Abstract

A lack of knowledge acquisition (LOKA), among engineering staff members in supply firms (e.g., vendors), owner/operator utilities (e.g., licensees), and in regulatory agencies (e.g., the NRC), can impair nuclear power plant (NPP) safety in ways that can persist throughout the operating lifetime of an NPP. A LOKA occurs when experienced technical reviewers fail to pass enough information, or technology, to less-experienced technical reviewers. The existence of a LOKA, among technical reviewers, can lead to errors and omissions that can result in misleading or incomplete licensing bases. Eight examples of errors and omissions are presented, each of which is evaluated in the context of physical phenomena, logic, licensing strategy, and effects upon regulation. These errors and omissions could be attributed to several causes, one of which could be a LOKA. Reliable attribution to a LOKA or its causes is not directly addressed, since attention is focused principally upon the safety implications of errors and omissions that may possibly, but not exclusively, be due to a LOKA. The epistemology of a LOKA, which may consider training or human relations, is generally addressed in other studies, which apply to issues that affect more than the nuclear power industry. If those who design, analyze, license, operate, and regulate NPPs do not adequately understand and apply proven engineering principles, standards, and established regulations, critical thinking, and sound logical reasoning, then it could be said that a LOKA exists. A LOKA could hamper the development of defensible conclusions in safety analyses, viable licensing strategies, and fair regulatory judgments. Eight examples of errors and omissions are presented, each of which leads to a conclusion that seems to conflict with an industry standard, a federal regulation, an engineering principle or physical phenomenon, or just plain logic. The examples are generally evaluated in accordance with the requirements of a well-known, oft-cited nuclear industry standard, which is now almost half a century old. This standard was published in 1973 by the American Nuclear Society (ANS) (1973, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, La Grange Park, IL, ANS-N18.2-1973). It expresses the fundamental principle of nuclear safety and licensing, which is applied by vendors, licensees, and regulators alike. This Standard defines nuclear safety criteria and plant design requirements for plant operating situations or events according to their expected frequencies of occurrence. Those events that have high frequencies of occurrence must not pose a danger to the public. Events that could pose the greatest danger to the public must be limited, by design, to extremely low expected frequencies of occurrence. This concept is implemented by grouping postulated plant situations (or events) into categories that are defined according to their expected frequencies of occurrence. Licensees are required to present analyses and evaluations of the events, in each category, to demonstrate that the events’ consequences do not exceed the category’s specified acceptance limits. Furthermore, licensees are required to demonstrate that certain events would not develop into more serious events (e.g., events that would be grouped into more serious, higher-consequence categories), without the concurrent occurrence of independent faults. That is, the Standard (American Nuclear Society, 1973, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, La Grange Park, IL, ANS-N18.2-1973) requires that NPPs must be designed in a way that does not allow high-frequency, low-consequence events to degrade into high-frequency, high-consequence events. The errors and omissions that are considered in the example evaluations could be due to a LOKA, among other possible causes. In each example, a LOKA is sufficient; but not necessary, to produce the noted errors and omissions. Attention is focused upon the safety implications of a LOKA, not its epistemology. The LOKA in the nuclear power industry, including its regulators, is ongoing, since it is not recognized and remedied.

1 Introduction

A LOKA can result in a deficiency of understanding or critical thinking that leads to a misapplication of applicable standards, and to the consequent development of illogical, or inconsistent conclusions. Licensing records contain many examples of errors and omissions that can be attributed to a LOKA. A LOKA can afflict suppliers, licensees, and regulatory agencies. Eight examples are presented to illustrate how a LOKA can impair effective design, analysis, and regulation.

The most common and possibly the most damaging of these errors is discussed in Example 5, which pertains to the misapplication of pressurizer safety valves (PSVs) among accident analysis assumptions. In this example, the PSVs are equivalenced to pressurizer power-operated relief valves (PORVs), and assumed to operate, in certain classes of accidents, in lieu of PORVs.

The PORVs are part of a pressurized water reactor’s (PWR’s) automatic pressure control system, along with pressurizer heaters and spray, and used to maintain pressure within its acceptable operating range. They limit reactor coolant system (RCS) pressurization to levels below the high pressurizer pressure reactor trip setpoint, and thereby prevent unnecessary reactor trips, and the opening of any PSVs, which are set to open at a higher pressure than the PORVs.

The PSVs are part of a PWR’s protection system. They operate after the reactor is tripped (i.e., PSVs open at a pressure setpoint that is higher than the high-pressure reactor trip setpoint). Therefore, it can be concluded that unlike the PORVs, the PSVs are not designed to prevent reactor trips. Nevertheless, suppliers, licensees, and regulators have been producing accident analyses in which PSVs are assumed to operate under conditions during which the PORVs are designed to operate. Furthermore, they have been requiring said PSVs to operate like a control system, by repeatedly opening and closing, like PORVs, to limit RCS pressurization. The details are discussed further in Example 5.

Forty-eight years ago, the American Nuclear Society (ANS) issued Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants (ANS-N18.2-1973) [1]. A year later, the ANS issued Nuclear Safety Criteria for the Design of Stationary Boiling Water Reactor Plants (ANS-N212) [2]. The Nuclear Regulatory Commission (NRC) does not endorse either of these standards, but they contribute much to the NRC’s Standard Format and Content of Safety Analysis Reports for nuclear power plants [3]. They also form the basis for the NRC’s Standard Review Plan (NUREG-0800, formerly NUREG-75/087) [4].

Nuclear safety analyses, and licensing activities, since these standards’ publication, indicate that vendors, licensees, and the NRC have committed errors of fact, omission, and even of logic that imply an inadequate understanding of the Standards’ content, and use. Evaluations and discussion of the presented examples are based upon the first Standard [1], which addresses PWRs. (Many operating NPPs utilize PWRs that are of Westinghouse design.) Attention is focused upon the consequences and safety implications of a LOKA, not on its causes or its prevention.

The ANS Standard [1] is consistent with the General Design Criteria (GDCs) [5], which were issued 2 years earlier, in 10 CFR §50, Appendix A. The GDCs specify requirements for key nuclear plant components and systems, such as the fission product barriers (e.g., reactor vessel and containment building), reactivity control and protection systems, fluid systems, and fuel design features (e.g., the negative moderator temperature coefficient) and fuel storage pools.

Although licensees’ commitments to meet the ANS standards are a part of their licensing bases, they have not always done so. Moreover, the NRC staff has not always demanded that licensees abide by their commitments. Almost half a century on, the licensing bases of many plants indicate that important portions of these basic standards are not correctly applied. Sometimes, they are not applied at all.

Furthermore, the NRC has authorized all operating NPPs to continue operations for 20 or even 40 years past the expiration dates of their original, 40-year licenses.

Annex  1 presents a summary and review of the ANS Standard’s system for the classification of postulated events. It serves as a supplement and reference pertaining to the classification scheme.

Annex  2 outlines the position-specific qualification requirements for the NRC position of Reactor Technical Reviewer. The information in Annex  2 was copied from the NRC’s Agencywide Documents Access and Management System (ADAMS), when it was available to the public. Today, it is not found in ADAMS. It could have been deleted or removed from the publicly accessible portion of ADAMS. Annex  2 preserves this information for the record.

2 Classifications of Postulated Events

The ANS standards [1,2], the NRC’s Regulatory Guide (RG) 1.70 [3], and the Standard Review Plan [4] group all postulated events into categories that are defined by their expected frequencies of occurrence, and then specify acceptance limits for the consequences that are predicted, by analyses and evaluations, for each category.

The basis for specifying acceptance limits (i.e., nuclear safety criteria) was explicitly expressed by the ANS, in 1983 [6]. It stated, The nuclear safety criteria … have been established on the premise that: a. Those situations in the plant that are assessed as having a high frequency of occurrence shall have a small consequence to the public, and b. Those extreme situations having the potential for the greatest consequence to the public shall be those having a very low frequency of occurrence [5].

Although the classification scheme is based upon estimates of frequencies of occurrence of various events, it is deterministic in nature and predates the development of probabilistic risk assessment (PRA). It is fundamental to current, deterministic methods of nuclear plant safety analysis and licensing.

Among other things, the ANS Standards require that, By itself, a Condition II incident cannot generate a more serious incident of the Condition III or IV type without other incidents occurring independently. This criterion is commonly known as the nonescalation design requirement. This requirement enforces the boundaries between Condition II, III, and IV events. A plant design that does not meet this design requirement could allow the occurrence of Condition III or IV events with the same expected frequency of occurrence as Condition II events. Then it becomes possible to create high-frequency, serious consequence events.

The nonescalation design requirement continues to elude many licensees’ compliance efforts. It is the subject of many errors and omissions that are committed or overlooked by vendors, licensees, and the NRC staff. A LOKA could be a contributing factor to these compliance failures.

3 Issues and Examples

A common event escalation scenario begins when a Condition II event causes the pressurizer water level to rise, and eventually fill the pressurizer. This could be the result of adding water to the RCS, or heating the reactor coolant, and causing it to swell into the pressurizer. If a pressurizer PORV opens and relieves water, then it could stick open, since it is designed to relieve steam, not water.

It is conservative to assume that PORVs would not perform beyond their design capabilities. If a PORV opens and fails to reseat, then the stuck-open PORV would become a small-break loss-of-coolant accident (SBLOCA), a Condition III event, at the top of the pressurizer. If there is no concurrent incidence of another, independent fault, or operator error, then this scenario would indicate that the plant design does not comply with the nonescalation design requirement.

Two ways to comply with the nonescalation design requirement:

The nonescalation design requirement can be met either by (1) preventing water relief through a PORV or by (2) upgrading the PORVs to safety grade and qualifying them to reliably relieve water.

  1. If the event analysis shows that the PORVs relieve only steam, then they can be expected to reseat, as designed. During an inadvertent operation of the Emergency Core Cooling System (IOECCS), for example, water relief can be prevented by shutting off the ECCS flow before the pressurizer can fill. Unlike other Condition II events, the IOECCS is not remedied by a reactor trip. A reactor trip may be part of the initiating sequence in the IOECCS event. So, the remedy for an IOECCS is manual termination of the ECCS flow. This requires the operator to first determine that the ECCS is not required (e.g., to deal with an SBLOCA). The procedure could require 10min or more. In the meantime, the pressurizer could fill and cause the PORVs to open and relieve water. Accident analyses could be used to demonstrate that there is adequate time available for manual termination of the ECCS, and therefore, the event would not develop into a Condition III SBLOCA.

  2. Upgrading the PORVs requires modifying the PORV control system circuitry to meet Class 1E requirements, showing that the PORV discharge piping can support the weight of water loads, and by assuring that there is adequate power or air available to operate the predicted PORV opening/closing cycles during the Condition II event.

In 1994, Salem, Unit 1 experienced a reactor trip and ECCS actuation [7,8]. This caused the pressurizer to fill and the PORVs to open. The PORVs relieved water while opening and closing more than 100 times. However, they eventually reseated properly. The PORVs at Salem Units 1 and 2 were later upgraded to safety grade status and qualified for water relief duty. Salem Units 1 and 2 were the first NPPs to upgrade their PORVs (in 1997) [9]. This made it acceptable to assume the operation of the Salem PORVs, in Final Safety Analysis Report (FSAR) accident analyses. Salem’s PORV upgrade was also implemented at the Millstone [10] and Diablo Canyon [11] NPPs. Figure 1 [12] illustrates how the PORVs would cycle open and closed, while relieving water, after the pressurizer is filled.

Fig. 1
IOECCS event: pressurizer water volume and pressure [12]
Fig. 1
IOECCS event: pressurizer water volume and pressure [12]
Close modal

Both analysis strategies have been used by various licensees to demonstrate that their plant designs comply with the nonescalation design requirement. Either method would allow an NPP to resume operation relatively soon after the occurrence and termination of an IOECCS event. However, there are many licensees that do not identify the use of either method in their licensing bases. Here are some examples of how licensees and at least one vendor have attempted to address this issue.

3.1 Example 1: Redefinition of a Minor Reactor Coolant System Leak.

The ANS Standard [1] points to a minor RCS leak, as an example of a Condition II event. It is a leak that would not prevent orderly reactor shutdown and cooldown assuming makeup is provided by normal makeup systems only.

3.1.1 Critical Flow is Not Inventory Control.

In 1993, Westinghouse sent a Nuclear Safety Advisory Letter (NSAL) to its customers [13] suggesting methods and assumptions that can be used in the analysis of the Inadvertent Operation of the ECCS (IOECCS), a Condition II event. It states that, since the cause of the water relief is the ECCS flow, the magnitude of the leak will be less than or equivalent to that of the ECCS (i.e., operation of the ECCS maintains RCS inventory during the postulated event and establishes the magnitude of the subject leak). The NSAL converts the IOECCS into an inventory control problem. This rationale (and language, too) is repeated, 14 years later, in another NSAL regarding the analysis of Loss of Normal Feedwater events, another Condition II event [14]. At least one customer/licensee copied this language into its FSAR Chapter 15 analysis of the IOECCS [15].

3.1.2 Emergency Core Cooling System is Not Normal Makeup.

In Westinghouse plants, normal makeup is supplied by one of two or three charging pumps. However, in many plants, the charging pumps can also be used to supply ECCS flow. When they are actuated by a safety injection (SI) signal, at least two pumps operate, simply, at maximum capacity, and they do not shut down until the operator shuts them down. In this mode of operation, the charging pumps are not throttled by a pressurizer level program (i.e., they do not operate as a normal makeup system). Therefore, the NSALs cannot claim that a normal makeup system will offset water relief through a stuck-open PORV, during an IOECCS event.

Furthermore, the RCS is a highly pressurized, closed system. The flowrate through a PORV that sits atop a full pressurizer would be a two-phase (basically water) critical flow. The flowrate would be dependent upon the PORV flow area, the water temperature, the flow quality, and the pressure difference between the pressurizer and the pressurizer relief tank (PRT), and ultimately, the containment. Figure 2 illustrates the large difference that lies between the charging pump flowrate and the PORV water relief rate. It shows that the flow from one charging pump cannot replace the water flow that exits through an stuck-open PORV.

Fig. 2
PORV relief and normal makeup flow
Fig. 2
PORV relief and normal makeup flow
Close modal

Figure 2 also shows that even two charging pumps, running at maximum capacity, could not match the PORV water relief rate until the RCS pressure drops below about 1500 psia. At that pressure level, the ECCS charging flow is supplemented by the SI pumps.

The chart implies that the leak that is described in the NSAL might be one PORV relieving steam. A single PORV, relieving steam, is depicted in Fig. 3.

Fig. 3
PORV relief and ECCS flow
Fig. 3
PORV relief and ECCS flow
Close modal

The assumption of steam relief from one PORV allows the NSAL to redefine a particular SBLOCA (e.g., a stuck-open PORV) as a minor RCS leak. If this is true, then an IOECCS cannot ever develop into an SBLOCA (i.e., compliance with the nonescalation design requirement is demonstrated, by definition).

The NSAL seems to be based upon setting aside critical two-phase flow, and the characteristics of Westinghouse’s ECCS design and operation. Furthermore, the NSAL has been adopted by licensees and used in licensing submittals to the NRC. The NRC has not rejected the arguments that are copied from the NSAL. A LOKA could have played a part in the development of these outcomes.

3.2 Example 2: The Misuse of Case Analyses.

The ANS Standard specifies the nonescalation design requirement for Condition II events. It also specifies that Condition II events are, not expected to result in fuel rod failures or RCS or secondary system overpressurization [1]. Specifically, analyses or evaluations of Condition II events are required to show that there is (1) no overpressurization of the RCS or main steam system, (2) no fuel clad damage, and (3) no escalation to a more serious category of events (e.g., from Condition II to Condition III or IV).

3.2.1 Three Case Analyses to Meet Three Requirements.

To demonstrate compliance with these three requirements, it is often necessary to perform three different accident analyses. The objective of each analysis is to conservatively address one of the requirements. Assumptions and methods that are conservative, for one analysis, might not be conservative for any of the others.

Regulatory Guide 1.70 [3] recognizes the necessity to analyze various events and to test each event’s potential for exceeding specified safety limits. It states, It should be noted, however, that different initiating events in the same category/frequency group may be limiting when the multiplicity of consequences are considered. For example, within a given category/frequency group combination, one initiating event might result in the highest reactor coolant pressure boundary pressure, while another initiating event might lead to minimum core thermal-hydraulic margins or maximum offsite doses.

This approach would also impose different safety limits that apply within an event. For example, three analyses or evaluations would be presented to demonstrate compliance with the three Condition II requirements for an IOECCS event. The IOECCS adds water to the RCS, and this causes RCS pressure and pressurizer water level to rise. For the IOECCS, the three requirements: (1) no overpressurization of the RCS or main steam system, (2) no fuel clad damage, and (3) no escalation to a more serious category of events, are addressed in these ways:

  1. No RCS overpressure

    In this case, it is conservative to assume that the PORVs do not open. As ECCS water is added and pressurizes the RCS, the PSV opening setpressure is reached, and the PSVs open. At first, the PSVs relieve steam. Later, when the pressurizer fills, the PSVs would relieve water. The PSVs may or may not fail to reseat. In this case, that is not relevant, since the sole purpose of the PSVs is to limit the peak RCS pressure to levels that are below 110% of the RCS design pressure, or 2750 psia. Therefore, PSVs that open, and stick open, fulfill their safety function, if their relief capacity is large enough to prevent the RCS overpressure limit from being exceeded. So, this case is a design calculation that verifies the PSV relief capacity is sufficient to prevent the RCS pressurization, due to the IOECCS, to levels that exceed the safety limit. The case also shows that PORVs are not necessary to meet the RCS overpressure requirement. Incidentally, it would be conservative to assume that the PSVs would relieve water since water relief is not as efficient as steam relief in limiting pressurization.

    It would be even more conservative to assume that the PSVs do not open at all. Then the ECCS (charging) flow will continue to pressurize the RCS beyond the PSV opening setpressure (e.g., 2500 psia), until the pressure reaches the ECCS charging pumps’ shutoff head (e.g., about 2650 psia for Westinghouse plants, or 100 psi below 110% of RCS design pressure). As the ECCS flow delivery rate approaches zero, the RCS pressure eventually plateaus at the ECCS (charging) pumps’ shutoff head. Therefore, it is not necessary to assume the opening of any PORVs or PSVs to demonstrate compliance with the RCS overpressure requirement (i.e., an overpressure analysis is not necessary for the IOECCS event).

    It is not necessary to perform this analysis for an IOECCS. An explanation would be sufficient. The presence of this case analysis in licensing basis documents could be indicative of a LOKA among members of the licensee’s technical staff.

  2. No fuel clad damage

    Licensees demonstrate that no fuel clad damage is predicted by presenting analyses of Condition II events that indicate the minimum departure from nucleate boiling ratio (DNBR) would not drop below the DNBR limit, which is usually set at 1.2 or greater. The calculated DNBR is an indicator of thermal margin. A DNBR that is below the specified safety limit means that the onset of DNB (i.e., wherein heat removal from the fuel rods is impeded) is likely and that fuel clad damage could result.

    Events that could lead to DNB generally involve a reduction of RCS flow or pressure, as nuclear power is maintained, or even increased. A conservative analysis would be based upon low-pressure conditions (i.e., for the IOECCS, this would be an assumption that all PORVs open, and relieve steam, as designed).

    However, DNB is not a concern for the IOECCS event because the IOECCS event is caused by a spurious SI signal. The SI sequence begins with an immediate reactor trip. No power is generated, and no DNB occurs. This is verified by a look at the reported DNBR transients. They show a monotonic rise in calculated DNBR throughout the IOCCS event (i.e., the minimum DNBR, in the transient, is also the initial DNBR). The existence of this transient in the licensing basis could be an indication that the licensee’s licensing and accident analysis staff is afflicted by a LOKA.

  3. No escalation to a more serious category of events

    A review of the body of PWR licensing bases reveals that the nonescalation design requirement, for Condition II events, may be the least understood, and most difficult to fulfill of the ANS standard’s requirements.

    Section 2.1.2 of the ANS Standard requires that Condition II incidents shall be accommodated with, at most, a shutdown of the reactor with the plant capable of returning to operation after corrective action. Therefore, if the RCS pressure continues to rise, after the reactor is shut down, then the incident has not been accommodated by the reactor shutdown. The incident is not a Condition II event. So, it must be in Condition III or IV.

3.2.2 Can PSVs (or PSRVs) be Qualified to Relieve Water?.

In 1990, the NRC issued an Information Notice (IN 89–90) [16], which states, repetitive or frequent challenges to the PSVs may prevent the PSVs from reseating with a potential for an unisolable small-break loss-of-coolant accident (LOCA). However, Westinghouse issued an NSAL [13], 3 years later, that stated, Licensees should determine if their pressurizer safety relief valves (PSRVs) are capable of closing following discharge of subcooled water. If the PSRVs were designed or qualified to relieve subcooled water, the inadvertent ECCS Actuation at Power accident will not degrade into a more serious Condition III event, since these valves will close once ECCS flown has been terminated. More than 14 years later, in another NSAL [14], Westinghouse also noted that subcooled water relief through the pressurizer safety valves (PSVs) could potentially cause damage to the valves, rendering the RCS boundary unisolable.

Eventually, the use of PSVs to mitigate Condition II events became acceptable if they were qualified to relieve water. Westinghouse’s NSAL [13] provided this rationale: Although Westinghouse previously adopted the conservative criterion of preventing the pressurizer from becoming water solid, the acceptability of water leakage from the RCS for Inadvertent Operation of ECCS Condition is events is supported by NUREG-0800 and ANS-51.1. To meet the applicable Condition II criteria, the magnitude of any water relief must not exceed that of the normal makeup systems (which it will not by definition since this is the cause of the water relief) and the ability to orderly shutdown the reactor must be maintained. The latter implies that the RCS must ultimately be isolated. Hence the PSRVs must either not open or must be capable of closing after the release of subcooled water.

However, Fig. 2 shows that the PORV water relief rate will always exceed the water delivery rate from the normal makeup system (e.g., one charging pump), regardless of the NSAL’s attribution of water relief to normal makeup system flow. Furthermore, the NSAL appears to impose a new requirement for the PSVs (i.e., the ability to close after relieving water).

Water-qualified PSVs, if they exist, cannot be used to mitigate Condition II events because they will not open during Condition II events. By the time the RCS pressure reaches the PSV opening setpressure, the event will have progressed beyond the ANS Standard’s Condition II parameters. It is the PORVs that are designed to operate during Condition II events. The PORVs, which are part of the automatic pressure control system, along with the pressurizer heaters and spray, are used to maintain the plant operation within its acceptable operating range. They limit RCS pressurization to levels below the high pressurizer pressure reactor trip setpoint, and thereby prevent unnecessary reactor trips, and the opening of any PSVs.

Analyses that are based upon the assumption that PSVs can be operated during Condition II events are not consistent with the ANS Standard’s definition of Condition II events. They also indicate the presence of an error in logic. To take credit for operation of the PSVs, it is necessary to allow the event to pressurize the RCS to the opening setpressure of the PSVs, which is attained only after the reactor is shut down (on the high-pressure trip setpoint, which is set at least 100 psi below the PSV opening setpressure). Since the event has not been accommodated by a reactor shutdown, then the event cannot be in the Condition II category. That is, the PSVs would not open until after the event develops into a Condition III or IV event. In this rationale, it is necessary to violate the nonescalation design requirement to comply with the nonescalation design requirement. This demonstration of compliance amounts to nothing more than a circular argument.

3.2.3 Operation of Pressurizer Safety Valves During Condition II Events (or Anticipated Operational Occurrences).

Several licensees have invoked the PSVs to address Condition II events, and the NRC staff has accepted these licensees’ rationale. This is evident in the NRC’s response [17] to a 10 CFR §2.206 enforcement petition [18] that was filed in 2016. The NRC’s Petition Review Board (PRB) stated: There is no requirement to justify the use of PSVs as opposed to PORVs. The Byron/Braidwood UFSAR, Section 5.4.13.1, states, “The pressurizer power-operated relief valves are not required to open in order to prevent the overpressurization of the reactor coolant system. The pressurizer safety valves by themselves are sized to relieve enough steam to prevent an overpressurization of the primary system.” There is no statement that the PSVs cannot open during an AOO.

The PRB’s statement applied to the RCS overpressurization case analyses, which are performed solely for the purpose of testing the PSVs’ ability to limit RCS overpressurization. They do not evaluate the opening of PSVs during Condition II events (i.e., AOOs).

The PRB continued with, Petitioner refers to the ANS, “Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants.” N18.2, 1973 (ANS N18.2-1973), statement that AOOs “shall be accommodated with, at most, a shutdown of the reactor with the plant capable of returning to operation after corrective action.” This does not imply that relief or safety valves for other systems cannot function during an AOO. There are many AOOs where relief or safety valves (in both the primary and secondary sides) are credited, including events such as an excessive increase in secondary steam flow, loss of external electrical load/turbine trip, and loss of normal feedwater flow. The NRC staff interprets the ANS Standard to implicitly mean that no damage to reactor systems occurs while the worst thing occurring is a reactor shutdown.

The AOOs to which the PRB refers (excessive increase in secondary steam flow, loss of external electrical load/turbine trip, and loss of normal feedwater flow) are all Condition II events, with overpressurization case analyses that predict the PSVs will open: but only for the purpose of verifying the PSVs’ adequacy (or sizing) in limiting RCS pressure to acceptable levels. During these events, it is the PORVs that will open, not the PSVs (i.e., the PORVs will open and prevent RCS pressure from reaching the PSV opening setpressure).

The PRB’s implicit interpretation of the ANS Standard does not consider what happens after the shutdown (i.e., the worst thing occurring). A Condition II will have been accommodated (i.e., no further protective action is required). This requirement does not apply to Condition III or IV events. A plant that relies upon PSVs to respond to a Condition II event will have to allow the RCS to pressurize to its design pressure, after shutdown. This would be worse than just a shutdown (i.e., the worst thing occurring). It would also be a transition to a Condition III or IV event. An open PSV could damage some reactor systems inside containment, (e.g., if the PRT rupture disc is breached).

This example illustrates a creative interpretation of the Standard [1] that invokes circular reasoning. It is possible that a LOKA could have contributed to analysts’ application of this approach. Another LOKA could have led to its acceptance by regulators.

3.3 Example 3: Escalation from Condition III to Condition IV.

The nonescalation design requirement is also included among the Condition III requirements. That is, a Condition III event must not be allowed to become a Condition IV event. In FSARs, the inadvertent opening of a PORV or PSV (IOPORV) is analyzed as a Condition II event. It is conservatively assumed, in the analyses, that a PSV, not a PORV, spuriously opens, since PSVs are about twice as large as PORVs. The resulting RCS depressurization would be greater and faster than that of an open PORV, which is usually assumed to be conservative. The RCS depressurization, at power, degrades core thermal margin until the reactor is tripped. The reactor trip setpoint is a calculated value that is determined by RCS pressure, power, flow, and axial power offset. Low thermal margin reactor trips will generally occur sooner during faster depressurization rates but not always. It depends upon how the trip setpoints specified and calculated. The reactor trip typically occurs within about three or four seconds after the event begins. Consequently, the event simulation is usually ended by about 4 s.

3.3.1 IOPORV Modeled as a Mass Addition Event.

However, if the simulation were to be extended by several minutes, then the RCS depressurization would eventually cause the ECCS to be actuated by the low pressurizer pressure SI signal. (This would not be an inadvertent actuation.) The robust ECCS flow, against a relatively low RCS backpressure, would fill the pressurizer faster than would an IOECCS. Water relief through a PORV would then lead to a Condition III SBLOCA. The IOPORV, analyzed as a mass addition event, is presented in the licensing bases of only a handful of NPPs. The omission could be the result of a LOKA. Regulators’ failure to demand the submittal of this case analysis could be the result of another LOKA.

Also, the analysis does not ask how a PSV can be spuriously opened. There is no electrical signal to open the spring-loaded PSVs. Operating experience contains a few instances of “spurious” PSV openings, caused by a setpoint error (i.e., the PSV opening setpressure and the PORV opening setpressure were the same). In those cases, two conditions were necessary to open a PSV: (1) an undetected (or latent) setpoint error and (2) a Condition II event that pressurized the pressurizer to the PORV opening setpressure. That is, these “spurious” PSV openings resulted from two concurrent initiating events.

Another cause could be a mechanical fault that weakens or breaks the PSV spring. The low probability of such a fault could put it into the Condition III category. In that case, the opening of a PSV would be considered as a Condition III SBLOCA and that would remain in the Condition III category.

Licensees’ analysts could have provided case analyses like these, and regulators could have requested them. Their absence might be the result of a LOKA. The resulting licensing bases are incomplete.

3.4 Example 4: Escalation of Events Beyond Condition IV.

There is no nonescalation design requirement listed among the Standard’s Condition IV requirements. There are no postulated accidents, in the design basis, that are more serious than those in Condition IV.

If a PSV opens during a Condition III event, and sticks open, then the result is a Condition III SBLOCA. The Condition III event remains a Condition III event. If a PSV opens during a Condition IV event, and sticks open, then the result is a Condition III SBLOCA that is layered upon the ongoing Condition IV event.

3.4.1 Requiring Pressurizer Safety Valves to Reseat After Relieving Water.

The NRC noted that the Byron and Braidwood UFSAR analysis of the Feedwater System Pipe Break (Chapter 15.2.8) does not apply the single failure criterion PSVs. That is, a PSV is not assumed to stick open either during steam discharge or during water discharge [19]. The NRC did not ask how this single failure, i.e., a stuck-open PSV, would affect a Feedwater System Pipe Break, a Condition IV event during which RCS overpressure is a major concern, and event escalation is not at all relevant. (In this case, a stuck-open PSV would tend to mitigate the overpressurization of the RCS.)

Condition IV Feedwater Line Break analyses that predict PSV operation, with periods of water relief, are often cited, by the NRC and licensees, as evidence that PSVs are capable of reliably relieving water. A LOKA could have caused analysts and regulators to overlook the purpose and functions of the PSVs during Feedwater Line Break events. There might have been other factors at play, but it seems that LOKA had made a significant contribution to this oversight.

3.5 Example 5: Misapplication of Pressurizer Safety Valves in Accident Analyses.

Much time and effort has been devoted to planning and performing valve test programs that are designed to demonstrate that PSVs can relieve water, and then reseat properly. This implies that PSVs can somehow be required to relieve water, and then reseat. PSVs are designed to relieve steam, not water. In accident analyses, PSVs may be assumed to open but not necessarily to reseat. PSVs are part of a protection system that is designed to prevent RCS pressure from exceeding its pressure safety limit. So, it is conservative to assume that PSVs fail to open. In these analyses, there is no assumption of any PSVs failing to reseat.

In a Condition IV event, the failure of a PSV to reseat will create an unisolable hole at the top of the pressurizer, but that would create a Condition III SBLOCA during an ongoing Condition IV event. A LOKA might indicate that some analysts are inferring the existence of a nonescalation design requirement for Condition IV events.

The assumption that PSVs must be capable of reliably relieving water is evident in certain licensees’ application of PSVs, in lieu of PORVs, to demonstrate compliance with the nonescalation design requirement, during Condition II events. Accident analyses of Condition IV events (e.g., Feedwater Line Rupture) commonly predict that PSVs would open and relieve water. These are interpreted, by licensees and the NRC, to mean that PSVs are required to relieve water, as well as steam. This may have led to extensive, industry-wide valve testing programs aimed at demonstrating that PSVs are capable of relieving water without incurring any substantial damage.

In January 1988, Westinghouse issued WCAP-11677, which compared the Electric Power Research Institute (EPRI) test data with feedwater line break safety analyses [20]. Westinghouse determined that all nuclear power plants addressed in the EPRI testing program had PSVs that would operate reliably during water discharge. Westinghouse evaluated the performance of PSVs during the EPRI tests and concluded that valves can pass slightly subcooled water at least three times without damage. During the 1994, Salem, Unit 1 incident [7,8], more than 100 PORV cycles occurred without damage.

Could have a LOKA contributed to these efforts to qualify PSVs for water relief duty? In this respect, it is important to note that senior, more experienced persons supported these efforts. This is seen in the 2016 report [19] of the NRC’s Backfit Appeal Review Panel (BARP). The BARP, a panel of five senior NRC officials, was formed to evaluate a licensee’s appeal of a 2015 backfit order that was issued by the NRC staff. In its report, the BARP observed, The Panel notes that water discharge through various pressurizer valves is not a new issue because water discharge has always been credited (by the licensee for Byron and Braidwood and other licensees) for the feedwater line break analysis in UFSAR Section 15.2.8. The BARP report does not recognize the Feedwater Line Break as a Condition IV event, wherein there is no nonescalation design requirement. Consequently, the PSVs are not required to reseat, after relieving water, to satisfy a nonescalation design requirement. Analyses of the Feedwater Line Break typically model water relief through the PSVs. However, they do not model closure of any PSVs, because the Feedwater Line Break analysis acceptance requirements can be satisfied without closure of any PSVs. Furthermore, water relief is conservative, compared with steam relief, in calculations of peak RCS pressure, which are important in the Feedwater Line Break analyses, since the enthalpy of water is about half the enthalpy of steam, at the PSV opening setpressure.

The BARP’s report [19] concludes that PSVs are capable of water relief.

One year later, the NRC staff issued a memo that disagreed with the BARP’s conclusion [21]. The memo stated, A major finding of the NRC staff review concerned the qualification of PSVs for water relief. … some plants began crediting PSVs, which were certified for steam service, with a liquid relief function, despite the fact that the PSVs were not designed or certified to relieve liquid. Historically, the NRC has approved the use of EPRI test data to demonstrate that the PSVs would reseat following liquid discharge to preclude escalating an RCS mass addition event into a small-break LOCA. However, the staff has reviewed the EPRI test data and determined that test results reveal that valve damage following subcooled liquid discharge is likely. Thus, the staff no longer views the EPRI methodology as a generically acceptable means of justifying that PSVs would reliably reseat and preclude escalation of the RCS mass addition condition. … absent a qualification and inservice testing program to demonstrate the reliability of PSVs to pass subcooled water and reliably reseat, the staff generally does not have a basis to approve credit for qualification of the PSVs for liquid discharge and reliable reseating based on the EPRI test results.

The NRC staff still allowed for the possibility of assuming water relief through the PSVs, under certain circumstances. The staff stated, Variability in the EPRI test results may allow some plants under certain circumstances to acceptably demonstrate PSV performance using that method.

A LOKA might have contributed to the NRC’s failure to realize that PSVs cannot be credited with operation during Condition II events. Today, does not object to licensees’ assertions that PSVs can be applied in analyses of events in all of the ANS standard’s categories. For example, the staff continues to support the assertion that, PSV opening is required for Condition II events such as loss of load/turbine trip [22] (PSVs are modeled in Condition II accident analyses solely to demonstrate that the RCS overpressure safety limit can be satisfied with the operation of PSVs, alone.) In fact, PSVs would not open during Condition II events while they are still Condition II events.

3.6 Example 6: False Comparisons Between Conditions or Categories.

Westinghouse’s NSAL [13] states, Without appropriate operator action to terminate safety injection flow prior to reaching a water-solid pressurizer condition, the Inadvertent ECCS Actuation at Power event may progress from a Condition II to a more severe Condition III LOCA event … While this occurrence may result in a violation of one of the applicable licensing basis criteria for a Condition II event it is not considered a significant safety concern. As a LOCA event, discharge of coolant out of the PSRVs and PORVs due to ECCS flow is not significantly adverse relative to other Condition III LOCA events currently analyzed. This is because the pressurizer is located on the hot leg (a hot leg LOCA being less severe than a cold leg LOCA) and because the Inadvertent ECCS Actuation at Power event typically models maximum ECCS flow (to maximize the effects of the Initiating event) which is a benefit for LOCA. As such, the Inadvertent ECCS Actuation at Power induced LOCA Is bounded by the existing small-break LOCA analyses.

The NSAL conflicts with the ANS Standard in two ways:

First, there is no exception for situations that are not considered a significant safety concern. The NSAL also fails to define a significant safety concern. The NSAL suggests that the licensee, not just the regulator, can make an exception to meeting design requirements or licensing criteria.

Second, there is a false comparison between an SBLOCA that originates as a Condition II event, and other Condition III LOCA events. The former is an escalated event of moderate frequency or AOO. According to the ANS Standard, the former event’s expected frequency of occurrence dictates that it must meet the requirements of Condition II events. If a failure to meet the nonescalation design requirement merely transforms a Condition II event into a Condition III event that is subject to Condition III requirements, then the nonescalation design requirement is nullified.

In this case, the NSAL compares a Condition III accident that has a Condition II frequency of occurrence, against a Condition III SBLOCA that has a significantly lower, Condition III, frequency of occurrence.

Example 6 illustrates an error in logic (e.g., false comparisons), a misunderstanding of the analyzed events in the licensing basis (e.g., FSAR Chapter 15), as well as a LOKA regarding the Standard’s [1] requirements and application.

3.7 Example 7: False Comparisons Within Conditions or Categories.

False comparisons also occur within an ANS category of events. RG 1.70 [3] advises applicants to identify the limiting cases for presentation in the FSAR. The RG states, the initiating events for each combination of category and frequency group should be evaluated to identify the events that would be limiting. The intent is to reduce the number of initiating events that need to be quantitatively analyzed. That is, not every postulated initiating event needs to be completely analyzed by the applicant. In some cases, a qualitative comparison of similar initiating events may be sufficient to identify the specific initiating event that leads to the most limiting consequences. Only that initiating event should then be analyzed in detail.

Events are said to bounded by other, limiting events when their consequences, predicted by analyses or evaluations, are less severe, with respect to the criteria or requirements of the Condition or category of events in which they reside. Sometimes, this allowance is misused.

For example, a licensee has claimed that the Inadvertent Opening of a Pressurizer Safety or Relief Valve (IOPORV) bounds the IOECCS event, and the NRC review staff has accepted the claim. The Byron and Braidwood FSAR [15] states, The Inadvertent Operation of the ECCS during Power Operation Event does not progress into a stuck-open Pressurizer Safety Valve LOCA event. All three valves may lift in response to the event, but they will reclose. The resulting leakage from up to three pressurizer safety valves that are seated is bounded by flow through one fully open valve. The consequences of the event are bounded by the analysis described in UFSAR Section 15.6.1, “Inadvertent Opening of Pressurizer Safety or Relief Valve.” In this example, the licensee Exelon claims that their PSVs will relieve water, and reseat, and that any residual leakage from three seated PSVs will be bounded by another Condition II event.

There is no common basis for comparison. The FSAR discussion compares the IOECCS which is analyzed to demonstrate compliance with the nonescalation design requirement, with the IOPORV, which is analyzed to demonstrate that no fuel clad damage would be incurred.

The Byron and Braidwood FSAR [15] does not report a mass addition case analysis for the IOPORV event. Furthermore, leakage from seated PSVs will be water; but the relief flow through an IOPORV will be steam. The difference between steam and water relief is evident in Fig. 3.

Example 7 illustrates a misunderstanding of the analyzed events in the licensing basis. A LOKA could have led to such false comparisons between events, and to a failure to identify the omission of certain events from the licensing basis.

3.8 Example 8: General Design Criterion 21 (Single Failure).

When one or more of the PSVs fail to close during a Condition II event, then the result would be a Condition III SBLOCA. The nonescalation design requirement is not satisfied. If this occurs during a Condition III event, then the nonescalation design requirement is not relevant since the result would still be a Condition III event (i.e., no escalation occurs). If one or more of the PSVs fails to close during a Condition IV event, then accident analysis results need not demonstrate compliance with the nonescalation design requirement since it does not exist in Condition IV.

However, the use of PSVs, to relieve steam or water, as a protection system during Condition II events can prevent compliance with GDC 21. The GDC requires that, redundancy and independence designed into the protection system shall be sufficient to assure that … no single failure results in loss of the protection function. During Condition II events, the PSVs are required, by some licensees, to close, as well as open. If one PSV fails to open, then it may be shown that the other two PSVs can provide enough relief capacity to limit the RCS pressure to levels that remain below the specified pressure safety limit. However, if one PSV fails to close, during a Condition II event, then it would create an SBLOCA at the top of the pressurizer. This single failure would result in the loss of a protection function (i.e., the prevention of escalation of the event).

How can the PSVs comply with both GDC 21, and the nonescalation requirement when they are arranged in a parallel configuration? To meet the nonescalation requirement would require closure of all the PSVs. To meet GDC 21, it would be necessary to show that the nonescalation requirement could be fulfilled with a single PSV in a failed open position. How can valves that are required to open and close be connected in a configuration that allows such valves to meet both the nonescalation requirement, and the single failure requirement of GDC 21?

A LOKA might have allowed the licensee to set conflicting requirements for the PSVs (i.e., PSVs must close, and open, without failure). A LOKA might also have allowed the licensee to design a PSV configuration without considering this question. Another LOKA might have obscured this question from the reviewing regulator.

4 Safety Implications

Today, almost all NPPs have reached the ends of their original, licensed operating lifetimes, and have been authorized, by the NRC, to continue operations for another 20 or even 40 years.

The prospect of continued operations without fully complying with the design requirements of the ANS Standard [1] could jeopardize the public health and safety. However, there could be some relief or offset to be realized by following the principles of defense in depth. Defense in depth aims to prevent and mitigate accidents by establishing independent, redundant layers of defense to compensate for potential operator errors, and mechanical failures that no single system, component, or procedure could possibly provide. This layered approach would include the use of access controls and physical barriers to implement redundant and diverse safety functions, and emergency response features.

RG 1.174 [23] discusses the use of defense in depth to justify making changes to an NPP’s licensing basis. Among other things, defense in-depth measures could include system redundancy, independence, and diversity that is matched to the expected frequency, consequences, and uncertainties of the various failure and accident modes. Defense in depth would also focus upon adherence to the intent of the plant’s design criteria. In this case, the intent of the nonescalation requirement is to prevent events from developing into events of more serious categories, if consequential failures are incurred. The International Atomic Energy Agency (IAEA) also expressed similar defense in-depth principles [24].

If system redundancy, independence, and diversity can be regarded as horizontal protection measures (i.e., across systems), then conservatism and safety margin can be viewed as vertical measures (i.e., within a system). Either way, safety analysis acceptance criteria in the licensing basis must be met, with sufficient margin to account for analysis and data uncertainty [23]. Conservatism and safety margin, which are discussed in the examples, particularly Example 2, are prominent in the ANS standards [1,2], and in the principles of defense in depth [23]. However, the NRC’s evaluation of a 2016 backfit appeal [19] concluded that NRC staff had taken a new or modified position on PSV qualification, with respect to potential PSV failures following water discharge.

4.1 Conservatism and Safety Margin.

The NRC stated that this staff position was a well-intentioned and conservative approach that could provide additional safety margin, and then judged it to be an insufficient basis for a compliance backfit [19]. Example 2 argues that the position was not new or even conservative. Therefore, the NRC’s backfit evaluation effectively reduced the conservatism and safety margin that was embodied in prior staff reviews. According to the principles of defense in depth, the NRC should have endeavored to increase, not decrease, conservatism and safety margin, wherever feasible.

The principles of defense in depth are not a substitute for compliance with the design requirements in Ref. [1], which are in the original licensing basis, but applying them could mitigate the risk of continuing to operate NPPs beyond their originally licensed operating lifetimes.

Furthermore, an increased focus upon the design requirements of the ANS Standard [1], and how they work in concert with federal nuclear safety regulations (e.g., 10 CFR §50), and Standard Review Plans (SRPs or NUREG 0800) could help the NRC review staff to perform more effective reviews of LARs. This could result in more robust (i.e., complete) licensing bases, supported by relevant analyses and evaluations that definitively demonstrate compliance with all applicable design requirements, particularly the nonescalation design requirement that is important in ANS Conditions II and III.

The ANS standards [1,2] and the defense in-depth approach are similar insofar as they first focus upon prevention and control, with operational procedures, and automatic control systems, and then engage automatic protection systems (e.g., engineered safeguards), and emergency procedures during accidents that are within the design basis. (Defense in depth then goes further, to address severe accidents.)

Licensees and vendors could also benefit from more details, and clarity rendered by the NRC staff during its technical reviews of LARs, and from its applicable generic communications. For example, the NRC staff provided some guidance in a 2005 RIS, regarding analyses of the IOECCS [25], but then withdrew it, last year [22], with reference to Management Directive 8.18 [26], which states that an RIS, “may NOT…(i) Provide guidance for the implementation of rules and regulations.” This RIS was the only RIS that was withdrawn from among the more than 300 RIS documents that were issued since 2000.

5 Summary and Conclusion

All US licensees have committed to abide by two ANS Standards [1,2], which were issued almost half a century ago, and yet they still lie at the core of nuclear safety analysis methods, assumptions, and plant design requirements. However, the body of NPP licensing bases contains many accident analyses that fail to demonstrate compliance with some of these Standards’ design requirements, either by error or by omission.

These errors and omissions could be attributed to a LOKA, among other causes, either in part or in whole. The safety implications of these errors and omissions are discussed, herein, “as if” LOKA were the sole cause. That is, it is not necessary to find another cause to produce the same results. It is possible that other causes exist and contribute to the occurrence of each error or omission. This implies that solving the LOKA issue would not definitively prevent errors and omissions like those that are described in the examples.

It is expected that errors and omissions will continue to occur until the underlying NPPs are retired. Experience shows that NPPs are generally retired due to serious accidents, economic limitations, or technical issues (e.g., reactor vessel embrittlement. They have not been retired at the ends of their original operating lifetimes (40 years). The NRC has consistently been authorizing NPPs to continue operations for an additional 20 or even 40 years. The lengthening of NPPs’ operating lifetimes makes their compliance with applicable design requirements and standards more difficult and more important. Ideally, NPP designs and operations should continue to meet all the standards and design requirements that applied when their license was issued. The effects of errors and omissions that are seen during extended operations could grow as operating NPPs age.

A LOKA and its safety implications become increasingly important as NPPs continue to operate for 20 or 40 years past their originally licensed operating lifetimes. If the careers of the designers, analysts, and regulators who are responsible for nuclear plant safety can begin and/or end within an NPP’s operating lifetime, then the possibility of a LOKA, among them, could become an issue.

Eight examples and issues are evaluated, principally with respect to a common criterion (i.e., compliance with the requirements of the cited ANS Standards) [1,2]. (Many more can be gleaned from NPP licensing bases and NRC Safety Evaluation Reports.) The examples and issues that have been selected for discussion and evaluation are

  1. Redefinition of a minor RCS leak

  2. The misuse of case analyses

  3. Escalation of events from Condition III to Condition IV

  4. Escalation of events beyond Condition IV

  5. Misapplication of PSVs in accident analyses

  6. False comparisons between Conditions or categories

  7. False comparisons within Conditions or categories

  8. GDC 21 (application Single Failure criteria)

The errors and omissions that are identified in the examples would be likely to continue to occur because vendors, licensees, and regulators have not recognized them and have not taken any measures to remedy them. The only exception is seen in Example 5, and then only to a limited extent.

However, the application of the principles of defense in depth could partially address the issue. It is not clear, at this time, how the NRC would implement a defense in-depth approach. The record indicates that, in at least one instance, in 2015, the NRC demanded that the licensee apply a prudent design practice to preserve conservatism and safety margin, by issuing a backfit order. However, a year later, the NRC’s revoked the backfit order (i.e., the NRC granted the licensee’s backfit appeal) [19]. The withdrawal of the backfit order effectively reduced safety margin. The defense in-depth approach seeks to increase margin, not reduce it. In this instance, a better understanding of the ANS Standards [1,2] might have helped the NRC staff reviewers recognize the flaws in the licensee’s analyses and request the additional information and analyses that could have made this backfit order [19] unnecessary.

It is possible to identify a LOKA, and its effects, in organizations of suppliers, licensees, and in regulatory agencies. However, a LOKA is generally not recognized or overcome. A LOKA in NPPs with renewed licenses could contribute to the occurrence of more accidents over the plants’ extended lifetimes. Furthermore, accidents that are deemed to be senseless, or preventable should be evaluated as possible results of a LOKA.

6 Annexes 1 and 2

Annex  1 summarizes the system for classification of postulated events in the ANS Standard [1]. It supplements the description of the classification scheme Sec. 2.

Annex  2 presents the position-specific qualification requirements for the NRC position of Reactor Technical Reviewer. The contents of Annex  2 were copied from ADAMS, when they were available to the public. (ADAMS also contained position-specific qualification requirements for other NRC positions.) Today, they are not found in ADAMS. Either they have been deleted from ADAMS or withheld from the public.

The information in Annex  2 is drawn from a program in the NRC’s Office of Nuclear Reactor Regulation (NRR) [27] which issued NRR Office Instruction ADM-504. The Office Instruction stated, It is the policy of NRR that the qualification program shall be maintained to ensure the program reflects the skills needed for NRR to fulfill its mission.” This formal program included some of the following NRR positions: Reliability and Risk Analysts, Rulemaking Project Managers, License Renewal Project Managers, and Operating Reactor Licensing Project Managers. The Office Instruction stated that it was NRR’s policy that employees possess the knowledge and skills necessary to effectively perform regulatory activities in their position. The guidance recognized that the knowledge and skills required for regulatory activities can be obtained through formal training.

ADM-504 is no longer available, to the public, in ADAMS. However, ADAMS lists several, dated reports pertaining to knowledge management. They are designated as “NUREG/KM-####” reports.

Further information, regarding worldwide knowledge management activity, is available from the Nuclear Energy Agency (NEA) [28]. (The NRC is one of the regulatory bodies that contributed to Ref. [28].)

Conflict of Interest

There are no conflicts of interest.

Data Availability Statement

The datasets generated and supporting the findings of this article are obtainable from the corresponding author upon reasonable request. The authors attest that all data for this study are included in the paper. No data, models, or code were generated or used for this paper.

Nomenclature

ADAMS =

Agencywide Documents Access and Management System https://adams.nrc.gov/wba/https://adams.nrc.gov/wba/

aka =

also known as

AOO =

Anticipated Operational Occurrence (aka a Condition II Event)

BWR =

Boiling Water Reactor

CVCS =

Chemical and Volume Control System

DNB =

Departure from Nucleate Boiling

GL =

Generic Letter

NUREG =

Nuclear Regulation (report)

PSRV =

Pressurizer Safety Relief Valve (aka PSV)

PSV =

Pressurizer Safety Valve (aka PSRV)

SRP =

Standard Review Plan (NUREG-0800)

Annex 1

A Summary and Review of the ANS Standards’ System for the Classification of Postulated Events

The event classification system divides postulated events into four categories: Conditions I, II, III, and IV.

Condition I or Normal Operation

Operations that are expected frequently or regularly during power operation, refueling, maintenance, or maneuvering of the plant.

Condition I occurrences shall be accommodated with margin between any plant parameter and the value of that parameter which would require either automatic or manual protective action.

Condition I occurrences, or Design Transients, should not lead to a demand for a reactor trip. Analyses of Design Transients, in licensing bases, show that the plant design can tolerate these transients without a reactor trip. Examples of Condition I occurrences would be startup, shutdown, standby, partial load rejection, and operation with certain equipment out of service, as permitted by Technical Specifications (TS).

However, Condition I occurrences, and some Condition II events can cause pressure and temperature cycles, during the plant’s design lifetime, that must be tracked, and limited, so that the acceptable number of cycles is not exceeded. For example, the plant might be designed to experience 240 heatup and cooldown cycles, and 400 reactor trips, during its 40-year lifetime. License renewals, which extend plant lifetimes to 60 or 80 years could be affected by the accrual of pressure and temperature cycles.

Condition II or Incidents of Moderate Frequency

Condition II events are incidents, any one of which may occur during a calendar year for a particular plant. These events are also known as Anticipated Operational Occurrences (AOOs).

Condition II events shall be accommodated with, at most, a shutdown of the reactor with the plant capable of returning to operation after corrective action. By definition, these faults (or events) do not propagate to cause a more serious fault, i.e., Condition III or IV events. In addition, Condition II events are not expected to result in fuel rod failures or reactor coolant system or secondary system overpressurization [1].

By itself, a Condition II incident cannot generate a more serious incident of the Condition III or IV type without other incidents occurring independently. This criterion is commonly known as the nonescalation design requirement.

Condition I and II Events

Unlike Condition I events, Condition II events can lead to reactor trips: but only reactor trips.

Since design requirements are specified, for each category, according to the expected frequencies of occurrence for the events it contains, the most limiting design requirements are imposed upon the category with the most frequently occurring events (i.e., Condition II, not Condition I). Condition I events are tolerated during normal operation (i.e., the reactor is generally not tripped, and no other protective action is required). To deal with Condition I events (or Design Transients), a PWR, for example, would be equipped with a pressurizer that is large enough to admit the maximum credible reactor coolant swell, or insurge, which might result from a limited reduction in heat sink (e.g., a partial load rejection), and still maintain a steam cushion (or bubble). Therefore, a higher-rated PWR would be equipped with a larger pressurizer. NPPs are designed to remain online during Condition I events.

Condition III or Infrequent Incidents

Condition III events are, Incidents, any one of which may occur during the lifetime of a particular plant [1].

Condition III occurrences could result in the failure of a small fraction of the fuel rods, and thereby prevent resumption of operation for a considerable time. However, the resultant release of radioactivity must be limited to levels that would not interrupt or restrict public use of areas outside the exclusion radius.

A Condition III fault will not, by itself, develop into a Condition IV fault, or result in a consequential loss of function of the RCS or containment barriers [1].

Condition II and III Events

Unlike Condition II events, which could occur at any time during a calendar year, a Condition III event could occur during a plant’s lifetime. Therefore, lengthening a plant’s lifetime from 40 to 60 years (e.g., after a license renewal) could make it more likely that a Condition III event would occur during the plant’s extended lifetime.

Condition II events would not interrupt plant operation for an extended period. However, Condition III events could be serious enough to end an NPP’s operating lifetime. For example, the incident at Three Mile Island (TMI), in 1979, began with a Condition II Loss of Feedwater event, which developed into a stuck-open PORV, a Condition III SBLOCA. TMI operators failed to respond with effective measures, and that allowed the SBLOCA to partially melt the core [29]. This Condition III event ended TMI’s operating lifetime barely three months after it began.

Another escalated Condition II event had occurred at Beznau Unit 1, just 5 years earlier (i.e., a year after the ANS Standard had been issued) [30]. One of Beznau’s two turbines had tripped, a Condition II event (i.e., a 50% load rejection). This caused the pressurizer pressure to rise and open both PORVs. Eventually, when the pressurizer pressure had fallen to a level below the PORV closing setpoint, one of the PORVs failed to reseat. Thus, the Condition II event had developed into Condition III SBLOCA. The operators isolated the open PORV by closing its block valve. (An inspection later revealed that the PORV’s valve stem had broken.)

So, two PORVs, in two NPPs had stuck open, 5 years apart (i.e., two Condition II events had occurred and developed into Condition III SBLOCAs). At the first NPP, Beznau, the SBLOCA was handled correctly, the necessary repairs were made, and the plant resumed operation. Today, Beznau Unit 1 remains in operation, more than half a century after it began generating power. (Beznau Unit 1 is the world’s oldest operating NPP.) At the second NPP, TMI, the Condition III SBLOCA was aggravated by operator errors, and that ended the plant’s operating lifetime.

Before the TMI incident, Davis Besse had experienced a TMI-like event. There, the event was successfully mitigated. In fact, Davis Besse has also successfully navigated several other potentially dangerous events, from a direct strike by a tornado to the development of a large hole in the upper part of its reactor vessel head.

Condition IV or Limiting Faults

Faults that are not expected to occur but are postulated because their consequences would include the potential for the release of significant amounts of radioactive material. … Condition IV faults shall not cause a fission product release to the environment resulting in an undue risk to public health and safety beyond the guideline values of 10 CFR Part 100. A single Condition IV fault shall not cause a consequential loss of required functions of systems needed to cope with the fault, including those of the ECCS and the containment.

Since Condition IV faults are the most severe postulated events in the design basis, they are used to determine and specify the performance and sizing requirements for the ECCS design. (They are also known as design basis events.)

Condition I, II, III, and IV Events

Condition I events are transients that are characteristic of normal operation that can lead to changes in power, temperature, and pressure, which do not go beyond the plant’s normal operating range. They are limited by the automatic control systems or manually. Condition II events are accommodated by a reactor trip. After the reactor trip, the problem is corrected, and the plant is soon returned to power. Condition II events must not be allowed to develop into Condition III events. Condition III events might require more than a reactor trip (e.g., ECCS), and they might lead to some limited amount of fuel damage. Condition III events must not be allowed to develop into Condition IV events. Condition IV events are accidents or faults that are not expected to occur, at all.

The categorization of events, according to their expected frequencies of occurrence and their protection requirements may be summarized in this manner:

Table 0001
ConditionFrequency of occurrenceProtective measures
I≥1/yearNone
II≥0/year≤Reactor trip
III≥0/plant-lifetime≥Reactor trip*
IV=0/plant-lifetime≥Reactor trip*
ConditionFrequency of occurrenceProtective measures
I≥1/yearNone
II≥0/year≤Reactor trip
III≥0/plant-lifetime≥Reactor trip*
IV=0/plant-lifetime≥Reactor trip*
*

In addition to the reactor trip, these events might require the use of ECCS, containment isolation, and steamline isolation, all of which are designed to mitigate Condition IV events.

It is the events in Conditions II and III that can occur and require protective measures. The licensing record shows that many of the difficulties in interpretation and implementation of the ANS Standard are found in analyses and evaluations of the Condition II and III events: particularly with respect to demonstrations of compliance with the applicable nonescalation design requirements.

The most famous, and perhaps the most scrutinized of these events, is the IOECCS. A reading of FSARs, of record, reveals that many licensees, who operate PWRs, have not demonstrated that their plant designs comply with the nonescalation design requirement, for the IOECCS event. At least 17 PWRs have not produced analyses or evaluations that demonstrate their plant designs comply with the nonescalation design requirement. Another 16 plants have not produced analyses or evaluations that demonstrate their plant designs comply with other Condition II requirements. The pertinent analyses and evaluations are either incorrect or missing.

In 2005, the NRC issued a Regulatory Issue Summary (RIS) [25] to notify licensees that the NRC staff was concerned that many of them, particularly operators of PWRs, had not demonstrated compliance with the requirement that Condition II events must not be allowed to develop into Condition III or IV events, without the occurrence of additional faults (i.e., the nonescalation design requirement). The RIS reminded licensees that they are required to show that their plant designs are following the nonescalation design requirement. Consequently, the RIS informed licensees that the NRC staff planned to review their plants’ compliance with the nonescalation design requirement during its reviews of their license amendment requests (LARs). The RIS also informed licenses that new or additional evaluations, analyses, and/or hardware modifications could be compelled, as part of specific licensing dockets, under the terms of the compliance backfit provision of the Backfit Rule (10 CFR §50.109). (The compliance provision of the Backfit Rule is reserved for situations wherein licensees have not complied with their written license commitments.) This RIS was withdrawn last year [22].

Annex 2

Position-Specific Qualification Requirements for Reactor Technical Reviewer

Introduction

Reactor Tech Reviewer Study Activities (RxTR-SA)

(RxTR-SA-1): Code of Federal Regulation

(RxTR-SA-2): Current Licensing and Design Basis for Technical Determinations

(RxTR-SA-3): TS and the Final Safety Analyses Report (FSAR)

(RxTR-SA-4): Backfit Process

(RxTR-SA-5): Cross-cutting Technical Reviews

(RxTR-SA-6): Degraded and Nonconforming Conditions and Operability Determinations

Reactor Technical Reviewer On-The-Job Training (RxTR-OJT)

(RxTR-OJT-1): Acceptance Review and Request for Additional Information

(RxTR-OJT-2): Safety Evaluations

(RxTR-OJT-3): Concurrence Process

(RxTR-OJT-4): Interfacing and Exchange of Information with Licensees and Applicants, and Vendors

(RxTR-OJT-5): Briefings

Form 1: Reactor Tech Reviewer Signature Card

Introduction

The Reactor Technical Reviewer Position-specific Qualification Requirements, in conjunction with the General Qualification Requirements, require that employees complete a variety of activities, each of which is designed to assist employees learn information or practice a skill that is important to performing the functions of a Reactor Technical Reviewer. At the completion of the entire qualification plan, the employee will have demonstrated each of the competencies that comprise a successful Reactor Technical Reviewer.

Competency Areas:

A successful Reactor Technical Reviewer must

  1. Understand the legal basis for and the regulatory process used to achieve the NRC’s regulatory objectives by

    • Acquiring an understanding of the NRC organizational structure and objectives.

    • Understanding the basis for the authority of the Agency.

  2. Develop proficiency with the techniques and skills needed to collect, analyze, and integrate information using a safety focus to develop a supportable regulatory conclusion by

    • Gathering information through submitted documents, review of precedents, and independent research.

    • Determining acceptability of information by comparing with established criteria.

    • Approaching problems objectively, gathering and integrating information, and developing appropriate solutions.

  3. Have the communication and interpersonal skills to carry out assigned regulatory activities either individually or as part of a team by

    • Clearly expressing ideas or thoughts, carefully listening, and speaking and writing with appropriate safety focus and context.

    • Working collaboratively with others toward common objectives.

    • Working independently, exercising judgment, and exhibiting flexibility in the completion of activities during difficult or challenging situations.

    • Using technology to gather, manipulate, and share information.

Post-Qualification training:

  1. “Briefing Techniques” training course within 2 years of qualification.

Reactor Technical Reviewer Study Activity-1

Topic: (RxTR-SA-1): Code of Federal Regulations (CFR)

Purpose: The purpose of this activity is to acquaint employees with the regulations that specify the requirements for the licensing and regulating nuclear reactors. This study activity will assist employees to understand the content of Title 10 to the CFR and how to locate the specific requirements for any subject.

Competency Area: Regulatory Framework

Level of Effort: 8 hours

References:

  1. NRC Internal Home Page

  2. Paper copy of 10 CFR Parts 1 to 50 and 51 to 199, latest revision

  3. The U.S. Nuclear Regulatory Commission and How It Works

    (NUREG/BR-0256)

    http://www.nrc.gov/reading-rm/doc-collections/nuregs/brochures/br0256/ml031400642.pdf

  4. Regulatory Guide 1.174

Evaluation

Criteria:

Upon completion of the tasks in this activity, the employee should be able to demonstrate their understanding of the general content of 10 CFR Part 50 by successfully discussing the following:

  1. State the general purpose (topic) of Parts 2, 19, 20, 21, 26, 50, 50 Appendix A, B, E, 51, 52, 54, 55, 70, 73, 100.

  2. Discuss the general content of the information covered by the Part 50 quiz and the answers to the quiz to gain an understanding of the key portions of 10 CFR Part 50.

  3. Describe or define the specifics listed below:

++ Describe a 2.206 petition—Section 2.206

++ Define FOIA; Define “agency record”—9.13

++ Define ALARA—20.1003

++ Describe th epurpose of reporting defects and noncompliance—21.1

++ Define substantial safety hazard, commercial grade item, dedication, basic component—21.3

++ Describe the performance objectives for fitness for duty. Describe to whom the FFD regulations apply to—26.10

++ Define design basis, substantial safety hazard, station blackout (SBO)—50.2

++ Describe what is meant by “complete and accurate information”—50.9

++ Describe the criteria for an exemption—50.12

++ What are the categories/topics that TS will contain? 50.36(c)(1)—(4)

++ Define design change; describe the criteria for when a licensee can make a change without NRC approval—50.59

++ Describe a pressurized thermal shock event—50.61

++ Describe an anticipated transient without scram—50.62

++ Describe the requirements for licensees regarding the loss of all A/C (station black out)—50.63

++ Describe the objective of the maintenance rule—50.65

++ Describe what the “regulatory treatment of SSCs” (RTNSS) means; define what is a significant safety function—50.69

++ Describe what is the emergency response data system and its purpose—50.72

++ Describe what is a licensee event report and when is a licensee is required to submit one—50.73

++ Describe important to safety, redundancy and diversity, design basis reasonable assurance; Define single failure, anticipated operational occurrences. Loss of coolant accident—50 Appendix A, Introduction, Definitions and Explanations,

Criteria I Overall Requirements

++ Describe the double contingency principle—70.4

Tasks:

  1. Become familiar with and be able to use the search feature to locate the information available in NRC Regulations & Nuclear Regulatory Legislation web pages presented on the NRC’s Internal Web Site.

  2. Read the Parts to under the general purpose (topic) of the following parts listed in the evaluation criteria of 10 CFR: Parts 2, 19, 20, 21, 26, 50, 50 Appendix A, B, E, 51, 52, 54, 55, 70, 73, 100. Do not read the whole Part.

  3. Read the specific portions of the CFR to address the evaluation criteria and any other portions identified by your supervisor.

  4. Complete the Part 50 quiz to gain an understanding of the key portions of 10 CFR Part 50. The self-study, open-book quiz is located in ROP Digital City on the Internal Website. Since this is an ungraded self-study activity, you will also find the answers and references for the answer on Digital City. Be sure to complete the quiz before you print the answer sheet.

  5. Regarding Regulation Guide 1.174; CFR Appendix A; and NUREG/BR-0256, discuss Defense in Depth in from each document. Know the difference in enforcement using the definition/ philosophy based on the type of document.

  6. Regarding the Maintenance Rule (50.65), discuss with a “designated resource” performance-based versus prescriptive regulation.

  7. Meet with your supervisor or the person designated to be your resource for this activity and discuss the items listed in the Evaluation Criteria section.

Reactor Technical Reviewer Study Activity-2

Topic: (RxTR-SA-2): Current Licensing and Design Basis for Technical Determinations

Purpose: The purpose of this activity is to become familiar with the concepts of current licensing basis and design basis as it applies to reactor regulation.

Competency Area: Regulatory Framework

Level of Effort: 8 hours

References:

  1. 10 CFR 50.2, “Design Basis”

  2. Regulatory Guide 1.186, “Guidance and Examples for Identifying 10 CFR 50.2 Design Bases” (ML003754825)

  3. Nuclear Energy Institute 97-04, “Revised Appendix B Guidance and Examples for Identifying 10 CFR 50.2 Design Bases” (ML003771698)

  4. 10 CFR 54.3(a), “Definitions: Current Licensing Basis (CLB)” 10 CFR 54.33 Continuation of CLB and Conditions of Renewed License”

  5. Information Notice (IN) 96-17, “Reactor Operation Inconsistent with the Updated Final Safety Analysis Report,” March 18, 1996

  6. IN 98-22, “Deficiencies Identified During NRC Design Inspections,” June 17, 1998

  7. SECY-97-036, “Millstone Lessons Learned Report, Part 2: Policy Issues,” February 12, 1997

  8. 10 CFR 50.59, “Changes, Tests, and Experiments”

  9. RIS 2001-03; Changes, Tests, and Experiments

  10. 10 CFR 50.54(f), “…information sought to verify licensee compliance with the current licensing basis …”

  11. 10 CFR 52.63, “Finality of Standard Design Certifications”

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Identify the staff’s guidance that provides an understanding of what constitutes design bases information.

  2. Identify the staff's guidance and regulations that define current licensing basis (CLB).

  3. State some historical examples of problems associated with operations outside of the CLB.

  4. Describe the regulatory basis for

    • Defense in depth

    • Adequate safety

    • Safety margin

  5. State the criteria for when the licensee may make changes to the facility or procedures or perform tests or experiments without getting prior NRC approval.

  6. State methods for changing Part 50 CLB (hint—see SECY-97-036, Part 2, Section II.A, “Current Licensing Basis”).

  7. State methods for changing Part 52 CLB (hint—see Part 52.63).

Tasks:

Use the references above and/or sections of the references above to answer the Evaluation Criteria. The activities listed below shall be performed under the guidance of a Qualified Reactor Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card.

  1. Review the references to understand the principles discussed in the evaluation criteria.

  2. Discuss differences in how design changes are made to Part 50 licenses and Part 52 rules.

Reactor Technical Reviewer Study Activity-3

Topic: (RxTR-SA-3): TS and the Final Safety Analyses Report (FSAR)

Purpose: The purpose of this activity is to develop an understanding of the control of licensing conditions and their bases for operating reactors. Included in this activity is familiarization with the requirements for TS and FSAR content, change control, and reporting.

Competency Area: Regulatory Framework

Level of Effort: 16 hours

References:

  1. 10 CFR 50.36

  2. LIC-100, “Control of Licensing Bases for Operating Reactors”

  3. 10 CFR 50.59, “Changes, Tests, and Experiments”

  4. 10 CFR 50.54, “Conditions of Licenses”

  5. 10 CFR 50.71, “Maintenance of Records, Making of Reports”

  6. 10 CFR 50.4, “Written Communications”

  7. RG 1.70, “Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants”

  8. RG 1.181, “Content of the Updated Final Safety Analysis Report in Accordance with 10 CFR 50.71(e)”

  9. Nuclear Energy Institute 98-03

  10. 58 Federal Register 39132

  11. DLPM Handbook (http://nrr10.nrc.gov/DLPMHandbook/index.html)

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Describe the purpose and interrelationship of the TS and the FSAR.

    Describe the criteria used to determine TS content.

  2. Describe the requirements associated with TS and FSAR:

    • content.

    • change control.

    • reporting.

  3. Discuss safety limits and limiting safety system settings and the significance of these limits.

  4. Describe the requirements for limiting conditions for operation, and surveillance testing and what actions must be taken if the requirements are not met.

  5. Describe the process for reviewing TS bases and FSAR changes.

  6. Describe the regulatory relationship between TS and technical requirements manual.

  7. Discuss the definition of terms found in TS.

  8. Discuss the type of information found in the Design Features and Administrative Controls sections of the TS.

Tasks:

The activities listed below shall be performed under the guidance of a Qualified Reactor Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Review the references to understand the principles discussed in the evaluation criteria.

  2. Review the content and format of TS bases and FSAR for one plant, if possible, in conjunction with a license amendment review.

  3. Review the Final Policy Statement on TS Improvements for Nuclear Power Reactors (58 FR39132).

  4. Discuss the Evaluation Criteria with an assigned Qualified Reactor Technical Reviewer or with your Supervisor.

Reactor Technical Reviewer Study Activity-4

Topic: (RxTR-SA-4): Backfit Process

Purpose: The purpose of this activity is to develop an understanding of the procedures for managing plant-specific backfits and 50.54(f) information requests.

Competency Area: Regulatory Framework

Level of Effort: 4 hours

References:

  1. LIC-202, “Procedures for Managing Plant-Specific Backfits and 50.54(f) Information Requests”

  2. 10 CFR 50.54, “Conditions of Licenses”

  3. 10 CFR 50.109, “Backfitting”

  4. Management Directive 8.4, “Management of Facility-specific Backfitting and Information Collection”

  5. NUREG-1409

  6. Committee to Review Generic Requirements (CRGR) charter http://www.internal.nrc.gov/crgr/

  7. DLPM Handbook

    (http://nrr10.nrc.gov/DLPMHandbook/index.html)

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Describe the provisions of 10 CFR 50.54 and 10 CFR 50.109 regarding backfitting of nuclear power plants.

  2. Describe the requirements needed by the NRC to justify a backfit, including the regulatory analysis.

  3. Describe the specific responsibilities and authorities for the NRR staff during the process of managing plant-specific backfits and for preparing 10 CFR 50.54(f) information requests.

  4. Describe the activities included in the backfit process.

  5. Describe the three different backfits and the criteria that apply to each.

  6. Describe the role of the CRGR.

Tasks:

The activities listed below shall be performed under the guidance of a Qualified Reactor

Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Review the references to understand the principles discussed in the evaluation criteria.

  2. If possible, get involved in a backfit process.

  3. View the process that was followed for a backfit that has already been closed, if possible in your technical area and/or one that had a significant impact on the nuclear industry.

  4. Discuss the Evaluation Criteria with a Qualified Reactor Technical Reviewer or with your Supervisor.

Reactor Technical Reviewer Study Activity-5

Topic: (RxTR-SA-5): Cross-cutting Technical Reviews

Purpose: The purpose of this activity is to become familiar with the cross-cutting technical review topics. Cross-cutting technical reviews have the potential to effect all review sections. These include Part 52 licensing process, Part 50 Licensing Criteria, Power Uprates amendments and license renewal applications have unique processes and technical issues that are addressed in these reviews.

Competency Area: Regulatory Framework

Level of Effort: 6 hours

References:

Licensing Criteria and Processes:

  1. 10 CFR [select portions]

  2. NUREG-0800, Review of Safety Analysis Reports for Nuclear Power Plants

  3. Backgrounder on Nuclear Power Plan Licensing Process.

    http://www.nrc.gov/reading-rm/doc-collections/nuregs/brochures/br0298/

  4. Backgrounder on New Nuclear Plant Designs—[skim]

    http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/new-nuc-plant-des-bg.html

  5. Backgrounder on Emergency Preparedness

    http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/emergplan-prep-nuc-power-bg.html

Power Uprates:

  1. RS-001, “Review Standard for Extended Power Uprates”

  2. Fact Sheet: Power Uprates for Nuclear Plants

    http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/power-uprates.html

  3. 10 CFR 50.90, “Application for Amendment of License or Construction Permit”

  4. RIS-2002-03, “Guidance on the Content of Measurement Uncertainty Recapture Power Uprate Applications”

  5. The NRC Power Uprate Web Site

    www.nrc.gov/reactors/operating/licensing/power-uprates.html

License Renewal:

  1. 10 CFR Parts 51 and 54

  2. Reactor license renewal orientation

    (http://nrr10.nrc.gov/licrenewal-train/index.html)

  3. Reactor license renewal public website:

    (http://www.nrc.gov/reactors/operating/licensing/renewal.html)

  4. Backgrounder: License Renewal

    (http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/license-renewal-bg.html)

  5. NUREG-1800, Standard Review Plan for License Renewal (SRPLR),

“Standard Review Plan for the Review of License Renewal Applications for Nuclear Power Plants” and NUREG-1555, Standard Review Plans for Environmental Reviews for Nuclear Power Plants,” (ESRP).

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

Licensing Criteria and Processes:

  1. Describe the plant design areas that the staff must review to license a nuclear plant.

[Backgrounder on Nuclear Power Plan Licensing Process]

  1. In 10 CFR, describe the purpose of the following:

    • Parts 20, 50, 73 and 100

    • Part 50 Appendix A, B, and E

    • Sections 50.34, 50.36, 50.47, 50.73, and 50.100

  2. In 10 CFR 50, Appendix A,

    • Describe the outcome for which the principle design criteria were established (Introduction, paragraph 1)

    • Define “loss of coolant accident,” “single failure,” “anticipated operational occurrence.”

    • Discuss the meaning of “adequate protection,” “reasonable assurance” and “redundancy and diversity”

  3. In 10 CFR 50, Appendix B,

    • Define what comprises “quality assurance”

  4. In 10 CFR 50.36,

    • Describe the categories in technical specifications for reactors.

    • Describe “safety limit,” “limiting safety system setting,” limiting control setting,” Limiting condition for operation,” and “design feature”

    • Describe the criteria for a technical specification limiting condition for operation [50.36(c)(2)(ii)]

    • Describe the purpose of the “surveillance requirements.”

  5. In 10 CFR 50.47,

    • Describe the NRC finding that must be made regarding emergency plans [50.47(a)(1)]

  6. Describe the three types, what they license/certify, and license/certification duration of Part 52 licensing processes:

    • Early Site Permits

    • Design Certification

    • Combined License

  7. Describe the major common elements for Part 50 and 52 licensing processes. Describe the major differences in Part 50 and 52 licensing processes. [Backgrounder on Nuclear Power Plan Licensing Process]

Power Uprates:

  1. Describe the three types of power uprates:

    • Measurement Uncertainty Recapture.

    • Stretch Power Uprate.

    • Extended Power Uprate (EPU).

  2. State the timeliness goals for the different types of power uprates.

  3. State other approvals typically needed to operate at the new, higher power level and describe why they are needed.

  4. Describe the unique process involved in an EPU.

License Renewal:

  1. State the regulations and major guidance for license renewal.

  2. Describe the reason for the Part 54 rule change in 1995.

  3. Know the two principles of license renewal safety reviews.

  4. Describe the scope of structure and components within the license renewal rule.

  5. Describe key parts to the license renewal review:

    • Know the two license renewal tracks.

    • Length of the review, with and without a hearing

    • Opportunities for public involvement

  6. Know these acronyms as they apply to license renewal: CLB, AMR, AMPs, TLAAs

Tasks:

The activities listed below shall be performed under the guidance of a Qualified Reactor Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Read the Backgrounders and review the remaining references to understand the principles discussed in the evaluation criteria.

  2. Discuss the Evaluation Criteria with a Qualified Reactor Technical Reviewer or with your Supervisor.

Reactor Technical Reviewer Study Activity-6

Topic: (RxTR-SA-6): Degraded and Nonconforming Conditions and Operability Determinations

Purpose: The purpose of this activity is to become familiar with the process of ensuring that equipment at nuclear power plants is capable of performing its safety function is continuous and consists primarily of verification by surveillance testing and formal determinations of operability. Whenever the ability of a system or structure to perform its specified function is called into question, licensees should make a prompt determination (or evaluation) of operability.

Competency Area: Regulatory Framework

Level of Effort: 4 Hours

References:

  1. GL 91-18, “Information to Licensees Regarding NRC Inspection Manual Section on Resolution of Degraded and Nonconforming Conditions”

  2. NRC inspection manual, Part 9900, Technical guidance (sections on Operability)

  3. Information Notice 97-78, “Credit of Operator Actions in Place of Automatic Actions and Modification of Operator Actions, including Response Time.”

Evaluation Criteria:

  1. Define the following terms and provide examples of each term.

    • Operable/operability

    • Degraded condition

    • Abnormal condition

    • Nonconforming condition

    • Justification for continued operation

    • Single failure

    • Consequential failure

    • Support system

    • Compensatory measures

Tasks:

  1. Review the references to understand the principles discussed in the evaluation criteria and Discuss Evaluation Criteria with a Qualified Reactor Technical Reviewer or your Supervisor.

Reactor Technical Reviewer On-The-Job Training-1

Topic: (RxTR-OJT-1): Acceptance Review and Request for Additional Information

Purpose: The purpose of this activity is to become familiar with performing acceptance reviews and the process to develop and issue requests for additional information (RAIs). Employees should develop the understanding for the format and philosophy of writing well-focused RAIs.

Note: RxTR-OJT-1 may be performed in conjunction with RxTR-OJT-2 and -3.

Competency Area: Regulatory Framework

Level of Effort: 4 hours (training time); time performing the licensing activity should be charged to the licensee, applicant, or vendor

References:

  1. LIC-101, “License Amendment Review Procedures,” Sections 1–10; Appendix B, Sections 1.0–1.2, 4.0–4.3, 5.0, 7.0–7.4, 9.0–9.3

  2. LIC-202, “Plant Specific Backfit,” Sections 1–10

  3. ADM-200, “Delegation of Authority”

  4. DLPM Handbook (http://nrr10.nrc.gov/DLPMHandbook/RAI.html)

  5. NUREG-0800, “Review of Safety Analysis Reports for Nuclear Power Plants”

  6. NUREG-1800, “License Renewal Applications for Nuclear Power Plants”

  7. 10 CFR 50.9, “Completeness and Accuracy of Information”

  8. 10 CFR 50.34, “Contents of Applications; Technical Information”

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Describe the importance of the acceptance review.

  2. Describe the criteria a reviewer should use to determine the need for a RAI.

  3. Describe the importance of developing well-focused RAIs that will enable NRC to obtain all relevant information needed to make a decision that is fully informed, technically correct, and legally defensible.

  4. Describe the importance of communicating precedent setting issues and their regulatory bases to the Project Manager, licensee, vendor or applicant and other NRC employees, as necessary.

Tasks:

The activities listed below shall be performed under the guidance of a Qualified Reactor Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Review the references to meet the evaluation criteria.

  2. Search ADAMS for similar licensing actions (i.e., licensee submittal and RAI), precedence may also be identified by the Project Manager on work request forms.

  3. Review the submittal to determine whether an RAI needs to be prepared.

  4. Write a draft safety evaluation and the RAI in accordance with the guidance in LIC-101.

  5. Prepare and process the concurrence package which contains the RAI.

  6. Discuss the Evaluation Criteria with a Qualified Reactor Technical Reviewer or with your Supervisor.

Reactor Technical Reviewer On-The-Job Training-2

Topic: (RxTR-OJT-2): Safety Evaluations

Purpose: The purpose of this activity is to become familiar with the process used to develop safety evaluations (SEs) and the format and philosophy of writing well-focused SEs.

Note: RxTR-OJT-2 may be performed in conjunction with RxTR-OJT-1 and -3.

Competency Area: Regulatory Framework

Level of Effort: 4 hours (training time); time performing the licensing activity should be charged to the licensee, applicant, or vendor

References:

  1. LIC-101, “License Amendment Review Procedures,” Sections 1–10; Appendix B, Sections 1.0–1.2, 2.3, 4.0–4.5, 5.0, 7.0–7.4, 9.0–9.3

  2. ADM-200, “Delegation of Authority”

  3. DLPM Handbook (http://nrr10.nrc.gov/DLPMHandbook/RAI.html)

  4. NUREG-0800, “Review of Safety Analysis Reports for Nuclear Power Plants”

  5. 10 CFR 50.9, “Completeness and Accuracy of Information” If applicable to license activity:

    1. NUREG-1800, “License Renewal Applications for Nuclear Power Plants”

    2. 10 CFR 50.34, “Contents of Applications; Technical Information”

    3. 4 10 CFR 50.36, “Technical Specifications”

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Describe the importance of identifying precedent safety evaluations.

  2. Describe the essential elements of a technical safety evaluation.

  3. Describe the importance of adequately documenting the technical, regulatory, and legal bases to support the staff's acceptance or denial of the proposed action.

  4. Describe the importance of adhering to the schedule for a technical review.

  5. Describe the other essential elements and the Project Manager’s process required for the final NRC approval of a license amendment.

Tasks:

The activities listed below shall be performed under the guidance of a Qualified Reactor Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Review the references to meet the evaluation criteria.

  2. Search ADAMS for precedent safety evaluations, precedence may also be identified by PM on work request forms.

  3. Review the licensee, applicant, or vendor submittal.

  4. Perform the acceptance review and communicate the results to the Project Manager

  5. Perform your technical review; determine the need for RAIs, and write the draft SE.

  6. Review any RAI response(s) and complete the SE in accordance with the guidance in LIC-101.

  7. Write an SE in accordance with the guidance in LIC-101.

  8. At the discretion of the supervisor, perform a peer review of another employee’s SE.

  9. Discuss the Evaluation Criteria with your designated resource or supervisor.

Reactor Technical Reviewer On-the-Job Training-3

Topic: (RxTR-OJT-3): Concurrence Process

Purpose: The purpose of this activity is to become familiar with the concurrence process for NRC documents.

Note: RxTR-OJT-3 may be performed in conjunction with RxTR-OJT-1 and -2

Competency Area: Regulatory Framework

Level of Effort: 4 hours (training time); time performing the licensing activity should be charged to the licensee, applicant, or vendor

References:

  1. Management Directive 3.57, “Correspondence Management”

  2. Office Instruction ADM-200, “Delegation of Signature Authority”

  3. DLPM Document Distribution Guide (ADAMS ML051600012), page iii

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Describe the process to determine who needs to concur on any given document that a technical reviewer might originate.

  2. Describe the format of a concurrence grid and the meaning of entries on that grid.

  3. Describe “do’s and don’ts” for concurring on a document (MD 3.57).

  4. Describe how to “manage” concurrence of documents (i.e., how to get timely concurrence to meet the branch’s objectives). For example, discuss “parallel” concurrence and how to deal with unavailability of persons designated to concur.

Tasks:

The activities listed below shall be performed under the guidance of a Subject Matter Expert and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Review the references to meet the evaluation criteria.

  2. Prepare and process the concurrence package that transmits the SE to project management.

  3. Following the review by a qualified reviewer, discuss any comments with the qualified reviewer.

  4. Discuss the evaluation criteria above with a Qualified Reactor Technical Reviewer or with your Supervisor.

Reactor Technical Reviewer On-The-Job Training-4

Topic: (RxTR -OJT-4): Interfacing and Exchange of Information with Licensees, Applicants, and Vendors

Purpose: The purpose of this activity is to become familiar with the office instruction that provides staff guidance for interfacing with licensees and applicants in less formal circumstances, and for documenting such interfaces. It applies to licensing actions associated with operating reactors, license renewal, new reactor license applications, etc.

Level of Effort: 12 hours (training time); if this activity is associated with an employee’s work on a licensing activity should be charged to the appropriate licensee, applicant, or vendor TAC.

References:

  1. COM-203 “Informal Interfacing and Exchange of Information with Licensees and Applicants”

  2. Section 182 of the Atomic Energy Act

  3. 10 CFR 2.790, “Public inspections, exemptions, requests for withholding”

  4. 10 CFR 9-Subpart A, “Freedom of Information Act Regulations”

  5. 10 CFR 50.4, “Written Communications”

  6. RIS 2001-05, “Guidance On Submitting Documents To The NRC By Electronic Information Exchange Or On CD-ROM”

  7. RIS 2001-18, “Requirements For Oath Or Affirmation”

  8. Management Directive 3.4, “Release of Information to the Public”

  9. Management Directive 3.53, “NRC Records Management Program”

  10. NRR Office Instruction ADM-200, “Delegation of Signature Authority”

  11. NRR Office Instruction LIC-101, “License Amendment Review Procedures”

  12. NRR Office Instruction LIC-204,“Handling Requests to Withhold Proprietary Information From Public Disclosure.”

  13. NRR Office Instruction ADM-304, “ADAMS Document Submission and Use.”

  14. NRR Office Instruction OVRST-200, “Management of Allegations”

  15. NRC Inspection Manual, Part 9900: Technical Guidance, “Operations-Notices of Enforcement Discretion”

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. Describe the documentation requirements for information exchange between licensees, applicants, or vendors and NRC staff related to:

    • Informal meetings and discussions.

    • Phone calls, e-mails, facsimiles (faxes).

    • Exchange or review of draft information.

    • Receipt of unsolicited information.

  2. Identify formal verses informal documents.

  3. Describe the criteria that defines official agency records, which should be placed in ADAMS.

Tasks:

The activities listed below shall be performed under the guidance of a Subject Matter Expert and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Complete GEN-SA-4 Objectivity, Protocol, and Professional Conduct prior to this activity.

  2. Review the references to meet the evaluation criteria.

  3. Attend a conference call to discuss or resolve a technical issue with licensee, vendor, applicant, or industry representatives with an experienced technical reviewer.

  4. Attend a meeting to discuss or resolve a technical issue with licensee, vendor, applicant, or industry representatives with an experienced technical reviewer.

  5. Discuss the Evaluation Criteria with your designed resource or supervisor.

Reactor Technical Reviewer On-The-Job Training-5

Topic: (RxTR-OJT 5): Briefings

Purpose: The purpose of this activity is to become familiar with the various types of briefings for which

Reactor Technical Reviewers are involved. The ability to convey your technical judgment in a clear and concise manner is essential for a successful briefing. The regulatory basis and risk significance of an issue should be considered in any decision-making briefings.

Competency Area: Regulatory Framework

Level of Effort: 8 hours (if the briefing is regarding a licensing action or another direct billable activity, then the portion of time to review the references to understand Agency or Office practices and policies should be charged to a training TAC and time should be charged to the licensee, vendor or applicant)

References:

  1. DLPM Handbook (http://nrr10.nrc.gov/DLPMHandbook/index.html)

  2. Memorandum from John Craig, “Revised Guidance for Developing Briefing Materials,” dated March 28, 2003

  3. CRGR Charter, (ADAMS Accession Number: ML0037183740)

  4. Procedures for requesting CRGR review, http://www.internal.nrc.gov/crgr/procedures.html

  5. Purpose and responsibilities of the Commission review, http://www.nrc.gov/who-we-are/organization/commfuncdesc.html

Evaluation Criteria:

Use the references above and/or sections of the references above to answer the Evaluation Criteria.

  1. State the purpose and responsibilities of the CRGR, the Advisory Committee on Reactor Safeguards (ACRS), and the Commission.

  2. Identify examples of regulatory activities that could require a briefing of the CRGR, ACRS, and/or the Commission.

Tasks:

The activities listed below shall be performed under the guidance of a Qualified Reactor Technical Reviewer and discuss the Evaluation Criteria with your Supervisor for documentation on the signature card:

  1. Review the references to meet the evaluation criteria.

  2. Attend an ACRS meeting and Commission meeting.

  3. Prepare for and perform a management briefing at the Branch level or higher.

  4. Discuss the Evaluation Criteria with your designated resource or supervisor.

Form 1: Reactor Technical Reviewer Signature Card

Reactor Technical Reviewer (RxTR) Study Activities

Activity Number

Activity Suggested

Completion

Actual Level of Effort (hours)

Employee’s Initials/date

Supervisor’s Initials/date

RxTR-SA-1 Code of Federal Regulations 3-Months

RxTR-SA-2 Current Licensing and Design Basis for Technical Determinations 3-Months

RxTR-SA-3 TS and the Final Safety Analyses Report (FSAR) 9-Months

RxTR-SA-4 Backfit Process 15-Months

RxTR-SA-5 Cross-cutting Technical Reviews 15-Months

RxTR-SA-6 Degraded and Nonconforming Conditions and Operability Determinations 18-Months

Reactor Technical Reviewer On-the-Job Training Activities

RxTR-OJT-1 Acceptance Reviews and Requests for Additional Information 6-Months

RxTR-OJT-2 Safety Evaluations 6-Months

RxTR-OJT-3 Concurrence Process 6-Months

RxTR-OJT-4 Interfacing and Exchange of Information with Licensees, Applicants, and Vendors 6-Months

RxTR-OJT-5 Briefings 18-Months

References

1.
American Nuclear Society
,
1973
,
Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants
,
La Grange Park, IL
, ANS-N18.2-1973.
2.
American Nuclear Society
,
1974
,
Nuclear Safety Criteria for the Design of Stationary Boiling Water Reactor Plants
,
La Grange Park, IL
, ANS-N212.
3.
Regulatory Guide 1.70, Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants, Rev 3, November 1978 (ADAMS No. ML011340116).
4.
Standard Review Plan, NUREG-0800 (formerly NUREG-75/087), Draft Rev 3, April 1996.
5.
10 CFR §50, Appendix A, 36 FR 12733, July 7, 1971.
6.
Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, ANSI/ANS-51.1-1983, April 29, 1983.
7.
Information Notice 94-55, Problems With Copes-Vulcan Pressurizer Power-Operated Relief Valves, USNRC, August 4, 1994 (ADAMS No. ML031060536) part of a May 8, 1989, response to a request for additional information related to Seabrook.) This document is not in ADAMS; but is available through the NRC Public Document Room using Accession No. 8905120191 and microfiche location 49755:336–49756:017.
8.
Press Release No. 94-157, NRC Staff Proposes to Fine PSE&G $500,000 for Alleged Violations at Salem Nuclear Power Plant, USNRC, October 5, 1994 (ADAMS No. ML003702822).
9.
Amendment Nos. 194 and 177, Salem Nuclear Generating Station, Unit Nos. 1 and 2, USNRC, June 4, 1997 (ADAMS No. ML011720397).
10.
Issuance of Amendment-Millstone Nuclear Power Station, Unit No. 3, June 5, 1998 USNRC (ADAMS No. ML011800207).
11.
USNRC
, Diablo Canyon Power Plant, Unit Nos. 1 and 2—Issuance of Amendment Re: Credit for Automatic Actuation of Pressurizer Power Operated Relief Valves (TAC NOS. MB6758 AND MB6759), dated July 2, 2004 (ADAMS No. ML041950260).
12.
PSEG Nuclear, LLC, Salem Generating Station, Units 1 & 2, Revision 31 to Updated Final Safety Analysis Report, Chapter 15, Accident Analysis, December 5, 2019 (ADAMS No. ML19360A110) Figure 25.2-44.
13.
NSAL-93-013, Inadvertent Operation of ECCS at Power, G.G. Ament and K.J. Vavrek, Westinghouse ESBU, June 30, 1993, and NSAL-93-013, Supplement 1, Inadvertent Operation of ECCS at Power, J.S. Galembush, Westinghouse ESBU, October 28, 1994 (ADAMS No. ML052930330).
14.
NSAL-07-10, Loss-of-Normal Feedwater/Loss-of-Offsite AC Power Analysis PORV Modeling Assumptions, J.T. Crane and A.J. Macdonald, Westinghouse, November 7, 2007 (ADAMS No. ML100140163).
15.
Final Safety Analysis Report, Braidwood Station, Units 1 and 2, and Byron Station, Unit Nos. 1 and 2, Chapter 15.5.1, Inadvertent Operation of Emergency Core Cooling System During Power Operation (ADAMS No. ML14363A495).
16.
NRC Information Notice No. 89-90: Pressurizer Safety Valve Lift Setpoint Shift, December 28, 1989 (ADAMS No. ML031190006).
17.
Office of the EDO (OEDO)-16-00783—Closure Letter for Enforcement Petition Regarding Exelon's Byron and Braidwood Stations, Michael Case, John Billerbeck, Timothy Drzewiecki, Gladys Figueroa, Sara Kirkwood, June 23, 2017 (ADAMS No. ML17108A808).
18.
10 CFR §2.206 Petition OEDO-16-00783, filed by S. Miranda, November 15, 2016 (ADAMS No. ML17010A051).
19.
Holahan
,
G. M.
,
Scarbrough
,
T. G.
,
Spencer
,
M. A.
,
Clark
,
T. V.
, and
Steven West
,
K.
,
2016
, USNRC, Report of the Backfit Appeal Review Panel Chartered by the Executive Director for Operations to Evaluate the June 2016 Exelon Backfit Appeal, August 23, 2016 (ADAMS No. ML16236A208).
20.
Dickinson
,
R. J.
, and
Bass
,
J. G.
,
1988
, “Pressurizer Safety Relief Valve Operation for Water Discharge During a Feedwater Line Break,” Westinghouse, WCAP-11677, dated January 1988 (Submitted to the NRC as).
21.
Response to NRC-2019-000363, Freedom of Information Act (FOIA) Request, submitted by S. Miranda on July 18, 2019, for NRC Memorandum from Eric R. Oesterle, et al. to Mirela Gavrilas et al., “Supporting Information for Staff Recommendations in Response to Executive Director for Operations Tasking in September 15, 2016, Exelon Backfit Appeal Decision,” dated September 6, 2017 (ADAMS No. ML19266A445)—This is a Redacted Version of ML17237C035, which is not available to the public.
22.
Withdrawal of Regulatory Issue Summary 2005-29, and Draft Revision 1, Anticipated Transients That Could Develop Into More Serious Events, May 15, 2019 (ADAMS No. ML19121A534).
23.
Regulatory Guide 1.174, Revision 3, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,” January 2018 (ADAMS No. ML17317A256).
24.
1996/08/31-NRC000035-A Report by the International Nuclear Safety Advisory Group (INSAG). INSAG-10, “Defense in Depth in Nuclear Safety,” International Atomic Energy Agency Vienna, Austria (ADAMS No. ML102500651).
25.
NRC RIS 2005-29, Anticipated Transients That Could Develop into More Serious Events, S. Miranda, December 14, 2005 (ADAMS No. ML051890212).
26.
USNRC, Management Directive MD 8.18, NRC Generic Communications Program, dated December 9, 2015 (ADAMS No. ML15327A372).
27.
Office Instruction No. ADM-504, Rev 3, “Qualification Program,” February 16, 2015 (ADAMS No. was not available).
28.
NEA/CNRA/R(2012)1, “Knowledge Transfer and Management of Operating Experience,” Organisation for Economic Co-Operation and Development, Nuclear Energy Agency, Committee on Nuclear Regulatory Activities, March 13, 2012.
29.
Kemeny
,
J. G.
,
1979
,
The Need for Change, the Legacy of TMI: Report of the President’s Commission on the Accident at Three Mile Island
,
Pergamon Press
.
30.
USNRC
,
1979
, Transmittal of Reports Regarding Foreign Reactor Operating Experiences, September 25, ADAMS No. ML031320181 and Generic Letter 79-45.