ARTICLE 6 EXISTING NUCLEAR POWER STATIONS
6.3 Stations that Required Corrective Actions/Programs for Safety Upgrading
The following are corrective actions/programs for safety upgrading applied to specific power stations as results of safety assessments. Such actions/programs have either been completed or are in the process of being completed.
6.3.1
Darlington Nuclear Power Station
DARLINGTON LOSS OF FLOW
Under normal operating conditions, the reactor coolant is circulated by the primary heat transport pumps to cool the fuel inside the reactor. If one or all of these pumps stop, drying out of the fuel sheath and overheating of the fuel could occur. To protect the reactor against such accidents, the reactor shutdown systems monitor the flow and the pressure of the coolant and automatically shutdown the reactor if these are not within certain limits. Safety analysis is done to show that these limits cover the entire range of allowed operation and, that the chance of any fuel heat-up is very low.
An analysis in 1997 of the loss of flow revealed that, for a range of reactor power above 60%, the shutdown systems would not act as effectively as originally calculated, and an increase in fuel temperature could result. This finding led to significant power derating for several months. Procedural and hardware changes were implemented before the reactors returned to high power operation.
6.3.2
Bruce Nuclear Generating Station
BRUCE A/B POSITIVE REACTIVITY DUE TO FUEL RELOCATION FOLLOWING A LOSS OF COOLANT ACCIDENT
OHN assessment in 1993 of the reactivity effects for the movement of fuel bundles during a postulated LOCA resulted in the Bruce reactors being derated to 60% full power operation. An elongation of fuel channels that resulted from creep produced a gap at the end of the channels. Therefore, a break at one end would result in fuel movement which would increase the reactivity in the core. Since this assessment, OHN implemented a number of equipment and operational changes and provided better technical support and analysis before raising power. These reactors are still derated to 90% of full power operation.
BRUCE A EMERGENCY CORE COOLING SYSTEM (ECCS)
Following the recognition that ECCS could not prevent fuel failures for Large Loss Of Coolant Accidents (LLOCA), AECB staff requested OHN to conduct a system-by- system review of the impact, which resulted in design changes. AECB also requested that major shielding be added to the Bruce A ECCS. This request also led to a redesign of the Bruce B ECCS, which was under construction at the time.
During the 1970s, experimental research showed that the gravity-fed ECCS which was the original design at Bruce A station was incapable of meeting the original design requirements. At the instruction of the AECB, the reactors were back-fitted with a high pressure ECCS and heat exchangers. High pressure ECCS and heat exchangers were subsequently incorporated into all subsequent reactors.
BRUCE A CONTAINMENT
Tests requested by the AECB at Bruce A revealed that the design of dousing system headers was inadequate and required a major redesign. These tests also indicated that changes were necessary at Pickering and these were back-fitted. The AECB also required major improvements to the emergency filtered air discharge systems at Bruce.
BRUCE A/B BOILER TUBE DEGRADATION
Boiler tube degradation as a result of stress corrosion cracking and fretting has been observed at Bruce A and B nuclear power stations. After a review of the relevant information, the AECB required a significant expansion of OHN’s inspection and technical support activities.
OHN is committed to a boiler tube life management program that involves inspection and plugging to maintain the number of tubes at risk of failure within tolerable limits.
6.3.3
Pickering Nuclear Generating Station
PICKERING A REACTOR BUILDING LEAKAGE
In 1992, improvements of the devices isolating the Pickering A units from the main containment duct were required to meet AECB instruction to increase the time at which venting the containment becomes necessary following an accident. The AECB also required extensive repairs to the dome of the Unit 1 reactor building to make sure safety margins were maintained.
SHUTDOWN SYSTEM ENHANCEMENT (SDSE) AT PICKERING A Pickering Nuclear Generating Station A (PNGS-A) reactors were licensed for operation by the AECB before the introduction of the regulatory requirement for two independent, diverse and fully capable shutdown systems. Therefore, the PNGS-A reactors were designed and built with only one fast-acting shutdown system and were judged acceptable on the basis of analysis presented at the time. Dual failure analysis that involved the loss of a shutdown event had been a licensing issue with the AECB since 1975.
Since the early 1980’s, the shutdown system has been upgraded to improve its reliability and effectiveness so that the probability of shutdown failure would be extremely low. Upgrades include:
• increasing the number of shutoff rods from 11 to 21; • upgrading the boiler room high pressure trip parameter;
• adding a boiler low level, a heat transport low pressure, and a boiler feedline low pressure trip parameters.
Following the 1986 Chernobyl accident, AECB staff requested OHN to reassess the safety of the PNGS-A reactors under the dual failure assumptions that involve the failure to shut down. In 1987, OHN submitted a revised analysis of the consequences of a LLOCA combined with failure to shut down. This analysis concluded that the structural integrity of containment would be maintained and that the dual failure reference dose limits would be met. AECB staff found this analysis to be speculative and concluded that the consequences could not be quantified with confidence.
Following discussions between AECB and OHN staff, and because verifying results of loss of shutdown analysis to the satisfaction AECB would require expensive and time-consuming research programs which in themselves would not increase reactor safety, OHN decided to investigate the SDSE. This would reduce the probability of failure of shut down so that loss of shut down analysis would no longer be required.
The results of the investigation, and the enhancement proposed, were documented in several submissions to the AECB and include such improvements as detailed below:
• The final SDSE design that was approved provides a new set of triplicated trip sensors and trip logics augmented with new moderator dump logic.
• The SDSE trip parameters are neutron overpower, high log neutron rate, heat transport high pressure and low pressure and manual trip.
• The enhancement also includes the addition of two more shutoff rods.
The existing shutdown system and the SDSE are independent of each other from trip sensing to the final relay contacts in the shutoff rod drop logic and the moderator dump logic. Both the new and the existing logic trains will actuate all the shutoff rods. If power rundown characteristics are not satisfactory after a reactor trip, a dump signal is generated by the existing shutdown system and/or SDSE, either of which causes the moderator dump valves to open and shut down the reactor.
OHN committed to installing this enhanced shutdown system on all PNGS-A operating reactors by the end of 1997. On this basis, PNGS-A operating licence contains a condition mandating this installation.
SDSE was installed in Unit 4 of PNGS-A, the installation commissioning was
successfully completed and the system was readied for future on-power testing. Some minor installation was also done on the other units. AECB staff was satisfied with the progress OHN made on the installation of SDSE. However, in August 1997, OHN announced that the PNGS-A reactors would be shut down at the end of 1997 and that work on the installation of SDSE would be suspended. In accordance with the requirements of the operating licence, OHN shut down all the four PNGS-A reactors by December 31, 1997, and made a business decision to lay them up. The restart of these units will require AECB approval.
6.3.4
Gentilly-2 and Point Lepreau Nuclear Generating Stations
AECB staff requested NB Power and Hydro-Québec to consider the potential effects of secondary side pipe failures. One of the main concerns was the protection of the main control room. The corrective actions required in 1992 were:
• identification of all practicable design changes
• enhanced protection of the main control room by a variety of means such as highly reliable in-service inspection and steam leak detection
• definition and demonstration of procedures for the secondary control room
NB Power and Hydro-Québec have followed up on these requirements. They have also put in place a risk reduction program including enhanced inspections programs.
6.3.5
All Nuclear Power Stations
POWERHOUSE DESIGN & ENVIRONMENTAL QUALIFICATION (EQ) AECB questions on the effects of high pressure piping failures in the powerhouse at Bruce A and B resulted in:
• a major program of work on all stations, including the installation of large pressure relieving devices in Bruce, Pickering and Point Lepreau generating stations • the back-fitting of a qualified electrical power supply at Bruce A
• a major environmental qualification program for all OHN stations
• design changes to protect safety equipment against harsh environment at all stations
EQ provides assurance that essential equipment will function in a harsh environment under accident conditions.
TWELVE-HOUR SHIFTS
Since 1989, the AECB has expressed concern about shift schedules for nuclear power station staff who work twelve-hour shifts. In 1989, only OHN power station shift
crews worked twelve-hour shifts. Beginning in 1992, AECB staff authorized twelve- hour shifts for Point Lepreau shift crews. In 1997, AECB staff authorized a one-year trial period for twelve-hour shifts at Gentilly-2 beginning April 1, 1997. The development of AECB policy on twelve-hour shifts is described below.
In response to Hydro-Québec’s request to adopt twelve-hour shifts and to better manage and deal with future requests for changes to shift schedules, AECB staff issued a contract with the objective of assessing the proposed shift schedule for Gentilly-2 and consolidating the AECB’s set of criteria. These criteria deal with six major categories:
• limits to hours of work,
• tracking and reporting hours of work, • overtime policy,
• rest and recovery provisions, • work organization,
• transition from 8- and 9-hour shifts to 12-hour shifts.
AECB staff expects licensees to:
• track employees’ hours of work; • report violations of the policies; • have a comprehensive overtime policy; • maintain a minimum shift complement;
• effectively manage the transition from 8- and 9-hour to 12-hour shifts.
AECB staff has identified a number of basic criteria for limits to hours of work, including: • a normal shift length of 12 hours, excluding travel and turnover time;
• a regular schedule designed to average no more than 48 hours per week; • limits on the amount of overtime in one year;
• a maximum of 60 hours in a seven-day period, including appropriate time off before and after;
• a maximum of five consecutive day shifts or four consecutive night shifts.
For rest and recovery provisions, AECB criteria include:
• after three or more consecutive night shifts, a minimum of 72 hours off; • after three day shifts or two night shifts, a minimum of 48 hours off; • after two day shifts, a minimum of 24 hours off.
All Canadian nuclear power station shift schedules are now in compliance with these criteria.