system) would, therefore, also be reduced by a factor of 3.75. Because of the already insignificant risk reduction estimated for adding an additional independent channel, this additional reduction in risk strengthens the proposed resolution that no action is required to modify the existing W designs for overfill protection.

Even increasing the probability estimates for the overfill frequency by four orders of magnitude, the risk contribution would still not warrant any action and, therefore, would not change the proposed resolution for overfill protection for Westinghouse plants.

Table B.2 summarizes the sensitivity of the risk estimates to changes in overfill frequency estimates and the probability estimates for MSLB events (given overfill conditions).

Babcock & Wilcox (B&W) PWR Plant Design

The methodology used for the Westinghouse plants (above) was applied to the B&W analysis. The estimated probability of control system failure-induced overfill events via the main feedwater control systems was calculated to be 6.0 x 10^-3 event per reactor-year. The actual number of overfill events identified by the LER search for B&W plants is 3 in approximately 110 reactor-years (or 2.7 x 10^-2 event per reactor-year). This is 4.5 times the initial estimates used in the analysis summarized in Sections 3 and 4 of the present report.


The probability of an MSLB (given overfill) was initially conservatively assumed to be 0.95. On the basis of actual experience, the best-estimate probability of an MSLB (given overfill) was determined to be 0.13, which is 7.3 times smaller than used in the initial estimates.

Using estimates based on actual plant experience, the overfill-induced LOCA frequency would be (2.7 x 10^-2)(0.13) = 3.5 x 10^-3 event per reactor-year instead of 5.7 x 10^-3 event per reactor-year, or a factor of 1.6 less than the initial estimates. The risk reduction to implement an additional independent feedwater trip on a steam generator high-water level or to modify the existing design to incorporate a 2-out-of-4 steam generator high-water-level feedwater-trip system would therefore be reduced by a factor of 1.6 to 820 man-rem over the life of the plant. This change is not considered significant enough to modify the proposed resolution. Staff cost estimates for the proposed design modification are about $100,000 to $600,000 per plant, depending on which option the utility chooses. On the basis of the modified estimates, design modifications that cost $820,000 would be justified.

It should be noted that if the probability of an MSLB (given an overfill) was further reduced by as much as 2 orders of magnitude, the risk reduction would not be significant enough to warrant a design change. For a 1-order-of-magnitude reduction in the MSLB probability, however, justification for a design modification would be marginal. Table B.3 summarizes the sensitivity study.

Combustion Engineering (CE) PWR Plant Design

The methodology used on the W plants (p. 32) was also applied to the CE analysis. The estimated probability of control system failure-induced overfill events via the main feedwater control systems was calculated to be 9.0 x 10^-3 event per reactor-year for one of the two overfill scenarios identified in Sections 3 and 4 of the present report and 4.4 x 10^-4 event per reactor-year for the other. The actual number of overfill events identified by the LER search for CE plants is 1 in approximately 125 reactor-years (or 8.0 x 10^-3 event per reactor-year), which was essentially the same as initially estimated for one of the events and 18 times greater than initially estimated for the other event.

The probability of an MSLB (given overfill) was initially conservatively assumed to be 0.5. On the basis of actual experience, the best-estimate conditional probability of an MSLB (given overfill) was determined to be 0.13. This is 3.85 times smaller than used in staff estimates.

Using estimates based on operating experience, the overfill-induced LOCA frequency for each scenario would then be (8.0 x 10^-3)(0.13) = 1.04 x 10^-3 event per reactor-year instead of 4.7 x 10^-3 event per reactor-year, or a factor of 2.3 less than the initial estimates used in Sections 3 and 4 of the present report. The risk reduction to modify the existing design and incorporate a 2-out-of-4 steam generator high-water-level feedwater trip system would, therefore, be reduced by a factor of 2.3 to a new estimated value of 248 man-rem over the life of the plant. This change is not considered significant enough to modify the proposed resolution. The estimate for this design modification is less than $100,000 per plant. On the basis of these estimates, design modifications that cost $248,000 would still be justified.

It should be noted that if the probability of an MSLB event (given overfill) was further reduced by an additional order of magnitude, the proposed design changes could not be justified.

Table B.4 summarizes the sensitivity of the risk estimates to changes in overfill and MSLB frequencies.


Table B.1 GE plants

Condition                            Case 1          Case 2           Case 3
Overfill frequency events per year   3.38 x 10^-3    14.5 x 10^-3*    14.5 x 10^-3*
MSLB probability (given overfill)    9.5 x 10^-1     1.3 x 10^-1*     9.5 x 10^-3
Risk reduction (man-rem)             3600            2400             157
Cost of proposed design fix          $100K           $100K            $100K
Proposed fix warranted               Yes             Yes              Yes

* Operating experience data.
Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: reducing conditional MSLB failure probability by 2 orders of magnitude.

Table B.2 W plants

Condition                            Case 1           Case 2           Case 3
Overfill frequency events per year   2.7 x 10^-8      2.7 x 10^-8      2.7 x 10^-4
MSLB probability (given overfill)    5.0 x 10^-1      1.3 x 10^-1*     5.0 x 10^-2
Risk reduction (man-rem)             < 1.0 x 10^-4    < 1.0 x 10^-4    < 1.0 x 10^-2
Cost of proposed design fix          N/A              N/A              N/A
Proposed fix warranted               No               No               No

* Operating experience data.
Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: reducing conditional MSLB failure probability by 1 order of magnitude and increasing overfill frequency estimates by 4 orders of magnitude.

Table B.3 B&W plants

Condition                            Case 1            Case 2            Case 3
Overfill frequency events per year   6.0 x 10^-3       2.7 x 10^-2*      2.7 x 10^-2*
MSLB probability (given overfill)    9.5 x 10^-1       1.3 x 10^-1*      1.3 x 10^-3
Risk reduction (man-rem)             1170 to 1340      696 to 818        6.7 to 7.8
Cost of proposed design fix          $100K to $600K    $100K to $600K    $100K to $600K
Proposed fix warranted               Yes               Yes               No

* Operating experience data.
Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: reducing conditional MSLB failure probability by 2 orders of magnitude.


Table B.4 CE plants

Condition                            Case 1                Case 2                Case 3
Overfill frequency events per year   9.0 x 10^-3 (OF1)     8 x 10^-3 (OF1)*      8 x 10^-3*
                                     4.4 x 10^-4 (OF2)     8 x 10^-3 (OF2)*      8 x 10^-3*
MSLB probability (given overfill)    5.0 x 10^-1           1.3 x 10^-1*          1.3 x 10^-3
Risk reduction (man-rem)             570                   248                   2.48
Cost of proposed design fix          $200K                 $200K                 $200K
Proposed fix warranted               Yes                   Yes                   No

* Operating experience data.
Case 1: initial analysis; Case 2: modified to reflect operating experience; Case 3: reducing conditional MSLB failure probability by 2 orders of magnitude.


Appendix C: Control System Design and Procedural Modification for Resolution of USI A-47

As part of the resolution of USI A-47, "Safety Implications of Control Systems," the staff investigated control system failures that have occurred, or are postulated to occur, in nuclear power plants. The staff concluded that plant transients resulting from control system failures can be mitigated by the operator, provided that the control system failures do not also compromise operation of the minimum number of protection system channels required to trip the reactor and initiate safety systems. A number of plant-specific designs have been identified, however, that should provide additional protection from transients leading to reactor vessel or steam generator overfill, or reactor core overheating.

Reactor vessel or steam generator overfill can affect the safety of the plant in several ways. The more severe scenarios could potentially lead to a steamline break and a steam generator tube rupture. The basis for this concern is the following: (1) the increased dead weight and potential seismic loads placed on the main steamline and its supports should the main steamline be flooded; (2) the loads placed on the main steamlines as a result of the potential for rapid collapse of steam voids resulting in water hammer; (3) the potential for secondary safety valves sticking open following discharge of water or two-phase flow; (4) the potential inoperability of the main steamline isolation valves (MSIVs), main turbine stop or bypass valves, feedwater turbine valves, or atmospheric dump valves from the effects of water or two-phase flow; and (5) the potential for rupture of weakened tubes in the once-through steam generator on B&W nuclear steam supply system (NSSS) plant due to tensile loads caused by the rapid thermal shrinkage of the tubes relative to the generator shell. These concerns have not been addressed in a number of plant designs because overfill transients normally have not been analyzed.

To minimize some of the consequences of overfill, early plant designs provided commercial-grade protection for tripping the turbine or relied on operator action to control water level manually in the event the normal-water-level control system failed. Later designs, including the most recent designs, provide overfill protection which automatically stops main feedwater flow on vessel high-water-level signals. These designs provide various degrees of coincident logic and redundancy to initiate feedwater isolation and to ensure that a single failure would not inhibit isolation. A large number of plants provide safety-grade designs for this protection.

On the basis of the technical studies conducted by the staff and its contractors, the staff recommends that some plants should take certain actions to enhance plant safety. These actions are described in the material that follows, and include design and procedural modifications to ensure that (1) all plants provide overfill protection, (2) all plants provide plant procedures and technical specifications for periodic surveillance of the overfill protection, (3) certain Babcock & Wilcox plants provide an acceptable design to prevent steam generator dryout on a loss of power to the control system, and (4) certain Combustion Engineering plants reassess their emergency procedures and operator training to ensure safe shutdown during any postulated small-break loss-of-coolant accident (SBLOCA). With regard to the recommendations that specify modification to plant procedures and technical specifications, the intent is that the appropriate plant procedures be modified in the short term to provide periodic verification and testing of the overfill-protection system. As part of future upgrades to technical specifications, licensees should consider including appropriate limiting conditions for operation and surveillance requirements in future technical specification improvements.

GE BWR Plant Design

(1) It is recommended that all GE boiling-water-reactor (BWR) plant designs provide automatic reactor vessel overfill protection to mitigate main feedwater (MFW) overfeeding events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plant designs with no automatic reactor vessel overfill protection be upgraded by providing a commercial-grade (or better) MFW isolation system actuated from at least a 1-out-of-1 reactor vessel high-water-level system, or justify the design on some defined basis.

In addition, it is recommended that all plants reassess their operating procedures and operator training and modify them, if necessary, to ensure that the operators can mitigate reactor vessel overfill events that may occur via the condensate booster pumps during reduced pressure operation of the system.

(2) It is recommended that procedures and technical specifications for all BWR plants with main feedwater overfill protection include provisions to verify periodically the operability of overfill protection and ensure that automatic overfill protection to mitigate MFW overfeeding events is operable during power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate limiting conditions for operation (LCO). These technical specifications should be commensurate with the requirements of existing plant technical specifications for channels that initiate protective actions. Previously approved technical specifications for surveillance intervals and LCO for overfill protection are considered acceptable.

Designs for Overfill Protection

Several different designs for overfill protection have already been incorporated into a large number of operating plants. The following discussion identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have a safety-grade or a commercial-grade overfill protection system initiated on a reactor vessel high-water-level signal based on a 2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

The staff concludes that this design is acceptable, provided that (1) the overfill-protection system is separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system. Licensees of plants that already have these design features that have previously been approved by the staff should state this in their response.

Group II: Plants that have safety-grade or commercial-grade overfill-protection systems initiated on a reactor vessel high-water-level signal based on a 1-out-of-1, 1-out-of-2, or a 2-out-of-2 initiating logic. The system isolates MFW flow by tripping the feedwater pumps.

The staff concludes that these designs are acceptable provided that conditions (1) and (2) stated for Group I are met. Licensees of plants that already have these design features that have been previously approved by the staff should state this in their response. Plant designs with a 1-out-of-1 or a 1-out-of-2 trip logic for overfill protection should provide bypass capabilities to prevent feedwater trips during channel functional testing when at power operation.

Group III: Plants without automatic overfill protection.

It is recommended that the licensee have a design to prevent reactor vessel overfill, and justify the adequacy of the design. The justification should include verification that the overfill-protection system is separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes. The staff review identified three plants (i.e., Big Rock, La Crosse [permanently shut down], and Oyster Creek) that fall into this group. If any of these plants wish to justify not including overfill protection, part of the requested justification should demonstrate that the risk reduction in implementing an automatic overfill-protection system is significantly less than the staff's generic estimates of risk reduction. In determining the risk reduction, specific factors such as low plant power and population density should be considered. Other applicable factors that are plant unique should also be addressed.

W 3-Loop PWR Plant Design

(1) It is recommended that all Westinghouse plant designs provide automatic steam generator overfill protection to mitigate MFW overfeed events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a reactor high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

(2) It is recommended that plant procedures and technical specifications for all Westinghouse plants include provisions to periodically verify the operability of the MFW overfill protection and ensure that the automatic overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. The technical specifications should include appropriate LCO. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protective actions. Plants that have previously approved technical specifications for surveillance intervals for overfill protection are considered acceptable.
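The initiating logics named in the Group I and Group II descriptions (and in the Table A.1 footnotes) can be screened mechanically for the two properties the staff positions turn on: whether one failed channel can inhibit the trip, and whether one tripped channel, as during a functional test, trips feedwater. The Python sketch below is an added example and not part of NUREG-1218; the two-state channel failure model, the energize/de-energize-to-trip option, the supply labels and all function names are assumptions.

```python
from itertools import combinations

# Added illustration (not from NUREG-1218). Assumed channel model: a failed
# channel is either stuck untripped or stuck tripped.


def k_out_of_n(k):
    """Vote that trips when at least k channels are tripped."""
    return lambda channels: sum(channels) >= k


def one_out_of_two_taken_twice(channels):
    """(A or B) and (C or D): each pair must supply one tripped channel."""
    a, b, c, d = channels
    return (a or b) and (c or d)


# name -> (number of channels, vote function)
LOGICS = {
    "1-out-of-1": (1, k_out_of_n(1)),
    "1-out-of-2": (2, k_out_of_n(1)),
    "2-out-of-2": (2, k_out_of_n(2)),
    "2-out-of-3": (3, k_out_of_n(2)),
    "2-out-of-4": (4, k_out_of_n(2)),
    "1-out-of-2 taken twice": (4, one_out_of_two_taken_twice),
}


def _smallest_set(n, predicate):
    """Size of the smallest set of failed channels for which predicate holds."""
    for size in range(n + 1):
        for failed in combinations(range(n), size):
            if predicate(set(failed)):
                return size
    return None


def failures_to_block_trip(name):
    """Channels that must be stuck untripped before a real high level is missed."""
    n, vote = LOGICS[name]
    # On a real demand every healthy channel trips; failed ones stay untripped.
    return _smallest_set(n, lambda f: not vote([i not in f for i in range(n)]))


def failures_to_cause_trip(name):
    """Channels that must be stuck tripped to trip feedwater at normal level."""
    n, vote = LOGICS[name]
    return _smallest_set(n, lambda f: vote([i in f for i in range(n)]))


def screen(name):
    """Single-failure criterion and the need for a test bypass, per logic."""
    return {
        "meets_single_failure": failures_to_block_trip(name) > 1,
        "needs_test_bypass": failures_to_cause_trip(name) == 1,
    }


def loss_of_supply(name, supply_of_channel, lost, deenergize_to_trip):
    """Effect of losing one power supply (assumed labels) on the trip function."""
    n, vote = LOGICS[name]
    dead = {i for i in range(n) if supply_of_channel[i] == lost}
    if deenergize_to_trip:
        # Dead channels fall to the tripped state; if that satisfies the vote,
        # feedwater trips, which the text treats as an acceptable failure mode.
        if vote([i in dead for i in range(n)]):
            return "feedwater trip"
        return "still protected"
    # Energize-to-trip: dead channels can no longer contribute to the vote.
    if vote([i not in dead for i in range(n)]):
        return "still protected"
    return "protection lost"


if __name__ == "__main__":
    for name in LOGICS:
        print(f"{name:24s} block={failures_to_block_trip(name)} "
              f"cause={failures_to_cause_trip(name)} {screen(name)}")
    print(loss_of_supply("2-out-of-2", ["A", "A"], "A", deenergize_to_trip=False))
    print(loss_of_supply("2-out-of-3", ["A", "B", "C"], "A", deenergize_to_trip=False))
```

Only 1-out-of-1 and 1-out-of-2 report `needs_test_bypass`, matching the Group II bypass provision, and a 2-out-of-2 vote on a common supply loses protection outright unless its channels de-energize to trip.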


Designs for Overfill Protection

Several different designs for overfill protection are already provided in most operating plants. The discussion that follows identifies the different groups of plant designs and provides guidance for acceptable designs.

Group I: Plants that have an overfill-protection system initiated on a steam generator high-water-level signal based on a 2-out-of-4 initiating logic which is safety grade or a 2-out-of-3 initiating logic which is safety grade but uses one out of the three channels for both control and protection. The system isolates MFW by closing the MFW isolation valves and tripping the MFW pumps.

The staff concludes that the design is acceptable, provided that (1) the overfill-protection system is sufficiently separate from the control portion of the MFW control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems, and (2) the plant procedures and technical specifications include requirements to periodically verify operability of this system.

Group II: Plants with a safety-grade or a commercial-grade overfill-protection system initiated on a steam generator high-water-level signal based on either a 1-out-of-1, 1-out-of-2, or 2-out-of-2 initiating logic. The system isolates MFW by closing the MFW control valves.

The staff finds that only one early plant (i.e., Haddam Neck) falls into this group; therefore, a risk assessment was not conducted. Considering the successful operating history of the plant regarding overfill transients (i.e., no overfill events have been reported), this design may be found acceptable, provided that (1) justification for the adequacy of the design on a plant-specific basis is included and (2) plant procedures and technical specifications are modified to include requirements to periodically verify operability of this system. As part of the justification, it is requested that the licensee include verification that the overfill-protection system is separate from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but would still cause a feedwater pump trip, are considered acceptable failure modes.

Group III: Plants without automatic overfill protection.

It is recommended that the licensee have a design to prevent steam generator overfill and justify the adequacy of the design. The justification should include verification that the overfill-protection system is separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems. Common-mode failures that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes. The staff's review identified two plants; i.e., Yankee Rowe and San Onofre 1; that fall into this category. If either of these plants wishes to justify not including overfill protection, part of the requested justification should demonstrate that the risk reduction in implementing an automatic overfill protection system is significantly less than the staff's generic estimates of risk reduction. In determining the risk reduction, specific factors such as low plant power and population density should be considered. Other applicable factors that are plant unique should also be addressed.

B&W PWR Plant Design

(1) It is recommended that all Babcock & Wilcox plant designs have automatic steam generator overfill protection to mitigate MFW overfeed events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator high-water-level signal (or other equivalent signals) when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common failure modes that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

It is recommended that plants that are similar to the reference plant design (i.e., Oconee Units 1, 2, and 3) have a steam generator high-water-level feedwater isolation system that satisfies the single-failure criterion. An acceptable design would be to provide automatic MFW isolation by either (a) providing an additional system that terminates MFW flow by closing an isolation valve in the line to each steam generator (this system is to be independent from the existing overfill protection which trips the main feedwater pumps on steam generator high-water level), (b) modifying the existing overfill-protection system to preclude undetected failures in the trip system and facilitate online testing, or (c) upgrading the existing overfill-protection system to a 2-out-of-4 (or equivalent) high-water-level trip system that satisfies the single-failure criterion.

*On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear Generating Station, Unit 1. This event occurred as a result of loss of power to the integrated control system (ICS). Subsequently, the B&W Owners Group initiated a study to reassess all B&W plant designs including, but not limited to, the ICS and support systems such as power supplies and maintenance. As part of the USI A-47 review, failure scenarios resulting from a loss of power to control systems were evaluated, and the results were factored into the A-47 requirements. However, other recommended actions for design modifications, maintenance, and any changes to operating procedures (if any) developed for the utilities by the B&W Owners Group are being resolved separately.

(2) It is recommended that plant procedures and technical specifications for all B&W plants include provisions to periodically verify the operability of overfill protection and ensure the automatic MFW overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification. Technical specifications should include appropriate LCO. These technical specifications should be commensurate with the requirements of existing technical specifications for channels that initiated protective actions.

(3) It is recommended that plant designs with no automatic protection to prevent steam generator dryout upgrade their design and the appropriate technical specifications and provide an automatic protection system to prevent steam generator dryout on loss of power to the control system. Automatic initiation of auxiliary feedwater on a steam generator low water level is considered an acceptable design. Other corrective actions identified in Section 4.3(4) of NUREG-1218 could also be taken to avoid a steam generator dryout scenario on loss of power to the control system. The staff believes that only three B&W plants (i.e., Oconee 1, 2, and 3) do not have automatic auxiliary feedwater initiation on steam generator low-water level.

Designs for Overfill Protection

Several different designs for overfill protection are already provided at most operating plants. The discussion that follows identifies the different groups of plant designs and provides guidelines for acceptable designs.

Group I: Plants that provide a safety-grade overfill-protection system initiated on a steam generator high-water-level signal based on either a 2-out-of-3 or a 2-out-of-4 (or equivalent) initiating logic. The system isolates MFW by (1) closing at least one MFW isolation valve in the MFW line to each steam generator and (2) tripping the MFW pumps.

The staff concludes that this design is acceptable, provided that (1) the overfill-protection system is sufficiently separated from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems (common-mode failures that could disable overfill protection and the feedwater control system, but still result in a feedwater pump trip are considered acceptable failure modes) and (2) the plant procedures and technical specifications include requirements to verify periodically operability of this system.

Group II: Plants that have a commercial-grade overfill-protection system initiated on a steam generator high-water level based on coincident logic that minimizes inadvertent initiation. The system isolates MFW by tripping the MFW pumps.

This design may be found acceptable, provided that (1) the overfill-protection system is sufficiently separate from the feedwater control system so that it is not powered from the same power source, not located in the same cabinet, and not routed so that a fire is likely to affect both systems and (2) the design modifications are implemented per the guidelines identified above and that the plant procedures and technical specifications include requirements to periodically verify operability of this system. The technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protective actions.

It is recommended that [illegible] separate 1-out-of-1 or a 1-out-of-2 trip logic to close the feedwater isolation valves for additional overfill protection provide bypass capabilities to prevent feedwater trips during channel functional testing when at power or during hot-standby operation.

CE PWR Plant Design

(1) It is recommended that all Combustion Engineering plants provide automatic steam generator overfill protection to mitigate MFW overfeed events. The design for the overfill-protection system should be sufficiently separate from the MFW control system to ensure that the MFW pump will trip on a steam generator high-water-level signal when required, even if a loss of power, a loss of ventilation, or a fire in the control portion of the MFW control system should occur. Common failure modes that could disable overfill protection and the feedwater control system, but would still result in a feedwater pump trip, are considered acceptable failure modes.

(2) It is recommended that procedures and technical specifications for all Combustion Engineering plants include provisions to verify periodically the operability of overfill protection and ensure that automatic MFW overfill protection is operable during reactor power operation. The instrumentation should be demonstrated to be operable by the performance of a channel check, channel functional testing, and channel calibration, including setpoint verification, and by identifying the LCO. These technical specifications should be commensurate with existing plant technical specification requirements for channels that initiate protective actions.

(3) It is recommended that all utilities that have plants designed with high-pressure injection pump discharge pressures less than or equal to 1275 psi reassess their emergency procedures and operator training programs and modify them, as needed, to ensure that the operators can handle the full spectrum of possible small-break loss-of-coolant-accident (SBLOCA) scenarios. This may include the need to depressurize the primary system via the atmospheric dump valves or the turbine bypass valves and cool down the plant during some SBLOCA scenarios. The reassessment should ensure that a single failure would not negate the operability of the valves needed to achieve safe shutdown.

The procedure should clearly describe any actions the operator is required to perform in the event a loss of instrument air or electric power prevents remote operation of the valves. The use of the pressurizer power-operated relief valves to depressurize the plant during an SBLOCA, if needed, and the means to ensure that the RTNDT (reference temperature, nil ductility transition) limits are not compromised should also be clearly described. Seven plants have been identified that have high-pressure injection pump discharge pressures less than or equal to 1275 psi that may require manual pressure-relief capabilities using the valves to achieve safe shutdown. They are: Calvert Cliffs 1 and 2, Fort Calhoun, Millstone 2, Palisades, and St. Lucie 1 and 2.

Designs for Overfill Protection

CE-designed plants do not provide automatic steam generator overfill protection that terminates MFW flow. Therefore, it is recommended that licensees and applicants for CE plants provide a separate and independent safety-grade or commercial-grade steam generator overfill-protection system that will serve as backup to the existing feedwater runback control systems. Existing water-level sensors may be used in a 2-out-of-4 initiating logic to isolate MFW flow on a steam generator high-water-level signal. The proposed design should ensure that (1) the overfill-protection system is separate from the feedwater control system so that it is not powered from the same power source, is not located in the same cabinet, and is not routed so that a fire is likely to affect both systems (common-mode failures described above are considered acceptable) and (2) the plant procedures and technical specifications should include requirements to periodically verify operability of the system. The information that is requested to be addressed in the plant procedures and the technical specifications is provided in the preceding item 2.
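The recommendations above turn on how each initiating logic (1-out-of-1, 1-out-of-2, 2-out-of-2, 2-out-of-3, 2-out-of-4) behaves under a single channel failure and during channel functional testing. The Python model below is an added illustration and is not part of NUREG-1218; the channel states, and the assumptions that a functional test injects a trip signal while a bypassed channel casts no vote, are modelling assumptions.

```python
# Added illustration: k-out-of-n coincidence logic for a high-water-level trip.
# Channel behaviours below are modelling assumptions, not taken from NUREG-1218.
OK, FAIL_SILENT, IN_TEST, BYPASSED = "ok", "fail_silent", "in_test", "bypassed"

def channel_vote(state, level_high):
    """Trip vote that one level channel sends to the coincidence logic."""
    if state == OK:
        return level_high      # healthy channel follows the process
    if state == IN_TEST:
        return True            # assumed: functional test injects a trip signal
    return False               # failed-silent or bypassed channels never vote

def actuates(states, k, level_high):
    """Feedwater is isolated when at least k channels vote to trip."""
    return sum(channel_vote(s, level_high) for s in states) >= k

def trips_despite_single_failure(n, k):
    """A real high level still actuates with any one channel failed silent."""
    for i in range(n):
        states = [OK] * n
        states[i] = FAIL_SILENT
        if not actuates(states, k, level_high=True):
            return False
    return True

def spurious_trip_during_test(n, k, bypass):
    """Testing channel 0 at normal level: does feedwater trip?"""
    states = [OK] * n
    states[0] = BYPASSED if bypass else IN_TEST
    return actuates(states, k, level_high=False)

def protected_while_bypassed(n, k):
    """With channel 0 bypassed for test, does a real high level still trip?"""
    states = [BYPASSED] + [OK] * (n - 1)
    return actuates(states, k, level_high=True)

def assess(n, k):
    """Summarise one logic arrangement (n channels, k needed to trip)."""
    return {
        "logic": f"{k}-out-of-{n}",
        "trips_despite_single_failure": trips_despite_single_failure(n, k),
        "spurious_trip_testing_unbypassed": spurious_trip_during_test(n, k, False),
        "spurious_trip_testing_bypassed": spurious_trip_during_test(n, k, True),
        "protected_while_bypassed": protected_while_bypassed(n, k),
    }

if __name__ == "__main__":
    for n, k in [(1, 1), (2, 1), (2, 2), (3, 2), (4, 2)]:
        print(assess(n, k))
```

In this model only the 1-out-of-1 and 1-out-of-2 arrangements trip feedwater when a channel is tested without a bypass, and the 1-out-of-1 arrangement gives no protection while its single channel is bypassed.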


NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET

1. REPORT NUMBER: NUREG-1218

2. TITLE AND SUBTITLE: Regulatory Analysis for Resolution of USI A-47, Safety Implications of Control Systems in LWR Nuclear Power Plants. Final Report

3. DATE REPORT PUBLISHED: July 1989

5. AUTHOR(S): A. J. Szukiewicz

6. TYPE OF REPORT: Technical

8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Division of Safety Issue Resolution, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Same as above

11. ABSTRACT

This report presents a summary of the regulatory analysis conducted by the NRC staff to evaluate the value impact of alternatives for the resolution of Unresolved Safety Issue (USI) A-47, "Safety Implications of Control Systems." The NRC staff proposed resolution is based on these analyses and the technical findings and conclusions presented in NUREG-1217.

The staff has concluded that certain actions should be taken to improve safety in light-water reactor (LWR) plants. The actions recommended that certain plants upgrade their control systems to preclude reactor vessel/steam generator overfill events and to prevent steam generator dryout, modify their technical specification to periodically verify operability of these systems, and modify selected emergency procedures to ensure plant safe shutdown following a small-break loss-of-coolant accident.

This report was issued as a draft for public comment on May 27, 1988. As a result of the public comments received, this report was revised. The NRC staff's responses to and resolution of the public comments are included as Appendix C to the final report, NUREG-1217.

12. KEY WORDS/DESCRIPTORS: Unresolved Safety Issue; A-47; Control Systems; Regulatory Analysis

13. AVAILABILITY STATEMENT: unlimited

14. SECURITY CLASSIFICATION: unclassified (this page); unclassified (this report)
