The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.

OCR for page 141
5 LESSONS LEARNED: PLANT OPERATIONS AND SAFETY REGULATIONS

The final three chapters of this report are intended to address the third and fourth charges of the study task (see Sidebar 1.1 in Chapter 1):

• Lessons that can be learned from the accident to improve commercial nuclear plant safety and security systems and operations.
• Lessons that can be learned from the accident to improve commercial nuclear plant safety and security regulations, including processes for identifying and applying design basis events for accidents and terrorist attacks to existing nuclear plants.

The focus of this chapter is on nuclear plant safety systems, operations, and regulations. Chapter 6 focuses on offsite nuclear emergency planning and emergency management, whereas Chapter 7 focuses on the nuclear safety culture. As noted in Chapter 1, spent fuel and related security issues will be addressed in a subsequent report.

This NAS study is one of many investigations/assessments initiated in the wake of the Fukushima Daiichi nuclear accident (see Table 1.1 in Chapter 1). The reports from these other studies have been invaluable for informing the committee’s thinking about potential lessons learned. The committee has provided a tabular summary of key recommendations from selected reports in Appendix E.

The committee presents three findings and five recommendations in this chapter. These findings and recommendations are organized into two major sections:

1. Nuclear plant systems, procedures, and training
2. Nuclear plant safety risks

Additional supporting information is provided in Appendixes E through L. These findings and recommendations are directed primarily at the U.S. nuclear power industry and its regulator (U.S. Nuclear Regulatory Commission [USNRC]). However, the committee anticipates that they will also have value for nuclear power industries and regulators in other countries.

Prepublication Copy 5-1

Chapter 5: Lessons Learned: Plant Operations and Safety Regulations

5.1 NUCLEAR PLANT SYSTEMS, PROCEDURES, AND TRAINING

FINDING 5.1: Nuclear plant operators and regulators in the United States and other countries have identified and are taking useful actions to upgrade nuclear plant systems, operating procedures, and operator training in response to the Fukushima Daiichi accident. In the United States, these actions include the nuclear industry’s FLEX (diverse and flexible coping strategies) initiative as well as regulatory changes proposed by the U.S. Nuclear Regulatory Commission’s Near-Term Task Force. Implementation of these actions is still underway; consequently, it is too soon to evaluate their comprehensiveness, effectiveness, or status in the regulatory framework.

In the weeks following the Fukushima nuclear accident, many national governments and international bodies initiated reviews of nuclear power plant performance and current safety measures (see Table 1.1 in Chapter 1). Some of the outputs of these efforts are described in Appendix E. In the United States, two major initiatives were begun:

• The U.S. Nuclear Regulatory Commission (USNRC) appointed a six-member task force headed by Dr. Charles Miller, the Near-Term Task Force. Its charge was to perform a “systematic and methodological review of the U.S. Nuclear Regulatory Commission processes and regulations to determine whether the agency should make additional improvements to its regulatory system and to make recommendations to the Commission for its policy direction, in light of the accident at the Fukushima Dai-ichi Nuclear Power Plant” (USNRC NTTF, 2011, p. vii).
• At about the same time, the U.S. nuclear industry, led by the Institute of Nuclear Power Operations (INPO), the Nuclear Energy Institute (NEI), and the Electric Power Research Institute (EPRI), initiated a voluntary effort to “integrate and coordinate the U.S. nuclear industry's response to events at the Fukushima Daiichi nuclear energy facility. This will ensure that lessons learned are identified and well understood, and that response actions are effectively coordinated and implemented throughout the industry” (NEI, INPO, EPRI, 2012, p. 1).

Brief discussions of these initiatives and key results to date are provided in Appendix F. The results from these initiatives that have been documented to date have been helpful to the committee in informing its thinking about potential lessons learned. However, these initiatives were still in progress when the present report was completed; many decisions have yet to be made or fully implemented. Moreover, the committee had neither the time nor the resources to carry out in-depth reviews of these initiatives, which in some cases would have required plant-by-plant examinations.

Prepublication Copy 5-2

5.1.1 Nuclear Plant Systems

RECOMMENDATION 5.1A: As the nuclear industry and its regulator implement the actions referenced in Finding 5.1, they should give specific attention to improving plant systems in order to enable effective responses to beyond-design-basis events, including, when necessary, developing and implementing ad hoc[1] responses to deal with unanticipated complexities. Attention to availability, reliability, redundancy, and diversity of plant systems and equipment is specifically needed for

• DC power for instrumentation and safety system control.
• Tools for estimating real-time plant status during loss of power.
• Decay-heat removal and reactor depressurization and containment venting systems and protocols.
• Instrumentation for monitoring critical thermodynamic parameters in reactors, containments, and spent fuel pools.
• Hydrogen monitoring (including monitoring in reactor buildings) and mitigation.
• Instrumentation for both onsite and offsite radiation and security monitoring.
• Communications and real-time information systems to support communication and coordination between control rooms and technical support centers, control rooms and the field, and between onsite and offsite support facilities.

The quality and completeness of the changes that result from this recommendation should be adequately peer reviewed.

5.1.1.1 DC power for instrumentation and safety system control

As noted in Chapter 4, the loss of DC power at the Fukushima Daiichi plant severely impacted operators’ ability to monitor the status of reactor pressure, temperature, and water level and to operate critical safety equipment. A lesson that emerges from this accident is that high priority must be given to protecting DC batteries and power distribution systems at nuclear plants so that they remain functional during beyond-design-basis events.

Both the USNRC and industry are taking useful steps to improve the ability of nuclear plants to cope during extended loss of power (see Appendix F). The USNRC issued a Mitigation Strategies Order requiring U.S. nuclear plant licensees to implement strategies for coping

[1] The term ‘ad hoc’ in this finding refers to responses that are not planned and trained on in advance but rather are developed on the spot—operators’ use of car batteries at the Fukushima Daiichi plant (see Chapter 4) is an example of an ad hoc response. This type of on-the-spot reasoning and problem-solving is referred to as “knowledge-based” performance in the human factors literature. Knowledge-based performance is necessary when a situation is novel or not fully covered by the available procedural guidance. In these situations individuals need to have a deeper level of understanding of how a system works (e.g., the physical laws and principles that apply) to be able to correctly assess the situation, establish appropriate response goals, and formulate a plan of action to achieve those goals (Rasmussen, 1983; Mumaw et al., 1994).

Prepublication Copy 5-3

without permanent electrical power sources for an indefinite period of time. This order is being followed by a formal rulemaking. The industry’s FLEX initiative (Appendix F) is intended to address this USNRC order using installed and portable equipment. The specific strategies to be used will be different for each nuclear plant.

Neither the USNRC order nor FLEX specifically addresses the need to protect station DC batteries and power distribution systems so that they remain functional during beyond-design-basis events. The baseline FLEX strategy for the Peach Bottom plant, for example, simply assumes that station DC batteries and power systems would be available during a beyond-design-basis external[2] event and that emergency portable power would be needed only for battery charging.[3] However, the functional requirements in NEI (2012) provide for capabilities that can be effective in responding to the loss of DC power. These include the ability to operate the reactor core isolation cooling system, the capability to read certain instruments, and the capability to depressurize the reactor pressure vessel without DC power.

The Fukushima Daiichi accident demonstrates that without AC or DC power, operators would have a few hours at most to restore critical reactor monitoring and cooling functions to prevent core damage.[4] If station DC batteries or power distribution systems are destroyed or damaged there may not be enough time to install backup DC power even if the necessary equipment were available onsite. Existing battery rooms and associated power distribution systems at U.S. nuclear plants might need to be retrofitted and/or relocated to protect them during beyond-design-basis events. The specific actions required, if any, will be plant specific; that is, they will depend on both the design of the plant and the specific event scenarios that emerge from plant risk evaluations.

5.1.1.2 Tools for Estimating Real-time Plant Status during Loss of Power

During abnormal transients or accident conditions in nuclear reactors, key thermodynamic parameters (e.g., temperature, pressure, and water level in the reactor vessel; temperature, pressure, and radiation level in the containment; and water level and temperature in spent fuel pools) must be known to facilitate appropriate operator actions. Indeed, the reliability of information gained from the instruments is key to decision making and action taking by operators. Another lesson that emerges from the Fukushima Daiichi accident is that alternative means for estimating these parameters are needed during loss-of-power situations. Under certain severe accident conditions and with disruption in power supplies, instruments may give faulty information. Although the committee is recommending that critical instruments be upgraded to cope with events that may severely impact their reliability (see Section 5.1.1.4), alternative means are still needed to guide the operators in coping with accident situations in which power is unavailable or unreliable.

[2] FLEX was developed specifically to address external events. See Appendix F.
[3] See http://pbadupws.nrc.gov/docs/ML1305/ML13059A305.pdf
[4] The time limitation has been known since the early days of reactor engineering and can be estimated from basic engineering principles of heat transfer and thermodynamics for a given accident sequence. Some of the earliest estimates of the time to uncover the core and the time to core melt are documented in the Reactor Safety Study published in 1975 (USNRC, 1975). The engineering models and examples of estimates for BWRs are given in Appendix VIII-A of that study, and more recent results are given in the State-of-the-Art Reactor Consequence Analyses Study draft report published in 2012 (USNRC, 2012a,b).

Prepublication Copy 5-4

Operators and Technical support center staff should be provided with upgraded simulation tools and knowledge-based reasoning aids for both training and operation: for example, system-level analysis software installed on independent computers (e.g., laptops with extended battery life) to aid the operators and Technical support center staff with the diagnosis of the plant state and appropriate actions under conditions of incomplete or confusing information. Such software needs to execute rapidly to provide operators with immediate feedback in crisis situations; have a modern, intuitive graphical interface; and carry out simplified mass and energy balances to give realistic estimates of plant states, particularly critical reactor and containment parameters. The software needs to have an inference engine that uses both operator inputs and a knowledge base of plant systems, including fail-safe control logic, and provides prioritized recommendations on diagnostic and corrective actions. It is also important to provide Technical support center staff with similar or greater capabilities, which could include enhancement of simulators to include accident scenarios involving core damage. Currently, operators perform only table-top exercises for severe accidents because presently available simulators cannot handle core-damage events.

These new capabilities should be integrated with existing procedures, guidance, computational aids, and software tools. Any future changes to procedures, guidance, aids, and software tools also need to be reflected in these capabilities. The committee recognizes that the real-time decision-support tools and aids called for above will require some developmental efforts; the committee judges that the potential benefits of these tools and aids warrant the necessary investments in such efforts.
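As an added illustration of the “simplified mass and energy balances” such a reasoning aid would carry out, the following Python script (written for this edit; it is not the committee’s, a vendor’s, or any plant’s tool) estimates how long the water inventory above the top of active fuel would last after a station blackout, with and without depressurization and portable-pump injection. It uses the Way-Wigner decay-heat approximation, steam-table enthalpies at roughly 7 MPa and 0.2 MPa, and constructed plant values (1400 MWt, one year at power, 100 t of water above the fuel); it ignores sensible heating of metal and water and the vessel geometry, so its outputs are order-of-magnitude aids rather than analyses.

```python
"""Added illustration of a 'simplified mass and energy balance' reasoning aid.
Written for this edit; not the committee's, a vendor's, or any plant's tool.
Every plant value below is constructed for illustration."""

# Constructed plant values (not data from any plant).
P_RATED_MW = 1400.0               # rated thermal power
T_OP_S = 365.0 * 86400.0          # one year at full power before shutdown
MASS_ABOVE_TAF_KG = 100_000.0     # liquid water above the top of active fuel (TAF)
# Saturated-water enthalpies, kJ/kg, rounded from steam tables.
H_F_HIGH, H_FG_HIGH = 1267.0, 1505.0   # liquid and latent enthalpy near 7 MPa
H_F_LOW, H_FG_LOW = 504.7, 2201.9      # liquid and latent enthalpy near 0.2 MPa
HOUR = 3600.0


def decay_power_fraction(t_s: float, t_op_s: float) -> float:
    """Way-Wigner approximation of decay power as a fraction of pre-shutdown
    power, t_s seconds after shutdown following t_op_s seconds of operation.
    Rough (tens of percent) but good enough for a knowledge-based aid."""
    t_s = max(t_s, 10.0)  # the correlation is not meant for the first seconds
    return 0.066 * (t_s ** -0.2 - (t_s + t_op_s) ** -0.2)


def flash_fraction(h_f_before: float, h_f_after: float, h_fg_after: float) -> float:
    """Fraction of saturated liquid that flashes to steam on a rapid pressure
    drop: liquid enthalpy above the new saturation state goes into vaporization."""
    return max(0.0, (h_f_before - h_f_after) / h_fg_after)


def boil_off(mass_kg: float, h_fg: float, t_start_s: float, t_end_s: float,
             injection_kg_s: float = 0.0, dt_s: float = 60.0):
    """Integrate dM/dt = injection - P_decay(t)/h_fg with explicit Euler steps,
    assuming the inventory is at saturation so all decay heat goes into boiling.
    Returns (remaining mass in kg, seconds elapsed); the mass is 0.0 if the
    inventory above TAF was exhausted before t_end_s."""
    mass, t = mass_kg, t_start_s
    while t < t_end_s and mass > 0.0:
        p_w = P_RATED_MW * 1e6 * decay_power_fraction(t, T_OP_S)
        mass += (injection_kg_s - p_w / (h_fg * 1e3)) * dt_s
        t += dt_s
    return max(mass, 0.0), t - t_start_s


def hours_to_uncovery_at_pressure():
    """Station blackout with the RPV held near 7 MPa and no makeup at all."""
    mass, elapsed = boil_off(MASS_ABOVE_TAF_KG, H_FG_HIGH, 0.0, 48 * HOUR)
    return elapsed / HOUR if mass == 0.0 else None


def hours_to_uncovery_after_depressurization(depress_at_h: float = 1.0,
                                             injection_kg_s: float = 0.0):
    """Hold pressure for depress_at_h hours, blow down to ~0.2 MPa (losing the
    flashed fraction of what is left), then continue with a portable pump
    injecting injection_kg_s. None means the core stays covered for 48 h."""
    mass, elapsed = boil_off(MASS_ABOVE_TAF_KG, H_FG_HIGH, 0.0, depress_at_h * HOUR)
    if mass == 0.0:
        return elapsed / HOUR          # uncovered before depressurization
    mass *= 1.0 - flash_fraction(H_F_HIGH, H_F_LOW, H_FG_LOW)
    mass, elapsed = boil_off(mass, H_FG_LOW, depress_at_h * HOUR, 48 * HOUR,
                             injection_kg_s)
    return depress_at_h + elapsed / HOUR if mass == 0.0 else None


if __name__ == "__main__":
    print("decay power at 1 h: %.1f MW" % (P_RATED_MW * decay_power_fraction(HOUR, T_OP_S)))
    print("flash fraction 7 MPa -> 0.2 MPa: %.2f" % flash_fraction(H_F_HIGH, H_F_LOW, H_FG_LOW))
    print("hours to TAF, held at pressure, no makeup:", hours_to_uncovery_at_pressure())
    for rate in (0.0, 2.0, 10.0):
        print("hours to TAF, depressurized at 1 h, %.0f kg/s makeup:" % rate,
              hours_to_uncovery_after_depressurization(1.0, rate))
```

Run as written, the script prints the four scenarios. The depressurization cases make the tradeoff of Section 5.1.1.3 visible in numbers: flashing discards roughly a third of the remaining inventory, the larger latent heat at low pressure slows the boil-off that follows, and the core stays covered only when the portable injection rate actually exceeds the boil-off rate at the time injection starts.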
The shortfalls in real-time situation assessment that were exhibited by control room and emergency response center (ERC) staff at the Fukushima Daiichi plant underscore the value of providing real-time decision support tools and aids for plant status assessment and response planning, both for control room and Technical support center staff. The committee further judges that the existing thermal-hydraulics knowledge base can be leveraged to create aids for generating real-time estimates of key thermodynamic parameters and liquid level in the reactor pressure vessel and to provide real-time support for response planning.

5.1.1.3 Decay-Heat Removal, Reactor Depressurization, and Containment Venting Systems

The loss of AC and DC power at the Fukushima Daiichi plant severely impacted operators’ ability to remove decay heat from the Unit 1-3 reactors and to depressurize reactor pressure vessels and vent containments, both to restore cooling to the core and to prevent leakage of fission products. Another lesson that emerges from the accident is that strategies and capabilities must be in place for removing decay heat from reactors, depressurizing reactor pressure vessels, and venting containments under loss of AC and DC power conditions.

Reactors continue to generate decay heat even after shutdown (see Chapter 2). This decay heat must be removed reliably over a long period of time to avoid damage to the integrity of the reactor core. Boiling water reactors have a number of core cooling systems that can be used to remove decay heat (see Chapter 2):

• Low-pressure cooling systems (low-pressure coolant injection system) require power to operate pumps and actuate valves.

Prepublication Copy 5-5

• High-pressure cooling systems (isolation cooling,[5] reactor core isolation cooling, and high-pressure coolant injection systems) require power to actuate valves.
• “Ad hoc” cooling systems (e.g., injection of water from the fire protection system using diesel-driven fire pumps or fire truck pumps) can be utilized only when reactor pressure vessels are at low pressure (see Chapter 4).

The Fukushima Daiichi accident revealed two problems with the operation of these cooling systems under loss-of-power conditions (Chapter 4):

1. The isolation condenser system in Unit 1 did not function after AC and DC power were lost, apparently because the valves inside containment were closed.
2. Ad hoc low-pressure water injection systems were not effective for cooling the Unit 1-3 reactors because of difficulties in depressurizing reactor pressure vessels and venting containments.

The subtle fail-safe logic of the DC electrical system impacted the ability of the isolation condenser system of Unit 1 to function following loss of AC and DC power. This same logic system was also operative in the reactor core isolation cooling system in Unit 2 (however, because of the fortunate time sequencing of the loss of AC power, the Unit 2 system was able to operate for many hours). There may well be other safety-critical plant control systems and subsystems that could be similarly affected by the near-simultaneous loss of AC and DC power. The design bases for these systems need to be better understood and appropriately reflected in plant operating procedures. Alternatively, such systems need to be redesigned to reduce the subtleties of the interactions.

Section 4.3.3.1 in Chapter 4 describes the careful orchestration required to depressurize a reactor pressure vessel and begin injection of low-pressure water. Depressurization removes heat from the reactor core through steam flashing, which provides time to bring external cooling water injection systems online. However, steam flashing can also result in the loss of a significant fraction of a reactor pressure vessel’s water inventory. Core damage can occur if low-pressure injection does not restore water levels in a timely fashion.[6] Consequently, reactor operators must have well-defined strategies and capabilities for depressurizing reactor pressure vessels and venting containments in a timely manner under loss-of-power conditions. Additionally, there must be a low-pressure heat removal capability that is independent of electrical power.

The use of ad hoc water sources for cooling reactors is not addressed in standard design-basis accidents involving loss of reactor coolant. Moreover, the use of ad hoc water sources requires the availability of portable pumps, not installed core cooling systems. To the committee’s knowledge, the only analysis relevant to the type of scenario that occurred in Unit 1 at Fukushima Daiichi is a rudimentary discussion in EPRI (2012c, Volume 2, Appendix AA).

The U.S. nuclear industry has already identified depressurization as an issue and recognizes that there is a tradeoff between lowering pressure and operating steam-driven cooling

[5] Isolation condensers can provide cooling for an indefinite period of time as long as water is available on the secondary (shell) side of the heat exchanger and system valves are open. See Chapters 2 and 4.
[6] The time window could be established through a fuel cladding heat-up analysis.

Prepublication Copy 5-6

systems (i.e., reactor core isolation cooling and high-pressure coolant injection systems). Williamson et al. (2013) reported on the BWR Owners Group revisions to the Emergency Procedures Guidelines. The guidance on depressurization places core cooling as the highest priority: if depressurization of the reactor pressure vessel results in the loss of systems needed for core cooling, then the guidelines specify that operators (1) terminate depressurization and (2) maintain reactor pressure vessel pressure as low as possible. This guidance applies during all depressurization steps. The revised guidelines instruct operators of reactors with reactor core isolation cooling systems to lower reactor pressure to about 200 psi during an extended loss of AC power event. This will enable a more timely response and less loss of water inventory when transitioning to low-pressure cooling sources such as might be provided through FLEX, thereby helping prevent the core from becoming uncovered.

The FLEX guidance (NEI, 2012) also addresses depressurization: “Regardless of installed coping capability, all plants will include the ability to use portable pumps to provide RPV/RCS/SG makeup as a means to provide a diverse capability beyond installed equipment. The use of portable pumps to provide RPV/RCS/SG [reactor pressure vessel/reactor coolant system/steam generator] makeup requires a transition and interaction with installed systems. For example, transitioning from RCIC [reactor core isolation cooling] to a portable FLEX pump as the source for RPV makeup requires appropriate controls on the depressurization of the RPV and injection rates to avoid extended core uncovery.”

There is a specification in this guidance for providing an indefinite capability to depressurize the reactor and supply water to the reactor pressure vessel under loss-of-power conditions.[7] However, the details of how this strategy will be implemented are left up to each plant. Moreover, if FLEX is not initially successful and core degradation occurs, radiation levels may impede access to locations where FLEX water and power connections are made—just as radiation levels hindered workers’ responses at the Fukushima Daiichi plant. FLEX would be greatly enhanced if it focused on preventing core damage as well as on mitigating damage severity should it occur.

5.1.1.4 Instrumentation for Monitoring Critical Thermodynamic Parameters

The loss of AC and DC power in Units 1 and 2 at the Fukushima Daiichi plant shut down key monitoring instrumentation for the reactor pressure vessel, drywell, and suppression chamber (see Chapter 4). The DC-powered monitoring instrumentation in Unit 3 shut down when that unit’s batteries were depleted nearly a day and a half later. The validity of readings from working instruments was difficult to ascertain after power was restored. Thermocouples on the exterior surfaces of reactor pressure vessels had been exposed to temperatures above their operating ranges and therefore were likely unreliable. Water level gauges were likely affected by pressure transients and seawater use for cooling. Some pressure gauges also gave erroneous

[7] This 12-hour coping requirement is inconsistent with the 72-hour power loss experienced by some units at the Fukushima Daiichi plant. See Chapter 4.

Prepublication Copy 5-7

readings.[8] A lesson that emerges from these observations is that robust and diverse monitoring instrumentation that can withstand severe accident conditions is essential for diagnosing problems; selecting and implementing accident mitigation strategies; and monitoring their effectiveness.

The availability and adequacy of monitoring instrumentation were identified as important issues following the Three Mile Island accident in 1979 (see Rempe et al., 2012). In the 1990s, U.S. nuclear power plant licensees and the USNRC addressed this issue through a systematic needs analysis. This analysis involved the identification of (1) sensor information required to monitor key plant functions; (2) locations and operating ranges of sensors that provide such information; and (3) environmental conditions that these sensors must withstand during the accident sequences that dominate risks. Additional monitoring instrumentation was added to U.S. nuclear plants as a result of this analysis: e.g., reactor pressure indications, a wider range of reactor core temperature indications, and more robust temperature sensors.

The Fukushima Daiichi accident demonstrates the need to further harden essential reactor, containment, and spent fuel pool monitoring instrumentation to better withstand severe-accident conditions. The U.S. nuclear industry and the USNRC have already recognized the need for enhanced reactor and containment monitoring instrumentation, in particular with respect to monitoring spent fuel pool water levels (see Appendix F). The committee judges that further work is needed to evaluate the adequacy and reliability of existing reactor, containment, and spent fuel pool monitoring instrumentation for the risk-dominant accident sequences that emerge from the committee’s recommended plant-specific risk evaluations (see Recommendation 5.2A later in this chapter).
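To make the spent fuel pool monitoring requirement concrete, here is an added example (written for this edit; it is not from the report, the USNRC order, or any licensee) of the logic a level-and-temperature monitor could apply to a stream of readings. It classifies each reading against three illustrative setpoints patterned on the three levels of the USNRC order described next, reports whether the drawdown rate is accelerating, slowing or constant as the ACRS comment quoted below asks for, projects the time to the next setpoint, and uses a temperature channel to flag degrading cooling before the level moves at all. All setpoints, alarm names and the sample record are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    t_min: float    # minutes since the start of the record
    level_m: float  # pool water level above the top of the fuel racks, metres
    temp_c: float   # bulk pool water temperature, degrees C


# Illustrative setpoints patterned on the order's three levels (constructed values).
LEVEL_NORMAL_COOLING_M = 7.0   # level 1: normal fuel pool cooling system can still operate
LEVEL_SHIELDING_M = 3.0        # level 2: substantial shielding for staff on the operating deck
LEVEL_FUEL_COVERED_M = 0.3     # level 3: fuel still covered; makeup must no longer be deferred
TEMP_APPROACH_TO_BOILING_C = 90.0   # constructed temperature alarm setpoint
TEMP_RISE_ALARM_C_PER_H = 5.0       # constructed heat-up rate that signals degraded cooling
RATE_DEADBAND_M_PER_H = 0.015       # constructed dead band for calling a drawdown trend constant


def level_zone(level_m: float) -> str:
    """Map a level reading onto the bands between the three setpoints."""
    if level_m >= LEVEL_NORMAL_COOLING_M:
        return "L1_NORMAL_COOLING"
    if level_m >= LEVEL_SHIELDING_M:
        return "L2_SHIELDING_OK_COOLING_LOST"
    if level_m >= LEVEL_FUEL_COVERED_M:
        return "L3_MAKEUP_REQUIRED"
    return "BELOW_L3_UNCOVERY_RISK"


def drawdown_rate(prev: Sample, cur: Sample) -> float:
    """Level decrease between two samples in m/h (negative when the level rose)."""
    return (prev.level_m - cur.level_m) / ((cur.t_min - prev.t_min) / 60.0)


def trend(rate_prev: float, rate_now: float) -> str:
    """Classify the drawdown the way the ACRS comment asks: is it speeding up?"""
    if rate_now <= RATE_DEADBAND_M_PER_H:
        return "stable"
    if rate_now - rate_prev > RATE_DEADBAND_M_PER_H:
        return "accelerating"
    if rate_prev - rate_now > RATE_DEADBAND_M_PER_H:
        return "slowing"
    return "constant"


def minutes_to_next_setpoint(level_m: float, rate_m_per_h: float) -> Optional[float]:
    """Linear projection to the next setpoint below the current level."""
    if rate_m_per_h <= 0.0:
        return None
    for setpoint in (LEVEL_NORMAL_COOLING_M, LEVEL_SHIELDING_M, LEVEL_FUEL_COVERED_M):
        if level_m > setpoint:
            return (level_m - setpoint) / rate_m_per_h * 60.0
    return 0.0


def evaluate(samples: List[Sample]) -> List[dict]:
    """Walk the record in time order, as a monitor would, and return one
    status dict per sample listing the alarms raised at that sample."""
    out, rate_prev = [], 0.0
    for i, s in enumerate(samples):
        alarms, zone = [], level_zone(s.level_m)
        rate_now, tr, eta = 0.0, "stable", None
        if i > 0:
            p = samples[i - 1]
            rate_now = drawdown_rate(p, s)
            tr = trend(rate_prev, rate_now)
            eta = minutes_to_next_setpoint(s.level_m, rate_now)
            if s.level_m < p.level_m and level_zone(p.level_m) != zone:
                alarms.append("LEVEL_CROSSED_DOWN:" + zone)
            if tr == "accelerating":
                alarms.append("DRAWDOWN_ACCELERATING")
            heatup = (s.temp_c - p.temp_c) / ((s.t_min - p.t_min) / 60.0)
            # Temperature moves long before level does once cooling is lost.
            if heatup >= TEMP_RISE_ALARM_C_PER_H and rate_now <= RATE_DEADBAND_M_PER_H:
                alarms.append("COOLING_DEGRADING_TEMP_RISING")
        if s.temp_c >= TEMP_APPROACH_TO_BOILING_C:
            alarms.append("APPROACH_TO_BOILING")
        out.append({"t_min": s.t_min, "zone": zone, "drawdown_m_per_h": rate_now,
                    "trend": tr, "min_to_next_setpoint": eta, "alarms": alarms})
        rate_prev = rate_now
    return out


def first_alarm_times(status: List[dict]) -> Dict[str, float]:
    """Time of first occurrence of each alarm, i.e. what an annunciator would latch."""
    first: Dict[str, float] = {}
    for row in status:
        for alarm in row["alarms"]:
            first.setdefault(alarm, row["t_min"])
    return first


# Constructed record: cooling lost at t=0, pool heats to boiling over five hours,
# boil-off then begins, and a later leak makes the drawdown accelerate.
SAMPLES = [Sample(t, lvl, temp) for t, lvl, temp in [
    (0, 7.50, 40), (60, 7.50, 52), (120, 7.50, 64), (180, 7.50, 76), (240, 7.50, 88),
    (300, 7.50, 96), (360, 7.40, 100), (420, 7.30, 100), (480, 7.20, 100),
    (540, 6.90, 100), (600, 6.30, 100), (660, 5.40, 100), (720, 4.20, 100),
    (780, 2.70, 100), (840, 0.90, 100)]]

if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(row)
    print(first_alarm_times(evaluate(SAMPLES)))
```

On the constructed record the temperature channel raises the first alarm an hour in, four hours before the level reading changes, which is the point of footnote 13 and of the ACRS comment on direct temperature measurement; the level channel then latches the level 1 and level 2 crossings and the acceleration of the drawdown, and the projection gives the operating staff a time budget before the level 3 setpoint.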
The USNRC issued an order[9] in March 2012 requiring that all U.S. nuclear power plants install additional water-level instrumentation in their spent fuel pools (see Appendix F). The order required that this instrumentation provide at least three distinct water levels (the following material is quoted from p. 35 of the Order):

1. level that is adequate to support operation of the normal fuel pool cooling system,
2. level that is adequate to provide substantial radiation shielding for a person standing on the spent fuel pool operating deck, and
3. level where fuel remains covered and actions to implement make-up water addition should no longer be deferred.

The USNRC staff provided interim guidance on implementing this order.[10] The USNRC’s Advisory Committee on Reactor Safeguards[11] (ACRS) commented on the sufficiency of this monitoring instrumentation[12]:

[8] See Gauntt et al. (2012a) for further discussion of data reliability during the accident.
[9] Order Modifying Licenses with Regard to Reliable Spent Fuel Pool Instrumentation. Available at http://pbadupws.nrc.gov/docs/ML1205/ML12056A044.pdf.
[10] JLD-ISG-2012-03, Compliance with Order EA-12-051, Reliable Spent Fuel Pool Instrumentation, August 29, 2012. Available at http://pbadupws.nrc.gov/docs/ML1222/ML12221A339.pdf.
[11] Committee member Dr. Michael Corradini is a member of the Advisory Committee on Reactor Safeguards.
[12] ACRS, Draft Interim Staff Guidance Documents in Support Of Tier 1 Orders, July 17, 2012. Available at http://pbadupws.nrc.gov/docs/ML1219/ML12198A196.pdf.

Prepublication Copy 5-8

“[Water level monitoring] instrumentation should be capable of detecting unexpected changes in SFP [spent fuel pool] level and provide appropriate alarms to alert the operations staff. Emphasis should be on the ability to detect water level reductions early during the event. The system should also have the capability to track and display changes in the SFP water level. This capability would provide the operations staff with the ability to know whether the rate of water level reduction was accelerating, slowing, or remaining constant.”

Additionally, “The [interim staff guidance] should be modified to specify direct measurement of temperature in the SFP. Operators should know, as early as possible, if pool cooling is degrading. Information about SFP temperature provides operators with defense-in-depth information about the status of spent fuel cooling. Temperature information about the approach to boiling may also affect decisions regarding local personnel actions in the vicinity of the SFP. The temperature instrumentation should be simple, capable of being monitored continuously, and displayed in the main control room.”

As a result of the systematic evaluation recommended here, nuclear plant licensees and the USNRC might conclude that additional temperature sensors should be placed in pools to provide confirmatory information about the thermodynamic state of water inventories.[13]

5.1.1.5 Hydrogen Control

Based on what has been known about hydrogen behavior since 1980 (see Appendix G), the explosions and damage to reactor buildings at the Fukushima Daiichi plant should not have been that surprising. They illustrate in dramatic fashion the importance of hydrogen control in severe reactor accidents.

Hydrogen explosions in Units 1, 3, and 4 at the Fukushima Daiichi plant caused severe structural damage to reactor buildings, created pathways for radioactive material releases to the environment, and greatly impeded onsite accident responses (see Chapter 4). The explosions also caused damage to fuel handling equipment and cooling systems for these units’ spent fuel pools. Large additional releases of radioactive materials to the environment might have occurred had the integrity of the spent fuel pools in Units 1, 3, and 4 been compromised.

The accident highlighted the need to examine the adequacy of current hydrogen mitigation measures in some types of reactor containments. Nuclear plants with Mark I and Mark II containments worldwide are equipped with nitrogen inerting systems to maintain reduced oxygen concentrations in containment (see Appendix G). Igniters are also used in boiling water reactors with Mark III type containments (see Chapter 2) and pressurized water reactors with ice condenser-type containments[14] to prevent the buildup of hydrogen.

[13] Water-level sensors provide no information about the thermodynamic state of the pool water until water levels begin to decrease due to boil-off.
[14] Plants with ice condenser containments utilize water ice to condense steam generated during an accident. Plants of this design generally have smaller-volume containments than pressurized water reactors with dry containments.

Prepublication Copy 5-9

The Fukushima Daiichi accident demonstrated in dramatic fashion that inerting containment is inadequate for preventing hydrogen explosions if the containment fails. This emphasizes the key importance of managing thermal and pressure loads inside containment in order to maintain containment integrity. Being able to safely vent containment in a timely fashion with a minimum release of fission products is a key accident management step that must be available to operators (see Sidebar 2.2 in Chapter 2 for a discussion of venting).

Preventing accidental releases of hydrogen into a reactor building even though containment is inerted is important—the large volume of hydrogen generated during a severe accident can overwhelm the inert gas when a hot hydrogen-nitrogen-steam mixture is released into a reactor building. When this mixture leaks into confined spaces outside of containment (i.e., into a reactor building) the steam will condense and a flammable mixture can be formed if the concentration of hydrogen is sufficiently high.

Following the Fukushima Daiichi accident the USNRC issued orders requiring installation of reliable venting systems in reactors with Mark I and Mark II containments. In June 2013 the USNRC modified this order to require severe-accident capable venting systems (see Appendix F). These vents should help to reduce hydrogen explosion hazards during severe accidents. However, the Fukushima Daiichi accident demonstrated that the mere presence of containment vents[15] does not eliminate hydrogen explosion hazards during severe accidents. Indeed, the effectiveness of these vents in limiting hydrogen releases into the buildings will depend on their operability under severe accident conditions (e.g., under loss of DC power and compressed air, as happened at Fukushima Daiichi), as well as on the interaction of the vents with building ventilation systems.

The committee judges that re-examination is needed of the potential hazards of hydrogen explosions within the secondary containment (i.e., reactor buildings) of Mark I and Mark II plants. Mitigation strategies such as deliberate ignition, passive autocatalytic recombiners, and post-accident inerting that have been previously examined for large dry containments (NAS, 1987) could be re-examined for secondary containments. Such efforts are in progress in Japan and other countries with Mark I and II BWR plants. The USNRC has identified hydrogen control as an important safety issue but has designated it as a TIER III issue (see Appendix F) to be addressed at some later time.

Flames propagating in spaces filled with equipment and piping or within a building complex generate turbulence that results in substantial increases in flame speed, accelerating flames from low to high speeds and substantially increasing the pressure loading on structures. The severity of the explosions at the Fukushima Daiichi plant also suggests that the deliberate ignition strategies currently in use in Mark III and ice condenser reactors should be re-examined to determine if they will be adequate for accidents involving severe core damage under loss-of-power conditions.

5.1.1.6 Instrumentation for Onsite Radiation and Security Monitoring

The loss of AC and DC power shut down the Fukushima Daiichi plant’s onsite radiation monitoring and security systems. The loss of the plant’s radiation monitoring systems impeded

[15] All of the units at the Fukushima Daiichi plant had containment vents (see Section 2.5.2 in Chapter 2).

Prepublication Copy 5-10

OCR for page 141
Chapter 5: Lessons Learned: Plant Operations and Safety Regulations efforts to monitor radioactive material releases from the Unit 1, 2, and 3 reactors and estimate the timing, and magnitude of offsite releases (see Chapter 6). The loss of onsite security monitoring systems reduced physical protection of the plant grounds and critical plant infrastructure. The reduction of physical protection at the plant increases its vulnerability to attacks from external forces or determined insiders. Additionally, the voluminous amount of information published about the accident provides potential adversaries with data about critical plant systems, their inter-dependencies, and key personnel; this information could potentially be used to plan and carry out attacks on other nuclear plants. The committee intends to discuss security issues in its second report (see Chapter 1). A clear lesson learned from the accident is that onsite radiation and security monitoring systems need to be hardened so that they continue to function during severe accidents. Alarm annunciation and communication equipment at U.S. nuclear plants are currently required to have a secondary power supply such as an emergency diesel generator. Additionally, intrusion detection and assessment equipment at the protected area perimeter of the plant is required to have an uninterruptible power supply so that it remains operable in the event of the loss of normal power. This equipment may need to be hardened to protect it against severe accidents. The need for and approaches to hardening should be based on plant-specific risk evaluations recommended elsewhere in this chapter (see Recommendation 5.2A). 5.1.1.7 Communication and Real-time Information Systems The Fukushima Daiichi accident highlighted the need for reliable communication links between control rooms and Technical support centers, control rooms and the field, and between onsite and offsite support facilities during severe accidents. 
The limited means of communication during the Fukushima Daiichi accident degraded the ability of plant personnel to plan and coordinate their response actions. The loss of the offsite emergency response center disrupted lines of communication with local and national government agencies. The loss of communication infrastructure contributed to the central government’s concerns that it was not receiving timely and accurate information about the status of the plant.

The USNRC’s Near-Term Task Force (USNRC NTTF, 2011) report highlighted the need for reliable communications equipment (e.g., hardwired telephones, cellular telephones, satellite telephones, radios, and pagers) for communicating onsite and offsite, including during events that may involve extended loss of AC power and/or damage to external telecommunication infrastructure (e.g., phone switches and cell towers). The committee concurs with this assessment. The committee suggests that there is also a need to ensure the reliability of data communications, both onsite (e.g., between the control room and the technical support center[16]) and offsite (e.g., between the plant and offsite government and regulatory agencies), particularly during extended AC-power loss.

The Fukushima Daiichi accident highlighted the importance of real-time information systems (e.g., Safety Parameter Display Systems) for enabling personnel to maintain situational awareness of plant conditions. In discussions with the committee, TEPCO personnel commented that the lack of availability of this system in the control rooms and ERCs contributed to delays in diagnosing plant conditions (see Chapter 4).

[16] Technical Support Centers at U.S. nuclear plants carry out many of the same functions as ERCs at Japanese plants. More information about this and related facilities is provided elsewhere in this chapter.
Chapter 5: Lessons Learned: Plant Operations and Safety Regulations including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.” 3. “PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.” 4. “The Commission’s safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.” This policy, coupled with additional Commission guidance issued in 1999, has resulted in a variety of risk-informed program-specific improvements: for example, the maintenance rule for operating reactors,38 the pressurized thermal shock rule,39 and the backfit rule (Sidebar 5.5 and Appendix L). Nevertheless, slow progress has been made in risk-informing the USNRCs regulations. The Fukushima accident, which was initiated by an extreme external event, further confirms the need for more expeditious consideration of risk-informed approaches to safety, particularly for beyond-design-basis events. The USNRC’s Near-Term Task Force (USNRC NTTF, 2011; see Appendix F) recommended that the agency establish “a logical, systematic, and coherent regulatory framework for adequate protection that appropriately balances defense-in- depth and risk considerations” (USNRC NTTF, 2011, p. ix). Another USNRC task force (USNRC, 2012c) has recommended that a risk management regulatory framework be adopted by the Commission. The Nuclear Energy Institute has commented40 on the lack of progress in implementing risk-informed regulations (RIRs): “Over the past five years, progress in RIR has been stunted. 
A variety of factors have contributed to this, but the result has been a growing distrust of risk- informed processes. Ironically in the post-Fukushima era, where nuclear power faces many decisions that could be better informed by a risk perspective, the reluctance to use PRA in new regulatory activities has removed a valuable tool from the process.” The difficulty in expanding risk-informed regulations has been greater than some had anticipated. On the other hand, expansion has continued steadily in spite of resistance in some quarters of the USNRC and industry. The committee judges that the broader use and expanded scope of modern risk concepts in nuclear reactor safety regulations could improve safety and lead to better policy decisions. 38 Title 10, Section 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. Available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0065.html. 39 Title 10, Section 50.61, Fracture Toughness Requirements for Protection against Pressurized Thermal Shock Events. Available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0061.html. 40 Industry Support and Use of PRA and Risk-Informed Regulation, Letter to USNRC Chair Allison M. Macfarlane (December 19, 2013). Available at http://pbadupws.nrc.gov/docs/ML1335/ML13354B997.pdf. Prepublication Copy 5-28

OCR for page 141
SIDEBAR 5.1 Brief History of Severe Accident Analyses

The U.S. Atomic Energy Commission sponsored the first major study of the theoretical consequences of severe accidents at large nuclear power plants in the mid-1950s. This study was performed by Brookhaven National Laboratory and resulted in the WASH-740 report (AEC, 1957). The subsequent Reactor Safety Study, which was issued as the WASH-1400 report in 1975 (USNRC, 1975), concluded that a severe accident was “the only way that potentially large amounts of radioactivity could be released by melting the fuel in the reactor core.” All risk studies performed subsequent to WASH-1400 have found this to be the case.

Industry also advanced the state of the art of severe accident analysis in the early 1980s as a result of the full-scope PRAs performed for the Indian Point, Zion (Commonwealth Edison, 1981; Consolidated Edison, 1982), and Limerick nuclear plants (Philadelphia Electric, 1981). These PRAs made major advancements to severe accident analysis, particularly with respect to containment response analysis and to radiological source term analysis.

A substantial research program on severe accident phenomenology was planned and initiated by the USNRC following the Three Mile Island, Unit 2 accident in 1979. This program included experimental and analytical studies of accident phenomenology (i.e., the physical, chemical, and radiological processes that occur during a severe accident). In 1980, USNRC issued a Federal Register Notice for a proposed rulemaking on severe accident design criteria (45 Federal Register 65474, Severe Accident Design Criteria, published on October 2, 1980). In parallel to this regulatory effort, the nuclear industry sponsored the Industry Degraded Core Rulemaking (IDCOR) program. This program, which was active during 1981-1984, also involved experiments and analytical studies.
The USNRC later withdrew the proposed rulemaking and issued a severe accident policy statement in 1985 (50 Federal Register 32138, Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants, August 8, 1985), which set the regulatory course for addressing severe accidents. The USNRC also issued a policy statement on safety goals in 1986 (51 Federal Register 30028, Safety Goals for the Operation of Nuclear Power Plants, August 21, 1986).

By the mid-1980s, new computational models of severe accident phenomenology had been developed and subjected to peer review. Studies of reactor severe accidents and their public health consequences were being carried out throughout the 1980s in many countries with light water reactor programs. Many conferences and symposia took place and papers and reports were widely disseminated. In the United States, a major update of the WASH-1400 report was issued in 1990 (USNRC, 1990). It evaluated severe accident risks at five nuclear plants.

Beginning in 1988, the U.S. nuclear industry performed assessments of severe accident vulnerabilities for each licensed nuclear power plant. These individual plant examinations were done for both internal and external event initiators and were essentially PRAs. The USNRC issued its perspectives documents starting in the late 1990s (USNRC, 1997b, 2002a), which summarized the plant vulnerabilities and proposed modifications for each plant.

At present, severe accident studies are continuing in most countries with light water reactors. Many international conferences and symposia feature studies on refinement of tools and confirmation of theoretical models based on experiments. Most university programs on nuclear engineering cover severe accidents in their curricula and the topic is covered in contemporary textbooks and monographs on reactor safety. Short courses on severe accidents are typically offered in conjunction with conferences on PRA. Severe accident management guidelines have been developed and refined based on insights from phenomenological studies.

The most recent risk study which uses current severe accident information is the State-of-the-Art Reactor Consequence Analyses (USNRC, 2013b,c). The USNRC is also performing a Level 3 risk analysis of a pressurized water reactor which will be completed in the next few years.
SIDEBAR 5.2 Coronal Mass Ejections

Coronal mass ejections (CMEs) are massive bursts of charged plasmas from the surface of the Sun that travel through space at hundreds of kilometers per second. They can produce severe geomagnetic disturbances (e.g., terawatt-scale oscillating electrical currents) if they encounter Earth’s magnetosphere, which in turn can induce quasi-DC currents in electrical transmission lines. These currents can enter and exit power systems at transformer grounds, disrupting power system operations and damaging equipment (EPRI and NEC, 2011). Large CME-induced geomagnetic disturbances have affected the electrical and communications infrastructure in North America during recent history:

• The “Carrington Event” in September 1859 produced aurorae that could be seen as far south as Cuba and Hawaii. This event induced currents in telegraph lines causing large-scale failures of telegraph systems; some systems continued to operate even after they were disconnected from their power sources (Carlowicz and Lopez, 2002).

• In May 1921 the largest CME of the 20th century, the “Great Storm,” disabled most telegraph service in the United States and damaged underwater trans-Atlantic cables.

• A CME in March 1989 collapsed the Hydro-Québec power grid and nearly toppled the U.S. grid. The net cost of the grid failure was estimated to be $13.2 million; some damaged transmission-system equipment was not returned to service for several months (Bolduc, 2002, p. 1794).

Riley (2012, p. 1) notes that “By virtue of their rarity, extreme space weather events [e.g., geomagnetic disturbances], such as the Carrington event of 1859, are difficult to study, their rates of occurrence are difficult to estimate, and prediction of a specific future event is virtually impossible.” Nevertheless, Riley (2012) and Kappenman (2010, 2012) suggest that such events have occurrence frequencies on the order of one or more per century; Kappenman (2012) also suggests that extreme geomagnetic disturbances can cause severe damage to the electrical grid. A 2011 JASON report (Mitre, 2011) questions the plausibility of Kappenman’s worst-case scenario for damage to the electrical grid from an extreme geomagnetic disturbance but also calls for a study of the vulnerability of the U.S. grid.

The potential impacts of CME-induced geomagnetic disturbances on the electrical grid are well recognized (e.g., CENTRA, 2011; EPRI and NEC, 2011). Measures can be taken to protect the grid from damage from such disturbances, for example as was done by Hydro-Québec following the 1989 CME (see Bolduc, 2002). In 2013, the Federal Energy Regulatory Commission ordered the development of electrical grid reliability standards for geomagnetic disturbances (FERC, 2013). The standards are to be developed over a two-year period and implemented thereafter. It could be several more years before a plan is developed and executed to implement those standards.

The USNRC has initiated a phased rulemaking to ensure long-term cooling and unattended water makeup of spent fuel pools that could be affected by prolonged disruptions to the electrical grid resulting from geomagnetic disturbances (USNRC, 2012e). This action was initiated in response to a petition asserting that prolonged outages of the North American power grid caused by geomagnetic disturbances could result in diesel generator fuel depletion and failure of resupply.
SIDEBAR 5.3 Race and Corner Conditions

The response of engineering safety systems in Units 1 and 2 at the Fukushima Daiichi plant to the loss of AC and DC power revealed a subtle but significant vulnerability of control systems; this vulnerability has important implications for risk analysis. As noted in Chapter 4, the power in both the AC and DC circuits was lost nearly simultaneously, resulting in a “race” between DC logic circuits commanding the fail-safe closure of the isolation valves and the loss of AC power to the valve motors. This race had different outcomes in Unit 1 and Unit 2: In Unit 1, the isolation condenser’s AC-operated valves inside containment were effectively closed before the power failed; in Unit 2, in contrast, the valves for the reactor core isolation cooling system remained open. These different outcomes were apparently determined by small differences in the timing and sequence of power failures resulting from the flooding of multiple power sources and distribution systems.

The situation where two signals compete to perform actions is known as a “race condition.” This condition can occur whenever electronic logic circuits and computers are used to control safety systems. Such systems can be found in technologies ranging from nuclear power plants to your automobile. When a race condition is not anticipated or correctly resolved, the consequences can range from merely annoying (e.g., causing your personal computer to “blue screen”) to catastrophic (e.g., disabling the isolation condenser in Unit 1 at the Fukushima Daiichi plant). Understanding race conditions is of increasing importance in both system design and safety analysis (Leveson, 1995). The control system must not only handle all permutations of input states under normal operating conditions but also the failure of power supplies for the logic controller and all controlled systems.
It is essential that the logic controller and controlled systems wind up in predictable and safe states following a power loss or transient. This did not happen at the Fukushima Daiichi plant: following the complete loss of AC and DC power, operators had no idea of the status of almost all critical systems.

The inclusion of race conditions in risk analysis is complicated by several factors. First, it requires a more detailed analysis of the logic controller software and hardware, power circuits, and structures, systems and components than is usually considered in a plant-level risk assessment. Second, race conditions often happen when multiple abnormal conditions and seemingly unlikely combinations of events take place. These combinations are frequently found at extreme values of parameters, sometimes referred to as “corner conditions,” within the event space and fault sequences being considered as part of a risk analysis. Third, many power plant systems are large and respond slowly due to the inertia in the plant’s systems and components—except for the logic controller and electrical circuits. This creates a mismatch that has to be analyzed carefully; specialized engineering analysis may be required to examine high-consequence, low-probability corner conditions (e.g., multiple, nearly simultaneous power failures on buses that are expected to be independent).

The simultaneous loss of all AC and DC power at Fukushima Daiichi appears to be a “corner condition” that the plant’s engineering systems were not designed to handle. The unknown state of multiple safety-related components and the inability to actuate those components greatly complicated management of the accident and may have contributed to its severity. This condition was manifested in at least three plant systems (see Chapter 4):

• The closure of isolation valves for Unit 1 and 2 cooling systems as discussed previously.

• The interaction of containment venting with the standby gas treatment systems. Because the AC-powered dampers used to close the standby gas treatment systems were in an unknown position and could not be operated, the venting of the containments may have allowed hydrogen gas to enter the plant’s reactor buildings. Gravity-operated dampers in Units 1, 2 and 3 appeared to be effective in preventing hydrogen backflow into those units. Hydrogen backflow into Unit 4 apparently did occur because dampers were never installed there; they had been considered unnecessary (TEPCO, 2012b, p. 351).

• The interaction of water injection by fire truck pumps with the condensate make-up water system. A sequence of valves was used to connect the fire protection plumbing to the reactor pressure vessel using components of the condensate make-up water system. Unfortunately, the valves leading to the condensate storage tank were open, diverting water flow from the reactor and reducing the effectiveness of core cooling.

The increased use of embedded controllers in process control, including the ongoing upgrades of nuclear power plant control rooms, and the unanticipated corner and race conditions at Fukushima indicate that increased attention to race and corner conditions is needed in future risk assessment for nuclear power plants as well as in future design and verification and validation activities for next-generation nuclear power plants.
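As an added illustration of the valve race described in this sidebar (a constructed model, not TEPCO's or the committee's analysis; the 10-second stroke time, all event timings, and the stored-energy valve used for comparison are hypothetical), the following Python code enumerates the orderings of the two power losses and shows why a motor-operated valve can end up closed, open, or mid-stroke while the control room can see none of it:

```python
"""Constructed model of the DC-logic vs. AC-motor race from Sidebar 5.3.

Two power failures occur during a station blackout:
  t_dc : DC power to the logic circuit is lost. The fail-safe logic responds
         by commanding the AC-operated isolation valve to close.
  t_ac : AC power to the valve motor is lost. The motor moves only while AC
         is available.
A motor-operated valve needs `travel_s` seconds of motor power to go from
fully open (position 1.0) to fully closed (position 0.0). All numbers below
are hypothetical; they are chosen only to reproduce the two outcomes the
sidebar describes, not to reflect the actual Fukushima Daiichi timings.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Outcome:
    position: float   # 1.0 = fully open, 0.0 = fully closed
    state: str        # "open", "closed" or "partially_closed"
    indicated: str    # what the control room can see afterwards


def motor_operated_valve(t_dc: float, t_ac: float, travel_s: float) -> Outcome:
    """Physical end state when the closing stroke depends on AC motor power."""
    if t_ac <= t_dc:
        # AC died before the close command existed: the valve never moves.
        moved = 0.0
    else:
        # The motor runs from the command until AC is lost or travel completes.
        moved = min(t_ac - t_dc, travel_s) / travel_s
    position = round(1.0 - moved, 6)
    if position == 0.0:
        state = "closed"
    elif position == 1.0:
        state = "open"
    else:
        state = "partially_closed"
    # Position indication needs DC, so after t_dc the operators see nothing.
    return Outcome(position, state, "unknown")


def stored_energy_valve(t_dc: float, t_ac: float, travel_s: float) -> Outcome:
    """Hypothetical comparison design: the closing stroke is driven by stored
    energy (e.g. a spring), so once commanded it needs neither AC nor DC and
    the ordering of the two power losses cannot change the end state."""
    return Outcome(0.0, "closed", "unknown")


def corner_condition_sweep(valve, travel_s: float, window_s: float, step_s: float):
    """Enumerate every ordering and spacing of the two power losses inside a
    time window and record the physical end state for each combination."""
    ticks = [i * step_s for i in range(int(window_s / step_s) + 1)]
    return {(t_dc, t_ac): valve(t_dc, t_ac, travel_s).state
            for t_dc, t_ac in product(ticks, repeat=2)}


def is_race_free(valve, travel_s: float, window_s: float = 30.0,
                 step_s: float = 1.0) -> bool:
    """A design is race-free over the window if all corner conditions land
    in the same (predictable) end state."""
    states = set(corner_condition_sweep(valve, travel_s, window_s, step_s).values())
    return len(states) == 1


if __name__ == "__main__":
    TRAVEL = 10.0  # hypothetical full-stroke time, seconds
    cases = {
        "Unit 1-like": motor_operated_valve(t_dc=0.0, t_ac=15.0, travel_s=TRAVEL),
        "Unit 2-like": motor_operated_valve(t_dc=5.0, t_ac=2.0, travel_s=TRAVEL),
        "mid-stroke":  motor_operated_valve(t_dc=0.0, t_ac=4.0, travel_s=TRAVEL),
    }
    for name, o in cases.items():
        print(f"{name:12s} position={o.position:.1f} state={o.state} "
              f"indicated={o.indicated}")
    print("motor-operated valve race-free:", is_race_free(motor_operated_valve, TRAVEL))
    print("stored-energy valve race-free: ", is_race_free(stored_energy_valve, TRAVEL))
```

The sweep is the check a risk analyst would want: it makes the corner conditions explicit instead of assuming the buses fail in a convenient order.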
SIDEBAR 5.4 East Coast Tsunamis

Although tsunamis in the Atlantic Ocean Basin do not occur with the frequency of those in the Pacific and Indian Ocean Basins, the potential for tsunami generation is high in some locations. One such location is the eastern edge of the United States.

The eastern edge of the United States has a broad and gently sloping continental shelf comprising sediments derived from erosion of the North American continent. Sediment slumps and slides along the outer margins of this shelf have the potential to create large tsunamis. Slumps and slides could be initiated by earthquake shaking or by the release of methane hydrates, which are plentiful along the continental margin. (Hydrate release could be caused by ocean warming or by uncovering by a previous slide.)

Driscoll et al. (2000) propose that the sediment slides along the shelf margin can be characterized by power-law distributions—that is, by a large number of small-scale slides and a small number of large-scale slides. An example of such a large-scale slide is the Albemarle-Currituck slide shown in Figure S.5.2. This slide displaced approximately 150 km³ of sediment, similar to the Grand Banks slide described in Appendix K. Such slides are both infrequent and unpredictable.

Within about half an hour of such a slide, ocean surface levels above the slide will decrease rapidly by a few meters. This would be followed by a rapid increase in ocean surface levels minutes to about an hour later. A large, rapidly moving coherent slide has the potential to produce a tsunami of considerable size. Its effect on coastal regions, however, will depend on factors such as the tidal cycle, ocean floor topography, and coastal geometry.
FIGURE S.5.2 (A) High-resolution image of the continental shelf and slope offshore of Virginia and North Carolina showing the Albemarle-Currituck slide and several large canyons. (B) Inset map showing location of image in (A). (C) Close-up image of continental shelf edge showing gas blowouts. SOURCE: Driscoll et al. (2000).
SIDEBAR 5.5 Backfit Analysis

“Backfitting” is any mandated modification to the design or operations of an already-licensed nuclear plant under 10 CFR 50.109. Except in some narrowly designed circumstances,[a] the USNRC requires that its staff estimate all the costs to the licensee and the USNRC for the proposed backfit and balance these costs against the potential benefits in reduced risks to the facility, its employees, and the public. If the benefits exceed the costs, then the proposed backfit is determined to be cost effective. The USNRC’s Regulatory Analysis Technical Evaluation Handbook (USNRC, 1997a) provides guidance on how to carry out the required analysis. PRA plays a central role in estimating the risk reduction for the proposed backfit.

A backfit analysis was carried out recently by the USNRC for adding filtered vents to the containments of Mark I and Mark II boiling water reactors (see Chapter 2 for a description of these reactors) to reduce the release of radioactive materials to the environment following a core meltdown. The analysis used a simple PRA for containment failure modes and the MELCOR code for estimating how much radioactivity would escape from containment for each failure mode. Population radiation doses, population evacuations, and land contamination areas were calculated for a reference plant (the Peach Bottom plant in Pennsylvania) and averaged over weather and wind conditions at the plant location. The quantitative analysis (see Appendix L) concluded that the cost of installing filtered vents on reactors with Mark I and Mark II containments would exceed the benefits. Installation of filtered vents therefore failed the backfit cost-benefit test based on this quantitative analysis.

Appendix L describes the hypothetical costs for the accident at the Peach Bottom Plant used in the USNRC’s backfit analysis and compares them to the projected costs for the accident at the Fukushima Daiichi plant. This comparison illustrates the sensitivity of cost estimates to assumptions made about the accident scenario, the plant, and its location. As shown in Appendix L, the likely costs for the Fukushima Daiichi nuclear accident exceed the estimated costs for the hypothetical accident at the Peach Bottom plant by a factor of about 33.

[a] 10 CFR 50.109 states that “The Commission shall always require the backfitting of a facility if it determines that such regulatory action is necessary to ensure that the facility provides adequate protection to the health and safety of the public and is in accord with the common defense and security.”