Resolution of Generic Safety Issues: Issue 8: Inadvertent Actuation of Safety Injection in PWRs ( NUREG-0933, Main Report with Supplements 1–34 )
This concern was identified by the ACRS as a result of their review4 of LERs covering a period from 1976 through 1978 and, subsequently, a comprehensive review of the problem was completed which covered the LERs and other related material from 1969 to October 1980.103 The findings of these reviews revealed that a high rate of spurious and/or inadvertent safety injections (SI) were occurring, particularly for Westinghouse (W) and Babcock & Wilcox (B&W) plants.
In the case of B&W reactors, the practice in the past was to manually turn on one or more high pressure safety injection pumps after a reactor trip in order to recover the pressurizer level. This practice contributed to the high rate of safety injections for these plants. After the Three Mile Island accident, all B&W plant operators were instructed not to initiate safety injection manually after each reactor trip. It was subsequently demonstrated104 that this operator action was not necessary to recover pressurizer level. The practice appears to have been discontinued by the B&W operators with the result that the rate of unneeded SIs in B&W plants is now significantly lower.
Many W reactors, although not all, also have a high rate of unneeded SIs. A possible reason for the higher incidence of unneeded SIs in W plants may be due to the fact that the Westinghouse design provides more signals for initiating SI.
As stated in the ACRS Report,4 safety injection systems are required to operate during loss-of-coolant accidents and other severe transients that require borated water addition to the primary system. Actuation of the system injects cold borated water into the reactor subjecting injection nozzles to thermal stresses and requiring removal of boron from the primary system before startup. The present number of occurrences is probably not significant with respect to the thermal cycling of the injection nozzles. However, at present rates the design limit may be approached sooner than initially projected. However, this is an economic problem for the plant operator, since continued plant operation beyond the ASME Code thermal cycle limit would have to be justified to the NRC.
However, the conditioning of the operator's response by repeated unnecessary safety injections is pertinent, although difficult to quantify. Because SI introduces additional boron, the operator desires to terminate unnecessary injections as quickly as possible. This generally occurs within 1 to 8 minutes following the start of injection and follows a check of other plant status instrumentation. Repeated operator exposure to inadvertent safety injection and its termination may produce an inappropriate response in cases where the injection is required to provide core cooling water.
After the TMI accident, the need to verify the safe status of the plant thoroughly before terminating SI has been greatly emphasized. All licensees were required to include a specific set of SI termination criteria in the emergency procedures.
This provision was thought to have solved the problems. However, since TMI, at least in two instances (Surry 2, August 26, 1980 and H. B. Robinson, January 29, 1981) SI was terminated in a very short period of time (less than 2 minutes) which does not seem to be consistent with the time needed for a thorough check of the SI termination criteria. Moreover, an analysis of the H. B. Robinson event (January 29, 1981) revealed that, though the SI termination criteria required by the NRC have been included in the LOCA emergency procedures, the operator would not use them unless he has determined that the SI was not spurious and he has entered the proper emergency procedures. But apparently there is no specific criteria to determine whether an SI is spurious, inadvertent, or really needed and the operator has to rely upon judgment and experience.
Therefore, there may be a need to develop and provide all plant operators with a diagnostic tool based on a definite set of criteria to determine whether an SI is needed. In addition, there is the need of a specific procedure for recovery from an unneeded SI in order that subsequent operator actions would not incapacitate further possible SI automatic initiation in the course of the following event sequence.
A partial solution to this problem in the W plants would be hardware modifications to reduce the frequency of unneeded SIs. For example, the Duquesne Light Co. submitted a license amendment for Beaver Valley 1 to incorporate a new steam line break protection system design. The new system includes the suppression of the high steam P signal, the high steam flow signal in coincidence with either low steam pressure or low-low Tavg and their replacement by a low steam pressure in any loop set at 500 psig. The NSSS designer made the statement that the new system is as comprehensive for protection as the former system and that it is expected to be more reliable. Such simplifications of the safety injection actuation system that result in a significant decrease in the number of unneeded SIs would tend to ease the problem of the operators having to deal with so many unneeded SIs.
Thermal fatigue of the SI nozzle is only a matter of economics. The immediate safety concern with inadvertent actuation of safety injection involves the unacceptable response of the operator resulting in the termination of the injection in cases where it is required. This may result from repeated exposure to spurious or inadvertent safety injections which may improperly condition the operator to terminate the injection and reset the injection signal without carefully assessing the status of the reactor plant and the real need for emergency cooling. Task I.C of NUREG-066048 addresses problems of this nature. Sub-task I.C.1 has as its objective the improvement of operating procedures to provide greater assurance that operator and staff actions are technically correct, explicit, and easily understood for normal, transient, and accident conditions. A principal part of sub-task I.C.1 is to improve procedures for dealing with abnormal conditions and emergencies by improving the delineation of symptoms, events, and plant conditions that identify emergency and off-normal situations that confront the operators. In view of the intention and objectives of sub-task I.C.1, the safety concern involved in this issue is being adequately addressed and, therefore, this safety issue should not be carried as a separate issue.