Request for Action Related to Resolution of Unresolved Safety Issue A-47 "Safety Implication of Control Systems in LWR Nuclear Power Plants" Pursuant to 10 CFR 50.54(f) (Generic Letter 89-19)
September 20, 1989
TO: ALL LICENSEES OF OPERATING REACTORS, APPLICANTS FOR OPERATING
LICENSES AND HOLDERS OF CONSTRUCTION PERMITS FOR LIGHT WATER
REACTOR NUCLEAR POWER PLANTS
SUBJECT: REQUEST FOR ACTION RELATED TO RESOLUTION OF UNRESOLVED SAFETY
ISSUE A-47 "SAFETY IMPLICATION OF CONTROL SYSTEMS IN LWR
NUCLEAR POWER PLANTS" PURSUANT TO 10 CFR 50.54(f) - GENERIC
LETTER 89-19
As a result of the technical resolution of USI A-47, "Safety Implications of
Control Systems in LWR Nuclear Power Plants," the NRC has concluded that
protection should be provided for certain control system failures and that
selected emergency procedures should be modified to assure that plant
transients resulting from control system failures do not compromise public
safety.
The NRC has provided to all utility and reactor vendor executives copies of
NUREG-1217, "Evaluation of Safety Implications of Control Systems in LWR
Nuclear Power Plants," and NUREG-1218, "Regulatory Analysis for Resolution of
USI A-47." These reports are identified as items 1 and 2 in Enclosure 1.
These reports summarize the results of the analyses conducted for USI A-47.
During the A-47 review a number of different designs for reactor vessel and
steam generator overfill protection were evaluated. Plant-specific features,
such as power supply interdependence, sharing of sensors between control and
trip logic, operator training, and designs for indication and alarms available
to the operator, were considered in developing risk estimates associated with
failures of the feedwater trip system. The results of NRC's studies of the
A-47 issue including the analysis for other events evaluated, such as overheat
and overcool events, are provided for information. It is expected that each
licensee and applicant will review the information for applicability to its
facility. The results of the analyses and the technical bases for the NRC
conclusions are documented in the references listed in Enclosure 1.
The staff has concluded that all PWR plants should provide automatic steam
generator overfill protection, all BWR plants should provide automatic reactor
vessel overfill protection, and that plant procedures and technical
specifications for all plants should include provisions to verify periodically
the operability of the overfill protection and to assure that automatic
overfill protection is available to mitigate main feedwater overfeed events
during reactor power operation. Also, the system design and setpoints should
be selected with the objective of minimizing inadvertent trips of the main
feedwater system during plant startup, normal operation, and protection system
surveillance. The Technical Specifications recommendations are consistent
with the criteria and the risk considerations of the Commission Interim Policy
Statement on Technical Specification Improvement. In addition, the staff
recommends that all BWR recipients reassess and modify, if needed, their
operating procedures and operator training to assure that the operators can
mitigate reactor vessel overfill events that may occur via the condensate
booster pumps during reduced system pressure operation. Enclosure 2 (Sections
1 through 4, a and b) describes the requested action for the different NSSS
designs.
Enclosure 2 outlines a number of designs that satisfy the objectives for
overfill protection and provides guidance for an acceptable design. The staff
believes that a significant number of plants already provide satisfactory
designs for overfill protection; many plants also have technical
specifications dealing with overfill protection system surveillance which were
previously approved by the staff.
The staff also concluded that certain Babcock and Wilcox plants should provide
either automatic initiation of auxiliary feedwater on low steam generator
level or another acceptable design to prevent steam generator dryout on a loss
of power to the control system. Most B&W plants have already incorporated
automatic initiation circuits for this purpose. Enclosure 2, Section 3c,
identifies the plants that have not, and describes the requested action.
The staff also concluded that certain Combustion Engineering plants should
reassess their emergency procedures and operator training to assure safe
shutdown of the plants during any postulated small break loss of coolant
accident. Enclosure 2, Section 4c, identifies these plants and describes the
requested action.
On the basis of the technical studies the staff requests that the
recommendations in Enclosure 2 be implemented by all LWR plants to enhance
safety. These recommendations result from the staff interpretation of General
Design Criteria 13, 20, and 33, identified in 10 CFR 50, Appendix A.
The implementation schedule for actions on which commitments are made by
licensees or applicants in response to this letter should be prior to start-up
after the first refueling outage, beginning nine (9) months following receipt
of the letter.
In order to determine whether any license or construction permit for
facilities covered by this request should be modified, suspended or revoked,
we require, pursuant to Section 182 of the Atomic Energy Act and 10 CFR
50.54(f), that you provide the NRC, within 180 days of the date of this
letter, a statement as to whether you will implement the recommendations in
Enclosure 2 and, if so, that you provide a schedule for implementation of the
items in Enclosure 2 and the basis for the schedule. If you do not plan to
implement these recommendations, provide appropriate justification. This
information shall be submitted to the NRC, signed under oath and affirmation.
The licensee should retain supporting documentation consistent with the
records retention program for their facility.
With regard to the recommendations in Enclosure 2 that specify modification to
plant procedures and Technical Specifications, the intent is that the
appropriate plant procedures be modified in the short-term to provide periodic
verification and testing of the overfill protection system. As part of future
upgrades to Technical Specifications, licensees should consider including
appropriate limiting conditions of operation and surveillance requirements in
future Technical Specification improvements.
This request is covered by Office of Management and Budget Clearance Number
3150-0011 which expires December 31, 1989. The estimated average burden hours
is 240 person hours per licensee response, including assessment of the new
recommendations, searching data sources, gathering and analyzing the data, and
the required reports. These estimated average burden hours pertain only to
these identified response-related matters and do not include the time for
actual implementation of the requested actions. Send comments regarding this
burden estimate or any other aspect of this collection of information,
including suggestions for reducing this burden, to the Record and Reports
Management Branch, Division of Information Support Services, Office of
Information Resources Management, U.S. Nuclear Regulatory Commission,
Washington, D.C. 20555; and to the Paperwork Reduction Project (3150-0011),
Office of Management and Budget, Washington, D.C. 20503.
If you have any questions on this matter, please contact your project manager.
Sincerely,
James G. Partlow
Associate Director for Projects
Office of Nuclear Reactor Regulation
Enclosures:
1. Enclosure 1, List of References
2. Enclosure 2, Control System Design and Procedural Modification for
Resolution of USI A-47
3. Enclosure 3, List of Recently Issued NRC Generic Letters
Enclosure 1
REFERENCE
LIST OF SIGNIFICANT
INFORMATION RELATED TO
RESOLUTION OF USI A-47
1. NUREG-1217 "Evaluation of Safety Implications of Control Systems in LWR
   Nuclear Power Plants" - Technical Findings Related to USI A-47.
2. NUREG-1218 "Regulatory Analysis for Resolution of USI A-47."
3. NUREG/CR-4285 "Effects of Control System Failures on Transients, Accidents
   and Core-Melt Frequencies at a Westinghouse PWR."
4. NUREG/CR-4386 "Effects of Control System Failures on Transients, Accidents
   and Core-Melt Frequencies at a Babcock and Wilcox Pressurized Water
   Reactor."
5. NUREG/CR-4387 "Effects of Control System Failures on Transients, Accidents
   and Core-Melt Frequencies at a General Electric Boiling Water Reactor."
6. NUREG/CR-3958 "Effects of Control System Failures on Transients, Accidents
   and Core-Melt Frequencies at a Combustion Engineering Pressurized Water
   Reactor."
7. NUREG/CR-4326 "Effects of Control System Failures on Transients and
   Accidents at a 3 Loop Westinghouse Pressurized Water Reactor," Vol. 1 and 2.
8. NUREG/CR-4047 "An Assessment of the Safety Implications of Control at the
   Oconee 1 Nuclear Plant - Final Report."
9. NUREG/CR-4262 "Effects of Control System Failures on Transients and
   Accidents at a General Electric Boiling Water Reactor," Vol. 1 and 2.
10. NUREG/CR-4265 "An Assessment of the Safety Implications of Control at the
    Calvert Cliffs - 1 Nuclear Plant," Vol. 1 and 2.
11. Letter Report ORNL/NRC/LTR-86/19 "Generic Extensions to Plant Specific
    Findings of the Safety Implications of Control Systems Program."
Enclosure 2
CONTROL SYSTEM DESIGN AND PROCEDURAL MODIFICATION
FOR RESOLUTION OF USI A-47
As part of the resolution of USI A-47, "Safety Implications of Control
Systems," the staff investigated control system failures that have occurred,
or are postulated to occur, in nuclear power plants. The staff concluded that
plant transients resulting from control system failures can be mitigated by
the operator, provided that the control system failures do not also compromise
operation of the minimum number of protection system channels required to trip
the reactor and initiate safety systems. A number of plant-specific designs
have been identified, however, that should provide additional protection from
transients leading to reactor vessel or steam generator overfill or reactor
core overheating.
Reactor vessel or steam generator overfill can affect the safety of the plant
in several ways. The more severe scenarios could potentially lead to a
steamline break and a steam generator tube rupture. The basis for this concern
is the following: (1) the increased dead weight and potential seismic loads
placed on the main steamline and its supports should the main steamline be
flooded; (2) the loads placed on the main steamlines as a result of the
potential for rapid collapse of steam voids resulting in water hammer; (3) the
potential for secondary safety valves sticking open following discharge of
water or two-phase flow; (4) the potential inoperability of the main steamline
isolation valves (MSIVs), main turbine stop or bypass valves, feedwater
turbine valves, or atmospheric dump valves from the effects of water or
two-phase flow; and (5) the potential for rupture of weakened tubes in the
once-through steam generator on B&W nuclear steam supply system (NSSS) plants
due to tensile loads caused by the rapid thermal shrinkage of the tubes
relative to the generator shell. These concerns have not been addressed in a
number of plant designs, because overfill transients normally have not been
analyzed.
To minimize some of the consequences of overfill, early plant designs provided
commercial-grade protection for tripping the turbine or relied on operator
action to control water level manually in the event the normal-water-level
control system failed. Later designs, including the most recent designs,
provide overfill protection which automatically stops main feedwater flow on
vessel high-water-level signals. These designs provide various degrees of
coincident logic and redundancy to initiate feedwater isolation and to ensure
that a single failure would not inhibit isolation. A large number of plants
provide safety-grade designs for this protection.
On the basis of the technical studies conducted by the staff and its
contractors, the staff recommends that certain actions should be taken by some
plants to enhance plant safety. These actions are described in the material
that follows, and include design and procedural modifications to ensure that
(1) all plants provide overfill protection, (2) all plants provide plant
procedures and
technical specifications for periodic surveillance of the overfill protection,
(3) certain Babcock and Wilcox plants provide an acceptable design to prevent
steam generator dryout on a loss of power to the control system, and (4)
certain Combustion Engineering plants reassess their emergency procedures and
operator training to ensure safe shutdown during any postulated small break
loss of coolant accident. With regard to the recommendations that specify
modification to plant procedures and Technical Specifications, the intent is
that the appropriate plant procedures be modified in the short-term to provide
periodic verification and testing of the overfill protection system. As part
of future upgrades to Technical Specifications, licensees should consider
including appropriate limiting conditions of operation and surveillance
requirements in future Technical Specification improvements.
(1) GE Boiling-Water-Reactor Plants
(a) It is recommended that all GE boiling-water-reactor (BWR) plant designs
provide automatic reactor vessel overfill protection to mitigate main
feedwater (MFW) overfeed events. The design for the overfill-protection
system should be sufficiently separate from the MFW control system to
ensure that the MFW pump will trip on a reactor high-water-level signal
when required, even if a loss of power, a loss of ventilation, or a fire
in the control portion of the MFW control system should occur. Common-
mode failures that could disable overfill protection and the feedwater
control system, but would still result in a feedwater pump trip, are
considered acceptable failure modes.
It is recommended that plant designs with no automatic reactor vessel
overfill protection be upgraded by providing a commercial-grade (or
better) MFW isolation system actuated from at least a 1-out-of-1 reactor
vessel high-water-level system, or justify the design on some defined
basis.
In addition, it is recommended that all plants reassess their operating
procedures and operator training and modify them if necessary to ensure
that the operators can mitigate reactor vessel overfill events that may
occur via the condensate booster pumps during reduced pressure operation
of the system.
(b) It is recommended that plant procedures and technical specifications for
all BWR plants with main feedwater overfill protection include provisions
to verify periodically the operability of overfill protection and ensure
that automatic overfill protection to mitigate main feedwater overfeed
events is operable during power operation. The instrumentation should be
demonstrated to be operable by the performance of a channel check,
channel functional testing, and channel calibration, including setpoint
verification. The technical specifications should include appropriate
limiting conditions for operation (LCOs). These technical specifications
should be commensurate with the requirements of existing plant technical
specifications for channels that initiate protective actions. Previously
approved technical specifications for surveillance intervals and limiting
conditions for operation (LCOs) for overfill protection are considered
acceptable.
Designs for Overfill Protection
Several different designs for overfill protection have already been
incorporated into a large number of operating plants. The following
discussion identifies the different groups of plant designs and provides
guidance for acceptable designs.
Group I: Plants that have a safety-grade or a commercial-grade overfill
protection system initiated on a reactor vessel high-water-level signal based
on a 2-out-of-3 or a 1-out-of-2 taken twice (or equivalent) initiating logic.
The system isolates MFW flow by tripping the feedwater pumps.
The staff concludes that this design is acceptable, provided that (1) the
overfill protection system is separate from the control portion of the MFW
control system so that it is not powered from the same power source, not
located in the same cabinet, and not routed so that a fire is likely to affect
both systems and (2) the plant procedures and technical specifications include
requirements to periodically verify operability of this system. Licensees of
plants that already have these design features that have been previously
approved by the staff should state this in their response.
Group II: Plants that have safety-grade or commercial-grade
overfill-protection systems initiated on a reactor vessel high-water-level
signal based on a 1-out-of-1, 1-out-of-2, or a 2-out-of-2 initiating logic.
The system isolates MFW flow by tripping the feedwater pumps.
The staff concludes that these designs are acceptable provided conditions (1)
and (2) stated for Group I are met. Licensees of plants that already have
these design features that have been previously approved by the staff should
state this in their response. Plant designs with a 1-out-of-1 or a 1-out-of-2
trip logic for overfill protection should provide bypass capabilities to
prevent feedwater trips during channel functional testing when at power
operation.
Group III: Plants without automatic overfill protection.
It is recommended that the licensee have a design to prevent reactor vessel
overfill and justify the adequacy of the design. The justification should
include verification that the overfill protection system is separated from the
feedwater control system so that it is not powered from the same power source,
not located in the same cabinet, and not routed so that a fire is likely to
affect both systems. Common-mode failures that could disable overfill
protection and the feedwater control system, but would still result in a
feedwater pump trip, are considered acceptable failure modes. The staff
review identified three plants that fall into this group: Big Rock, LaCrosse
(permanently shut down), and Oyster Creek. If any of these plants wishes to
justify not including overfill protection, part of the requested justification
should demonstrate that the risk reduction in implementing an automatic
overfill protection system is significantly less than the staff's generic
estimates of risk reduction. In determining the risk reduction, specific
factors such as low plant power and population density should be considered.
Other applicable factors that are plant unique should also be addressed.
(2) Westinghouse-Designed PWR Plants
(a) It is recommended that all Westinghouse plant designs provide automatic
steam generator overfill protection to mitigate MFW overfeed events. The
design for the overfill protection system should be sufficiently separate
from the MFW control system to ensure that the MFW pump will trip on a
reactor high-water-level signal when required, even if a loss of power, a
loss of ventilation, or a fire in the control portion of the MFW control
system should occur. Common-mode failures that could disable overfill
protection and the feedwater control system, but would still result in
the feedwater pump trip, are considered acceptable failure modes.
(b) It is recommended that plant procedures and technical specifications for
all Westinghouse plants include provisions to periodically verify the
operability of the MFW overfill protection and ensure that the automatic
overfill protection is operable during reactor power operation. The
instrumentation should be demonstrated to be operable by the performance
of a channel check, channel functional testing, and channel calibration,
including setpoint verification. The technical specifications should
include appropriate LCOs. These technical specifications should be
commensurate with existing plant technical specification requirements for
channels that initiate protective actions. Plants that have previously
approved technical specifications for surveillance intervals for overfill
protection are considered acceptable.
Designs for Overfill Protection
Several different designs for overfill-protection are already provided in most
operating plants. The following discussion identifies the different groups of
plant designs and provides guidance for acceptable designs.
Group I: Plants that have an overfill-protection system initiated on a steam
generator high-water-level signal based on a 2-out-of-4 initiating logic which
is safety grade, or a 2-out-of-3 initiating logic which is safety grade but
uses one out of the three channels for both control and protection. The
system isolates MFW by closing the MFW isolation valves and tripping the MFW
pumps.
The staff concludes that the design is acceptable, provided that (1) the
overfill protection system is sufficiently separate from the control portion
of the MFW control system so that it is not powered from the same power
source, not located in the same cabinet, and not routed so that a fire is
likely to affect both systems, and (2) the plant procedures and technical
specifications include requirements to periodically verify operability of this
system.
Group II: Plants with a safety-grade or a commercial-grade overfill
protection system initiated on a steam generator high-water-level signal based
on either a 1-out-of-1, 1-out-of-2, or 2-out-of-2 initiating logic. The
system isolates MFW by closing the MFW control valves.
The staff finds that only one early plant (i.e., Haddam Neck) falls into this
group; therefore, a risk assessment was not conducted. Considering the
successful operating history of the plant regarding overfill transients (i.e.,
no overfill events have been reported), this design may be found acceptable,
provided that (1) justification for the adequacy of the design on a
plant-specific basis is included and (2) plant procedures and technical
specifications are modified to include requirements to periodically verify
operability of this system. As part of the justification, it is requested that the
licensee include verification that the overfill-protection system is separate
from the feedwater-control system so that it is not powered from the same
power source, not located in the same cabinet, and not routed so that a fire
is likely to affect both systems. Common-mode failures that could disable
overfill protection and the feedwater-control system, but would still cause a
feedwater pump trip, are considered acceptable failure modes.
Group III: Plants without automatic overfill protection.
It is recommended that the licensee have a design to prevent steam generator
overfill and justify the adequacy of the design. The justification should
include verification that the overfill-protection system is separated from the
feedwater-control system so that it is not powered from the same power source,
not located in the same cabinet, and not routed so that a fire is likely to
affect both systems. Common-mode failures that could disable overfill
protection and the feedwater-control system, but would still result in a
feedwater pump trip, are considered acceptable failure modes. The staff's
review identified two plants that fall into this category: Yankee Rowe and San
Onofre 1. If either of these plants wishes to justify not including overfill
protection, part of the requested justification should demonstrate that the
risk reduction in implementing an automatic overfill protection system is
significantly less than the staff's generic estimates of risk reduction. In
determining the risk reduction, specific factors such as low plant power and
population density should be considered. Other applicable factors that are
plant unique should also be addressed.
(3) Babcock and Wilcox-Designed PWR Plants*
* On December 26, 1985, an overcooling event occurred at Rancho Seco Nuclear
Generating Station, Unit 1. This event occurred as a result of loss of power
to the integrated control system (ICS). Subsequently, the B&W Owners Group
initiated a study to reassess all B&W plant designs including, but not limited
to, the ICS and support systems such as power supplies and maintenance. As
part of the USI A-47 review, failure scenarios resulting from a loss of power
to control systems were evaluated, and the results were factored into the A-47
requirements. However, other recommended actions for design modifications,
maintenance, and any changes to operating procedures (if any) developed for
the utilities by the B&W Owners Group are being resolved separately.
(a) It is recommended that all Babcock and Wilcox plant designs have
    automatic steam generator overfill protection to mitigate MFW overfeed
    events. The design for the overfill-protection system should be
    sufficiently separate from the MFW control system to ensure that the MFW
    pump will trip on a steam generator high-water-level signal (or other
    equivalent signals) when required, even if a loss of power, a loss of
    ventilation, or a fire in the control portion of the main feedwater
    control system should occur. Common failure modes that could disable
    overfill protection and the feedwater-control system, but would still
    result in a feedwater pump trip, are considered acceptable failure modes.
It is recommended that plants that are similar to the reference plant
design (i.e., Oconee Units 1, 2, and 3) have a steam generator
high-water-level feedwater-isolation system that satisfies the
single-failure criterion. An acceptable design would be to provide
automatic MFW isolation by either (1) providing an additional system that
terminates MFW flow by closing an isolation valve in the line to each
steam generator (this system is to be independent from the existing
overfill protection which trips the main feedwater pumps on steam
generator high-water level); (2) modifying the existing
overfill-protection system to preclude undetected failures in the trip
system and facilitate online testing; or (3) upgrading the existing
overfill-protection system to a 2-out-of-4 (or equivalent)
high-water-level trip system that satisfies the single-failure criterion.
(b) It is recommended that plant procedures and technical specifications for
all B&W plants include provisions to periodically verify the operability
of overfill protection and ensure the automatic main feedwater overfill
protection is operable during reactor power operation. The
instrumentation should be demonstrated to be operable by the performance
of a channel check, channel functional testing, and channel calibration,
including setpoint verification. Technical specifications should include
appropriate LCOs. These technical specifications should be commensurate
    with the requirements of existing technical specifications for channels
    that initiate protective actions.
(c) It is recommended that plant designs with no automatic protection to
prevent steam generator dryout upgrade their design and the appropriate
technical specifications and provide an automatic protection system to
prevent steam generator dryout on loss of power to the control system.
Automatic initiation of auxiliary feedwater on steam generator low-water
level is considered an acceptable design. Other corrective actions
identified in Section 4.3(4) of NUREG-1218 could also be taken to avoid a
steam generator dryout scenario on loss of power to the control system.
    The staff believes that only three B&W plants (i.e., Oconee 1, 2, and 3)
    do not have automatic auxiliary feedwater initiation on steam generator
    low water level.
Designs for Overfill Protection
Several different designs for overfill protection are already provided on most
operating plants. The following discussion identifies the different groups of
plant designs and provides guidelines for acceptable designs.
Group I: Plants that provide a safety-grade overfill-protection system
initiated on a steam generator high-water-level signal based on either a
2-out-of-3 or a 2-out-of-4 (or equivalent) initiating logic. The system
isolates main feedwater (MFW) by (1) closing at least one MFW isolation valve
in the MFW line to each steam generator and (2) tripping the MFW pumps.
The staff concludes that this design is acceptable, provided that (1) the
overfill protection system is sufficiently separated from the feedwater
control system so that it is not powered from the same power source, not
located in the same cabinet, and not routed so that a fire is likely to affect
both systems (common-mode failures that could disable overfill protection and
the feedwater control system, but still result in a feedwater pump trip are
considered acceptable failure modes) and (2) the plant procedures and
technical specifications include requirements to periodically verify
operability of this system.
Group II: Plants that have a commercial-grade overfill-protection system
initiated on a steam generator high-water level based on coincident logic that
minimizes inadvertent initiation. The system isolates MFW by tripping the MFW
pumps.
This design may be found acceptable, provided that (1) the overfill-protection
system is sufficiently separate from the feedwater control system so that it
is not powered from the same power source, not located in the same cabinet,
and not routed so that a fire is likely to affect both systems and (2) the
design modifications are implemented per the guidelines identified in the
second paragraph of item (3)(a) above and that the plant procedures and
technical specifications include requirements to periodically verify
operability of this system. The technical specifications should be
commensurate with existing plant technical specification requirements for
channels that initiate protection actions.
It is also recommended that plant designs that provide a separate 1-out-of-1
or a 1-out-of-2 trip logic to close the feedwater isolation valves for
additional overfill protection provide bypass capabilities to prevent
feedwater trips during channel functional testing when at power or during
hot-standby operation.
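The initiating logics named in the BWR, Westinghouse and B&W group discussions above (1-out-of-1 through 2-out-of-4, and 1-out-of-2 taken twice) can be checked directly against the two concerns those sections raise: isolating feedwater despite one failed channel (the single-failure criterion) and avoiding inadvertent trips from a single channel during channel functional testing, which is why the letter asks 1-out-of-1 and 1-out-of-2 designs for a test bypass. The Python model below is an added illustration, not part of the Generic Letter; the two channel failure modes it uses (a channel stuck non-tripped, a channel spuriously calling for a trip) and the representation of a bypassed channel as forced non-tripped are assumptions of the example.

```python
"""Model of the overfill-protection initiating logics discussed in GL 89-19.

Added illustration, not part of the Generic Letter. A channel is modelled as
a boolean: True means the channel is calling for a feedwater trip. Two failure
modes are assumed for the example: a channel stuck non-tripped (failed-low
sensor, lost power to that channel) and a channel spuriously tripped (failed-
high sensor, or the test signal injected during channel functional testing).
"""
from typing import Callable, Dict, Sequence, Tuple

TripLogic = Callable[[Sequence[bool]], bool]


def m_out_of_n(m: int, n: int) -> TripLogic:
    """General m-out-of-n coincidence logic over n channel states."""
    def logic(channels: Sequence[bool]) -> bool:
        if len(channels) != n:
            raise ValueError(f"expected {n} channels, got {len(channels)}")
        return sum(channels) >= m
    return logic


def one_out_of_two_taken_twice(channels: Sequence[bool]) -> bool:
    """Four channels arranged as two 1-out-of-2 trip systems whose outputs
    are ANDed: (A or B) and (C or D). Listed by the letter alongside
    2-out-of-3 as acceptable BWR Group I logic."""
    if len(channels) != 4:
        raise ValueError("1-out-of-2 taken twice needs four channels")
    a, b, c, d = channels
    return (a or b) and (c or d)


# The logics named in the Designs for Overfill Protection discussions.
LOGICS: Dict[str, Tuple[TripLogic, int]] = {
    "1-out-of-1": (m_out_of_n(1, 1), 1),
    "1-out-of-2": (m_out_of_n(1, 2), 2),
    "2-out-of-2": (m_out_of_n(2, 2), 2),
    "2-out-of-3": (m_out_of_n(2, 3), 3),
    "2-out-of-4": (m_out_of_n(2, 4), 4),
    "1-out-of-2 taken twice": (one_out_of_two_taken_twice, 4),
}


def trips_with_one_channel_failed_low(logic: TripLogic, n: int) -> bool:
    """Level is actually high, so every healthy channel calls for a trip, but
    one channel is stuck non-tripped. True means feedwater is still isolated
    whichever channel failed: the single-failure criterion for the trip."""
    return all(logic([ch != failed for ch in range(n)]) for failed in range(n))


def inadvertent_trip_on_one_channel(logic: TripLogic, n: int) -> bool:
    """Level is normal, but one channel alone calls for a trip (failed-high
    sensor, or a test signal during channel functional testing). True means a
    single channel can trip the feedwater pumps at power, i.e. the design
    needs a bypass to test a channel at power without tripping feedwater."""
    return any(logic([ch == only for ch in range(n)]) for only in range(n))


def protected_while_one_channel_bypassed(logic: TripLogic, n: int) -> bool:
    """A bypassed channel is forced non-tripped, so this is the same question
    as the single-failure check: does a real high level still trip? For
    1-out-of-1 the answer is no, i.e. no overfill protection during the test."""
    return trips_with_one_channel_failed_low(logic, n)


def overfeed_from_shared_channel(logic: TripLogic, n: int, shared: int) -> bool:
    """Westinghouse Group I case: one channel feeds both the level control
    system and the protection logic. If it fails low, the control system
    raises feedwater (the overfeed itself) while the protection logic sees
    that same channel as non-tripped. True means the remaining channels still
    isolate feedwater once the level actually rises."""
    return logic([ch != shared for ch in range(n)])


def summary() -> Dict[str, Dict[str, bool]]:
    """Evaluate every named logic against the letter's two concerns."""
    return {
        name: {
            "single_failure_ok": trips_with_one_channel_failed_low(logic, n),
            "needs_test_bypass": inadvertent_trip_on_one_channel(logic, n),
            "protected_during_bypass": protected_while_one_channel_bypassed(logic, n),
        }
        for name, (logic, n) in LOGICS.items()
    }


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name:24s} {verdict}")
```

Running the block shows that 2-out-of-3, 2-out-of-4 and 1-out-of-2 taken twice satisfy both concerns, 1-out-of-2 tolerates a single failure but needs a bypass for testing, 1-out-of-1 has no protection while bypassed, and 2-out-of-2 never trips on a single channel but also cannot tolerate one channel failed low.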
(4) Combustion Engineering-Designed PWR Plants
(a) It is recommended that all Combustion Engineering plants provide
    automatic steam generator overfill protection to mitigate main feedwater
    (MFW) overfeed events. The design for the overfill-protection system
should be sufficiently separate from the MFW control system to ensure
that the MFW pump will trip on a steam generator high-water-level signal
when required, even if a loss of power, a loss of ventilation, or a fire
in the control portion of the MFW control system should occur. Common
failure modes that could disable overfill protection and the feedwater
control system, but would still result in a feedwater pump trip, are
considered acceptable failure modes.
(b) It is recommended that plant procedures and technical specifications for
all Combustion Engineering plants include provisions to verify
periodically the operability of overfill protection and ensure that
automatic MFW overfill protection is operable during reactor power
operation. The instrumentation should be demonstrated to be operable by
the performance of a channel check, channel functional testing, and
channel calibration, including setpoint verification, and by identifying
the LCOs. These technical specifications should be commensurate with
existing plant technical specifications requirements for channels that
initiate protection actions.
(c) It is recommended that all utilities that have plants designed with high-
pressure-injection pump-discharge pressures less than or equal to 1275
psi reassess their emergency procedures and operator training programs
and modify them, as needed, to ensure that the operators can handle the
full spectrum of possible small-break loss-of-coolant accident (SBLOCA)
scenarios. This may include the need to depressurize the primary system
via the atmospheric dump valves or the turbine bypass valves and cool
down the plant during some SBLOCA. The reassessment should ensure that a
single failure would not negate the operability of the valves needed to
achieve safe shutdown.
The procedure should clearly describe any actions the operator is
required to perform in the event a loss of instrument air, or electric
power prevents remote operation of the valves. The use of the
pressurizer PORVs to depressurize the plant during an SBLOCA, if needed,
and the means to ensure that the RTNDT (reference temperature, nil
ductility transition) limits are not compromised should also be clearly
described. Seven plants have been identified that have high pressure
injection pump discharge pressures less than or equal to 1275 psi that
may require manual pressure-relief capabilities using the valves to
achieve safe shutdown. They are: Calvert Cliffs 1 and 2, Fort Calhoun,
Millstone 2, Palisades, and St. Lucie 1 and 2.
Designs for Overfill Protection
CE-designed plants do not provide automatic steam generator overfill
protection that terminates MFW flow. Therefore, it is recommended that
licensees and applicants for CE plants provide a separate and independent
safety-grade or commercial-grade steam generator overfill-protection system
that will serve as backup to the existing feedwater runback control system.
Existing water-level sensors may be used in a 2-out-of-4 initiating logic to
isolate MFW flow on a steam generator high-water-level signal. The proposed
design should ensure that the overfill protection system is separate from the
feedwater-control system so that it is not powered from the same power source,
is not located in the same cabinet, and is not routed so that a fire is likely
to affect both systems (common-mode failures described above are considered
acceptable) and the plant procedures and technical specifications should
include requirements to periodically verify operability of the system. The
information that is requested to be addressed in the plant procedures and the
technical specifications is provided in item (4)(b) above.
Page Last Reviewed/Updated Tuesday, March 09, 2021