Resolution of Generic Safety Issues: Issue 59: Technical Specification Requirements for Plant Shutdown When Equipment for Safe Shutdown Is Degraded or Inoperable (Rev. 2) ( NUREG-0933, Main Report with Supplements 1–34 )
As a result of the loss of high head injection capability at McGuire Unit 1 on February 12, 1982, this issue was raised by Region II because plant TS require (somewhat rapid) plant shutdown if certain safety equipment is inoperable.553 The main concern is that the TS requirements may not adequately consider the potential for placing the plant in a "less safe" condition by requiring shutdown of an otherwise normally functioning unit or by requiring a plant to proceed to cold shutdown when "hot shutdown" may be the more desirable condition.767
Plant TS LCOs are typically written to require proceeding to various stages of shutdown if certain systems are inoperable. If some systems are inoperable and a plant is required by the TS to go to some stage of shutdown, this action may increase the probability of needing the inoperable systems as a line of defense. In some cases, the shutdown process itself may require operation of the inoperable equipment.
A resolution could require TS modifications to acknowledge when continued power operation or other mode of operation is preferable. Because of the wide range of possible system failures, operating conditions, and plant configurations, a systematic quantification of all the alternatives could be a fairly large task and would probably result in a number of decisions based on very close calls.
In order to provide some indication of what a quantitative analysis may involve, an assessment of this issue was done by PNL.64 A number of assumptions were made in this analysis in an attempt to quantify a potential core-melt frequency reduction for a case in which a plant was left operating, as opposed to rapidly shutting it down, given some safety equipment is inoperable.
The ORNL Precursor Study (NUREG/CR-2497)76 was used along with data from an EPRI ATWS study (NP-2230)307 to calculate a base case and and adjusted-case core-melt frequency for this issue. The techniques and data presented in NUREG/CR-249776 were modified to allow a comparison of the risk of core damage with a safety system inoperable for continued reactor operation versus immediate shutdown. To accomplish this, specific systems were chosen for failure and appropriate event trees developed. Data on system failure were then adapted to fit the need for: (1) failure frequency, (2) failure on demand, or (3) failure over a specified time interval. For this analysis, a BWR was chosen and it was assumed that the HPCI and RCIC are redundant safety systems. Failure of both the RCIC and HPCI was then postulated.
To examine this issue, generic event trees were developed based on the flow logic developed in the Precursor Study76 for BWR transients. The first event tree64 depicted a failure of safety systems followed by a shutdown by the operator. The transient which could then follow was shown as "loss of feedwater given shutdown," chosen here as representative of transients which would challenge the ECCS. The second event tree depicted the case where operation continues. Another initiating event is then required, taken here as loss of feedwater given an ECCS subsystem failure. The following data were taken from NUREG/CR-2497:76
|Event Description||Occurrences||Plant- Years
|Demands||Failure Frequency(RY)-1||Failure Probability on Demand|
|Loss of Feedwater||39||66||-||0.58||-|
|Reactor Subcritical||-||-||-||-||1.3 x 10-6|
|Long-Term Core Cooling Failure||-||-||-||-||1.1 x 10-4|
The analysis results hinge on the probability of inducing a feedwater transient on shutdown vs. a feedwater transient occurring at power during the time the systems remain inoperable. Data for these values are lacking at this time so values are estimated based on the ATWS report.307 For BWR Transient Category 26 (decreasing feedwater flow during startup or shutdown), the frequency reported is 0.07/RY. It is assumed here that the plant is shutdown about 12 times per year resulting in a probability of about 0.01 for a feedwater transient on shutdown. It is further assumed that 50% of these transients are decreases in feedwater during shutdown with 50% of these resulting in complete loss of function. The probability (p1) of loss of feedwater on scram is therefore assumed to be (0.01)(0.5)(0.5) = 0.0025.
To estimate the probability of feedwater failure during an ECCS subsystem outage, a one-day failure duration is assumed with the plant remaining at power for that 1 day. The probability (p2) of independent loss of feedwater over the one-day ECCS subsystem outage is approximated by p2 = λt = 0.0016, where λ = 0.58/RY and t = (1 day)/(365 day/RY) = 0.0027 RY.
These data were entered in the event trees by PNL,64 Sequences 5, 6, 7, and 8 were summed and then Sequences 12, 13, 14, and 15 were summed. The core-melt frequency was calculated to be 3.5 x 10-6/RY for the base case, i.e., the rapid shutdown of the plant. The core-melt frequency was calculated to be 2.2 x 10-6 /RY for the adjusted case, i.e., where the plant continued to operate.
The event trees developed for the Precursor Study76 give a measure of core damage only. To equate this with the core-melt frequency used in other risk studies, the above core-damage frequencies were divided by a factor of 30 for the reasons given below.
An analysis of the ORNL Precursor Study by INPO claims that the chances of a severe nuclear accident were estimated 30 times too high.64 Furthermore, severe core damage (assumed to be analogous to that at TMI-2 in the Precursor Study) is presumably less severe than core-melt, the level of core damage normally considered in nuclear power plant risk studies. Based on these considerations, it is assumed that the frequency of core damage as assessed using the Precursor Study should be divided by INPO's factor of 30 to result in the frequency of core-melt.
Thus, the base case and adjusted case core-melt frequencies become 1.2 x 10-7/RY and 7 x 10-8/RY, respectively and the core-melt frequency reduction is 5 x 10-8 /RY. An average LWR dose factor of 3.3 x 10* man-rem was calculated from NUREG/CR-2800,64 (Appendices A-D). Based on this factor, the potential risk reduction would be (5 x 10-8/RY)(3.3 x 106 man-rem) or 0.17 man rem/RY.
The result shows a slight decrease in risk. However, the calculation is heavily dependent on the assumed value for the probability of loss of feedwater on shutdown vs. the probability of loss of feedwater over a 1 day ECCS outage. This dependency can be seen by doing the same type of calculation but assuming a 1.5 day outage time. Then, for the adjusted case, P = λt = 0.0024 and evaluating events 12, 13, 14, and 15 yields an adjusted case frequency of about 3.2 x 10-6 /RY. This would then show an even smaller risk reduction when compared to the base case result of 3.5 x 10-6/RY. (Again, these would be reduced by a factor of 30). Similarly, if 2 days were assumed, P = λt = 0.32 and the core-melt frequency would be about 4.3 x 10-6/RY which would show a slight increase in risk for staying at power. These calculations show the sensitivity of the results to the assumptions and the data.
Industry Cost: The direct cost would be $4,000/plant for a Class III amendment to an operating license. Other costs for implementation could be significant for analysis of various plant situations to identify the preferred mode and, therefore, justify the change.
Based on 71 operating plants, the industry cost was assumed to be (71 plants) ($4,000/plant) or $0.28M and 1 man-year/plant for supporting analysis or ($100,000/plant)(71 plants) = $7.1M. Since most changes would involve a justification for continued power operation, a potential large cost saving could be involved. For calculation purposes, it could be assumed that over the life of a typical plant, at least 1 day of shutdown may be saved. At $300,000/ day, the industry cost saving for 134 plants is $40M.
NRC Cost: NRC cost for issue development was based on the assumption that considerable analysis (and review of licensee submittals) would be needed to quantify safety benefits associated with TS modifications. This was assumed to be about 3.5 man-years or $3.5M.
Since this issue was originally raised, the NRC has published a rule which allows relief from TS requirements in an emergency situation. This rule leaves the decision to the licensees of determining: (1) what constitutes an emergency, and (2) what is the most prudent action to take. During the comment period on the rule, it was requested that comments be provided regarding whether or not the rule should have more specific guidance. It was concluded, based on comments received, that it was not feasible to provide detailed guidance as to when deviations are permissible. It was felt that this would defeat the purpose of the rule which is to provide flexibility in situations that cannot always be anticipated.
More recently, the general issue of whether TS are properly focused or are unduly burdensome has been raised. In response to this problem, a Technical Specification Improvement Project has been established.768 This project will consider the safety relevance and burden of the TS as a whole and of specific sections. This issue is one example of a possible modification to improve the TS.
The above analysis was done based on assuming a situation in which a plant is at power and the question is whether to require the plant to proceed to shutdown. It was pointed out that a clearer case could be made for situations of the plant being in hot shutdown and requiring proceeding to cold shutdown. Regardless, both situations could lead to potentially large cost savings for the industry and it may be to a licensee's advantage to try to anticipate the possibility of these situations and submit modified TS to avoid crisis-type decisions (i.e., emergency TS relief) when the emergency arises or to avoid second-guessing after the emergency passes if, for example, the rule is used.
The McGuire event (which is part of the basis for raising this issue) could have been a case for application of the rule. The question would have been if, as postulated, the situation would have continued (i.e., no charging/SI pumps), would it have been preferable for the licensee to deviate from the TS and keep the plant on line and, if so, how long should power operation be continued?
The situations of concern are typically beyond the design bases of the plant and, therefore, should occur rather infrequently.
For cases like McGuire where shutdown would require the inoperable equipment, it appears that a TS change may not solve the problem because, no matter what length of time is chosen for continued operation, there is some probability that the equipment would not be restored in the allowed time and shutdown would be necessary anyway (either due to the TS or a transient). For such cases, it is probably best to let the licensee use the rule based on a consideration of the specific plant circumstances at that time. It should be pointed out that the AFW system TS 22.214.171.124 (which was suggested as a solution553) was written prior to the Rule767 and would probably not be included in the TS if the rule had been in effect at that time.
Although we did not calculate a specific value/impact score for this issue, the calculation of potential man-rem reduction for the assumed scenario gave an indication of the uncertain nature of this type of analysis. After consideration of the new rule, we concluded that to a large extent the safety implications of this issue have been addressed. The rule gave the licensees the flexibility to consider their individual plant circumstances and make a decision to deviate from the TS if they decide it is necessary. However, as has been pointed out, there may be specific cases where changes should be considered.767 Because the risk was so hard to quantify, we originally assumed a small change in public risk, acknowledged the potential cost saving, and concluded it should be a Regulatory Impact issue to be addressed by the Technical Specification Improvement Project.768
As a part of the improvements to NUREG-0933, the NRC staff clarified in SECY-11-0101, “Summary of Activities Related to Generic Issues Program,” dated July 26, 2011,1967 that the Generic Issues Program will not pursue any further actions toward resolution of licensing and regulatory impact issues. Because licensing and regulatory impact issues are not safety issues by the classification guidance in the legacy Generic Issues Program, these issues do not meet at least one of the Generic Issues Program screening criteria and do not warrant further processing in accordance with Management Directive 6.4, “Generic Issues Program,” dated November 17, 2009.1858 Therefore, this issue will not be pursued any further in the Generic Issues Program.
- NUREG/CR-2800, “Guidelines for Nuclear Power Plant Safety Issue Prioritization Information Development,” U.S. Nuclear Regulatory Commission, February 1983, (Supplement 1) May 1983, (Supplement 2) December 1983, (Supplement 3) September 1985, (Supplement 4) July 1986, (Supplement 5) July 1996.
- NUREG/CR-2497, “Precursors to Potential Severe Core Damage Accidents: 1969–1979, A Status Report,” U.S. Nuclear Regulatory Commission, June 1982.
- EPRI NP-2230, “ATWS: A Reappraisal, Part 3,” Electric Power Research Institute, 1982.
- Memorandum for D. Eisenhut from J. Olshinski, “Loss of High Head Injection Capability at McGuire Unit 1 and Reconsideration of Technical Specification 3.0.3 and 3.5.2,” April 12, 1982. 
- Memorandum for W. Dircks from H. Denton, “Final Rule—Applicability of License Conditions and Technical Specifications in an Emergency,” February 17, 1983. 
Memorandum for T. Speis from H. Denton, “Formation of a Technical Specification Improvement Project Group,” December 31, 1984. 
- Management Directive 6.4, “Generic Issues Program,” U.S. Nuclear Regulatory Commission, November 17, 2009.
- SECY-11-0101, “Summary of Activities Related to Generic Issues Program,” July 26, 2011. [ML111590814]