The “Race” to Resolve the Boiling Water Reactor Safety Limit Problem

April 24, 2018 | 6:00 am
Dave Lochbaum
Former Contributor

General Electric (GE) informed the Nuclear Regulatory Commission (NRC) in March 2005 that its computer analyses of a depressurization event for boiling water reactors (BWRs) non-conservatively assumed the transient would be terminated by the automatic trips of the main turbine and reactor on high water level in the reactor vessel. GE’s updated computer studies revealed that one of four BWR safety limits could be violated before another automatic response terminated the event.

Over the ensuring decade-plus, owners of 28 of the 34 BWRs operating in the US applied for and received the NRC’s permission to fix the problem. But it’s not clear why the NRC allowed this known safety problem, which could allow nuclear fuel to become damaged, to linger for so long or why the other six BWRs have yet to resolve the problem. UCS has asked the NRC’s Inspector General to look into why and how the NRC tolerated this safety problem affecting so many reactors for so long.

BWR Transient Analyses

The depressurization transient in question is the “pressure regulator fails open” (PRFO) event. For BWRs, the pressure regulator positions the bypass valves (BPV in Figure 1) and control valves (CV) for the main turbine as necessary to maintain a constant pressure at the turbine inlet.

When the reactor is shut down or operating at low power, the control valves are fully closed and the bypass valves are partially opened as necessary to maintain the specified pressure. When the turbine/generator is placed online, the bypass valves are closed and the control valves are partially opened to maintain the specified inlet pressure. As the operators increase the power level of the reactor and send more steam towards the turbine, the pressure regulator senses this change and opens the control valves wider to accept the higher steam flow and maintain the constant inlet pressure.

Fig. 1 (Source: Nuclear Regulatory Commission, annotated by UCS)

If the sensor monitoring turbine inlet pressure provides a false high value to the pressure regulator or an electronic circuit card within the regulator fails, the pressure regulator can send signals that fully open the bypass valves and the control valves. This is called a “pressure regulator fails open” (PRFO) event. The pressure inside the reactor vessel rapidly decreases as the opened bypass and control valves accept more steam flow. Similar to how the fluid inside a shaken bottle of soda rises to and out the top when the cap is removed (but for different physical reasons), the water level inside the BWR vessel rises as the pressure decreases.

The water level is normally about 10 feet above the top of the reactor core. When the water level rises about 2 feet above normal, sensors will automatically trip the main turbine. When the reactor power level is above about 30 percent of full power, the turbine trip will trigger the automatic shut down of the reactor. The control rods will fully insert into the reactor core within a handful of seconds to stop the nuclear chain reaction and terminate the PRFO event.

The Race to Automatic Reactor Shut Down

The reactor depressurization during a PRFO event above 30 percent power actually starts two races to automatically shut down the reactor. One race ends when high vessel level trips the turbine which in turn trips the reactor. The second race is when low pressure in the reactor vessel triggers the automatic closure of the main steam isolation valves (MSIV in Figure 1). As soon as sensors detect the MSIVs closing, the reactor is automatically shut down.

BWRs do not actually stage PRFO events to see what parameter wins the reactor shut down race. Instead, computer analyses are performed of postulated PRFO events. The computer codes initially used by GE had the turbine trip on high water level winning the race. GE’s latest code shows MSIV closure on low reactor vessel pressure winning the race.

The New Race Winner and the Old Race Loser

The computer analyses are performed for reasons other than picking the winner of the reactor shut down race. The analyses are performed to verify that regulatory requirements will be met. When the winner of the PRFO event reactor shut down race was correctly determined, the computer analyses showed that one of four BWR safety limits could be violated.

Figure 2 shows the four safety limits for typical BWRs. The safety limits are contained within the technical specifications issued by the NRC as appendices to reactor operating licenses. GE’s latest computer analyses of the PRFO event revealed that the reactor pressure could decrease below 785 pounds per square inch gauge (psig) before the reactor power level dropped below 25 percent—thus violating Safety Limit 2.1.1.1. The earlier computer analyses non-conservatively assumed that reactor shut down would be triggered by high water level, reducing reactor power level below 25 percent before the reactor pressure decreased below 785 psig.

Fig. 2 (Source: Nuclear Regulatory Commission)

Safety Limit 2.1.1.1 supports Safety Limit 2.1.1.2. Safety Limit 2.1.1.2 requires the Minimum Critical Power Ratio (MCPR) limit to be met whenever reactor pressure is above 785 psig and the flow rate trough the reactor core is above 10 percent of rated flow. The MCPR limit protects the fuel from being damaged by insufficient cooling during transients, including PRFO events. The MCPR limit keeps the power output from individual fuel bundles from exceeding the amount that can be carried away during transients.

As in picking reactor shut down race winners, BWRs do not slowly increase fuel bundle powers until damage begins, then back it down a smidgen or two. Computer analyses of transients also model fuel performance. The results from the computer analyses establish MCPR limits that guard against fuel damage during transients.

The computer analyses examine transients from a wide, but not infinite, range of operating conditions. Safety Limit 2.1.1.1 defines the boundaries for some of the transient analyses. Because Safety Limit 2.1.1.1 does not permit the reactor power level to exceed 25 percent when the reactor vessel pressure is less than 785 psig, the computer analyses performed to establish the MCPR limit in Safety Limit 2.1.1.2 do not include an analysis of a PRFO event for high power/low pressure conditions.

Thus, the problem reported by GE in March 2005 was not that a PRFO event could violate Safety Limit 2.1.1.1 and result in damaged fuel. Rather, the problem was that if Safety Limit 2.1.1.1 was violated, the MCPR limit established in Safety Limit 2.1.1.2 to protect against fuel damage could no longer be relied upon. Fuel damage may, or may not occur, as a result of a PRFO event. Maybe, maybe not is not prudent risk management.

The Race to Resolve the BWR Safety Limit Problem

The technical specifications allow up to two hours to remedy a MCPR limit violation; otherwise the reactor power level must be reduced to less than 25 percent within the next four hours. This short time frame implies that the race to resolve the BWR Safety Limit problem would be a dash rather than a marathon.

The nuclear industry submitted a request to the NRC on July 18, 2006, asking that the agency merely revise the bases for the BWR technical specifications to allow safety limits to be momentarily violated. The NRC denied this request on August 27, 2007, on grounds that it was essentially illegal and unsafe:

Standard Technical Specifications, Section 5.5.14(b)(1), “Technical Specifications (TS) Bases Control Program,” states that licensees may make changes to Bases without prior NRC approval, provided the changes do not involve a change in the TS incorporated in the license. The proposed change to the TS Bases has the effect of relaxing, and hence, changing, the TS Safety Limit. An exception to a stated TS safety limit must be made in the TS and not in the TS Bases. In addition,  a potential exists that the requested change in the TS Bases could have an adverse effect on maintaining the reactor core safety limits specified in the Technical Specifications, and thus, may result in violation of the stated requirements. Therefore, from a regulatory standpoint, the proposed change to the TS Bases is not acceptable. [emphasis added]

and

… the staff is concerned that in some depressurization events which occur at or near full power, there may be enough bundle stored energy to cause some fuel damage. If a reactor scram does not occur automatically, the operator may have insufficient time to recognize the condition and to take the appropriate actions to bring the reactor to a safe configuration. [emphasis added]

In April 2012, the nuclear industry abandoned efforts to convince the NRC to hand wave away the BWR safety limit problem and recommended that owners submit license amendment requests to the NRC to really and truly resolve the problem.

Forget the Tortoise and the Hare—the Snail “Wins” the Race

On December 31, 2012, nearly ten years after GE reported the problem, the owner of two BWRs submitted a license amendment request to the NRC seeking to resolve the problem. The NRC issued the amendment on December 8, 2014. Table 1 shows the “race” to fix this problem at the 34 BWRs operating in the US.

Table 1: License Amendments to Resolve BWR Safety Limit Problem
Reactor License Amendment Request License Amendment Original Reactor  Pressure Revised Reactor  Pressure
Susquehanna Units 1 and 2 12/31/2012 12/08/2014 785 psig 557 psig
Monticello 03/11/2013 11/25/2014 785 psig 686 psig
Pilgrim 04/05/2013 03/12/2015 785 psig 685 psig
River Bend 05/28/2013 12/11/2014 785 psig 685 psig
FitzPatrick 10/08/2013 02/09/2015 785 psig 685 psig
Hatch Units 1 and 2 03/24/2014 10/20/2014 785 psig 685 psig
Browns Ferry Units 1, 2, and 3 12/11/2014 12/16/2015 785 psig 585 psig
Duane Arnold 08/06/2015 08/18/2016 785 psig 686 psig
Clinton 08/18/2015 05/11/2016 785 psig 700 psia
Dresden Units 2 and 3 08/18/2015 05/11/2016 785 psig 685 psig
Quad Cities Units 1 and 2 08/18/2015 05/11/2016 785 psig 685 psig
LaSalle Units 1 and 2 11/19/2015 08/23/2016 785 psig 700 psia
Peach Bottom Units 2 and 3 12/15/2015 04/27/2016 785 psig 700 psia
Limerick Units 1 and 2 01/15/2016 11/21/2016 785 psig 700 psia
Columbia Generating Station 07/12/2016 06/27/2017 785 psig 686 psig
Nine Mile Point Unit 1 08/01/2016 11/29/2016 785 psig 700 psia
Oyster Creek 08/01/2016 11/29/2016 785 psig 700 psia
Perry 11/01/2016 06/19/2017 785 psig 686 psig
Nine Mile Point Unit 2 12/13/2016 10/31/2017 785 psig 700 psia
Brunswick Units 1 and 2 None found None found 785 psig Not revised
Cooper None found None found 785 psig Not revised
Fermi Unit 2 None found None found 785 psig Not revised
Grand Gulf None found None found 785 psig Not revised
Hope Creek None found None found 785 psig Not revised

 

UCS Perspective

BWR Safety Limits 2.1.1.1 and 2.1.1.2 provide reasonable assurance that nuclear fuel will not be damaged during design bases transients. In March 2005, GE notified the NRC that a computer analysis glitch undermined that assurance.

The technical specifications issued by the NRC allow BWRs to operate above 25 percent power for up to six hours when the MCPR limit is violated. GE’s report did not reveal the MCPR limit to be violated at any BWR; but it stated that the computer methods used to establish the MCPR limits were flawed.

There are only four BWR safety limits. After learning that one of the few BWR safety limits could be violated and determining that fuel could be damaged as a result, the NRC monitored the glacial pace of the resolution of this safety problem. And six of the nation’s BWRs have not yet taken the cure. Two of those BWRs (Brunswick Units 1 and 2) do not have GE fuel and thus may not be susceptible to this problem. But Cooper, Fermi Unit 2, and Hope Creek have GE fuel. It is not clear why their owners have not yet implemented the solution.

The NRC is currently examining how to implement transformational changes to become able to fast track safety innovations. I hope those efforts enable the NRC to resolve safety problems in less than a decade; way, way less than a decade. Races to resolve reactor safety problems must become sprints and no longer leisurely paced strolls. Americans deserve better.

UCS asked the NRC’s Inspector General to look into how the NRC mis-handled the resolution of the BWR safety limit problem. The agency can, and must, do better and the Inspector General can help the agency improve.