Fault Studies Assessment of the Safety Case for Return to Service of

Title of document
ASSESSMENT REPORT
Unique Document ID and Revision No: ONR-CNRP-AR-14-066 Revision 0
TRIM Ref: 2014/410785
Project: Boiler Spine Recovery Project
Site: Heysham 1 and Hartlepool
Title: Fault Studies Assessment of the Safety Case for Return to Service of Heysham 1 Reactor 2, Hartlepool Reactor 1 and Reactor 2 at Reduced Temperature Operation Following the Discovery of a Defect on Heysham 1 Reactor 1 Boiler Spine 1D1
Nuclear Site Licence No: Hartlepool 59, Heysham 60
Licence Condition(s): LC22
IIS Rating (Mandatory): 3 – Adequate (Green) (Rating should be based on licensee's original safety case submission)
COIN Service Order: SVC4285367
Step-based Document Review
Step | Description | Role | Name | Date | TRIM Revision*
1 | Initial Draft, including identification and mark-up of SNI/CCI | Author | | 18/11/14 | 1
2 | Main editorial review | Author | | 18/11/14 | 1
3 | Peer Review in accordance with AST/005 Rev 3 | Peer Reviewer | | 19/11/14 | 3
4 | Assessor update / sentencing of comments and return to Peer Reviewer | Author | | 20/11/14 | 3
5 | Final editorial / clean draft review | Author | | 20/11/14 | 3
6 | Acceptance review in accordance with AST/003 Rev 7 | AUH | | 21/11/14 | 15
7 | Report Sign-off | Author / Peer Reviewer / Professional Lead | | 21/11/14 | 15
* TRIM revision to be identified upon completion of activity and incorporation of any changes to document
Template Ref: ONR-DOC-TEMP-004 Revision 7
Report ONR-CNRP-AR-14-066
TRIM Ref: 2014/410785
Office for Nuclear Regulation
Document Acceptance
Role | Name | Position | Signature | Date
Author | | Principal Inspector | | 21/11/14
Peer Review† | | Principal Inspector | | 21/11/14
Acceptance‡ | | Superintending Inspector | | 21/11/14

Revision History
Revision | Date | Author(s) | Reviewed By | Accepted By | Description of Change
0 | 21/11/14 | | | | First formal issue

Circulation (latest issue)
Organisation | Name
ONR |

† Where required in accordance with ONR How2 BMS Document AST/005 Revision 3
‡ Hard-copy of document signed-off, TRIM version updated with authors / approver / acceptor names and dates and record finalised
Civil Nuclear Reactor Programme
Fault Studies Assessment of the Safety Case for Return to Service of Heysham 1
Reactor 2, Hartlepool Reactor 1 and Reactor 2 at Reduced Temperature Operation
Following the Discovery of a Defect on Heysham 1 Reactor 1 Boiler Spine 1D1
Assessment Report ONR-CNRP-AR-14-066
Revision 0
21 November 2014
© Office for Nuclear Regulation, 2014
If you wish to reuse this information visit www.onr.org.uk/copyright for details.
Published November 2014
For published documents, the electronic copy on the ONR website remains the most current publicly
available version and copying or printing renders this document uncontrolled.
EXECUTIVE SUMMARY
This report presents the findings of my assessment of EDF Nuclear Generation Ltd’s (NGL)
safety case (Ref. 1) for the return to service of Heysham 1 Reactor 2 and Hartlepool Reactors
1 and 2 at reduced temperature operation following the discovery of a defect on Heysham 1
Reactor 1 boiler spine 1D1. The report considers the fault studies aspects of the safety case;
the structural integrity and probabilistic safety assessment aspects are addressed separately.
My assessment of Ref. 1 will inform ONR’s decision as to whether to Agree under LC22(1)
arrangements to the return to service of Heysham 1 Reactor 2 and Hartlepool Reactors 1 and
2 at reduced temperature operation as requested in Ref. 20 and 21 respectively.
Heysham 1 Reactor 1 was shut down in June 2014 for a planned outage to investigate
suspect indications in the Weld 12.3 region of the 1D1 boiler spine. These indications were
originally identified by Guided Wave Testing performed during the statutory outage in
September 2013.
A combination of non-destructive testing techniques performed during the 2014 outage
revealed significant cracking 450mm in length in the parent material just below Weld 12.3.
Following the discovery of this defect, its impact on the nuclear safety of the operating units of
Heysham 1 and Hartlepool was assessed by EDF NGL and it was decided to shut down the
reactors for further inspections. This decision was supported by ONR.
EDF NGL has now completed its inspections and developed a safety case for the return to
service of 3 of the reactors that takes into account the increased likelihood for defects to be
present in the boiler spines. The safety case is based upon operating at reduced temperature.
Return to service of Heysham 1 Reactor 1 (the reactor with boiler spine 1D1) is to be
addressed separately.
The main focus of my assessment has been those aspects of the safety case that relate to the
consequences of boiler spine failure. This has included consideration of whether the fault
sequences analysed are appropriate, whether the analysis is adequately robust and whether
the lines of protection claimed are sufficient. I have concluded that an adequate safety case
has been made in this respect.
A further aspect of my assessment has been the claim that the method used to assess the
temperature of Weld 12.3 is conservative. This is important to the structural integrity aspects
of the safety case in terms of operating the reactor at reduced temperature to significantly
reduce the rate of creep crack growth. Based on the evidence and arguments provided by
EDF NGL I judge the claim that the Weld 12.3 algorithm is conservative to be reasonable.
However, I note that the heat transfer and fluid flow in the region of Weld 12.3 is very complex
and that confidence would be increased by additional thermocouple measurements. In this
respect I note that EDF NGL has made a commitment (Commitment 4) to carry out a review of
the boiler thermocouple strategy and that this review is to include an investigation into recommissioning of existing boiler thermocouples and also the feasibility of installing additional
thermocouples. I consider this to be an important commitment.
I also note the commitment (Commitment 13) to complete a detailed ALARP (As Low As
Reasonably Practicable) review of protection against boiler spine failure. This review is to
include, but not be limited to: automatic CO2 purge for the gas circulator motor compartment;
a spine restraint system; reliability improvements to the Vessel Overpressure Protection
Equipment and Quadrant Feed Trip systems, etc. I support this review particularly noting the
relatively low reliability of the single line of protection claimed for an infrequent seismic event.
In total EDF NGL has made 19 commitments in Ref. 1 that are important in the context of
ALARP. It is intended that EDF NGL’s progress against all of its commitments will be
monitored by ONR through regular project meetings and tracked through an issue (Issue
2714) on the ONR issues database.
Overall, from a fault studies perspective I recommend that ONR should Agree to the requests
(Ref. 20 and 21) made under LC22(1) arrangements for the return to service of Heysham 1
Reactor 2 and Hartlepool Reactors 1 and 2 at reduced temperature as justified in the safety
case presented in Ref. 1.
LIST OF ABBREVIATIONS
ALARP: As low as is reasonably practicable
BIF: Bifurcation Inlet Weld Failure
BOLMMS: Basement Off Load Moisture Monitoring System
BSL: Basic Safety Level (in SAPs)
BSO: Basic Safety Objective (in SAPs)
CFD: Computational Fluid Dynamics
CO2: Carbon Dioxide
DB: Dose Band
EBF: Emergency Boiler Feed
EDF NGL: EDF Nuclear Generation Limited
fpd: failures per demand
GWT: Guided Wave Testing
HOW2: ONR Business Management System
HGPT: High Gas Pressure Trip
INSA: Independent Nuclear Safety Assessment
LC: Licence Condition
NDT: Non-Destructive Testing
ONR: Office for Nuclear Regulation
pa: per annum
pry: per reactor year
OLMMS: Off Load Moisture Monitoring System
PSA: Probabilistic Safety Assessment
PSD: Primary Shutdown
QFT: Quadrant Feed Trip
RVFDS: Reactor Vessel Flood Detection System
SAP: Safety Assessment Principle(s) (ONR)
SSD: Secondary Shutdown
SRV: Safety Relief Valve
SHTP: Superheater Tailpipe
TAG: Technical Assessment Guide(s) (ONR)
VOPE: Vessel Overpressure Protection Equipment
TABLE OF CONTENTS
1 INTRODUCTION
2 ASSESSMENT STRATEGY
2.1 Standards and Criteria
2.2 Safety Assessment Principles
2.3 Use of Technical Support Contractors
2.4 Integration with Other Assessment Topics
2.5 Out of Scope Items
3 LICENSEE’S SAFETY CASE
3.1 Overview of Consolidated Boiler Spine Safety Case
3.2 Claim 1 - Integrity of key butt welds is adequate to justify an infrequent boiler spine failure at a frequency of 10⁻³ pry
3.3 Claim 2 - In the event of boiler spine failure, the consequences remain tolerable
3.4 Claim 3 - The risk associated with the proposed return to service of the three reactors is Tolerable and ALARP
4 ONR ASSESSMENT
4.1 Scope of Assessment Undertaken
4.2 Assessment
4.3 Comparison with Standards, Guidance and Relevant Good Practice
4.4 Verification, INSA and Nuclear Safety Committee (NSC)
4.5 IIS Rating
5 CONCLUSIONS AND RECOMMENDATIONS
5.1 Conclusions
5.2 Recommendations
6 REFERENCES
Tables
Table 1: Relevant Safety Assessment Principles Considered During the Assessment
Table 2: Lines of Protection for Essential Safety Functions for Eight Inlet Bifurcation Failures
1 INTRODUCTION
1. This report presents the findings of my assessment of EDF Nuclear Generation Ltd’s
(NGL) safety case for the return to service of Heysham 1 Reactor 2 and Hartlepool
Reactors 1 and 2 at reduced temperature operation following the discovery of a defect
on Heysham 1 Reactor 1 boiler spine 1D1 (Ref. 1).
2. Assessment was undertaken in accordance with the requirements of the Office for
Nuclear Regulation (ONR) How2 Business Management System (BMS) guide NSPER-GD-014 (Ref. 2). The ONR Safety Assessment Principles (SAP) (Ref. 3),
together with supporting Technical Assessment Guides (TAG) (Ref. 4), have been
used as the basis for this assessment. The methodology for the assessment follows
HOW2 guidance on mechanics of assessment within the Office for Nuclear Regulation
(ONR) (Ref. 5).
3. Heysham 1 Reactor 1 was shut down in June 2014 for a planned outage to investigate
suspect indications in the Weld 12.3 region of the 1D1 boiler spine. These indications
were originally identified by Guided Wave Testing (GWT) performed during the
statutory outage in September 2013.
4. A combination of non-destructive testing techniques performed during the 2014 outage
revealed significant cracking 450mm in length in the parent material just below Weld
12.3. Following the discovery of this defect, its impact on the nuclear safety of the
operating units at Heysham 1 and Hartlepool was assessed by EDF NGL and it was
decided to shut down the reactors for further inspections. This decision was supported
by ONR.
5. EDF NGL has now completed its inspections and developed a safety case (Ref. 1) for
the return to service of 3 of the reactors that acknowledges the increased likelihood for
defects to be present in the boiler spines. The safety case is based upon operating at
reduced temperature. Return to service of Heysham 1 Reactor 1 (the reactor with boiler
spine 1D1) is to be addressed separately.
6. From a nuclear safety perspective boiler spine failure would result in a drop of the
boiler with resultant loading and potential failure of boiler tubes and tailpipes, the gas
circulator and the gas circulator penetration. For an operating boiler unit water ingress
into the reactor could occur as a result of boiler tube or tailpipe failures giving rise to
pressure and moisture increases within the reactor circuit. This could challenge
containment integrity and reactor cooling. Given the potential significance of boiler
spine failure Ref. 1 has been presented as a Category 1 safety case by EDF NGL.
7. The scope of this report covers the fault studies aspects of Ref. 1 and is described in
more detail in Section 4.1. The structural integrity and Probabilistic Safety Analysis
(PSA) aspects are addressed separately (Ref. 30 and 31 respectively). My
assessment of Ref. 1 will inform ONR’s decision as to whether to Agree under LC22(1)
arrangements to the return to service of Heysham 1 Reactor 2 and Hartlepool
Reactors 1 and 2 at reduced temperature operation as requested in Ref. 20 and 21
respectively.
2 ASSESSMENT STRATEGY
8. My assessment strategy is set out in this section. The scope of the assessment and
the standards and criteria that have been applied are identified.
2.1 Standards and Criteria
9. The relevant standards and criteria adopted within this assessment are principally the
Safety Assessment Principles (SAP) (Ref. 3).
2.2 Safety Assessment Principles
10. The key SAPs applied within the assessment are included within Table 1 of this report.
2.2.1 Technical Assessment Guides
11. No Technical Assessment Guides (Ref. 4) have been used directly as part of this
assessment.
2.2.2 National and International Standards and Guidance
12. No national or international standards or guidance have been used directly to support
this assessment.
2.3 Use of Technical Support Contractors
13. No Technical Support Contractors have been used in support of this assessment.
2.4 Integration with Other Assessment Topics
14. The report addresses the fault studies aspects of Ref. 1. In the context of this report
the fault studies aspects are primarily those associated with the design basis. The
structural integrity and PSA aspects have been addressed separately (Ref. 30 and 31
respectively). During my assessment I have identified a number of structural integrity
claims that are important to my assessment. These have been discussed with the
structural integrity assessor and an agreed position reached. The relevant points are
identified within my report and summarised in the conclusions. I have also discussed
with the structural integrity assessor my assessment of the claim that the temperature
algorithm used to determine Weld 12.3 temperatures is conservative and made them
aware of my conclusion.
2.5 Out of Scope Items
15. The structural integrity and PSA aspects of Ref. 1 are outside the scope of this
assessment. My assessment only considers the changes to the safety case that arise
from Ref. 1; I have not considered the validity of the extant boiler spine safety case
(Ref. 6) or the extant boiler tube safety case (Ref. 8) which have been assessed
previously by ONR (Ref. 9) and considered acceptable from a fault studies
perspective. Further details of the scope of my assessment are provided in
Section 4.1.
3 LICENSEE’S SAFETY CASE
16. The safety case provided in Ref. 1 is based on 3 claims:
• Claim 1 - Integrity of key butt welds is adequate to justify an infrequent boiler spine failure at a frequency of 10⁻³ pry.
• Claim 2 - In the event of boiler spine failure, the consequences remain tolerable.
• Claim 3 - The risk associated with the proposed return to service of the three reactors is tolerable and ALARP.
Each of these claims is outlined below with a focus on those aspects that relate to my
assessment. For a description of the affected plant the reader is referred to Ref. 1.
Before describing each of the claims a brief outline of the extant boiler spine safety
case is provided to aid understanding of the developments in Ref. 1.
3.1 Overview of Consolidated Boiler Spine Safety Case
17. The extant boiler spine safety case is presented in Ref. 6. It identified that parts of the
spine are subject to potentially significant creep damage mechanisms, particularly with
respect to the potential for re-heat crack initiation. As a consequence an operating
temperature limit of 580°C was imposed on boiler spine Weld 12.3 with the
temperature being predicted using a conservative methodology. This methodology
uses an algorithm (dating from ~2005) to determine Weld 12.3 temperatures and is
discussed further in paragraph 22 below.
18. Boiler spine failure was conceded at a frequency of less than 10⁻⁴ pry. Should a boiler
spine fail a single line of protection was claimed for each of the essential functions.
This claim was made on the basis of failure of all 147 superheater tailpipes (above the
bifurcation). The possibility of multiple spine failures was discounted on the basis of it
being beyond the design basis.
3.2 Claim 1 - Integrity of key butt welds is adequate to justify an infrequent boiler spine failure at a frequency of 10⁻³ pry
19. Claim 1 aims to demonstrate that boiler spine failure remains an infrequent event at
10⁻³ pry (compared to less than 10⁻⁴ pry in the extant case). The claim addresses three
key areas:
• The principal drivers for the formation and development of a defect and whether such factors could be present on other boiler spines.
• Inspection evidence demonstrating that widespread cracking is absent from the boiler spine population.
• Provision of a forewarning of failure leg.
Note: in EDF NGL’s terminology an initiating event is defined as frequent if it has a
frequency of greater than 10⁻³ pry.
20. The validity of Claim 1 is addressed in the structural integrity assessment. I have
however considered one aspect of Claim 1 in my assessment relating to the thermal
environment of Weld 12.3.
21. A key element of Claim 1 is that the reactors will be operated at a reduced temperature
such that Weld 12.3 operates with a target temperature reduction of 40°C. Whilst a
target reduction of 40°C has been set the safety case recognises that this reduction
may not always be achieved and specifies the period of operation allowed at lower
temperature reductions. The operating temperature and associated allowable period of
operation relates to the time it would take for an un-revealed defect to grow by creep to
an intolerable size between GWT surveillances. The intent is that this will be
implemented and managed through the Boiler Assessment Working Group (BAWG).
22. As indicated above the temperature at which Weld 12.3 operates is key to the
structural integrity safety case in terms of creep crack growth. Weld 12.3 temperatures
are calculated using an algorithm (dating from ~ 2005), the development of which was
based upon thermocouple measurements. The algorithm takes into account a number
of measured plant parameters in order to be able to determine Weld 12.3
temperatures. EDF NGL have reviewed the algorithm and concluded that it remains
conservative. Given the complexity of the heat transfer and flow paths that determine
the temperature of Weld 12.3 I have considered EDF NGL’s claim that the algorithm is
conservative in my assessment.
3.3 Claim 2 - In the event of boiler spine failure, the consequences remain tolerable
23. Claim 2 addresses the consequences of boiler spine failure and is the main focus of
my assessment. Claim 2 aims to demonstrate that design basis fault sequences are
protected and the risk is tolerable. The sections below describe the key nuclear safety
risks that arise from boiler spine failure; the safety limits against which protection is
demonstrated; the safety functions required to protect against boiler spine failure and
associated key protection systems; and an outline of the accident sequences that have
been analysed to demonstrate that the consequences of boiler spine failure remain
tolerable.
24. Claim 2 also presents the PSA aspects of the safety case. The PSA aspects are
addressed within the PSA assessment report.
Key Nuclear Safety Risks
25. Ref. 1 identifies the key nuclear safety risks following guillotine failure of the boiler
spine as:
• Containment failure arising from reactor vessel overpressure due to boiler tube failures as a consequence of spine failure.
• Reactor depressurisation in the event of a stuck open vessel Safety Relief Valve (SRV).
• Availability of gas circulation arising from steam/water ingress. Moisture ingress into the gas circulator motor compartments represents a risk to circulator operation, either through electrical faults or by entrainment of water in lubricating oil.
• Threat to the availability of the gas circulator in the affected boiler due to loading from a dropped boiler.
• Containment failure arising from failure of the gas circulator penetration as a result of loading from a dropped boiler.
• Damage to reactor internals as a result of debris arising from circulator disintegration or detached boiler components.
• Pre-trip power increase due to reactivity effects of steam ingress.
• Spine failures leading to multiple boiler tube failures resulting in reactor internal flooding and loss of forced and natural circulation. If a sufficient volume of water is allowed to enter the reactor, there is a risk of liquid water accumulating in the reactor lower plenum and impeding circulation of cooling gas. If the water level rises above the lower gas ducts then both natural and forced gas circulation will be prevented.
• Multiple spine failures can also threaten redundancy of post trip cooling quadrants.
Each of these risks is considered within the safety case. In terms of containment failure
arising from failure of the gas circulator penetration and damage to reactor internals
the arguments are unchanged from those presented in Ref. 6 and are not considered
further within my assessment.
Safety Limits
26. There are three safety limits relevant to the consequence of water ingress (excluding
effects on reactivity which is considered separately); a brief outline of each is given
below. The aim of the safety case is to demonstrate that these limits are not breached
for appropriate fault sequences.
Circuit Overpressure and Reactor SRV Lift
27. Circuit overpressure is prevented by SRV lift. It is assumed that the reactor contains
some pre-failed fuel so SRV lift with successful reseat results in a contribution to dose
band 1 (DB1 – 0.1 to 1 mSv). A further concern associated with SRV lift is the risk that
following lifting of the SRVs, one or more may fail to reseat. This can result in circuit
depressurisation with consequential pin failures and increased off-site release. The
main defence against failure of an SRV to reseat is operator action to identify the fault
and isolate the open SRV.
Gas Circulator Moisture Accumulation
28. Water entering the gas circuit can accumulate in the gas circulator oil baths with the
accumulation rate depending upon circuit pressure, moisture content and circulator
speed. In the safety case it is assumed that if the concentration of water in oil reaches
20% (equivalent to 48.7 kg of water) the circulator will fail due to bearing damage. This
is based on tests that have shown that a gas circulator would operate for at least 60
minutes at this level of moisture content.
29. The main protection against this is initiation of a CO2 purge flow to the gas circulators.
Initiation of the gas circulator purge is an operator action and is assumed within the
safety case to take place 30 minutes after reactor trip.
Lower Plenum Flooding
30. Moisture entering the reactor circuit will eventually condense and accumulate in the
lower plenum. If sufficient water accumulates it could reach a depth at which the boiler
gas outlet ports would block and prevent gas circulation. This is a threat to both forced
and natural circulation. The volume of water at which gas circulation is threatened is
51 m³ (~44 tonnes). At this point the gas circulator outlet ports would be overtopped
and water would cascade into the gas circulators resulting in their failure and loss of
forced circulation. Further water ingress would lead to the ports being blocked and loss
of natural circulation.
31. Lower plenum flooding is prevented by reducing boiler pressure below reactor
pressure or by isolating the failed boiler to prevent further water ingress. In both cases
this can be achieved automatically or by operator action.
Essential Safety Functions and Protection Systems
32. Ref. 1 identifies the essential safety functions required following boiler spine failure as:
• Reactor Trip
• Shutdown and Hold down
• Gas Circulator Run On
• Vessel Overpressure
• Boiler Venting
• Boiler Feed & Feedwater Source
• Gas Circulation
• Vessel Flooding
For random failure of a single spine 2 lines of protection are claimed as detailed in
Table 2 of this report. For failure of up to two spines in different quadrants due to a
10⁻⁴ pa seismic event a single line of protection is claimed.
33. Clearly a number of protection systems play an important role in providing these safety
functions. Two key systems that are specific to the boiler tube safety case are the
Vessel Overpressure Protection Equipment (VOPE) and Quadrant Feed Trip (QFT). A
brief description of each is provided below.
34. VOPE is designed to detect rising reactor gas pressure, indicative of a boiler tube leak,
and then automatically initiate boiler depressurisation via the normal boiler steam
dump route. Depressurising the boilers limits the ingress of water through failed boiler
tubes. Prior to the installation of VOPE boiler depressurisation was reliant upon
operator action. VOPE enables protection to be claimed earlier in the fault and
increases the time available for the operator to initiate gas circulator purge.
35. The QFT is armed when VOPE initiates. If feed pressure falls below 55 bar(g) on any
quadrant within a set time period Emergency Boiler Feed (EBF) is automatically
isolated to that quadrant. Prior to the installation of QFT isolation of boiler feed was
reliant upon operator action.
36. VOPE is essentially designed to limit water ingress at the lower end of boiler tube
failure ingress rate and the QFT at the higher end. The boiler tube failure ingress rate
for which the systems are effective overlaps and consequently it is claimed all water
ingress rates are covered.
Analysis of Accident Sequences
37. The accident sequences considered within Ref. 1 are based on the claim that the
consequences of a boiler spine failure are bounded by failure of 8 bifurcation inlet
welds (compared to 147 superheater tailpipes above the bifurcation in the extant
case).
38. Claim 2 of Ref. 1 considers a range of accident sequences and reports the results of
analyses performed using the MACE computer code. Protection is judged against the
safety functions and limits described above. The aim is to demonstrate that for a
random spine failure there are two lines of protection for each safety function. The
requirement for two lines of protection arises from EDF NGL’s own Nuclear Safety
Principles relating to frequent initiating events. This recognises that whilst Claim 1 is
that boiler spine failure is an infrequent event, it is at the border (10⁻³ pry) between
infrequent and frequent events.
39. The potential for multiple spines failing in different quadrants is also addressed. For a
10⁻⁴ pry seismic event two spines in different quadrants are assumed to fail. A single
line of protection is claimed for two spines failing. The failure frequency of 3 or more
spines in different quadrants is claimed to be beyond the design basis.
40. The reactor physics effects of steam ingress are considered within Ref. 1. It is claimed
that for the accident sequences considered the water ingress is bounded by the case
presented in References 12 and 13. No new reactivity analyses are presented.
41. Details of the analysis of the accident sequences considered are discussed in the
assessment section of my report. The overall conclusion of Ref. 1 is that the
consequences of spine failure remain tolerable.
3.4 Claim 3 - The risk associated with the proposed return to service of the three reactors is Tolerable and ALARP
42. Whilst I have not specifically assessed the overall ALARP case I note that although
Ref. 1 claims that return to service is ALARP it also identifies 19 Commitments to
further work aimed at further reductions in nuclear risk in the future. Depending upon
the commitment the target completion date is between 3 and 12 months. The
argument provided for not completing this work prior to return to service is that the cost
of the delay would be disproportionate to the potential benefit. A number of these
commitments are relevant to my assessment and consequently I have commented on
them as appropriate.
4 ONR ASSESSMENT
4.1 Scope of Assessment Undertaken
43. My assessment has focussed on those aspects of Ref. 1 that are a change from the
extant boiler spine safety case (Ref. 6). The main focus of my assessment has been
Claim 2 which considers the consequences of boiler spine failure whilst at power and
shutdown. In assessing Claim 2 I have considered whether the fault sequences
analysed are appropriate, whether the analysis is adequately robust and whether the
lines of protection claimed are justified and sufficient.
44.
A further focus of my assessment has been the claim that the algorithm used to assess
the temperature of Weld 12.3 is conservative. This is key to the structural integrity
safety case presented in Claim 1 in terms of the effect of operating the reactor at reduced
temperature to significantly reduce the rate of creep crack growth.
45.
In relation to Claim 3 I note that a number of the commitments for future work are
relevant to my assessment, consequently I have commented on them where
appropriate.
4.2
Assessment
46.
In general terms I consider that the claims made within Ref. 1 provide a logical
structure to the safety case and are appropriate to its aims. Consequently my
assessment is presented against each of the claims.
47.
As part of early engagement with EDF NGL I raised a number of preliminary questions
(Ref. 7). A response to these questions was provided in Ref. 15 and 22. Where
appropriate these responses are discussed within my assessment report. For the
remaining questions I am content with the response provided and have not
commented further within this report.
4.2.1
Claim 1 - Integrity of key butt welds is adequate to justify an infrequent boiler
spine failure at a frequency of 10⁻³ pry
48.
As part of ONR’s early engagement with EDF NGL I questioned (Ref. 7, question 1)
how the intended target reduction of 40ºC at Weld 12.3 was to be implemented and
compliance demonstrated. In my view simply specifying a target reduction in
temperature with no clear criteria to demonstrate whether it had been met would not
have been acceptable. I note that this concern has been addressed by Ref. 1. Whilst a
target reduction of 40ºC has been set the safety case recognises that this reduction
may not always be achieved and specifies (in Ref. 19) the period of operation allowed
at lower temperature reductions. The operating temperature and associated allowable
period of operation relates to the time it would take for an un-revealed defect to grow
by creep to an intolerable size between GWT surveillances.
49.
The intent is that this will be implemented and managed through the Boiler
Assessment Working Group (BAWG) as detailed in Ref. 19. I note that Appendix A of
Ref. 19 includes a table detailing allowable periods of operation for different
temperature reductions and makes it clear that it is the BAWG’s responsibility to
remain compliant with the table. Overall I consider that my original concern has been
addressed.
50.
As noted above my assessment in respect of Claim 1 is focussed on the determination
of the temperature at which Weld 12.3 operates as this is key to the structural integrity
safety case in terms of creep crack growth. The purpose of operating the plant at
reduced temperature is to reduce the temperature of Weld 12.3 such that the potential
for creep crack growth is significantly reduced. It is therefore important to know what
temperature Weld 12.3 is operating at.
51.
Weld 12.3 temperatures are calculated using an algorithm, the development of which
was based upon plant thermocouple measurements and theoretical models. The
algorithm takes into account a number of plant parameters in order to be able to
determine Weld 12.3 temperatures. EDF NGL have reviewed the algorithm and
concluded that it remains conservative. Given the complexity of the heat transfer and
flow paths that determine the temperature of Weld 12.3 I challenged EDF NGL on the
basis of this claim (Ref. 7, question 2).
52.
Before considering whether the Weld 12.3 temperature algorithm is conservative it is
worth understanding the sensitivity of the safety case for Weld 12.3 to operating
temperature. The safety case specifies the following allowable period of operation
between GWT surveillances as a function of temperature reduction:
• 0ºC – 27 days
• 10ºC – 46 days
• 20ºC – 81 days
• 30ºC – 144.5 days
• 40ºC – 262 days
On the basis of the above, for operation in the range 30-40ºC, a change of 2.5ºC
equates to around 1 month’s operation. Hence, it is important that the Weld 12.3
algorithm is conservative.
53.
EDF NGL has provided a comprehensive response to my question, which was in a
number of parts. The algorithm was derived using plant data from thermocouples
installed in nine boiler pods in 2003-2005 which measured the gas temperature in the
boiler deadspace and at the bottom of the reheater inner shroud annulus (close to
Weld 12.3). It is made conservative by including a random component of uncertainty at
a 95% confidence level (this equates to adding 9.3ºC for pods on which thermocouples
were installed and 12.6ºC for the remaining pods – Ref. 16). Ref. 15 states that data
from the thermocouples has not provided any evidence to overturn the view that the
compliance algorithm is conservative. In general terms this appears a reasonable
argument.
54.
A specific point I raised was that the algorithm was developed for full load operation
and temperatures and may not be valid at reduced load and temperatures. Ref. 15
notes that this has been addressed in Ref. 17. Ref. 17 reports the results of CFD
analysis of Weld 12.3 temperatures over a range of operating loads and temperatures.
The reduction in temperature predicted by the CFD analysis has then been compared
with the algorithm. As noted in Ref. 15 the agreement between the CFD model and the
algorithm is good; this gives a reasonable level of confidence that the algorithm is valid
at reduced load and temperatures. I also note that the absolute temperatures predicted
by the CFD model are lower than those predicted by the algorithm. Note: Ref. 17 has
the title “Preliminary weld 12.3 temperatures at full power and reduced load”. I have
confirmed with EDF NGL that the preliminary nature of the report does not affect the
conclusions that they have drawn from it (Ref. 23).
55.
In my question I noted that one of the parameters in the algorithm is the liner annulus
flowrate and that this appears inconsistent with the evidence that the liner annulus flow
does not enter the deadspace and hence the annular gap between the shroud and the
spine. In response EDF NGL reports that there is a strong statistical correlation
between measured gas temperatures and the liner annulus flowrate which is why it
appears in the algorithm and is believed to be pointing to a real physical effect. A
possible explanation based on analysis in Ref. 17 is provided relating carbon
deposition and hence spine temperature to liner annulus flowrate. Whilst there is
clearly uncertainty regarding the mechanism by which liner annulus flowrate affects
spine temperatures I accept that it is correlated with measured gas temperatures.
56.
My question also requested clarification of the effect of the cold plume from the liner
annulus flow and other thermal asymmetric effects (redundant cables, non-concentric
annular gaps) on the validity of the algorithm. Ref. 15 explains that these effects are
small and unlikely to have a significant effect on the temperature of Weld 12.3. I accept
EDF NGL’s judgement and note that work is ongoing as part of Commitment 6 to
better quantify such effects.
57.
Overall, based on the evidence and arguments provided by EDF NGL I judge the claim
that the Weld 12.3 algorithm is conservative to be reasonable. However, I note that the
heat transfer and fluid flow in the region of Weld 12.3 is very complex and that
confidence would be increased by additional thermocouple measurements. In this
respect I note that Commitment 4 is to carry out a review of the boiler thermocouple
strategy and that this review is to include an investigation and re-commissioning of
existing boiler thermocouples and also the feasibility of installing additional
thermocouples. I consider this to be an important commitment.
4.2.2
Claim 2 – In the event of boiler spine failure the consequences remain tolerable
Initiating Events
58.
The extant boiler spine and boiler tube leak safety case are presented in Ref. 6 and 8
respectively. ONR has previously assessed the deterministic fault analysis aspects of
these safety cases and concluded that the position was acceptable (Ref. 9).
Consequently my assessment has focussed on those aspects of the safety case that
have changed as a result of the crack found in boiler spine 1D1.
59.
As noted above, the existing boiler spine safety case (Ref. 6) assumes failure of all
147 tailpipes on an infrequent basis (10⁻⁴ pry). Whilst Claim 1 is that the integrity of key
butt welds is adequate to justify an infrequent spine failure, Claim 2 concedes that the
frequency of a random spine failure is now challenged and must be considered as a
potentially frequent fault (i.e. Claim 1 concludes that the frequency of boiler spine failure
is 10⁻³ pry where a frequency of 10⁻³ pry is regarded as the border between frequent
and infrequent faults). As a consequence Ref. 1 aims to demonstrate that two lines of
protection exist following a random single spine failure. This is in line with
EDF NGL’s own Nuclear Safety Requirements. I consider this approach to be
appropriate.
60.
Whilst accepting that failure of the boiler spine is potentially more frequent than
originally claimed, Claim 2 argues that improved understanding of boiler tube loading
following spine failure gives confidence that the likely number of tubes at risk of failure
is small and bounded by failure at the bifurcations of the nine mono-tubes (the stiffest
tailpipes). The validity of this claim from a structural integrity perspective is considered
within the structural integrity assessment.
61.
Ref. 1 therefore aims to demonstrate that for up to nine mono-tube bifurcations failing
in a single spine there are two lines of protection for each of the essential safety
functions. The lines of protection claimed are detailed in Table 2. In order to
demonstrate protection, accident sequences are analysed using the MACE computer
code. The validity of this analysis is considered below.
62.
In addition to considering the consequences of a single spine failure Ref. 1 also
addresses the potential for multiple spine failure and concludes that multiple spine
failure is only credible during a seismic event. In terms of seismic events Ref. 1
considers the consequences of both frequent (10⁻³ pa) and infrequent (10⁻⁴ pa) events.
The adequacy of the safety case for multiple spine failures is discussed further below.
63.
In addition to demonstrating protection against the safety limits described above, Ref.
1 also considers the implications of boiler spine failure in terms of the effects on
reactivity of water ingress. No new analysis is presented, it being claimed that the
existing safety case is bounding. This claim is considered further below.
64.
Overall, in respect of the identification of initiating faults I consider that Ref. 1 complies
with SAP FA.2 in that initiating faults of random single spine failure and multiple spine
failure arising from a seismic event have been considered within the safety case.
Fault Sequences and Transient Analysis
65.
The transient analysis supporting Ref. 1 is reported in Ref. 10. The MACE computer
code has been used to perform the transient analysis. MACE is a well-established
code within EDF NGL and it has been used widely within boiler tube safety cases. In
my view its use for this application is consistent with SAP FA.7 which requires that the
analysis of design basis fault sequences uses appropriate tools and techniques and
with SAP FA.17 which requires that theoretical models adequately represent the
facility.
66.
Whilst from a structural integrity perspective the safety case argues that the
consequences of spine failure are limited to failure at the bifurcations of the nine
mono-tubes, the analysis presented in Ref. 1 is based on the failure of a number of
Superheater Tailpipes (SHTP) or Bifurcation Inlet Weld Failures (BIF). Failure of
bifurcations at the mono-tubes is not specifically analysed. However, Ref. 1 claims that
the water ingress rate resulting from failure of all nine “mono” bifurcations is bounded
by analyses performed for eight “double” bifurcations (note: failure is assumed to be a
double-ended guillotine failure of each of the two boiler tubes at inlet to the bifurcation).
I judge this to be a reasonable claim.
67.
With respect to the essential safety functions identified within Ref. 1 I judge that the
appropriate functions have been identified. Similarly the safety limits against which
protection is demonstrated are well established (e.g. Ref. 6), consequently I have not
reviewed the origin of the limits in my assessment.
68.
The analysis considers a number of Superheater Tailpipe (SHTP) and Bifurcation Inlet
Weld Failures (BIF) for a range of fault sequences:
• Base case - VOPE, QFT and SRV lift all successful.
• VOPE and QFT successful but SRVs fail to lift.
• SRVs lift if challenged but VOPE and QFT fail and boilers depressurised
manually via SS/192 route.
• High Gas Pressure Trip (HGPT) failure, operator manually trips reactor after 30
mins, VOPE and QFT successful.
• SRVs lift if challenged, one fails to reseat and is closed after 30 mins. VOPE
and QFT fail, boilers depressurised manually via SS/192 route.
• VOPE and QFT successful, EBF is assumed to be unavailable post-trip.
It should be noted that SHTP failures are included as sensitivity studies. The analysis
also includes BIF failures in two spines and aims to establish those fault sequences for
which protection against the safety limits described above can be claimed. Multiple
spine failure is considered separately below.
69.
A useful summary of the outcome of the analyses is presented in Table D1 of Ref. 1.
Included in this table is an estimate of the frequency of the different fault sequences. I
note that some of the sequences analysed are beyond the design basis, e.g. failure of
2 spines with SRVs failing to lift (2×10⁻⁸ pry). In my view the fault sequences
considered within Ref. 1 are consistent with the intent of SAP FA.6 concerning the
identification of design basis fault sequences and SAP FA.3 concerning the analysis of
the consequences of fault sequences.
70.
For the case of 8 BIFs failing combined with failure of VOPE/QFT (Case 2C8) I note
that the time to reach the Gas Circulator moisture limit is 27 minutes, i.e. broadly in line
with the guidance provided for human intervention (approximately 30 minutes) in SAP
ESS.9. I do not consider this to be a significant shortfall, noting the point made in
paragraph 80 below and that the second line of protection is natural circulation. I also
note that ALARP improvements to the reliability of VOPE/QFT are to be considered as
part of Commitment 13 which also includes consideration of implementation of auto
CO2 purge. In my view these would both be worthwhile improvements, not only in the
context of this specific accident sequence.
71.
Ref. 1 reports that the effectiveness of Secondary Shutdown (SSD) is challenged in
any sequences involving SRV lift because of the escape of Nitrogen through the SRVs.
For similar reasons it is noted that in the reactivity fault safety case it has not been
possible to claim two diverse lines of protection for frequent faults and that an ALARP
justification has been provided noting that the claimed Primary Shutdown (PSD) failure
probability is 10⁻⁵ fpd. Whilst the effectiveness of SSD for the sequences considered in
Ref. 1 has not been analysed, it is assumed that SSD alone would not provide
sufficient shutdown and holdown capability. However, it is argued that the frequency of
this sequence is less than 10⁻⁷ pry and that the associated risk is ALARP. On balance I
accept this argument.
72.
Overall I consider the claim that there are two lines of protection (with the exception of
the above point) for a single spine failure with up to 8 BIFs to be reasonable and that
SAP FA.4 relating to fault tolerance of the design and effectiveness of the safety
measures has been adequately addressed. I also note that the linking of faults, fault
sequences and safety measures is clear, and consistent with SAP FA.8.
Seismic Event - Multiple Spine Failures
73.
For a 10⁻³ pa seismic event Ref. 1 states that consequential spine failure is not
predicted; the validity of this claim has been considered by the structural integrity
assessor who considers it a reasonable claim (Ref. 11).
74.
For a 10⁻⁴ pa seismic event Ref. 1 estimates the consequential failure probability as
follows:
• Spines fail across 2 quadrants = 1.8×10⁻²
• Spines fail across 3 quadrants = 1.3×10⁻³
75.
On the basis of the above Ref. 1 argues that the failure of three or more spines in
different quadrants is beyond the design basis (~10⁻⁷ pry), which is reasonable given
the above. Ref. 1 also considers the sensitivity of this claim to visual inspection
coverage and indicates a failure on demand of 5.5×10⁻³ for reduced coverage. I have
discussed this with the structural integrity assessor who has confirmed (Ref. 11) that it
is reasonable to assume that the failure on demand for three spines is no greater than
5.5×10⁻³. This leads to the frequency of failure of three or more spines in different
quadrants being less than 5.5×10⁻⁷ pry. I also note that the safety case verifier has made the
judgement that the risk from three or more spine failures is less than 10⁻⁶ pry. This
highlights that there is some uncertainty attached to the ~10⁻⁷ pry claim made within
the safety case. In recognition of this I note that the risk of three or more spines failing
is included within the risk assessment as a DB5 release at 10⁻⁶ pry (i.e. not 10⁻⁷ pry).
Overall I believe this is a reasonable position.
76.
In respect of failure of two spines in different quadrants the above indicates a failure
frequency of 1.8×10⁻⁶ pry. I note that the verifier has made the judgement that the
failure frequency is less than 10⁻⁵ pry. This difference has no impact on the
deterministic justification in that it remains appropriate to demonstrate a single line of
protection.
77.
From a deterministic point of view a 10⁻⁴ pa seismic event leading to a single spine
failing is bounded by that for two spines failing in different quadrants. The risk
associated with a single spine failing as a consequence of a 10⁻⁴ pa seismic event is
discussed within the PSA assessment.
78.
For the case of a 10⁻⁴ pa seismic event with two spine failures across two quadrants a
single line of protection is claimed within Ref. 1, with minimum post-trip cooling
provided by:
• Emergency Boiler Feed (EBF) to two quadrants plus Forced Gas Circulation.
Initially forced gas circulation is by the Gas Circulator Pony Motors which auto start. It
is assumed that the seismic event also leads to a minor depressurisation fault and
consequently once a pressure of 6 bar(a) is reached the operator needs to restart the
Gas Circulator Main Motors; this is required at around 8 hours from the start of the
event.
79.
In Ref. 7 I questioned (question 6) whether EBF was qualified for a 10⁻⁴ pry seismic
hazard. I note that the position has been clarified within Ref. 1. Essentially whilst it is
considered by EDF NGL that the intent to qualify EBF for a 10⁻⁴ pry seismic hazard has
been met this was not recorded at the time. Consequently EDF NGL has performed
plant walkdowns and a seismic SQEP has confirmed that any issues identified during
the walkdowns were not significant in the context of return to service. I note that
Commitment 18 has been raised to review all close-out records for EBF seismic
qualification and formally update the seismic qualification status of the EBF system.
80.
With respect to forced gas circulation the MACE transient analysis for failure of two
spines in different quadrants calculates that the time to reach the Gas Circulator
moisture limit is ~20 minutes, which may be insufficient time to ensure manual CO2
Gas Circulator purge by the operator. However, Ref. 1 makes a claim on the benefit of
the motor ‘wind back seals’, which are designed to allow only a small flow of gas into
the oil bath whilst the shaft is rotating. It is claimed that work reported in the recent
shutdown boiler safety case (Ref. 18) gives confidence that greater than 30 minutes is
expected to be available for operator action to initiate CO2 gas purge. I note that the
verifier has reviewed the evidence supporting this claim and considers it robust. Given
this and that failure of 2 spines is an infrequent fault I accept that EDF NGL’s judgement
that the operator would have greater than 30 minutes to respond is reasonable. This
does however add weight to Commitment 13 which includes consideration of
automatic CO2 purge of the gas circulator motor compartment.
81.
Ref. 1 reports that VOPE/QFT forms part of the single line of protection for boiler
isolation following an infrequent seismic event. I note that Technical Specification LCO
5.2.5 is to be revised to require a 4 hour reactor shutdown if VOPE/QFT becomes
unavailable in two or more quadrants. Similarly I note that LCO 8.2.1 is to be revised to
require a 4 hour reactor shutdown (or an alternative means for ensuring manual valve
action is available local to the plant) if CO2 purge becomes unavailable. I consider
these revisions to be appropriate.
82.
In the PSA section of Ref. 1 EDF NGL make the judgement that the overall risk of plant
protection failing for an infrequent seismic event is 0.1 fpd. I note this is a judgement
based on plant reliability and the reliance on operator actions. With respect to the plant
I note that the single line of protection is not fully compliant with the single failure
criterion (SAP EDR.4). In particular EBF feed is required to a minimum of two
quadrants and is therefore not single failure tolerant to any one quadrant. In addition
VOPE is not single failure tolerant for the reasons discussed in section D5.5 of Ref. 1.
This is recognised within Commitment 13 of Ref. 1 which is to complete a detailed
ALARP review of protection including Auto CO2 purge, VOPE/QFT systems and
diverse boiler feed isolation. Given the low reliability claimed I consider this to be an
important commitment.
83.
I note that the transient analysis for case 3B8, for which all three SRVs fail to lift,
predicts a peak reactor pressure of 68.4 bar(a). This is beyond the upper bound
pressure limit (64.1 bar(a)). Ref. 1 argues that the frequency of a 10⁻⁴ pry seismic
event with two spines failing and all SRVs failing to lift is below 10⁻⁷ pry and beyond
the design basis. I accept that this fault sequence is beyond the design basis.
84.
Overall, based on the evidence presented in Ref. 1 I accept that for two spines in
different quadrants failing in a 10⁻⁴ seismic event a single line of protection is available.
However, I note that the claimed reliability of the single line of protection is relatively
low at 0.1 fpd, consequently I consider it important that Commitment 13, which
involves a detailed ALARP review of protection is completed.
Reactivity effects from water ingress
85.
The reactor physics effects of steam ingress are considered within Ref. 1 which notes
that as core burn-up increases the core becomes under-moderated as a result of
graphite weight loss and that this increases the adverse effects of steam ingress
injecting additional moderator.
86.
Two aspects are considered:
• The effect on pre-trip overpower and consequent fuel failures.
• Whether post-trip shutdown margin remains adequate for long term hold down.
With respect to overpower transients Ref. 1 concludes that the position is bounded by
the current safety case (Ref. 12). This is a reasonable claim given that the reactivity
addition rate for the small number of bifurcation failures (16 bifurcation failures
following a seismic event) will be less than that for 147 tailpipes upon which the current
safety case is based.
87.
The current shutdown penalties are applied in Technical Specification LCO 4.1.1 and
were justified in Ref. 13. They were based on 20 tonnes of water ingress for the
bounding frequent fault and >60 tonnes for an infrequent fault. For the revised case
Ref. 1 reports that for a frequent spine failure (8 bifurcations fail with successful
protection) there is an ingress of 13.5 tonnes of water which is well below the 20
tonnes justified in Ref. 13. I also note for the infrequent faults analysed in Ref. 10 the
water ingress is below 60 tonnes.
88.
Overall, in respect of the reactivity effects of water ingress I accept the argument
presented in Ref. 1 that boiler spine failure is bounded by the existing safety case.
Reactor Vessel Flood Detection System (RVFDS)
89.
The RVFDS is intended to provide automatic feed pump tripping to reduce the risk of
reactor vessel flooding during shutdown states. This system has not yet been put into
service but is planned to be available on each reactor for the next planned refuelling
outages in 2015. This is reflected in EDF NGL Commitment 1. Should an earlier forced
shutdown occur following return to service, Ref. 1 argues that boiler spine failure whilst
shutdown would be a very low frequency event and that at least 30 minutes would be
available for operator action. I note that the operator would be made aware of a leak by
alarms from the existing OLMMS (Off Load Moisture Monitoring System) or BOLMMS
(Basement Off Load Moisture Monitoring System). On balance I judge this position to
be ALARP.
Sensitivity of Claim 2 to Boiler Spine Failure Frequency
90.
Whilst noting Claim 1 aims to justify boiler spine failure as an infrequent fault at 10⁻³
pry, there is clearly some uncertainty attached to the failure frequency. This is
recognised in Claim 2 in that it is based on demonstrating two lines of protection, i.e. a
frequent fault is assumed. I also note the claim within Ref. 1 that should the frequency
be a “few x 10⁻³ pry” there would be no impact on the deterministic position. Whilst
noting that this statement is somewhat imprecise, I accept EDF NGL’s judgement that
the deterministic aspects of Claim 2 are not sensitive to such an increase in boiler
spine failure frequency.
91.
Ref. 1 also includes a simple sensitivity study of the effect on risk of higher boiler spine
failure frequencies; this aspect is addressed within the PSA assessment.
4.2.3
Claim 3 - The risk associated with the proposed return to service of the three
reactors is Tolerable and ALARP
92.
As noted above I have not specifically assessed the overall ALARP case. However a
number of the commitments made within Ref. 1 are relevant to my assessment and are
briefly commented on below.
Commitment 4: Review of boiler thermocouple strategy
93.
Commitment 4 is to carry out a review of the boiler thermocouple strategy. This review
is to include an investigation into re-commissioning of existing boiler thermocouples
and also consider the feasibility of installing additional thermocouples. Noting that
there are uncertainties associated with the operating temperature of Weld 12.3 I
consider this to be an important commitment.
Commitment 13: ALARP review of protection systems
94.
Commitment 13 is to complete a detailed ALARP review of protection against boiler
spine failure. This review is to include, but not be limited to: auto CO2 purge for the gas
circulator motor compartment; a spine restraint system; reliability improvements to
VOPE/QFT etc. I support this review and in particular I note that auto CO2 purge would
appear to be of particular benefit given the current reliance on operator action.
Commitment 15: Develop implementation plan for a cooling modification
95.
Commitment 15 is to develop an implementation plan for a cooling modification to
reduce Weld 12.3 temperatures. A number of potential options are identified within
Ref. 1. Whilst I support this work I note that the majority of the options identified will be
quite challenging to implement.
Commitment 17: Impact on fuel and core of long term operation at reduced power
96.
Commitment 17 is to review the impact on fuel and core of long term operation at
reduced power within 6 months of return to service. I support this commitment and
judge that a timescale of 6 months is reasonable.
97.
The 19 commitments that are made in Ref. 1 are important in the context of ALARP.
For the commitments considered above I judge, on ALARP grounds, that they do not
need to be completed prior to return to service. It is intended that EDF NGL’s progress
against all of its commitments will be monitored by ONR through regular project
meetings. This is to be tracked through an issue (Issue 2714) on the ONR issues
database.
4.3
Comparison with Standards, Guidance and Relevant Good Practice
98.
SAP FA.1 requires that fault analysis should be carried out comprising design basis
analysis, suitable and sufficient PSA and suitable and sufficient severe accident
analysis. I judge that adequate design basis analysis has been completed and note
that a PSA is included in Ref. 1. The adequacy of the PSA will be judged by the PSA
specialist in their assessment. I note that no severe accident analysis has been
presented but judge this reasonable in the context of this safety case.
99.
Overall, in respect of the identification of initiating faults I consider that Ref. 1 complies
with SAP FA.2 in that initiating faults of random single spine failure and multiple spine
failure arising from a seismic event have been considered within the safety case. In my
view the fault sequences considered within Ref. 1 are consistent with the intent of SAP
FA.6 concerning the identification of design basis fault sequences and SAP FA.3
concerning the analysis of the consequences of fault sequences. I also note that the
provision of two lines of protection for frequent faults is consistent with the
expectations of FA.6.
100.
In general terms I consider that SAP FA.4 relating to fault tolerance of the design and
effectiveness of the safety measures has been adequately addressed. I also note that
the linking of faults, fault sequences and safety measures is clear and consistent with
SAP FA.8.
101.
I also note that MACE, used for the transient analysis, is a well-established code within
EDF NGL and it has been used widely within boiler tube safety cases. In my view its
use for this application is consistent with SAP FA.7 which requires that the analysis of
design basis fault sequences uses appropriate tools and techniques and with SAP
FA.17 which requires that theoretical models adequately represent the facility.
102.
With respect to an infrequent seismic event with consequential failure of 1 or 2 spines I
note that the line of protection is not fully compliant with the single failure criterion
(SAP EDR.4). This, combined with the reliance on operator actions has led to a claim
on reliability for this line of protection of 0.1 fpd. The implications of this in terms of risk
are considered within the PSA assessment report.
103.
Target 4 of the SAPs (Design Basis Fault Sequences) is used to judge the adequacy
of the safety measures assuming their successful operation. Failure of a boiler spine at
a frequency of 10⁻³ pry could lead to a DB1 (0.1-1 mSv) off-site release as a
consequence of SRV lift assuming pre-failed fuel is present in the reactor. For an
off-site release at a frequency of below 10⁻³ pry the BSL is 10 mSv and above 10⁻³ pry it is
1 mSv. Noting that this initiating event lies at this border in terms of frequency I judge
that Target 4 is met.
104.
With respect to a 10⁻⁴ pry seismic event resulting in failure of 2 spines in different
quadrants the consequence assuming successful operation of the safety measures is
a DB 2 to 3 release (from Ref. 24, i.e. between 1 and 100 mSv). For a frequency of 10⁻³
to 10⁻⁴ pry the BSL is 10 mSv and below 10⁻⁴ pry the BSL is 100 mSv. Noting that this
initiating event lies at this border in terms of frequency I judge that Target 4 is just met.
4.4
Verification, INSA and Nuclear Safety Committee (NSC)
105.
The verification statement in Ref. 1 indicates that the safety case has undergone a
comprehensive verification process. In particular I note the statement in respect of
Claim 1 that “Overall, it is judged that the spine failure frequency for operation at-power
lies in the region approaching 10⁻³ pry, but the evidence presented does not provide
full confidence in supporting infrequent failure.” Whilst the validity of Claim 1 is
considered within the structural integrity assessment I have considered the sensitivity
of the deterministic aspects of Claim 2 to boiler spine failure above. A number of other
points raised by the verifier are considered within my assessment.
106.
I note that the overall judgement of the verifier is that the risk from at-power spine
failure, and from post frequent and infrequent seismic induced spine failure, is tolerable
and ALARP. I also note that the judgement within the safety case that there are no further
measures that are reasonably practicable prior to return to service is supported by the
verifier.
107.
Refs. 25, 26 and 27 present the INSA approval statements for return to service of
Heysham Reactor 2 and Hartlepool Reactors 1 and 2 respectively. INSA support the
return to service of the reactors at part power operation on the basis that the risk of
boiler spine failure has been demonstrated to be ALARP. I also note that INSA
concludes that two lines of protection have been demonstrated for frequent faults and
a single line of protection for the infrequent seismic event.
108.
Minutes from the NSC at which a draft (Version 01) of Ref. 1 was considered are
presented in Ref. 28. Following this meeting the final version of the safety case (i.e.
Ref. 1) has been considered out-of-committee by the external NSC members. The
overall view of the external members (Ref. 29) of the NSC is that the case is
supported.
109.
In conclusion I note that Ref. 1 has completed EDF NGL’s own due processes and that
no issues that would prevent the return to service of Heysham 1 Reactor 2 and
Hartlepool Reactors 1 and 2 have been identified.
4.5
IIS Rating
110.
In terms of the IIS rating (Ref. 13) and in the context of this fault studies assessment I
rate the safety case submission presented in Ref. 1 as 3 – Adequate (Green). This is
on the basis that the safety case generally meets the intent of the relevant SAPs and,
although complex, is reasonably well explained. I note that the timescales for delivery
and assessment of the safety case have been challenging but do not believe that it
would be appropriate to reflect this in the rating.
5
CONCLUSIONS AND RECOMMENDATIONS
5.1
Conclusions
111.
This report presents the findings of my assessment of EDF NGL’s safety case (Ref. 1)
for the return to service of Heysham 1 Reactor 2 and Hartlepool Reactors 1 and 2 at
reduced temperature operation following the discovery of a defect on Heysham 1
Reactor 1 boiler spine 1D1. The report considers the fault studies aspects of the safety
case; the structural integrity and probabilistic safety assessment aspects are
addressed separately.
112.
The main focus of my assessment has been Claim 2 that in the event of boiler spine
failure the consequences remain tolerable. A further aspect of my assessment, which
is key to Claim 1, has been the claim that the method used to assess the temperature
of Weld 12.3 is conservative.
113.
My assessment is based upon the assumption that a number of key structural integrity
points are valid, namely:
• That the boiler spine random failure frequency is of the order of 10⁻³ pry but on
the frequent side of the 10⁻³ pry boundary (paragraphs 114 and 115 below).
• Claim that the structural integrity consequences of spine failure are limited to
up to failure of the 9 mono-tubes.
• Claim that for a 10⁻³ pa seismic event spine failure would not occur.
• Claim that for a 10⁻⁴ pa seismic event the failure of three or more spines in
different quadrants is no greater than 5.5×10⁻³ fpd.
I have discussed these points with the structural integrity assessor who has confirmed
(Ref. 11) that from a structural integrity perspective he is content with the above
assumptions.
114.
With respect to the first of the above points, whilst Claim 1 aims to justify boiler spine
failure as an infrequent fault at 10⁻³ pry, there is clearly some uncertainty attached to
this frequency. This is recognised in Claim 2 which is based on demonstrating two
lines of protection, i.e. a frequent fault is assumed. I also note the claim within Ref. 1
that should the frequency be a “few x 10⁻³ pry” there would be no impact on the
deterministic position. Whilst this is somewhat imprecise I accept EDF NGL’s
judgement that the deterministic aspects of Claim 2 are not sensitive to such an
increase in boiler spine failure frequency.
115.
I also note that the structural integrity assessor (Ref. 11) has concluded that the random
failure frequency for a boiler spine at power is of the order of 10⁻³ pry and that the
uncertainty associated with this is compatible with the claim in Ref. 1 that the
deterministic aspects of Claim 2 would not change should the frequency be a “few x
10⁻³ pry”.
116.
In terms of the fault studies aspects of Claim 2 I have concluded that the arguments
and evidence provided to support the claim that in the event of boiler spine failure the
consequences remain tolerable are valid. In reaching this conclusion I have considered
whether the fault sequences analysed are appropriate, whether the analysis is
adequately robust and whether the lines of protection claimed are sufficient. I have
also concluded that the safety case generally complies with the intent of the relevant fault
studies SAPs as identified in Table 1.
117.
I note that Commitment 13 is to complete a detailed ALARP review of protection
against boiler spine failure. This review is to include, but not be limited to: automatic
CO₂ purge for the gas circulator motor compartment; a spine restraint system;
reliability improvements to VOPE/QFT etc. I support this review, particularly noting the
relatively low reliability of the single line of protection claimed for an infrequent seismic
event.
118.
Overall, based on the evidence and arguments provided by EDF NGL I judge the claim
that the Weld 12.3 algorithm is conservative to be reasonable. However, I note that the
heat transfer and fluid flow in the region of Weld 12.3 are very complex and that
confidence would be increased by additional thermocouple measurements. In this
respect I note that Commitment 4 is to carry out a review of the boiler thermocouple
strategy and that this review is to include an investigation into re-commissioning of
existing boiler thermocouples and also the feasibility of installing additional
thermocouples. I consider this to be an important commitment.
119.
I note that the 19 commitments that are made in Ref. 1 are important in the context of
ALARP. It is intended that EDF NGL’s progress against all of its commitments will be
monitored by ONR through regular project meetings and tracked through an issue
(Issue 2714) on the ONR issues database.
120.
To conclude, from a fault studies perspective I am broadly satisfied with the claims,
arguments and evidence laid down within the Licensee’s safety case as presented in
Ref. 1.
5.2
Recommendations
121.
I make the following recommendation:
• From a fault studies perspective I recommend that ONR should Agree to the
requests (Ref. 20 and 21) made under LC22(1) arrangements for the return to
service of Heysham 1 Reactor 2 and Hartlepool Reactors 1 and 2 at reduced
temperature as justified in the safety case presented in Ref. 1.
6
REFERENCES
1.
EDF NGL Report: NP/SC 7717 Version 6 - A Safety Case for Return to Service of
Heysham 1 Reactor 2, Hartlepool Reactor 1 and Reactor 2 at Reduced Temperature
Operation Following the Discovery of a Defect on Heysham 1 Reactor 1 Boiler Spine
1D1 (TRIM 2014/425760).
2.
ONR HOW2 Guide NS-PER-GD-014 Revision 4 - Purpose and Scope of
Permissioning. July 2014. http://www.onr.org.uk/operational/assessment/index.htm
3.
Safety Assessment Principles for Nuclear Facilities. 2006 Edition Revision 1. HSE.
January 2008. http://www.onr.org.uk/saps/saps2006.pdf.
4.
TAGs – No TAGs have been used directly in this assessment. ONR’s TAGs are
provided at: http://www.onr.org.uk/operational/tech_asst_guides/index.htm
5.
Guidance on Mechanics of Assessment within the Office for Nuclear Regulation (ONR)
(TRIM 2013/204124).
6.
EDF NGL Report: NP/SC 4226 Add 4 – Hartlepool and Heysham 1 Power Stations:
Consolidated Boiler Spine Safety Case (TRIM 2010/448252).
7.
Email from S Harrison (ONR) to (EDF NGL) Sent 28 November 2014: HYA
R2 and HAR R & R2 return to service at reduced temperature safety case - Fault
Studies Questions (TRIM 2014/403076).
8.
EDF NGL Report: NP/SC 7072 Add 2 - Hartlepool & Heysham 1 Power Stations:
update to the boiler tube failure safety case from an at-power reactor (TRIM
2010/156980).
9.
ONR Assessment Note: Boiler Tube Leak and Boiler Spine Safety Cases (NP/SC 4226
Add 4 & 7072 Add 2) (TRIM 2012/180367).
10.
EDF NGL Report: E/REP/BCDB/0029/AGR/14 Revision 000 – Hartlepool/Heysham 1
Power Stations – Boiler Spine Recovery Project – Additional MACE Analyses of
Superheater Tailpipe and Bifurcation Inlet Weld Failures (TRIM 2014/40336).
11.
ONR Email: Email from A Holt (ONR) to (ONR), Validity of Key Structural
Integrity Claims, dated 20 November 2014 (TRIM 2014/430245).
12.
EDF NGL Report: NP/SC 7474 Add 1, Hartlepool/Heysham 1 Power Stations, Interim
Safety Case for Reactivity Effects of Boiler Tube Failure Faults, July 2007.
13.
EDF NGL Report: NP/SC 7474 Add 1, Hartlepool/Heysham 1 Power Stations,
Extension to the Safety Case for Reactivity Effects of Boiler Tube Failure Faults,
November 2007.
14.
ONR IIS Rating Guide Table (TRIM 2014/12522).
15.
EDF NGL Response: NPSC 7717 – Response to Questions (TRIM
2014/411744).
16.
EDF NGL Report: E/EAN/BBGB/0063/AGR/13 Revision 000, A Review of the Boiler
Spine Weld 12.3 Compliance Algorithm, August 2013 (TRIM 2014/407509).
17.
EDF NGL Report: E/EAN/BBJB/0344/AGR/14 Revision 000, Preliminary Weld
Temperatures at Full Power and Reduced Loads (TRIM 2014/407499).
18.
EDF NGL Report: NP/SC 7154 Add 6 Rev 000, Hartlepool & Heysham 1 Power
Stations, Boiler Tube Leaks on a Shutdown Reactor, April 2014 (TRIM 2014/411573).
19.
EDF NGL BAWG Paper: BAWG/P(14)1, Boiler Spine Recovery – Proposal to Operate
Hartlepool and Heysham 1 at Reduced Load (TRIM 2014/413337).
20.
EDF NGL Letter from Heysham Station Director: Request for Agreement made under
Licence Condition 22(1) - NP/SC 7717 Version 6 - A Safety Case for Return to Service
of Heysham 1 Reactor 2, Hartlepool Reactor 1 and Reactor 2 at Reduced Temperature
Operation Following the Discovery of a Defect on Heysham 1 Reactor 1 Boiler Spine
1D1, NSL/HYA/50744(Y) dated 17 November 2014 (TRIM 2014/424879).
21.
EDF NGL Letter from Hartlepool Station Director: Request for Agreement made under
Licence Condition 22(1) - NP/SC 7717 Version 6 - A Safety Case for Return to Service
of Heysham 1 Reactor 2, Hartlepool Reactor 1 and Reactor 2 at Reduced Temperature
Operation Following the Discovery of a Defect on Heysham 1 Reactor 1 Boiler Spine
1D1, NSL HRA 5/05R dated 14 November 2014 (TRIM 2014/426668).
22.
EDF NGL Email: NPSC 7717 – Response to Question 4 (TRIM
2014/417908).
23.
EDF NGL Email: Clarification of Status of Ref. A18 of NP/SC 7717 (TRIM
2014/419753).
24.
EDF NGL Email: Response to Fault Studies Question 9 - Dose Bands for- Failure of 2
Spines with Line of Protection Successful (TRIM 2014/424595).
25.
EDF NGL INSA Approval Statement: Heysham 1 - EC 354025 - Cat 1 INSA - HYA R2
Return to service after the discovery of a defect in HYA D1 Boiler Spine (TRIM
2014/423350).
26.
EDF NGL INSA Approval Statement: Hartlepool - EC 354020 - Cat 1 INSA - Reactor 1
Return to Service after Inspections following Identification of Heysham 1 Spine
Anomaly (TRIM 2014/423384).
27.
EDF NGL INSA Approval Statement: Hartlepool - EC 354021 - Cat 1 INSA - Return to
Service after Inspections following Identification of Heysham 11 R1 Spine Anomaly (TRIM 2014/423338).
28.
EDF NGL Heysham 1 and Hartlepool Nuclear Safety Committees: Minutes of the
Meeting held at Barnwood on 30th October 2014, Meeting 10a/14 (TRIM
2014/425769).
29.
EDF NGL Email: Independent Members Responses on NP/SC 7717, dated 17
November 2014 (TRIM 2014/4224888).
30.
ONR Assessment Report: ONR-CNRP-AR-14-079, Revision 0, Structural Integrity
Assessment of the Safety Case for Return to Service of Heysham 1 Reactor 2,
Hartlepool Reactor 1 and Reactor 2 at Reduced Temperature Operation following the
discovery of a defect on Heysham 1 Reactor 1 Boiler Spine 1D1 (TRIM 2014/411978).
31.
ONR Assessment Report: ONR-CNRP-AR-14-075, Revision 0, PSA assessment of
the Return to Service Safety Case for Hartlepool (Reactor 1 and Reactor 2) and
Heysham 1 (Reactor 2) Following the Discovery of a Defect on Heysham 1 (Reactor 1)
Boiler Spine (D1) (TRIM 2014/399140).
Table 1 - Relevant Safety Assessment Principles Considered During the Assessment

SAP No | SAP Title | Description
FA.1 | Design basis analysis, PSA and severe accident analysis | Fault analysis should be carried out comprising design basis analysis, suitable and sufficient PSA, and suitable and sufficient severe accident analysis.
FA.2 | Identification of initiation faults | Fault analysis should identify all initiating faults having the potential to lead to any person receiving a significant dose of radiation, or to a significant quantity of radioactive material escaping from its designated place of residence or confinement.
FA.3 | Fault Sequences | Fault sequences should be developed from the initiating faults and their potential consequences analysed.
FA.4 | Fault Tolerance | DBA should be carried out to provide a robust demonstration of the fault tolerance of the engineering design and the effectiveness of the safety measures.
FA.6 | Fault Sequences | For each initiating fault in the design basis, the relevant design basis fault sequences should be identified.
FA.7 | Consequences | Analysis of design basis fault sequences should use appropriate tools and techniques, and be performed on a conservative basis to demonstrate that consequences are ALARP.
FA.8 | Linking of initiating faults, fault sequences and safety measures | Linking of initiating faults, fault sequences and safety measures.
FA.17 | Theoretical Models | Theoretical models should adequately represent the facility and site.
ESS.9 | Time for human intervention | Where human intervention is necessary following the start of a requirement for protective action, then the time before such intervention is required should be demonstrated to be sufficient.
EDR.4 | Single failure criterion | During any normally permissible state of plant availability no single random failure, assumed to occur anywhere within the systems provided to secure a safety function, should prevent the performance of that safety function.
Essential Safety Function | Line of Protection 1 | Line of Protection 2
Reactor Trip | Automatic trip on high gas pressure | Manual trip at 30 minutes
Shutdown | PSD | SSD/None (see para 71)
Gas Circulator Run On | Gas Circulator MM common breakers | 11kV circuit breakers
Vessel Overpressure | SRVs | VOPE/QFT
Boiler Venting | Via SS/21s and dump system (automatic VOPE on trip) | Via SS/192s discharge to atmosphere (manual action 30 minutes post trip)
Boiler Feed & Feedwater Source | EBF and RFTs (with boiler blowdown via SS/21 control) | HPBUCs and HPBUCs tanks (with boiler blowdown by manual opening of SS/192s)
Gas Circulation | Forced gas circulation on pony motors (gas circulator purge required) | Natural circulation
Vessel Flooding | VOPE/QFT | Boiler blowdown via SS/192 (manual action 30 minutes post trip)

Table 2 - Lines of Protection for Essential Safety Functions for Eight Inlet Bifurcation
Failures