Abstract
Two Nuclear Safety Advisory Letters (NSALs) advise operators of PWRs that they may assume, in accident analyses, that certain safety and relief valves can open, relieve water, and then reseat properly. The NSALs claim that water which exits the reactor coolant system (RCS) can be made up by water that is delivered into the RCS by the emergency core coolant system (ECCS). For example, during an inadvertent operation of the ECCS (IOECCS) event, the NSALs claim, “since the cause of the water relief is the ECCS flow, the magnitude of the leak will be less than or equivalent to that of the ECCS (i.e., operation of the ECCS maintains RCS inventory during the postulated event and establishes the magnitude of the subject leak).” A comparison of ECCS flow to water relief, at relevant RCS pressures, indicates that water relief, during an IOECCS, cannot be dismissed as a leak. Critical flow calculations indicate that ECCS flow cannot replace RCS inventory that is relieved, as water, through the pressurizer relief and safety valves when RCS pressures are near nominal operating levels. At much lower pressures, the ECCS could offset the water relief. However, by then the IOECCS will have been either resolved, or will have developed into a loss of coolant accident (LOCA). The NSALs were published in 1993 and 2007. NRC did not question the NSALs’ advice until 2015, when it was found in a licensee’s application for a power uprating. The licensee might have submitted a false statement in support of its application.
1 Introduction
In 1993 and 2007, Westinghouse Electric Corporation distributed two Nuclear Safety Advisory Letters (NSALs) to its customers (i.e., utilities that owned or operated its pressurized water reactors (PWRs)) that recommended several assumptions and methods that may be applied in licensing basis accident analyses of certain postulated plant events. These NSALs pertained to the following US plants:
(These NSALs also applied to about an equal number of foreign PWRs.)
These NSALs address licensing basis analyses of the inadvertent operation of emergency core coolant system (ECCS) at power (IOECCS) [1] and the loss-of-normal feedwater/loss-of-offsite AC power (LONF) [2] accidents, which are presented in final safety analysis reports (FSARs). Additionally, analyses of the chemical and volume control system (CVCS) malfunction, and the inadvertent opening of a power-operated relief valve (IOPORV) or pressurizer safety valve (PSV) are affected.
All these accidents are classified as events of moderate frequency or anticipated operational occurrences (AOOs) [3]. They are also known as Condition II events [4]. AOOs can occur one or more times during a year of plant operation. AOOs must not be serious enough to cause any radioactive releases into the environment. Analyses of the listed AOOs simulate additions of heat (or loss of heat sink) or mass (ECCS flow) that can cause the pressurizer water level to rise, and eventually fill the pressurizer with water. If any of the PORVs or PSVs open, then they would relieve water. Since PORVs and PSVs are designed to relieve only steam, they are conservatively assumed, in accident analyses, to fail to reseat when pressure falls below the opening pressure setpoint.
2 Events of Moderate Frequency or Anticipated Operational Occurrences
The following requirements [3–6] pertain to the evaluation of all AOOs. There are more than a dozen AOOs in plant licensing bases, in addition to the IOECCS, LONF, CVCS malfunction, and the IOPORV events.
(1) Pressure in the reactor coolant and main steam systems shall be maintained below 110% of the design values. In accident analyses that are intended to demonstrate compliance with this requirement, all PORVs are assumed to be inoperative, to maximize the resultant RCS pressure. This requirement is also known as the overpressure requirement.
The overpressure requirement is not an issue for the IOECCS since the ECCS pumps cannot pressurize the RCS to 110% of its design pressure. For example, in Westinghouse PWRs, the PSVs typically open at the RCS design pressure (2500 psia), and the PORVs typically open at about 50 psia below the high-pressure reactor trip setpoint (2400 psia), to avoid unnecessary reactor trips during AOOs. The shutoff head of the charging pumps is typically about 2600 psia, or 150 psia below 110% of RCS design pressure (2750 psia). So, there would be no flow available to pressurize the RCS to any pressures greater than about 2600 psia.
(2) Fuel cladding integrity shall be maintained by ensuring that the minimum departure from nucleate boiling ratio (DNBR) remains above the DNBR safety limit, which is derived at a 95% confidence level and a 95% probability (i.e., DNB is likely to occur if the calculated DNBR falls below the DNBR safety limit during the event analysis). In accident analyses that are intended to demonstrate compliance with this requirement, all PORVs are assumed to operate as designed (i.e., they will open at the opening setpressure), to minimize the calculated DNBR. If a PORV fails to reseat, for any reason, then the RCS will depressurize and thereby encourage the onset of DNB. This is known as the DNB requirement. The DNB requirement is not an issue for the IOECCS since the ECCS actuation sequence causes an immediate reactor trip. There is no power generated during an IOECCS.
(3) An incident of moderate frequency shall not generate a more serious plant condition without other faults occurring independently. In accident analyses that are intended to demonstrate compliance with this requirement, all PORVs are assumed to operate as designed. That is, valves that are not assumed to open cannot be tested by analysis (i.e., they cannot be predicted to fail open). This requirement is also known as the non-escalation requirement.
The general design criteria (GDCs) [3] define two basic types of events: AOOs, and postulated accidents (PAs). AOOs are “those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit.” PAs are less frequent, but more serious, events, such as loss of coolant accidents (LOCAs). If risk is defined as the product of consequences and frequency of occurrence, then the risk of an AOO would be about the same as the risk of a LOCA. This principle was established in 1971 [3] and explicitly expressed in 1983 [5] by: “… nuclear safety criteria … have been established on the premise that: a. Those situations in the plant that are assessed as having a high frequency of occurrence shall have a small consequence to the public, and b. Those extreme situations having the potential for the greatest consequence to the public shall be those having a very low frequency of occurrence.” The IOECCS, LONF, CVCS malfunction, and the IOPORV events are classified as AOOs.
Compliance with the non-escalation requirement is particularly important for AOOs, since it prevents AOOs (i.e., events in a low consequence, high frequency category) from developing into events of a high consequence, high frequency category. That is, a plant that is not designed in compliance with the non-escalation requirement could be subjected to new, unanalyzed events of high consequence, and high frequency.
3 Affected Accident Analyses
3.1 IOECCS.
In the IOECCS event, an excessive (i.e., unnecessary) amount of water is added to the RCS [6]. This could generate a more serious plant condition by filling the pressurizer and raising its pressure to the PORV opening setpoint, which could cause one or more PORVs to open and relieve water. If the PORVs are not qualified to relieve water, then they cannot be relied upon to reseat (i.e., they must be conservatively assumed to stick open). In this way, stuck-open PORVs produce a more serious plant condition (e.g., a small LOCA) by creating a hole at the top of the pressurizer. If there is no concurrent instance of another, independent fault, or operator error, then the development of a LOCA indicates that the plant design does not meet the non-escalation requirement.
If the PORVs are not available (e.g., if the plant is operating with isolated PORVs), then the RCS pressure could rise to the PSV opening setpressure, which would cause three PSVs to open and create an even bigger hole at the top of the pressurizer. This hole would be equivalent to a 3.7 in. diameter hot leg LOCA. The NSAL [1] states, “a water-solid pressurizer condition should be precluded when the pressurizer is at or above the set pressure of the PSRVs. An exception to this criterion can be made if the utility can support a position that their PSRVs are designed and qualified to relieve subcooled water.”
There are two problems with this recommendation: (1) both the supplier and the maker of a plant's PSVs state that their PSVs are not qualified for water relief duty, and (2) PSVs, even if they were qualified for water relief, cannot be used to demonstrate compliance with the non-escalation requirement, since they would not open until after the event has escalated (i.e., RCS design pressure has been reached, the reactor has tripped, and the event has become an event of a more serious category).
3.2 LONF.
In the LONF event, a loss of normal feedwater (i.e., loss of heat sink) could generate a more serious plant condition by heating the reactor coolant water, causing it to swell and surge into the pressurizer, eventually filling it and raising its pressure to the PORV opening setpoint. Like the IOECCS event, water relief through any PORVs or PSVs could produce a more serious plant condition (e.g., a small LOCA) by creating a hole at the top of the pressurizer. Escalation will not occur if there is adequate heat removal, via the auxiliary feedwater system, to prevent the pressurizer from filling with water. In that case, any PORVs that may open would relieve only steam, and would subsequently reseat properly.
3.3 CVCS Malfunction.
A CVCS malfunction could be caused by an operator error, or by failure of the controlling pressurizer water level sensor (in the low direction). Either of these could start both charging pumps, run them at maximum capacity, and ultimately fill the pressurizer. (Normally, only one charging pump is operating.) Like the IOECCS event, water relief through any PORVs or PSVs could produce a more serious plant condition (e.g., a small LOCA) by creating a hole at the top of the pressurizer. Unlike the IOECCS event, only charging (i.e., makeup) flow is added to the RCS. The higher capacity, lower head safety injection (SI) pumps are not operated until an SI signal is generated. The conservative assumption, used in accident analyses, is to apply a relatively high charging flow, which is supplied by both charging pumps (e.g., in Fig. 1). Even with the operation of two charging pumps, makeup flow cannot replace water relief through one open PORV until the RCS pressure drops below 1400 psia.
3.4 IOPORV.
The PORVs, as well as pressurizer spray and heaters, comprise the pressurizer pressure control system. They are designed to prevent unnecessary reactor trips, and unnecessary challenges to the PSVs. The PORVs are designed to relieve enough pressure to keep the plant online during AOOs (e.g., turbine trips and partial load rejections). Some Westinghouse plants, known as full load rejection plants, are equipped with three PORVs, which enable them to tolerate a full load rejection or turbine trip without tripping the reactor.
In analyses of the IOPORV, it is conservatively assumed that a PSV, not a PORV, spuriously opens, since PSVs are about twice as large as PORVs. The resulting RCS depressurization would be greater and faster than that of an open PORV. That is, the IOPORV event is treated, in licensing basis analyses (e.g., in FSARs), as a depressurization of the RCS, at power, which degrades core thermal margin until the reactor is tripped. The low thermal margin reactor trip setpoint is based upon a calculated value that is determined by RCS pressure, power, flow, and axial power offset. Low thermal margin reactor trips will generally occur within about three or four seconds after the event begins. Consequently, the event simulation is usually ended soon after the reactor is tripped, at about four seconds. This demonstrates that the DNB requirement is satisfied, since DNB would not occur when no power is being generated.
However, this does not address the non-escalation requirement. If the IOPORV simulation were to be extended by several minutes, then the RCS depressurization would eventually cause the ECCS to be actuated by the low pressurizer pressure SI signal. (This would not be an inadvertent actuation.) The robust ECCS flow, which would be enabled by a relatively low RCS backpressure, would fill the pressurizer faster than would an IOECCS. Water relief through an unqualified PORV could then lead to a LOCA.
During an IOPORV, alert operators could close or isolate a spuriously opened PORV before the ECCS is actuated, and thereby end the AOO.
Later, if the ECCS is actuated, then the IOPORV begins to resemble an IOECCS. The pressurizer can fill with water and cause the PORVs to open and relieve water. The PORVs would conservatively be assumed to become stuck in the open position. If the ECCS is somehow actuated after the PORVs are isolated, then the PSVs could open, relieve water, and stick open. Open PORVs can be isolated by closing their manual block valves. Open PSVs cannot be isolated.
The IOPORV analysis is usually reported in licensing bases (e.g., FSARs) only to demonstrate compliance with the DNB requirement. Mass addition case analyses of the IOPORV event, to demonstrate compliance with the non-escalation requirement, are not generally provided.
4 NSAL Advice
The NSALs refer to [4], in which an AOO is defined as a “minor reactor coolant system leak which would not prevent orderly reactor shutdown and cooldown assuming makeup is provided by normal makeup systems only. … normal makeup systems are defined as those systems normally used to maintain reactor coolant inventory under respective conditions of startup, hot standby, power operation, or cooldown, using onsite power.” The NSALs conclude that, “since the cause of the water relief is the ECCS flow, the magnitude of the leak will be less than or equivalent to that of the ECCS (i.e., operation of the ECCS maintains RCS inventory during the postulated event and establishes the magnitude of the subject leak).”
The NSALs imply that the ECCS is a normal makeup system. The ECCS is not a normal makeup system. It is an emergency system that is actuated by an SI signal or by the operator, usually to deal with a LOCA. Furthermore, the SI signal causes a reactor trip, which is not an orderly shutdown. Onsite power may or may not be available. The ECCS is not designed to mitigate AOOs (i.e., ECCS actuation, during an event, is an indication that the event is more serious than an AOO).
The NSAL of 1993 [1] states, “the Inadvertent ECCS Actuation at Power induced LOCA is bounded by the existing small break LOCA analyses.” This is a false comparison, since it compares accidents of different categories which must meet different requirements. For example, the IOECCS must not incur any fuel damage, whereas it is acceptable for a LOCA to incur a limited amount of fuel damage.
4.1 PORVs Versus PSVs.
The NSAL states, “a water-solid pressurizer condition should be precluded when the pressurizer is at or above the set pressure of the PSRVs. An exception to this criterion can be made if the utility can support a position that their PSRVs are designed and qualified to relieve subcooled water” [1]. When the pressurizer is at or above the opening set pressure of the PSVs, it means that the AOO has not been mitigated by a reactor shutdown, which occurs at a lower pressure. The AOO has already developed into a more serious event (i.e., the non-escalation requirement is not satisfied). Qualification of the PSVs to relieve water has no bearing upon compliance with the non-escalation requirement or upon their effectiveness in mitigating any AOOs!
The PSVs are designed to open and prevent RCS pressure from exceeding its safety limit. The PSVs are not designed to relieve water, and then reseat, or even to open during AOOs. That is, the PSVs are designed only to limit RCS pressure. When PSVs open, they fulfill their required safety function. When PSVs fail, they fail closed. Furthermore, PSVs are designed to open at pressures that are greater than the pressures of AOOs. Stuck-open PSVs do not indicate a failure to comply with the non-escalation requirement since PSVs open during events that are already more serious than AOOs.
Furthermore, each PSV is about twice the size of a PORV, and it is not designed to cycle open and closed, like a PORV. Test results [7] indicate that a few such cycles would likely damage a PSV.
4.2 Normal Makeup Flow.
According to the NSALs, the abundance of ECCS flow would compensate for water relief through open PORVs or PSVs. The IOECCS event would not progress beyond a minor reactor coolant system leak that could be made up by normal makeup systems only. The ECCS is not a normal makeup system. The charging pumps, when actuated by an SI signal, cannot be treated like a normal makeup system. This charging flow is not controlled by a pressurizer level program or influenced by letdown flowrates. The charging pumps operate, simply, at maximum capacity, and they do not shut down until they are shut down by the operators. That is, when the charging pumps are actuated by an SI signal, their function is to supply emergency core cooling, not to maintain a programmed pressurizer water level.
The following figures compare the inflow and outflow rates described in the NSAL conclusions:
Normal makeup flow is supplied by one charging pump, not two charging pumps. The flow supplied by one charging pump cannot compensate for the water relief (as determined by critical flow calculations) through one open PORV.
The flow supplied by two charging pumps (i.e., as a contributor to ECCS flow) could exceed the water relief through one PORV, but only at pressures below about 1400 psia. By then, the AOO will have become a more serious event.
4.3 ECCS Flow.
Figure 2 depicts a comparison of ECCS flow to PORV relief rates. Two PORVs are assumed to be opened. The ECCS flowrate is conservatively assumed to be high (i.e., no pump or valve failures are assumed), so that it would tend to match the PORV relief rate at higher RCS pressures.
At RCS pressures that are greater than about 1500 psia, ECCS flow is supplied by two charging pumps. At lower RCS pressures, charging flow is supplemented by flow from SI pumps. (The rapid increase in ECCS flow, at about 1500 psia, is due to additional flow from the SI pumps.) The total ECCS flowrate will not exceed the steam relief rate from two PORVs until the RCS pressure drops to about 2000 psia. (Steam relief occurs only when the pressurizer is not full of water.)
The total ECCS flowrate will not exceed the PORVs’ water relief rate until the RCS pressure drops to about 1300 psia. At that time, ECCS flow is supplied by charging and SI pumps, and the pressurizer is full.
One PSV has about twice the steam relief capacity of one PORV, and there are three PSVs. To estimate the steam relief rate of three stuck-open PSVs, triple the depicted steam relief rate of two PORVs. (If any PSVs open, it is possible that all three PSVs will open since they all share the same opening setpressure.)
Figure 3 shows that ECCS flow can replace the steam flow through a PORV, but not the water flow, until the RCS pressure drops below about 1500 psia.
The NSAL’s mass-balance argument (i.e., what goes in, comes out) treats the pressurizer like an open bucket that is filled to the brim with water. Whatever spills over the top is matched, exactly, by the water flowing into the bucket. However, the pressurizer is more like a closed, pressurized tank with a hole in it. The flow exiting through the hole is determined by critical flow calculations that are based upon the size of the hole, the tank pressure, the flow quality (e.g., the steam/water mixture), and the backpressure (i.e., the pressure of the space into which the steam/water mixture flows). It is not determined by any flow that may be entering the tank. Certain utilities have adopted the NSAL mass-balance argument and used it in their licensing basis analyses of mass addition AOOs (e.g., IOECCS, CVCS Malfunction, and IOPORV). The Nuclear Regulatory Commission (NRC) did not question this rationale until 2015, when it issued a backfit order to have this corrected [8,9].
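As an added illustration (not code from the paper or the NSALs), the following Python puts the two outflow models side by side: the NSALs’ “open bucket,” in which the leak equals the inflow, and a pressurized tank with a hole, in which the outflow depends only on hole size, tank pressure and backpressure. A Bernoulli orifice relation for subcooled liquid is assumed as a stand-in for a full critical-flow correlation, and the water density, discharge coefficient, backpressure and ECCS inflow are constructed values; the PORV equivalent diameter is derived from the paper’s statements that three stuck-open PSVs equal a 3.7 in. hole and one PSV has about twice a PORV’s capacity.

```python
"""Pressurizer inventory: NSAL 'open bucket' vs. pressurized tank with a hole.

Added example. Orifice relation and numeric inputs are assumptions that stand in
for the paper's critical-flow calculations; results are illustrative only.
"""
import math

PSI_TO_PA = 6894.757   # psi -> Pa
IN_TO_M = 0.0254       # inch -> m
RHO_WATER = 650.0      # kg/m^3, assumed density of hot subcooled RCS water (constructed)
CD = 0.6               # assumed discharge coefficient for a sharp-edged orifice (constructed)
P_BACK_PSIA = 15.0     # assumed backpressure downstream of the valves (constructed)


def hole_area_m2(diameter_in: float) -> float:
    """Flow area of a circular hole of the given diameter (inches)."""
    r = diameter_in * IN_TO_M / 2.0
    return math.pi * r * r


def bucket_outflow(inflow_kg_s: float, p_psia: float, diameter_in: float) -> float:
    """NSAL model: the pressurizer is an overflowing bucket, so the leak equals
    the inflow; pressure and hole size play no role at all."""
    return inflow_kg_s


def orifice_outflow(inflow_kg_s: float, p_psia: float, diameter_in: float) -> float:
    """Tank-with-a-hole model: m = Cd * A * sqrt(2 * rho * dP) for subcooled water
    (assumed Bernoulli orifice relation, a stand-in for a critical-flow correlation).
    inflow_kg_s is accepted only so both models share one signature; it does not
    enter the result, which is the paper's point."""
    dp_pa = max(p_psia - P_BACK_PSIA, 0.0) * PSI_TO_PA
    return CD * hole_area_m2(diameter_in) * math.sqrt(2.0 * RHO_WATER * dp_pa)


def net_inventory_rate(model, inflow_kg_s: float, p_psia: float, diameter_in: float) -> float:
    """RCS inventory change (kg/s) under a given outflow model; negative means the
    leak is draining the RCS faster than the ECCS refills it."""
    return inflow_kg_s - model(inflow_kg_s, p_psia, diameter_in)


def breakeven_pressure_psia(inflow_kg_s: float, diameter_in: float) -> float:
    """Pressure at which orifice outflow just equals the inflow, i.e. the pressure
    the RCS must fall to before the ECCS can hold inventory (solve the orifice
    relation for dP and add the backpressure)."""
    dp_pa = (inflow_kg_s / (CD * hole_area_m2(diameter_in))) ** 2 / (2.0 * RHO_WATER)
    return P_BACK_PSIA + dp_pa / PSI_TO_PA


def porv_equivalent_diameter_in(bank_diameter_in: float = 3.7, psvs: int = 3,
                                psv_to_porv: float = 2.0) -> float:
    """Equivalent diameter of one PORV: three PSVs ~ 3.7 in. hole and one PSV ~ two
    PORVs (from the paper), assuming flow area scales with relief capacity."""
    return bank_diameter_in / math.sqrt(psvs * psv_to_porv)


if __name__ == "__main__":
    eccs = 30.0  # kg/s, constructed ECCS inflow for illustration
    for label, d in (("three stuck-open PSVs", 3.7), ("one stuck-open PORV", porv_equivalent_diameter_in())):
        for p in (2500.0, 2000.0, 1500.0, 1000.0):
            print(f"{label:22s} {p:6.0f} psia  bucket net {net_inventory_rate(bucket_outflow, eccs, p, d):7.1f} kg/s"
                  f"  orifice net {net_inventory_rate(orifice_outflow, eccs, p, d):8.1f} kg/s")
        print(f"{label:22s} ECCS breaks even only below {breakeven_pressure_psia(eccs, d):.0f} psia")
```

The crossover pressures this prints come from the assumed orifice relation and constructed inputs, so they do not reproduce the paper’s figures; the point it demonstrates is that doubling the inflow changes the net inventory rate but leaves the outflow untouched.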
The backfit order was appealed [10] by the affected licensee to the issuing office, i.e., the Office of Nuclear Reactor Regulation (NRR). NRR denied the appeal [11]. The licensee appealed again, this time directly to the Executive Director for Operations (EDO) [12]. (Two appeals are permitted by 10 CFR §50.109, the Backfit Rule.) The EDO granted the second appeal [13]. In both appeals, the licensee asserted that its PSVs were capable of water relief.
About a year later, the NRR staff reviewed the basis of the EDO’s backfit appeal decision and concluded that it had no confidence in the licensee’s use of certain PSV test results to support its claim that PSVs are capable of water relief without damage (i.e., that PSVs would reseat properly after relieving water). Specifically, the NRR staff deemed the licensee’s water relief test results to be inconclusive. The NRR staff stated that it had no confidence that these test (EPRI, i.e., Electric Power Research Institute) results “provide reasonable assurance that the PSVs will reliably close following subcooled liquid discharge. … The staff now believes that referencing the EPRI test results as a demonstration of PSV closure capability following subcooled liquid discharge to be inappropriate” [7].
When issued, the NSALs applied to 31 operating Westinghouse-designed PWRs in the US and to approximately an equal number of PWRs outside the US. Each plant employs at least two PORVs and three PSVs. That amounts to more than 300 valves. They are designed to relieve steam, not water. Therefore, accident analysis assumptions conservatively model these valves as failed-open if they relieve water. The NSAL [1] states, “… it is assumed that PSRVs must not pass water in order to ensure their integrity and continued availability. … Hence, a water-solid pressurizer condition should be precluded when the pressurizer is at or above the set pressure of the PSRVs. An exception to this criterion can be made if the utility can support a position that their PSRVs are designed and qualified to relieve subcooled water.”
There are no utilities that have qualified their PSVs for water relief. However, there is one notable exception. The NRC has accepted the PSVs of the Byron and Braidwood plants as capable of water relief [13]. This is despite the presence of water relief test results that indicate these PSVs could not relieve water without sustaining extensive damage [7]. Consequently, the NRC has distinguished one licensee from among all the others. The situation could be sui generis, or it could be indicative of a double standard in the NRC’s regulatory practice [9]. In contrast, there are some utilities that have qualified their PORVs (not PSVs) to relieve water. There are about half a dozen PWRs that are equipped with upgraded PORVs (i.e., they are qualified for water relief, and suitable for use as safety grade components). For these plants, PORVs that relieve water need not be assumed to fail open in accident analyses of AOOs.
5 Conclusions
The NSAL’s comparison of an AOO to a LOCA is not justified. AOOs and LOCAs are events of different categories, with different frequencies of occurrence, which are required to meet different analysis acceptance criteria. Comparison of events of different categories cannot be used to conclude that an event of one category bounds an event of another category unless both events are required to meet the same analysis acceptance criteria. The applicable analysis acceptance criteria would be the more limiting criteria of the two categories. That is, AOO-induced LOCAs should meet the AOO analysis acceptance criteria and requirements, not the LOCA analysis acceptance criteria and requirements. The NSALs use a false comparison to bound the consequences of AOO-induced LOCAs with the consequences of LOCAs, events of a more serious category.
The NSALs claim that since the cause of the water relief is the ECCS flow, the magnitude of the leak will be less than or equivalent to that of the ECCS (i.e., operation of the ECCS maintains RCS inventory during the postulated event and establishes the magnitude of the subject leak). This is analogous to an overflowing bucket, in which the spillover is exactly matched by water that is poured into the bucket. The argument neglects to account for critical flow.
Figures 1–3 indicate that ECCS flow cannot replace the water that is discharged through PORVs or PSVs at or near the nominal RCS pressure (i.e., the pressure at which AOOs occur). At lower pressures, the AOOs will have been resolved or they will have developed into LOCAs. The development of an AOO-induced LOCA means that the plant design is not in compliance with the non-escalation requirement.
It is also apparent that the NSALs do not consider water relief through the PORVs or PSVs. If all the PSVs open, relieve water, and stick open, then the resulting hole at the top of the pressurizer would be equivalent to a 3.7 in. diameter hole in the RCS hot leg. The flow through the hole would have to be analyzed as a LOCA, not a leak.
The NSALs’ overflowing bucket argument could be an error or a false statement. If the argument is an error, it is an error that has not been corrected in more than two decades, as it passed among designers, operators, and regulators. Furthermore, it is reasonable to assume that the authors of both NSALs are familiar with critical flow models since they use them to calculate break flow rates in LOCA analyses. Therefore, the omission of the effects of critical flow, in two NSALs, issued 14 years apart, could be a false statement, not an error. If it is submitted willfully and knowingly to the NRC, by a licensee, then it could be regarded as a materially false statement. Submission of a materially false statement could be a violation of 18 USC § 1001, which makes it a crime to: (1) knowingly and willfully; (2) make any materially false, fictitious, or fraudulent statement or representation; (3) in any matter within the jurisdiction of the executive, legislative, or judicial branch of the United States.
The NSALs contain this significant reservation: “Westinghouse is unable to determine if this issue would cause a substantial safety hazard or a failure to comply resulting in a substantial safety hazard because sufficient plant specific information is not available. This information is being transferred to the applicable plants pursuant to 10 CFR 21.21(h). The NRC has not been notified of this issue.” Indeed, NSALs are not normally distributed to the NRC. However, NSALs that are referenced in License Amendment Requests can become part of the licensing basis if applicants submit them in response to Requests for Additional Information they receive from NRC staff reviewers. (This is how the NRC has obtained the NSALs that are discussed herein.)
Conflict of Interest
There are no conflicts of interest. This article does not include research in which human participants were involved. Informed consent is not applicable. This article does not include any research in which animal participants were involved.
Data Availability Statement
The data and information that support the findings of this article are freely available.
Nomenclature
- ADAMS = Agencywide Documents Access and Management System
- AOO = anticipated operational occurrence (a.k.a. Condition II event)
- CVCS = chemical and volume control system
- ECCS = emergency core cooling system
- EDO = Executive Director for Operations (at NRC)
- EPRI = Electric Power Research Institute
- GDC = general design criterion
- LOCA = loss of coolant accident
- NRC = Nuclear Regulatory Commission
- NRR = Office of Nuclear Reactor Regulation
- NSAL = Nuclear Safety Advisory Letter (issued by Westinghouse to its customers)
- PA = postulated accident
- PORV = pressurizer power-operated relief valve
- PSRV = pressurizer safety relief valve (a.k.a. PSV)
- PSV = pressurizer safety valve (a.k.a. PSRV)
- RCS = reactor coolant system