Resolution of Generic Safety Issues: Issue 101: BWR Water Level Redundancy (Rev. 1) ( NUREG-0933, Main Report with Supplements 1–34 )
Issue 50 addressed several areas of concern with BWR water level instrumentation and its resolution involved voluntary implementation of water level measurement improvements for all of the staff concerns, except the one related to a break in an instrument line in conjunction with the worst single failure.720
This concern was first identified in an AEOD draft report721 which was later issued as AEOD/C201322 in January 1982. In the interest of the expeditious resolution of Issue 50, it was decided697 to address the AEOD concern as Issue 101.
Water level is measured in BWRs by means of differential pressure sensors connected between the reactor vessel (at a point low enough in elevation to be below the expected water level) and reference columns (which are completely full of water and connected at the top to the steam dome). The differential pressure sensed by the dp cell corresponds to the difference in elevation between the "collapsed" water level in the reactor and the water level in the reference column. If the reference column is broken, the water in it will flash to steam and the water level indication in all channels connected to the broken column will give a false "high" reading.
Typically, a BWR will have two reference columns. (There is a variety of design, however.) A break in one column will cause all instrumentation associated with that column to indicate full scale high level. This can simultaneously cause a transient and interfere with safety systems. A single failure associated with the other reference column can completely defeat mitigation systems. The following points were stated in an RRAB memorandum:722
"Consequences of such an event depend upon (1) the location of the postulated reference leg break, whether it is a single reference leg or a common line; (2) the physical location of an additional postulated single failure, and (3) the various combinations thereof.
"Further, effects of such an event depend upon plant specific design. In some older plants, a postulated reference leg break itself without any additional single failure will cause failure of ECCS initiation due to a reactor water level condition.
"The greatest vulnerability occurs when the same sensor is used to initiate more than one system. In one plant where core spray initiation and MSIV initiation share the same set of sensors, a single failure in either system in addition to a pipeline break in the instrument reference leg may cause a core uncovery. In another plant, the consequences of the additional single failure becomes of concern only when the coolant injection system initiation transmitter fails. In such an event, operator action is required to prevent core uncovery in about 45 minutes. Further, several indications are available in the control room to give the operator information relative to the accident progression and status of the plant."
The references cited above do not recommend specific modifications since individual plant designs are apparently too varied to permit generic solutions.723 However, it appears to be possible to fix the problem by modification to the logics which use reactor level as an input.722
The RRAB memorandum722 contains a probabilistic assessment of the concern. This assessment estimated a core-melt frequency of 10-5/RY and a public risk of 50 man-rem/RY. The affected plants were estimated to have roughly 20 effective full-power years of remaining life for a total risk of 1,000 man-rem/reactor.
The RRAB assessment722 contained a cost-benefit ratio of $1,000/man-rem for the concern in this issue. This translates into $1M/reactor.
Based on an estimated risk reduction of 1,000 man-rem/reactor and a cost of $1M/reactor, the value/impact score is given by:
It must be emphasized (as virtually every reference points out) that both the affected accident sequences and the modifications to resolve the issue will vary from plant to plant. The resolution of this issue will be more case-specific than most and some plants may not require modification.
The RRAB calculations722 assume an operator error probability of 0.1. This figure is based on judgment balancing the relatively high likelihood of initial operator confusion, due to conflicting level indicators, against a relatively long time (45 minutes) available for problem diagnosis before core uncovery in the primary sequence. Specific plant designs and other more rapid sequences may well indicate a higher figure for operator error probability, which would increase the priority figures above.
In some cases, ORE associated with the modifications may be a significant factor. This area should be addressed in specific plant reviews.
The priority parameters were on the borderline between medium and high priority; however, it was believed that some specific plants would fall well into the high area, others well into medium or below. At the time of prioritization, the specific plants for which this issue was particularly important could not be identified. Therefore, this issue was given a high priority.
In resolving this issue, the staff concluded that all BWR designs, in conjunction with operator training and procedures, provide adequate protection in the event of an instrument line break in any of the reactor vessel water level instrument systems. The staff believed that emergency procedures for an operator to identify and mitigate the consequences of instrument line breaks exist at all plants and that reactor operators were being trained to achieve safe shutdown, if needed. The technical basis for this conclusion was documented in NUREG/CR-51121212 in which plant-specific design features, such as common sensing lines for the water level instrumentation, automatic initiation logic for vital protection systems, inhibition of vital protection systems, and additional single failures of safety-related and non-safety-related systems, were considered. The results, including the value/impact analyses of the alternatives considered for plant improvements for BWR plant designs, were provided for information.
Generic Letter 89-111213 was issued to all holders of OLs and CPs for BWRs with the expectation that the information provided would be reviewed to verify that the design of the affected plants had been correctly represented. The staff recommended that consideration be given to a reassessment of plant procedures and operator training to ensure that plant operators can readily detect and mitigate a leak or break of a sensing line. Thus, this issue was RESOLVED and no new requirements were established.1214