ET-NRC-93-3995, Forwards Westinghouse Responses to NRC Request for Addl Info on AP600 from Ltrs & 20

ML20059A473
Person / Time
Site: 05200003
Issue date: 10/20/1993
From: Liparulo N
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
ET-NRC-93-3995, NUDOCS 9310260341


Text

Westinghouse Electric Corporation
Energy Systems
Box 355
Pittsburgh Pennsylvania 15230-0355

ET-NRC-93-3995
NSRA-APSI-93-0403
Docket No.: STN-52-003

October 20, 1993

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

ATTENTION: R.W. BORCHARDT

SUBJECT: WESTINGHOUSE RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION ON THE AP600

Dear Mr. Borchardt:

Enclosed are three copies of the Westinghouse responses to NRC requests for additional information on the AP600 from your letters of August 19, 1993 and August 20, 1993. This transmittal completes the responses to these letters. A revision to the response to RAI 620.51 previously transmitted is also included. A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A. Attachment B is a complete listing of the questions associated with the August 19, 1993 and August 20, 1993 letters and the corresponding Westinghouse letters that provided our response.

These responses are also provided as electronic files in Wordperfect 5.1 format with Mr. Hasselberg's copy.

If you have any questions on this material, please contact Mr. Brian A. McIntyre at 412-374-4334.

Nicholas J. Liparulo, Manager
Nuclear Safety & Regulatory Activities

/nja

Enclosure

cc: B. A. McIntyre - Westinghouse
    F. Hasselberg - NRR

9310260341 931020 PDR ADOCK 05200003 A PDR

Printed: 10/20/93

ATTACHMENT B

CROSS REFERENCE OF WESTINGHOUSE RAI RESPONSE TRANSMITTALS TO NRC LETTERS OF AUGUST 19, AND AUGUST 20, 1993

Question No. | Issue | NRC Letter | Westinghouse Transmittal Date
720.059 | Verify differences identified in Q720.57 | 07/19/93 | 10/20/93
720.060 | Incorporate PRA changes | 07/19/93 | 10/20/93
720.061 | Justify applicability of data | 07/19/93 | 10/20/93
720.062 | Bounding analysis for site specific hazards | 07/19/93 | 09/10/93
720.063 | Method for identifying adverse failures | 07/19/93 | 09/21/93
720.064 | System importances | 07/19/93 | 10/20/93
720.065 | Example task analysis for HRA events | 07/19/93 | 09/21/93
720.066 | Include HRA events in Table D-1 | 07/19/93 | 10/20/93
720.067 | Use of specific HRA events | 07/19/93 | 10/20/93
720.068 | HRA Table D-1 and PRA database discrepancy | 07/19/93 | 09/21/93
720.069 | HRA Table D-1 and specific HRA events discrepancy | 07/19/93 | 09/21/93
720.070 | Use of PRA insights in ITAACs, DAC, and DRAP | 07/19/93 | 10/20/93
720.071 | Actions required for 72 hours at stable conditions | 07/19/93 | 10/04/93
720.072 | 24-hour mission time for containment events | 07/19/93 | 09/21/93
720.073 | Uncertainty analysis | 07/19/93 | 10/04/93
720.074 | ET end state sequences | 07/19/93 | 10/20/93
720.075 | CIC and ClO fault trees | 07/19/93 | 09/21/93
720.076 | CVS/SFW credited injection to IRWST | 07/19/93 | 09/21/93
720.077 | Benchmarking of WLINK | 07/19/93 | 09/21/93
720.078 | Correct basis event values | 07/19/93 | 09/21/93
720.079 | Use of scalar vs cutsets for AC2AB | 07/19/93 | 09/21/93
720.080 | Fault tree truncation cutoffs | 07/19/93 | 09/21/93
720.081 | Large breaks outside containment | 07/19/93 | 10/20/93
720.082 | Mitigation of containment bypass | 07/19/93 | 10/20/93
720.083 | Omitted CCFs | 07/19/93 | 10/20/93
720.084 | Capability of cold shutdown following PCCS | 07/19/93 | 10/20/93
720.085 | Low frequency/high consequence IEs | 07/19/93 | 10/20/93
720.086 | Common cause factors on IRWST CVs | 07/19/93 | 10/20/93
720.087 | Spurious operation of ADS | 07/19/93 | 10/20/93
720.088 | Pipe rupture frequency used for LOCA IEFs | 07/19/93 | 10/02/93
720.089 | LOCA IEFs | 07/19/93 | 09/21/93
720.090 | Leaks missing from very small LOCA IEF calcs | 07/19/93 | 10/20/93
720.091 | CCF of software errors | 07/19/93 | 10/20/93
720.092 | PRHR HX tube failure probabilities | 07/19/93 | 10/02/93
720.093 | Procedure for modularizing fault trees | 07/19/93 | 10/20/93
720.094 | I&C test/maintenance errors | 07/19/93 | 10/04/93
720.095 | CCF data | 07/19/93 | 10/04/93
720.096 | EPRI battery failure and CCF data | 07/19/93 | 10/20/93
720.097 | Isolation of IRWST CVs with MOVs | 07/19/93 | 10/20/93
720.098 | NRHR use in LOCA events | 07/19/93 | 10/20/93
720.099 | CMT/ADS actuation | 07/19/93 | 10/20/93
720.100 | Digital I&C for natural circulation | 07/19/93 | 10/20/93
720.101 | Inadvertent actuation of PRHR | 07/19/93 | 09/21/93
720.102 | Monitor bus | 07/19/93 | 09/03/93
720.103 | HVAC availability | 07/19/93 | 10/20/93
720.104 | CCF of process control instruments | 07/19/93 | 10/04/93
720.105 | CCF of microprocessor components | 07/19/93 | 10/04/93
720.106 | Peak cladding temperature for core cooling | 07/19/93 | 09/21/93
720.107 | URD requirement vs peak clad temperature | 07/19/93 | 09/21/93
720.108 | Multiple SGTR sensitivity | 07/19/93 | 10/20/93
720.109 | Core uncovery for large breaks | 07/19/93 | 10/20/93
720.110 | ADS valve discharge coefficient | 07/19/93 | 10/20/93
720.111 | Source for ADS critical flow models | 07/19/93 | 09/21/93
720.112 | Failure of IRWST CVs | 07/19/93 | 10/20/93
720.113 | Containment backpressure on ADS & IRWST CVs | 07/19/93 | 10/20/93
720.114 | CAS modeling for 4th stage ADS | 07/19/93 | 10/20/93
720.115 | Modeling of mini-purge system | 07/19/93 | 10/04/93
720.116 | SFPC containment bypass path | 07/19/93 | 10/20/93
720.117 | HRA insights in design | 07/19/93 | 10/20/93
720.118 | HEP modification | 07/19/93 | 10/20/93
720.119 | Inadvertent draining of IRWST | 07/19/93 | 09/21/93
720.120 | Leak detection for LOCA HEPs | 07/19/93 | 08/31/93
720.121 | Manual actions to close containment isolation valv | 07/19/93 | 10/20/93
720.122 | Inadvertent ADS actuation | 07/19/93 | 10/20/93
720.123 | Pressurizer level/hot leg for CMT & ADS actuation | 07/19/93 | 10/20/93
720.124 | Full height vessel level indication | 07/19/93 | 10/20/93
720.125 | Operator recovery actions | 07/19/93 | 10/04/93
720.126 | Containment isolation function | 07/19/93 | 10/20/93
720.127 | Boron dilution following multiple SGTRs | 07/19/93 | 10/20/93
720.128 | Actuation of CVCS following small LOCA | 07/19/93 | 10/20/93
720.129 | Hot leg temperature setpoints for manual ADS | 07/19/93 | 10/04/93
720.130 | Coolant makeup to containment | 07/19/93 | 10/04/93
720.131 | Containment isolation penetration | 07/19/93 | 10/20/93
720.132 | Credit for non-safety system sensitivity case | 07/19/93 | 09/21/93
720.133 | Credit for operator actions | 07/19/93 | 10/04/93
720.134 | MAAP modeling of PRHR and IRWST | 07/19/93 | 09/21/93
720.135 | LOOP IEF for sensitivity case | 07/19/93 | 09/21/93
720.136 | PRHR tube rupture CDF contribution | 07/19/93 | 10/20/93
720.137 | Fire PRA | 07/19/93 | 09/21/93
720.138 | Equipment ut affected by fire | 07/19/93 | 09/21/93
720.139 | Partitioning of fire frequencies | 07/19/93 | 09/21/93
720.140 | Fire area IEFs | 07/19/93 | 09/21/93
720.141 | Equipment not damaged by smoke/heat | 07/19/93 | 10/20/93
720.142 | Significant fire definition | 07/19/93 | 10/20/93
720.143 | 20-foot fire barrier separation | 07/19/93 | 09/21/93
720.144 | Loss of offsite power during fire | 07/19/93 | 09/21/93
720.145 | Fire screening analysis for specific initiators | 07/19/93 | 10/20/93
720.146 | Applicability of level 1 PRA for fire PRA | 07/19/93 | 10/04/93
720.147 | Fire areas of 2 or more safety/nonsafety divisions | 07/19/93 | 09/21/93
720.148 | Cable routing by division | 07/19/93 | 09/21/93
720.149 | Fire effects on PRM, PCS, DAS | 07/19/93 | 09/03/93
720.150 | Fire common cause instrumentation failures | 07/19/93 | 09/10/93
720.151 | Energeng remote workstation during fire | 07/19/93 | 08/31/93
720.152 | Expected burn times in 3-hour-rated structure | 07/19/93 | 09/21/93
720.153 | CSL & CSLD fire shutdown evaluation | 07/19/93 | 10/20/93
720.154 | Fire induced boron dilution during shutdown | 07/19/93 | 10/04/93
720.155 | Combustible events in battery compartments | 07/19/93 | 09/21/93
720.156 | Fire induced loss of power to SW pumps | 07/19/93 | 09/21/93
720.157 | Detailed fire analysis at shutdown | 07/19/93 | 09/21/93
720.158 | PRA-based seismic margins method | 07/19/93 | 10/20/93
720.159 | Seismic margins analysis | 07/19/93 | 10/20/93
720.160 | Seismic margins | 07/19/93 | 10/20/93
720.161 | Equipment not housed in seismic Cat 1 structures | 07/19/93 | 10/20/93
720.162 | Actions important to containment isolation | 07/19/93 | 10/20/93
720.163 | Unavailability of non-seismic Cat.1 equipment | 07/19/93 | 10/20/93
720.164 | Relay chatter | 07/19/93 | 08/31/93
720.165 | Seismic walkdowns | 07/19/93 | 10/04/93
720.166 | Seismic failures with containment bypass/isolation | 07/19/93 | 10/20/93
720.167 | HCLPFs for equipment required for shutdown | 07/19/93 | 10/04/93
720.168 | Flooding | 07/19/93 | 09/21/93
720.169 | PCCS | 07/19/93 | 10/20/93
720.170 | In-containment flooding | 07/19/93 | 10/04/93
720.171 | NRHR as potential flood source | 07/19/93 | 09/21/93
720.172 | Containment bypass due to flood water | 07/19/93 | 09/21/93
720.173 | Rupture of NRHR line during shutdown | 07/19/93 | 10/04/93
720.174 | Refueling outage - shutdown PRA | 07/19/93 | 10/04/93
720.175 | Outage maintenance - shutdown PRA | 07/19/93 | 10/20/93
720.176 | Hot standby assumptions - shutdown PRA | 07/19/93 | 10/20/93
720.177 | Manual actuation of IRWST | 07/19/93 | 09/21/93
720.178 | Setpoints during reduced inventory conditions | 07/19/93 | 10/20/93
720.179 | IRWST CVs and MOV block valves | 07/19/93 | 09/21/93
720.180 | CCF of level instruments | 07/19/93 | 10/20/93
720.181 | Low hot leg level signal part of PMS/PCS | 07/19/93 | 10/20/93
720.182 | Open penetrations during shutdown | 07/19/93 | 10/20/93
720.183 | Equipment/personnel hatches open at Mode 6 | 07/19/93 | 10/20/93
720.184 | Opening of depressurization valves during shutdown | 07/19/93 | 09/21/93
720.185 | CMT operation at shutdown | 07/19/93 | 09/21/93
720.186 | Opening of Valve V024 in CSL tree | 07/19/93 | 09/21/93
720.187 | Hot leg water level | 07/19/93 | 10/20/93
720.188 | NRHR IEFs for CSL vs CSLD | 07/19/93 | 09/21/93
720.189 | LP end state | 07/19/93 | 09/21/93
720.190 | End state numbering in CSND event tree | 07/19/93 | 09/21/93
720.191 | Interfacing system LOCA during shutdown | 07/19/93 | 10/20/93
720.192 | Shutdown source terms | 07/19/93 | 10/20/93
720.193 | NRHR pump operation during shutdown | 07/19/93 | 09/21/93
720.194 | Operator recovery of NRHR | 07/19/93 | 10/20/93
720.195 | OK end state in shutdown CET | 07/19/93 | 10/20/93
720.196 | Loss of NRHR causing IRWST actuation | 07/19/93 | 10/20/93
720.197 | Bringing plant to cold shutdown | 07/19/93 | 10/20/93
720.198 | Test/maintenance errors causing shutdown initiator | 07/19/93 | 10/20/93
720.199 | Inadvertent opening of MOV | 07/19/93 | 10/20/93
720.200 | NRHR LOCA shutdown frequency | 07/19/93 | 10/20/93
720.201 | Disabling NRHR signals with reactor head off | 07/19/93 | 10/20/93
720.202 | Maximum containment shell temperature | 07/19/93 | 10/20/93
720.203 | Containment failure probability distribution | 07/19/93 | 10/20/93
720.204 | Containment failure locations | 07/19/93 | 10/20/93
720.205 | Containment leakage at elevated temp/press | 07/19/93 | 09/21/93
720.206 | Excess stresses on containment penetration bellows | 07/19/93 | 08/31/93
720.207 | Containment leak tightness discrepancy | 07/19/93 | 10/20/93
720.208 | Reactor cavity ability to sustain impulse load | 07/19/93 | 10/20/93
720.209 | Phenomena | 07/19/93 | 10/20/93
720.210 | Importance ranking/analysis | 07/19/93 | 10/20/93
720.211 | MAAP 4.0 code | 07/19/93 | 09/21/93
720.212 | Recriticality accident if core reflooded by IRWST | 07/19/93 | 09/21/93
720.213 | Core exit temperature at onset of rod melt | 07/19/93 | 10/20/93
720.214 | Vessel failure in flooded cavity | 07/19/93 | 09/21/93
720.215 | Operator action to flood cavity | 07/19/93 | 09/21/93
720.216 | Procedure to flood cavity | 07/19/93 | 10/20/93
720.217 | Time to submerge vessel | 07/19/93 | 10/20/93
720.218 | Temperature of reactor vessel wall while flooding | 07/19/93 | 10/20/93
720.219 | Reactor insulation system | 07/19/93 | 08/31/93
720.220 | SGTR events | 07/19/93 | 09/21/93
720.221 | Creep rupture of SG tubes | 07/19/93 | 10/20/93
720.222 | Margins between hot leg creep temp & SG tubes | 07/19/93 | 09/21/93
720.223 | Tech Spec limits for SG thru wall cracks | 07/19/93 | 08/31/93
720.224 | CET sequences | 07/19/93 | 10/20/93
720.225 | Hot leg creep rupture | 07/19/93 | 09/21/93
720.226 | SFPC providing coolant to containment | 07/19/93 | 10/20/93
720.227 | Containment bypass thru RCS | 07/19/93 | 09/21/93
720.228 | Containment bypass due to water-combustion failure | 07/19/93 | 10/20/93
720.229 | Peak pressure loads in reactor cavity | 07/19/93 | 10/20/93
720.230 | CC release category | 07/19/93 | 09/21/93
720.231 | Rocket containment failure mode | 07/19/93 | 10/20/93
720.232 | Reflooding vessel containing molten debris | 07/19/93 | 10/04/93
720.233 | Debris blocking IRWST/containment sump | 07/19/93 | 09/21/93
720.234 | Hydrogen generation model | 07/19/93 | 09/21/93
720.235 | Operator actions with hydrogen generation | 07/19/93 | 10/20/93
720.236 | IRWST hydrogen concentration | 07/19/93 | 10/20/93
720.237 | Operator activation of hydrogen control system | 07/19/93 | 10/20/93
720.238 | Excluding DDT | 07/19/93 | 09/21/93
720.239 | Hydrogen-related failure of IRWST | 07/19/93 | 10/20/93
720.240 | Hydrogen igniters and peak pressurization | 07/19/93 | 10/20/93
720.241 | CCI with flooded reactor cavity | 07/19/93 | 09/21/93
720.242 | Axial & radial ablation of concrete for CCI | 07/19/93 | 10/04/93
720.243 | EPRI MACE experiments | 07/19/93 | 10/04/93
720.244 | Concrete ablation by jet of molten debris | 07/19/93 | 10/04/93
720.245 | Peak containment shell temperature for DRY | 07/19/93 | 10/20/93
720.246 | Containment failure sequences from loss of PCC | 07/19/93 | 09/21/93
720.247 | Natural convection cooling | 07/19/93 | 10/20/93
720.248 | Containment venting options | 07/19/93 | 10/20/93
720.249 | Dominant release class sequence | 07/19/93 | 10/20/93
720.250 | Fission product release estimates | 07/19/93 | 10/20/93
720.251 | Source terms compared to NUREG-1150 | 07/19/93 | 10/20/93
720.252 | Steam transfer from containment shell to sump | 07/19/93 | 09/21/93
720.253 | Vessel & containment failure times | 07/19/93 | 10/20/93
720.254 | Uncontrolled fission product release | 07/19/93 | 10/20/93
720.255 | Procedures/equipment for actions in Q720.253 | 07/19/93 | 10/20/93
720.256 | Containment challenges outside 24 hours | 07/19/93 | 10/20/93
720.257 | Offsite consequences assumptions | 07/19/93 | 10/04/93
720.258 | Containment bypass source terms at shutdown | 07/19/93 | 10/20/93
720.259 | Shutdown CET binning process | 07/19/93 | 10/20/93
720.260 | SAMDA capital cost estimates | 07/19/93 | 10/20/93

Records printed: 202

ET-NRC-93-3995

ATTACHMENT A

AP600 RAI RESPONSES SUBMITTED OCTOBER 20, 1993

RAI No. : Issue
470.003 : X/Q values
470.004 : Control room dose calculations
470.009 : LOCA doses using NUREG-1465 assumptions
620.051R01 : HFE request for matrix
720.059 : Verify differences identified in Q720.57
720.060 : Incorporate PRA changes
720.061 : Justify applicability of data
720.064 : System importances
720.066 : Include HRA events in Table D-1
720.067 : Use of specific HRA events
720.070 : Use of PRA insights in ITAACs, DAC, and DRAP
720.074 : ET end state sequences
720.081 : Large breaks outside containment
720.082 : Mitigation of containment bypass
720.083 : Omitted CCFs
720.084 : Capability of cold shutdown following PCCS
720.085 : Low frequency/high consequence IEs
720.086 : Common cause factors on IRWST CVs
720.087 : Spurious operation of ADS
720.090 : Leaks missing from very small LOCA IEF calcs
720.091 : CCF of software errors
720.093 : Procedure for modularizing fault trees
720.096 : EPRI battery failure and CCF data
720.097 : Isolation of IRWST CVs with MOVs
720.098 : NRHR use in LOCA events
720.099 : CMT/ADS actuation
720.100 : Digital I&C for natural circulation
720.103 : HVAC availability
720.108 : Multiple SGTR sensitivity
720.109 : Core uncovery for large breaks
720.110 : ADS valve discharge coefficient
720.112 : Failure of IRWST CVs
720.113 : Containment backpressure on ADS & IRWST CVs
720.114 : CAS modeling for 4th stage ADS
720.116 : SFPC containment bypass path
720.117 : HRA insights in design
720.118 : HEP modification
720.121 : Manual actions to close containment isolation valv
720.122 : Inadvertent ADS actuation
720.123 : Pressurizer level/hot leg for CMT & ADS actuation
720.124 : Full height vessel level indication
720.126 : Containment isolation function
720.127 : Boron dilution following multiple SGTRs
720.128 : Actuation of CVCS following small LOCA
720.131 : Containment isolation penetration
720.136 : PRHR tube rupture CDF contribution
720.141 : Equipment not damaged by smoke/heat
720.142 : Significant fire definition
720.145 : Fire screening analysis for specific initiators
720.153 : CSL & CSLD fire shutdown evaluation
720.158 : PRA-based seismic margins method
720.159 : Seismic margins analysis
720.160 : Seismic margins
720.161 : Equipment not housed in seismic Cat I structures
720.162 : Actions important to containment isolation
720.163 : Unavailability of non-seismic Cat.1 equipment
720.166 : Seismic failures with containment bypass/isolation
720.169 : PCCS
720.175 : Outage maintenance - shutdown PRA
720.176 : Hot standby assumptions - shutdown PRA
720.178 : Setpoints during reduced inventory conditions
720.180 : CCF of level instruments
720.181 : Low hot leg level signal part of PMS/PCS
720.182 : Open penetrations during shutdown
720.183 : Equipment/personnel hatches open at Mode 6
720.187 : Hot leg water level
720.191 : Interfacing system LOCA during shutdown
720.192 : Shutdown source terms
720.194 : Operator recovery of NRHR
720.195 : OK end state in shutdown CET
720.196 : Loss of NRHR causing IRWST actuation
720.197 : Bringing plant to cold shutdown
720.198 : Test/maintenance errors causing shutdown initiator
720.199 : Inadvertent opening of MOV
720.200 : NRHR LOCA shutdown frequency
720.201 : Disabling NRHR signals with reactor head off
720.202 : Maximum containment shell temperature
720.203 : Containment failure probability distribution
720.204 : Containment failure locations
720.207 : Containment leak tightness discrepancy
720.208 : Reactor cavity ability to sustain impulse load
720.209 : Phenomena
720.210 : Importance ranking/analysis
720.213 : Core exit temperature at onset of rod melt
720.216 : Procedure to flood cavity
720.217 : Time to submerge vessel
720.218 : Temperature of reactor vessel wall while flooding
720.221 : Creep rupture of SG tubes
720.224 : CET sequences
720.226 : SFPC providing coolant to containment
720.228 : Containment bypass due to water-combustion failure
720.229 : Peak pressure loads in reactor cavity
720.231 : Rocket containment failure mode
720.235 : Operator actions with hydrogen generation
720.236 : IRWST hydrogen concentration
720.237 : Operator activation of hydrogen control system
720.239 : Hydrogen-related failure of IRWST
720.240 : Hydrogen igniters and peak pressurization
720.245 : Peak containment shell temperature for DRY
720.247 : Natural convection cooling
720.248 : Containment venting options
720.249 : Dominant release class sequence
720.250 : Fission product release estimates
720.251 : Source terms compared to NUREG-1150
720.253 : Vessel & containment failure times
720.254 : Uncontrolled fission product release
720.255 : Procedures/equipment for actions in Q720.253
720.256 : Containment challenges outside 24 hours
720.258 : Containment bypass source terms at shutdown
720.259 : Shutdown CET binning process
720.260 : SAMDA capital cost estimates

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 470.3

For each of the postulated accidents, provide the X/Q values from the release point to the location where the release is drawn into the control room envelope. Values should be for the following time periods: 0-2 hours, 0-8 hours, 8-24 hours, 1-4 days and 4-26 days (Section 2.3.4).

Response:

A calculation is performed to determine the appropriate atmospheric dispersion factors (X/Qs) used to determine the radioactive material entering the control room envelope from outside air leakage and from MCR/TSC HVAC operation. Based on a review of the SSAR, the following additional accidents are considered in determining control room operator doses to ensure that effects of all postulated accidents have been encompassed:

15.1.5 Main Steam Line Break
15.3.3 Reactor Coolant Pump Shaft Seizure (Locked Rotor)
15.4.8 Rod Ejection Accident
15.6.2 Small Line Break
15.6.3 Steam Generator Tube Rupture
15.7.4 Fuel Handling Accident

A review of the General Arrangement Drawings indicates that the potential release points associated with the above accident cases are as follows:

MSIV compartment steam vents on the auxiliary building roof
Steam line safety valves/PORV exhaust from auxiliary building roof
Condenser air removal exhaust to the turbine building vent
Fuel handling area release assuming HVAC system is inoperable

Wind from only sectors encompassing these points will have an impact on control room habitability.

The MCR has two potential sources of intake or infiltration, the control room air intake on the auxiliary building roof at elevation 160' 6" and infiltration through the doors into the MCR at elevation 117' 6". The MCR access path is from the annex I building entrance at elevation 100'.

The methodology used in determining the appropriate X/Qs for MCR habitability assessment is as follows:

The methodology developed in NUREG/CR-5055 is used to determine the hourly average X/Qs for various wind speeds and stability classes.

Using meteorological data from three different sites, the annual average MCR X/Q is determined.

The five percentile MCR X/Q is also determined from the same meteorological data.

Time-averaged X/Qs for other than 2 hours are obtained using logarithmic approximation discussed in Regulatory Guide 1.145.

The resultant X/Q values for each of the four release points and both intake/infiltration points are calculated for the following time ranges:

0-2 hours
0-8 hours
8-24 hours
1-4 days
4-30 days

The calculation results will be submitted by November 30, 1993.

SSAR Revision:

To be determined based on the results of the analyses performed to answer the RAI 470.4

Question 470.4

Provide the doses that were calculated for the control room operators for each of the postulated accidents (Chapter 15).

Response:

The response to this question will be provided in December 1993.

SSAR Revision: NONE

Question 470.9

Provide the doses from a postulated LOCA based upon the release rate and timing of NUREG-1465 (Section 15.6.5).

Response:

Complete response to this request will be provided in December 1993.

The analysis will be based on the current draft NUREG-1465 (June 1992) with the following exceptions:

1. As advised by NRC staff at a meeting with EPRI and Westinghouse on May 18, 1993, the core releases for the design basis LOCA will be terminated at the end of the early in-vessel release phase identified in draft NUREG-1465. This assumes that core cooling is regained prior to vessel failure.

2. As advised by NRC staff at a meeting with EPRI and Westinghouse on May 18, 1993, the iodine species split will be modified to include organic iodine with 5 percent of the elemental iodine assumed to convert to the organic form. Thus, instead of the split of 95 percent as particulate and 5 percent as I and HI currently specified in draft NUREG-1465, the species split used in the analysis will be 95 percent as particulate, 4.75 percent as I and HI, and 0.25 percent as organic iodine.

3. Draft NUREG-1465 specifies that the gap release phase is initiated at 25 seconds into the large break LOCA and that the duration of the gap release is 30 minutes. The AP600 core response is calculated to involve less than 5 percent rod bursts early in the accident. The remaining fuel rods are not projected to burst until more than an hour into the accident. The dose analysis will reflect this.

4. The discussion of particulate removal coefficients provided in draft NUREG-1465 suggests extremely low rates of removal that are inconsistent with the removal rates calculated for AP600. The dose analysis will utilize a conservative removal coefficient specific to the AP600.

SSAR Revision: NONE

Response Revision 1

Question 620.51

Provide a matrix to identify or map the information contained in Chapter 18 of the SSAR and other applicable SSAR chapters with the 8 elements and specific components of each element described in the document "HFE Program Review Model and Acceptance Criteria for Evolutionary Reactors," that was transmitted to Westinghouse by letter dated September 16, 1992.

Response (Revision 1):

The attached matrix maps the information contained in SSAR Chapter 18 and other documents with the 8 elements and specific sub-element components described in the document "HFE Program Review Model and Acceptance Criteria for Evolutionary Reactors." The items presented in italics are the sub-elements within the scope of design certification. Other documents identified on the matrix are post-design certification design activities.

For some documents, such as functional requirements, example documentation is available either in the SSAR or in Westinghouse internal design files. As identified on the matrix, Westinghouse is seeking design certification of the scope and process for development of these types of documents. The examples are intended to provide information for certification of the scope and process for development of the documentation.

In addition, Westinghouse reviewed the document sent from Hasselberg to Liparulo, Docket No. 52-003, dated September 16, 1992, Enclosure 2, entitled "HFE Program Review Model and Acceptance Criteria for Evolutionary Reactors." The Westinghouse position regarding this issue can be found in ET-NRC-92-3781/NSRA APSI 924262, dated December 30, 1992.

SSAR Revision: NONE

Matrix columns: Proposed SRP HFE Program Review Model Section; HFE Program Review Model Topic; AP600 Design Documentation / AP600 Design Process; Relevant RAI Responses

Element 1, Human Factors Engineering Program Management
HFE Program Review Model Topic: HFE Program Management Plan

  • HSI Design Team (Section 18.4). Relevant RAI responses: 620.13, 620.14, 620.15, 620.16, 620.55, 620.57
  • HFE Program Plan. Relevant RAI responses: 620.34
    - SSAR Chapter 18
    - M-MIS Development Plan (OCS-GEH-001, Rev 0)
  • The HFE issues tracking system is the same as for other systems engineering functions. Relevant RAI responses: 620.54, 620.80

Element 2, Operating Experience Review
HFE Program Review Model Topic: Implementation Plan

  • ALWR URD Volume III, Chapter 10 Compliance Matrix. Relevant RAI responses: 620.4, 620.8, 620.10, 620.24, 620.35, 620.45

Note: The items which are italicized are the ones whose scope and process are within design certification.

Element 2, Operating Experience Review
HFE Program Review Model Topic: Analysis Results Report
Relevant RAI responses: 100.8, 620.9, 620.12, 620.52, 620.53

  • SSAR Section 18.3
  • SSAR Subsection 18.8.2.1.1.1
  • SSAR Section 1.9 and Appendix 1A
  • ALWR URD Volume III, Chapter 10

Element 2, Operating Experience Review
HFE Program Review Model Topic: HSI Design Team Evaluation Report
Relevant RAI responses: 620.41

Element 3, Development of System Functional Requirements
HFE Program Review Model Topic: Implementation Plan

  • M-MIS Development Plan
  • Procedures for writing functional requirements and SSDs can be found in WCAP 12601
  • Operations and Control Centers (OCS) SSD
  • The scope and process for the development of mission(s) statements (SSAR Subsections):
    - Operations and Control Centers (18.8.2.1.1.2)
    - Main Control Room (18.8.2.1.1.2.1)
    - Main Control Area (18.8.2.1.1.2.2)
    - Switching and Tagging Area (18.8.2.1.1.2.3)

Element 3, Development of System Functional Requirements
HFE Program Review Model Topic: Implementation Plan (cont'd)

    - Remote Shutdown Room (18.8.2.1.1.2.4)
    - Technical Support Center (18.8.2.1.1.2.5)
    - Operational Support Center (18.8.2.1.1.2.6)
    - Radwaste Control Area (18.8.2.1.1.2.7)
    - Local Control Stations (18.8.2.1.1.2.3)
    - Training Program (18.9.9.2)
    - Main Control Area (18.9.11.1)
    - Computerized Procedures (18.9.8.6.2)

Element 3, Development of System Functional Requirements
HFE Program Review Model Topic: Implementation Plan (cont'd)

  • Mission statements will be written for:
    - Alarms
    - Displays
    - Controls
    - QDPS
    - Wall Panel Information System

Element 3, Development of System Functional Requirements
HFE Program Review Model Topic: Analysis Results Report

  • The scope and process for the development of Performance Requirements for the following (Section 18.9):
    - Main Control Room
    - Main Control Area
    - Switching and Tagging Area
    - Remote Shutdown Room
    - Technical Support Center
    - Operational Support Center
    - Radwaste Control Area
    - Local Control Stations
    - Displays
    - Controls
    - Wall Panel Information System
    - QDPS (18.9.5.4)
    - Computerized Procedures (18.9.8.6.4)
    - Alarms (18.9.2.2)

Element 3, Development of System Functional Requirements: Analysis Results Report (cont'd)

  • Performance Requirements Documents will be written for the following:

- Main Control Room

- Main Control Area

- Switching and Tagging Area

- Remote Shutdown Room

- Technical Support Center

- Operational Support Center

- Radwaste Control Area

- Local Control Stations

- Displays

- Controls

- Wall Panel Information System

- Training Program

Element 3, Development of System Functional Requirements: Analysis Results Report (cont'd)

  • The scope and process for the development of Functional Requirements for the following (Section 18.9):

- Main Control Room

- Main Control Area

- Switching and Tagging Area

- Remote Shutdown Room

- Technical Support Center

- Operational Support Center

- Radwaste Control Area

- Local Control Stations

- Displays

- Controls

- Wall Panel Information System

- QDPS (18.9.5.5)

- Alarms (18.9.8.6.5)

- Computerized Procedures (18.9.2.2.1 - 18.9.2.4.18)

Element 3, Development of System Functional Requirements: Analysis Results Report (cont'd)

  • Functional Requirements Documents will be written for the following:

- Main Control Room

- Main Control Area

- Switching and Tagging Area

- Remote Shutdown Room

- Technical Support Center

- Operational Support Center

- Radwaste Control Area

- Local Control Stations

- Displays

- Controls

- Wall Panel Information System

Element 3, Development of System Functional Requirements: HSI Design Team Evaluation Report

  • Design Review Results are documented according to the process outlined in WCAP 9817

Element 4, Allocation of Functions: Implementation Plan

  • SSAR Subsection 18.8.2.1.2.4. Relevant RAI responses: 620.62, 620.63, 620.72, 620.73, 620.74

Element 4, Allocation of Functions: Analysis Results Report

  • Literature review. Relevant RAI responses: 620.62, 620.63, 620.72, 620.73, 620.74
  • Function Allocation Report

Element 4, Allocation of Functions: HSI Design Team Evaluation Report

  • Design Review Results are documented according to the process outlined by WCAP 9817

Element 5, Task Analysis: Implementation Plan

  • The process and scope of the task analysis includes the following outputs (Subsection 18.8.2.1.2; relevant RAI responses: 620.28, 620.29, 620.42, 620.47, 620 10):

- defining the operational space of the plant

- mapping these tasks to each plant function organized according to the goal-means structure

- allocating these tasks to man or automation

- identifying the data/controls/feedback needed to support these tasks.

Element 5, Task Analysis: Analysis Results Report

  • Example: (SSAR Subsection 18.9.1.3). Relevant RAI responses: 620.33, 620.37, 620.38, 620.71
  • Task Analysis Results Documentation

Element 5, Task Analysis: HSI Design Team Evaluation Report

Element 6, Interface Design: Implementation Plan

  • HSI scope for the M-MIS design and the non-M-MIS (Sections 18.8.1 and 18.13). Relevant RAI responses: 420.40, 620.82, 620.85, 620.90
  • Hardware and software design process (Subsections 18.8.2.3 and 18.8.2.2, and in the AP600 Instrumentation and Control Hardware and Software Design, Verification, and Validation Process Report, WCAP-13383, Rev. 0). Relevant RAI responses: 420.83, 420.84
  • The process for the resolution of HSI issues through testing (Subsection 18.8.2.3)
  • Use of accepted human factors standards (Subsection 18.8.2.3)

Element 6, Interface Design: Implementation Plan (cont'd)

  • Proper consideration of human capabilities and limitations (Subsection 18.8.2.1.2.4). Relevant RAI responses: 620.72, 620.74
  • The software design process (Subsection 18.8.2.x and in the AP600 Instrumentation and Control Hardware and Software Design, Verification, and Validation Process Report, WCAP-13383, Rev. 0)
  • The process for developing evaluations for the acceptability for task performance and HFE criteria, standards, and guidelines (Subsection 18.8.2.3)
  • Other AP600 SSDs are used as design inputs to the M-MIS

Element 6, Interface Design: Analysis Results Report

  • Task Analysis Explanation (Subsection 18.8.2.1.2)
  • Table 18.5-1
  • The scope and process for developing Guideline Documents incorporating accepted human factors guidance for the following (Subsection 18.8.2.1.3; relevant RAI responses: 620.59):

- Alarms

- Displays

- Controls

- Training

- Workstation and Control Room Layout, Arrangement, and Environment

- Integration of Subsystems

Element 6, Interface Design: Analysis Results Report (cont'd)

  • Guideline Documents will be written for the following:

- Alarms

- Displays

- Controls

- Training

- Workstation and Control Room Layout, Arrangement, and Environment

- Integration of Subsystems

  • Example functional requirements:

(SSAR Subsections 18.9.5.4, 18.9.5.5, 18.9.5.6, 18.9.5.7)

Element 6, Interface Design: HSI Design Team Evaluation Report

  • HSI will be verified against the guideline documents

Element 7, Procedure Development: Implementation Plan

  • The process for the development of the following procedures can be found in the referenced sections (relevant RAI responses: 620.50, 620.87, 620.89):

- Emergency Operating Procedures (18.9.8.1)

- Abnormal Operating Procedures (18.9.8.2)

- Normal Operating Procedures (18.9.8.4)

- Computerized Procedures (18.9.8.6)

Element 7, Procedure Development: Analysis Results Report

  • AP600 Design Differences Document. Relevant RAI responses: 620.69
  • High Level Operator Action Strategies in SSAR Subsection 18.9.8.1. L 2. Relevant RAI responses: 620.50
  • AP600 Analysis Applicability Evaluation
  • AP600 Procedures Writer's Guide
  • ERGs
  • ERG portion of task analysis
  • General Operating Procedures for startup and shutdown

Element 7, Procedure Development: HSI Design Team Evaluation Report

  • EOPs are validated against the Procedures Writer's Guide and the ERGs

Element 8, Human Factors Verification and Validation: Implementation Plan

  • Human Factors Verification and Validation Plan (SSAR Subsections 18.8.2.3.1, 18.8.2.3.2, 18.8.2.3.3, 18.8.2.3.4). Relevant RAI responses: 620.17, 620.18, 620.36, 620.41, 620.77, 620.78, 620.79
  • The scope and process for the evaluation of individual HSI elements, their integration, under a range of operational conditions and upsets, in various levels of test-bed fidelity (SSAR Subsections 18.8.2.3.1.7 and 18.8.2.3). Relevant RAI responses: 620.60
  • The adequacy of performance measures (SSAR Subsections 18.8.2.2.3.3 and 18.8.2.3.5). Relevant RAI responses: 620.84

Element 8, Human Factors Verification and Validation: Implementation Plan (cont'd)

  • The process for establishing closure of open design change proposals is described in WCAP 12601
  • The scope and process for verification of the M-MIS to ensure that all critical human actions as defined by the task analysis and PRA/HRA have been adequately supported in the design, and that the V&V program explicitly addresses these issues, is described in WCAP 9817 and WCAP 12601, which encompasses the design review process, applicable for the M-MIS.

Element 8, Human Factors Verification and Validation: Implementation Plan (cont'd)

  • AP600 PRA Appendix D on HRA/PRA, and SSAR Subsection 18.8.2.3. Relevant RAI responses: 620.56, 620.79

Element 8, Human Factors Verification and Validation: Analysis Results Report

  • A report will be written documenting the results of the experiments in SSAR Section 18.8.2.3

Element 8, Human Factors Verification and Validation: HSI Design Team Evaluation Report

  • The process for performing design reviews is described in WCAP 12601 and WCAP 9817. Relevant RAI responses: 620.56
  • The results of the design reviews will be documented.

Question 720.59

All RAI responses, except those that involve clarification, must be incorporated into the probabilistic risk assessment (PRA) to ensure a complete final design certification package. Provide the corrected PRA pages containing the RAI responses. In addition, confirm that the Appendices listed in your response to Q720.57 identify all of the differences between the AP600 PRA and the AP600 SSAR.

Response

If the response to an RAI changes the PRA assumptions, modeling, or quantification, then the change will be incorporated into the next revision of the PRA, which is scheduled for February 1994. Each 720-series RAI response contains a section labeled "PRA Revision." If the text of the PRA report changes as a result of the RAI, then the correction is shown under this section. If the change is to the PRA model (i.e., basic event identifier changes, minor failure probability change), then the change is described; its impact on the overall PRA results is estimated; and, as stated in the response, the change will be incorporated into the next revision of the PRA.

The information presented in RAI 720.57 identifies the known differences between the AP600 PRA report and the AP600 SSAR.

The PRA update will include all RAI PRA-related responses in an appendix.

PRA Revision: NONE

Question 720.60

The staff anticipates that the PRA may need to be re-quantified due to issues identified during its review. Incorporate changes to the PRA that result from the staff's review into the sensitivity studies, uncertainty analyses, and final PRA quantification.

Response

The PRA, including sensitivity studies and uncertainty analysis, will be requantified to incorporate changes identified in the RAI responses. The PRA will be updated in February 1994.

PRA Revision: NONE

Question 720.61

Justify the applicability of any data extracted out of operating plant data bases, including the data base in the EPRI ALWR Utility Requirements Document for passive plants.

Response

Data from the Advanced Light Water Reactor Utility Requirements Documents (URD) (Volume III, Revision 2, dated December 1991) is used in the AP600 PRA where available. This data base is specifically constructed for Advanced Light Water Reactor Passive Plants.

Westinghouse reviewed the data in the URD for applicability to AP600. The components in the AP600 plant are similar to, and are under the same condition, as those in existing operating plants. Therefore, the data from the URD is applicable for AP600.

Some data changes that were recommended by Safety and Reliability Optimization Services (SAROS letter to EPRI, "Key Assumptions and Groundrules Document Recommended Changes to Data Annex," dated March 8, 1991) were also used in the AP600 PRA. It is anticipated that they will be incorporated into the next revision of the URD (Revision 6).

PRA Revision: NONE

Question 720.64

In Q720.13, the staff requested system importances. In Westinghouse's response, the staff notes that system importances for the following systems were missing: (a) the instrumentation and control (I&C) systems, (b) the plant's ac and dc power systems, and (c) the plant's support systems (component cooling water, plant air systems, etc.). Evaluate importances for these systems and discuss the complete list of system importances in the PRA results section.

Response

The estimated importance values for the questioned systems are provided in Tables 720.64-1, 720.64-2 and 720.64-3.

These values are obtained using the importance values for basic events contained in Tables F-8B, F-11B and G-7 of AP600 PRA report. The system importances presented in this RAI response are very conservative because a single-element system cutset causing system failure is set to a probability of 1.0, but the remaining system cutsets are not changed (i.e., set to a probability of 0.0). Due to the modular modeling in the PRA of the instrumentation and control systems (protection and monitoring system, process control system, and diverse actuation system), the individual system importances are not available.

Insights:

Offsite AC Power System:

For the purpose of importance analysis, the offsite ac power system is defined as "loss of 4.16 kvac on ECS ES3/4/5 during transients or LOCA" with the success configuration described as "power on bus supplied only by external grid." The importance of offsite ac power is relatively small, which is consistent with design features such as independence of ac electrical power for safety system actuation. Note that the importance of onsite ac power (diesel generator) is reported in RAI 720.13.

DC Power System:

The failure of the dc power system is defined as "common cause battery failure" following a loss of offsite power event. Common cause failure of the dc batteries causes loss of both the Class 1E and non-class 1E dc power systems. The importance of this failure is significant because following a loss of offsite power, the dc batteries provide power to the passive safety system equipment.

Compressed Air System:

The nonsafety-related compressed air system is of minor importance.

Component Cooling Water and Service Water Systems:

Both the nonsafety-related component cooling water and service water systems have minor importance during at-power operation because the operator has sufficient time to actuate the standby component if the operating one fails.

For the shutdown PRA evaluation, the CCW and SW support systems are modeled two ways: (1) in the loss of normal residual heat removal (RNS) initiating event frequency, and (2) as support systems required for RNS mitigation functions. Due to the modeling of the CCW and SW systems in both the shutdown initiating event frequency and the RNS mitigation functions, it is not possible to evaluate the CCW and SW system importance during shutdown conditions solely for mitigation functions.

TABLE 720.64-1
CDF INCREASE AT POWER WHEN A SYSTEM IS UNAVAILABLE

SYSTEM | CDF % INCREASE | CDF INCREASE | CDF VALUE
Offsite AC Power System | negligible | negligible | 3.3E-7
DC Power System (1) | 21765 | 7.3E-5 | 7.3E-5
Compressed Air System | 164 | 5.5E-7 | 8.8E-7
Component Cooling Water System | 99 | 3.3E-7 | 6.6E-7
Service Water System | 99 | 3.3E-7 | 6.6E-7

Note: 1. For PRA modeling of dc battery common cause failure, both class 1E and non-class 1E dc power is considered to be unavailable.

TABLE 720.64-2
CDF INCREASE AT SHUTDOWN WHEN A SYSTEM IS UNAVAILABLE

SYSTEM | CDF % INCREASE | CDF INCREASE | CDF VALUE
Offsite AC Power System | 73 | 6.5E-8 | 1.5E-7
DC Power System (1) | 5369 | 4.8E-6 | 4.9E-6
Compressed Air System | negligible | negligible | 8.9E-8

Note: 1. For PRA modeling of dc battery common cause failure, both class 1E and non-class 1E dc power is considered to be unavailable.

TABLE 720.64-3
LARGE RELEASE FREQUENCY INCREASE WHEN A SYSTEM IS UNAVAILABLE

SYSTEM | LRF % INCREASE | LRF INCREASE | LRF VALUE
Offsite AC Power System | 98 | 2.0E-8 | 4.0E-8
DC Power System (1) | 42497 | 8.6E-6 | 8.6E-6
Compressed Air System | negligible | negligible | 2.0E-8
Component Cooling Water System | negligible | negligible | 2.0E-8
Service Water System | negligible | negligible | 2.0E-8

Note: 1. For PRA modeling of dc battery common cause failure, both class 1E and non-class 1E dc power is considered to be unavailable.

A discussion of the system importances will be provided in the updated PRA which is scheduled for February 1994.

PRA Revision: See above response

Question 720.66

In Q720.6, the staff requested a summary of sequences in which recovery actions were credited. In response, Westinghouse provided Table 720.6-1, which contained recovery actions for the dominant sequences and their associated performance shaping factors (9 of the 67 recovery actions were described). This table did not clearly describe what systems were being actuated, the availability of DAS, DIS, or PMS, the availability of alarms, etc., for each of the recovery actions. Expand Table D-1 in the PRA (which includes all human error probabilities) to include:

a. the type of alarms and instrumentation (i.e., hot leg level) that would be available to the operator when he must perform these recovery actions,
b. whether DAS, or PMS, or DIS is available,
c. the time available to perform the recovery action,
d. the stress level,
e. whether procedures are long or short,
f. whether a checker is available, and
g. the location of the action.

This information is critical for the staff to understand the importance of operator actions during a severe accident and the validity of the human reliability analyses that was performed.

Response

Table D-1 of the AP600 PRA has been revised to incorporate the information in this request; this table replaces Table D-1 in the current PRA report. The revised Table D-1 is provided in the pages that follow.

PRA Revision:

Table D-1 of the PRA is replaced with the following table:

Table D-1 (Sheet 1 of 22)
AP600 HEP SUMMARY RESULTS

Columns: System; Description of Operator Error; Event ID; Cue(s); DAS/DIS/PMS Available; PSF; Checking/Recovery (by); Location; Mean HEP

System: AC & DC
Description of Operator Error: a. Failure to recognize the need and failure to start the standby diesel generator during loss of offsite power
Event ID: ZON-MAN01
Cue(s): No voltage alarm; loss of external grid alarm
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - SHORT; Time window (Tw) = 30 min; Actual Time (Ta) = 10 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 2.67E-03

System: AC & DC
Description of Operator Error: b. Failure to start diesel generator locally in order to provide power for long term RCS makeup following loss of control room control
Event ID: ZON-MAN02
Cue(s): Loss of AC power with loss of remote operation capability; (no calculation was performed for this event; the HEP is based solely on engineering judgement)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: N/A; (Engineering judgement applied)
Checking/Recovery (by): N/A
Location: Ex-control room
Mean HEP: 1.00E-02

System: ADS
Description of Operator Error: a. Failure to recognize the need for reactor coolant system depressurization during a small loss of coolant accident or loss of high-pressure heat removal system
Event ID: LPM-MAN01
Cue(s): Low SG wide range level; high hot leg temperature; low hot leg water level; loss of startup FW flow; loss of PRHR function; (5 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 30 min; Ta = 20 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 2.20E-03

Table D-1 (Sheet 2 of 22)

System: ADS (cont'd)
Description of Operator Error: b. Failure to recognize the need for reactor coolant system depressurization during a medium loss of coolant accident
Event ID: LPM-MAN02
Cue(s): High containment pressure; low PRZR level; low hot leg water level; high hot leg temperature; valve limit switch status; (5 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 20 min; Ta = 18 min; Stress level - HIGH
Checking/Recovery (by): SRO
Location: Control room
Mean HEP: 6.50E-03

System: ADS (cont'd)
Description of Operator Error: c. Failure to recognize the need for reactor coolant system depressurization when only the diverse actuation system is providing information during a small loss of coolant accident or transient
Event ID: LPM-MAN03
Cue(s): Low hot leg water level; jammed instrument; (2 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS
PSF: Procedure - LONG; Tw = 15 min; Ta = 15 min; Stress level - HIGH
Checking/Recovery (by): SRO
Location: Control room
Mean HEP: 8.30E-02

System: ADS (cont'd)
Description of Operator Error: d. Failure to recognize the need for reactor coolant system depressurization when only the diverse actuation system is providing information during a medium loss of coolant accident
Event ID: LPM-MAN04
Cue(s): Low hot leg water level; jammed instrument; (2 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS
PSF: Procedure - LONG; Tw = 15 min; Ta = 15 min; Stress level - HIGH
Checking/Recovery (by): SRO
Location: Control room
Mean HEP: 8.30E-02

Table D-1 (Sheet 3 of 22)

System: ADS (cont'd)
Description of Operator Error: e. Failure to recognize the need for reactor coolant system depressurization during a shutdown condition with failure of core makeup tanks and the normal residual heat removal system
Event ID: LPM-MAN05
Cue(s): Loss of NRHRS; low hot leg water level; (2 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 60 min; Ta = 20 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 6.76E-04

System: ADS (cont'd)
Description of Operator Error: f. Failure to recognize the need for reactor coolant system depressurization during a small loss of coolant accident or transient with the loss of the passive residual heat removal system and core makeup tank success after core damage
Event ID: LPM-REC01
Cue(s): No detailed evaluation performed for this task; (The unconditional HEP for this task is assumed similar to LPM-MAN01. LPM-REC01 is assumed to have a low dependency on LPM-MAN01. That is, HEP for LPM-REC01 = [1 + (19 x 2.20E-03) / 20] = 5.20E-02)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: N/A
Checking/Recovery (by): N/A
Location: Control room
Mean HEP: 5.20E-02

Table D-1 (Sheet 4 of 22)

System: ADS (cont'd)
Description of Operator Error: g. Failure to actuate the automatic depressurization system for reactor coolant system depressurization as recovery from failure of automatic actuation or for manual automatic depressurization system actuation
Event ID: ADN-MAN01
Cue(s): Cues are addressed in LPM-MAN01 & LPM-MAN02 for respective initiators
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 30 min; Ta = 20 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 4.77E48

System: ADS (cont'd)
Description of Operator Error: h. Failure to complete automatic depressurization system actuation for reactor coolant system depressurization as recovery from failure of automatic actuation or from manual automatic depressurization system actuation after core damage
Event ID: ADN-REC01
Cue(s): No detailed evaluation performed for this task; (The unconditional HEP for this task is assumed similar to ADN-MAN01. ADN-REC01 is assumed to have a low dependency on ADN-MAN01. That is, HEP for ADN-REC01 = [1 + (19 x 4.77E48) / 20] = 5.00E-02)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: N/A
Checking/Recovery (by): N/A
Location: Control room
Mean HEP: 5.00E-02

Table D-1 (Sheet 5 of 22)

System: CCWS
Description of Operator Error: a. Failure to recognize the need and start the standby component cooling water pump B, during a loss of coolant accident, transient, or loss of offsite power event
Event ID: CCB-MAN01
Cue(s): Low CCW flow; (In addition to 1 alarm associated with CCW failure, 2 other alarms associated with the initiating event are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - SHORT; Tw = 30 min; Ta = 10 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.07E-03

System: CCWS
Description of Operator Error: b. Failure to recognize the need and failure to start standby component cooling water pump B, during normal operation
Event ID: CCB-MAN01N
Cue(s): No detailed evaluation performed for this task; (the evaluation performed for CCB-MAN01 is applied to this event as a conservative estimate)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: N/A
Checking/Recovery (by): N/A
Location: Control room
Mean HEP: 1.07E-03

System: CCWS
Description of Operator Error: c. Failure to exclude heat exchanger H001A and align H001B during normal operation
Event ID: CCN-MAN02
Cue(s): High temperature on line downstream of HX; (1 associated alarm is assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 60 min; Ta = 30 min; Stress level - MODERATE
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 2.52E-02

Table D-1 (Sheet 6 of 22)

System: CDS
Description of Operator Error: a. Failure to diagnose a steam generator tube rupture event
Event ID: CIB-MAN00
Cue(s): High radiation level in main steam line; high SG level; (2 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 30 min; Ta = 15 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.54E-03

System: CDS
Description of Operator Error: b. Failure to adjust steam dump valves, given a steam generator tube rupture with success in isolating faulted steam generator
Event ID: DUMP-MANO R
Cue(s): Cues are addressed in CIB-MAN00
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 30 min; Ta = 15 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.32E-03

System: CNS
Description of Operator Error: a. Failure to recognize the need and failure to isolate the containment, given core damage following a loss of coolant accident
Event ID: CIC-MAN01
Cue(s): High containment (CNMT) radiation; high CNMT pressure; high CNMT temperature; (3 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 2 hr; Ta = 30 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.20E-03

System: CNS
Description of Operator Error: b. Failure to recognize the need and failure to isolate the containment, given core damage following loss of offsite power, station blackout, or transient
Event ID: CID-MAN01
Cue(s): High containment (CNMT) radiation; high CNMT pressure; high CNMT temperature; (3 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 3 hr; Ta = 1 hr; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.20E-03

Table D-1 (Sheet 7 of 22)

System: CNS (cont'd)
Description of Operator Error: c. Failure to recognize the need and failure to isolate the containment for long-term cooling following a loss of coolant accident
Event ID: CIP-MAN01
Cue(s): High containment (CNMT) radiation; high CNMT pressure; high CNMT temperature; (3 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 3 hr; Ta = 1 hr; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.20E-03

System: CNS (cont'd)
Description of Operator Error: d. Failure to recognize the need and failure to isolate the containment for long-term cooling following a loss of offsite power, station blackout, or transient
Event ID: CIT-MAN01
Cue(s): High containment (CNMT) radiation; high CNMT pressure; high CNMT temperature; (3 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 5 hr; Ta = 2 hr; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 1.20E-03

System: CNS (cont'd)
Description of Operator Error: e. Failure to recognize the need and failure to isolate the containment for long-term cooling following a loss of offsite power or station blackout during shutdown
Event ID: CIL-MANOS
Cue(s): High containment (CNMT) radiation; high CNMT pressure; high CNMT temperature; (3 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 2 hr; Ta = 10 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 3.50E-03

System: CNS (cont'd)
Description of Operator Error: f. Failure to recognize the need and failure to isolate the containment for long-term cooling following transient during shutdown
Event ID: CIT-MANOS
Cue(s): High containment (CNMT) radiation; high CNMT pressure; high CNMT temperature; (3 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 2 hr; Ta = 20 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 3.50E-03

Table D-1 (Sheet 8 of 22)

System: CMT
Description of Operator Error: a. Failure to recognize the need for reactor coolant system depressurization during a small loss of coolant accident or loss of the high pressure heat removal system
Event ID: LPM-MAN01
Cue(s): Low SG wide range level; high hot leg temperature; low hot leg water level; loss of startup FW flow; loss of PRHR function; (5 associated alarms are assumed available)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 30 min; Ta = 20 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 2.20E-03

System: CMT
Description of Operator Error: b. Failure to actuate the core makeup tank, if automatic actuation fails during a loss of coolant accident
Event ID: CMN-MAN01
Cue(s): Cues are addressed in LPM-MAN01 & LPM-MAN02 for respective initiators
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: Procedure - LONG; Tw = 30 min; Ta = 20 min; Stress level - HIGH
Checking/Recovery (by): SRO & STA
Location: Control room
Mean HEP: 2.06E-03

System: CMT
Description of Operator Error: c. Failure to manually actuate the core makeup tank after core damage
Event ID: CMN-REC01
Cue(s): No detailed evaluation performed for this task; (The unconditional HEP for this task is assumed similar to CMN-MAN01. CMN-REC01 is assumed to have a low dependency on CMN-MAN01. That is, HEP for CMN-REC01 = [1 + (19 x 2.06E-03) / 20] = 5.20E-02)
DAS/DIS/PMS Available: DAS, DIS, PMS
PSF: N/A
Checking/Recovery (by): N/A
Location: Control room
Mean HEP: 5.20E-02

Table D-1 (Sheet 9 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| CVCS | a. Failure to align the chemical and volume control system in the auxiliary spray mode following a steam generator tube rupture event | CVN-MAN00 | Cues are addressed in CIB-MAN00 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 3.10E-03 |
| | b. Failure to align the chemical and volume control system in the boration mode following an anticipated transient without scram | CVN-MAN02 | Cues are addressed in ATW-MAN01 | DAS, DIS, PMS | Procedure - SHORT; Tw = 60 min; Ta = 30 min; Stress level - HIGH | SRO & STA | Control room | 1.58E-03 |
| | c. Failure to recognize the need and failure to trip the chemical and volume control system pump and isolate startup feedwater to failed steam generator, given a steam generator tube rupture event | SGill MAN 01 | Low SG pressure; high steam flow; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 3.91E-03 |
| | d. Failure to restart the chemical and volume control system loaded on the diesel generator after a loss of offsite power | CVS-DIL | There is no specific cue for this event; the modeling assumes that the operator fails to follow the procedure and omit the step | DAS, DIS, PMS | Procedure - LONG; Tw - N/A; Ta - N/A; Stress level - HIGH | SRO & STA | Control room | 3.08F 4 |

Table D-1 (Sheet 10 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| IA | a. Failure to recognize the need and failure to actuate the standby compressor, given a loss of coolant accident, loss of offsite power, or transient | CAN-MAN01 | Low instrument air header pressure; (In addition to 1 alarm annunciated with IA failure, 2 other alarms associated with the initiating event are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.07E-03 |
| IRWST | a. Failure to recognize the need and failure to open the recirculation valves for IRWST low-low level, during a loss of coolant accident or transient | REN-MAN02 | Low-low IRWST level; (In addition to 1 alarm associated with IRWST level, 4 other alarms associated with the initiating event are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw > 60 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.99E-03 |
| | b. Failure to recognize the need and failure to open recirculation valves to flood reactor cavity after core damage | REN-MAN03 | High CNMT radiation; high hot leg temperature; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 160 min; Ta = 120 min; Stress level - HIGH | SRO & STA | Control room | 3.45E-03 |

Table D-1 (Sheet 11 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| IRWST (cont'd) | c. Failure to recognize the need and failure to perform IRWST makeup with spent fuel or chemical and volume control system after containment isolation following gravity injection | STN-MAN00 | Low IRWST level; low reactor cavity water level; (5 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw > 2 hr; Ta = 30 min; Stress level - HIGH | SRO & STA | Control room | 9.40E48 |
| | d. Failure to manually open two motor-operated valves during shutdown conditions with the normal residual heat removal system unavailable | IWN-MAN00 | Low hot leg water level; (1 group of alarms indicating failure of the normal residual heat removal (NRHR) system) | DAS, DIS, PMS | Procedure - LONG; Tw = 60 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.15E-03 |
| NRHR | a. Failure to recognize the need and failure to align the normal residual heat removal system after automatic depressurization system actuation, during a loss of coolant accident, loss of offsite power, or transient in the reactor coolant system cooling mode | RHN-MAN01 | Decreasing RCS pressure; CNMT actuation; ADS valves open; (3 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 24 min; Stress level - HIGH | SRO & STA | Control room | 2.90E-03 |

Table D-1 (Sheet 12 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| NRHR (cont'd) | b. Failure to align the normal residual heat removal system to provide a diversion path to the IRWST during cold shutdown, and terminate event by reclosing the valve | RHN-MANDIV | 1 alarm due to the initial commission error is assumed available | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - MODERATE (for initial commission); - HIGH (for subsequent actions) | SRO & STA | Control room | 2.60E-06 |
| | c. Failure to recognize the need and failure to manually transfer the normal residual heat removal system pumps to a diesel generator power source following a loss of offsite power, and failure of automatic transfer during shutdown | RHN-MAN02 | Loss of external grid (no voltage); no flow from NRHR system; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 2 hr; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.97E-03 |

Table D-1 (Sheet 13 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| NRHR (cont'd) | d. Failure to recognize the need and failure to manually restart the normal residual heat removal system pumps following grid recovery within two hours after a loss of offsite power and failure of both automatic and manual transfer onto a diesel generator during shutdown | RHN-MAN03 | Voltage return; no flow from NRHR system; low hot leg water temperature; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 2 hr; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.97E-03 |
| PCS | a. Failure to recognize the need and failure to actuate passive containment cooling air-operated valves, given a transient or loss of offsite power | PCN-MAN01 | High CNMT pressure; (In addition to 1 alarm associated with high CNMT pressure, 2 other alarms associated with the initiating event are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 5 hr; Ta = 2 hr; Stress level - HIGH | SRO & STA | Control room | 5AE44 |
| PRHR | a. Failure to recognize the need for high-pressure decay heat removal following a loss of main feedwater, during an accident | HPM-MAN01 | Low SG level; high hot leg temperature; (5 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 4.20E-04 |

Table D-1 (Sheet 14 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| PRHR (cont'd) | b. Failure to align the passive residual heat removal system given a loss of main feedwater during a transient | PRN-MAN01 | Cues are addressed in HPM-MAN01 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 4.08E-04 |
| | c. Failure to align the passive residual heat removal system given a loss of main feedwater during a loss of coolant accident or loss of offsite power | PRN-MAN02S | Cues are addressed in HPM-MAN01 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 2.55E-03 |
| | d. Failure to control the passive residual heat removal system operation following a main steam line break or main steam line valve stuck-open event | PRN-MAN03 | High neutron flux; (5 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw > 2 hr; Ta = 30 min; Stress level - HIGH | SRO & STA | Control room | 8.76E-04 |

Table D-1 (Sheet 15 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| PRHR (cont'd) | e. Failure to recognize the need and failure to isolate a failed heat exchanger following passive residual heat removal tube rupture before automatic depressurization system actuation, assuming one chemical and volume control system pump and one core makeup tank pump are running | PRI-MAN01 | High hot leg temperature; low PRZR pressure; low PRZR level; (3 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 35 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 4.%E48 |
| | f. Failure to recognize the need and failure to isolate a failed heat exchanger following passive residual heat removal tube rupture before automatic depressurization system actuation, assuming chemical and volume control system and core makeup tank pumps are not operating | PRI-MAN02 | High hot leg temperature; low PRZR pressure; low PRZR level; (3 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 15 min; Ta = 10 min; Stress level - MODERATE | SRO | Control room | 3.06E-03 |

Table D-1 (Sheet 16 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| PSIS | a. Failure to recognize the need and failure to isolate accumulator injection line, if the check valve ruptures | PSA-MAN01 | Low accumulator pressure; low PRZR level; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - SHORT; Tw = 1 min; Ta = 30 sec; Stress level - MODERATE | None | Control room | 8.40E-03 |
| RCS | a. Failure to recognize the need for reactor coolant system depressurization during a small loss of coolant accident or loss of the high-pressure heat removal system | LPM-MAN01 | Low SG wide range level; high hot leg temperature; low hot leg water level; loss of startup FW flow; loss of PRHR function; (5 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 20 min; Stress level - HIGH | SRO & STA | Control room | 2.20E-03 |
| | b. Failure to trip the four reactor coolant pumps, if automatic trip fails during a loss of coolant accident | RCN-MAN01 | Cues are addressed in LPM-MAN01 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 20 min; Stress level - MODERATE | SRO & STA | Control room | 1.65E-03 |

Table D-1 (Sheet 17 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| RTS | a. Failure to insert control rods, given manual scram failure, within 1 minute during anticipated transient without scram | ATW-MAN01 | Low SG narrow range level; high PRZR pressure; high neutron flux; flow mismatch between feedwater flow and turbine inlet pressure; rod bottom lights not lit; (4 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - SHORT; Tw = 60 min; Ta = 1 min (to initiate action); Stress level - HIGH; (conditional failure probability applied) | SRO & STA | Control room | 1.50E-02 |
| | b. Failure to recognize the need and failure to manually trip the reactor within 1 minute, given anticipated transient without scram | ATW-MAN03 | Low SG narrow range level; high PRZR pressure; flow mismatch between feedwater flow and turbine inlet pressure; (3 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - SHORT; Tw = 1 min; Ta = 30 sec; Stress level - MODERATE | None | Control room | 1.56E-02 |
| | c. Failure to locally actuate the scram breakers during anticipated transient without scram | ATW-MAN04 | Cues are addressed in ATW-MAN01 | DAS, DIS, PMS | Procedure - SHORT; Tw = 2 min; Ta = 1 min; Stress level - HIGH | None | Control room | 1.25E-02 |

Table D-1 (Sheet 18 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| SFWS | a. Failure to recognize the need for high-pressure decay heat removal following a loss of main feedwater, during an accident | HPM-MAN01 | Low SG level; high hot leg temperature; (5 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 4.20E-04 |
| | b. Failure to start the startup feedwater pumps given a loss of main feedwater during a transient | FWN-MAN02 | Cues are addressed in HPM-MAN01 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 1.65E-04 |
| | c. Failure to start startup feedwater pumps, given a loss of main feedwater during a loss of offsite power | FWN-MAN03 | Cues are addressed in HPM-MAN01 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.03E-03 |
| | d. Failure to regulate the startup feedwater following full opening of the regulating valves after a loss of compressed air | REG-MAN00 | Based on engineering judgement, it is assumed that approximately 7 alarms are available for the loss of compressed air scenario | DAS, DIS, PMS | Procedure - SHORT; Tw = 50 min; Ta = 30 min; Stress level - HIGH | SRO | Ex-control room | 2.10E-01 |
| SG | a. Failure to recognize the need and failure to isolate a failed steam generator following a steam line break | CIA-MAN01 | Low SG pressure; high steam flow; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 10 min; Ta = 9 min; Stress level - HIGH | SRO | Control room | 5.90E-03 |

Table D-1 (Sheet 19 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| SG (cont'd) | b. Failure to diagnose a steam generator tube rupture event | CIB-MAN00 | High radiation level in main steam line; high SG level; (2 associated alarms are assumed available) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 15 min; Stress level - HIGH | SRO & STA | Control room | 1.M E.03 |
| | c. Failure to close a main steam isolation valve to isolate the faulted steam generator, given a steam generator tube rupture event | CIB-MAN01 | Cues are addressed in CIB-MAN00 | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 15 min; Stress level - HIGH | SRO & STA | Control room | 1.01E-03 |
| | d. Inadvertent opening of a steam generator power-operated relief valve with the failure to restore it | SGA-MAN01 | High steam flow; (1 alarm associated with inadvertent action is assumed available) | DAS, DIS, PMS | Procedure - N/A; Tw = 10 min; Ta = 5 min; Stress level - LOW (for initial commission); - MODERATE (for subsequent actions) | SRO | Control room | 2.35E4 |

Table D-1 (Sheet 20 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| SWS | a. Failure to recognize the need and failure to open air-operated valve on the motor strainer line during a loss of coolant accident, loss of offsite power, or transient | SWN-MAN01 | High strainer differential pressure; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - SHORT; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.07E-03 |
| | b. Failure to recognize the need and failure to open air-operated valve on the motor strainer line during normal operation | SWN-MAN01N | High strainer differential pressure; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - SHORT; Tw = 30 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 1.72E-04 |
| | c. Failure to recognize the need and failure to start the standby service water pump during a loss of coolant accident, loss of offsite power, or transient | SWB-MAN02 | Low service water flow; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - SHORT; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 1.60E-03 |
| | d. Failure to recognize the need and failure to start the standby service water pump during normal operation | SWB-MAN02N | Low service water flow; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - SHORT; Tw = 30 min; Ta = 10 min; Stress level - MODERATE | SRO & STA | Control room | 2.56E48 |

Table D-1 (Sheet 21 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| TCCWS | a. Failure to recognize the need and failure to start the standby turbine closed cooling water pump, during a loss of coolant accident, loss of offsite power, or transient | TCB-MAN01 | Low TCCW flow; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw = 30 min; Ta = 10 min; Stress level - HIGH | SRO & STA | Control room | 3.10E-03 |
| VWS | a. Failure to recognize the need and failure to actuate the hydrogen control system, given core damage following a loss of coolant accident | VLN-MAN01 | High hydrogen concentration; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw = 2 hr; Ta = 30 min; Stress level - HIGH | SRO & STA | Control room | 3.32E-04 |
| | b. Failure to recognize the need and failure to align the standby chiller during a loss of coolant accident | VWN-MAN01 | High chilled water temperature; CVCS pump tripped; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw = 1 hr; Ta = 30 min; Stress level - HIGH | SRO & STA | Control room | 5.16E-03 |

Table D-1 (Sheet 22 of 22)
AP600 HEP SUMMARY RESULTS

| System | Description of Operator Error | Event ID | Cue(s) | DAS/DIS/PMS Available | PSF | Checking Recovery (by) | Location | Mean HEP |
|---|---|---|---|---|---|---|---|---|
| VWS (cont'd) | c. Failure to recognize the need and failure to align the standby chilled water pump, if automatic actuation fails, during a loss of coolant accident | VWN-MAN02 | Loss of chilled water flow; CVCS pump tripped; (3 alarms are assumed available for this scenario) | DAS, DIS, PMS | Procedure - LONG; Tw = 1 hr; Ta = 30 min; Stress level - HIGH | SRO & STA | Control room | 3.10E-03 |
| I&C | Failure to detect the loss of all instrumentation and control, and diverse indication system alarms | CIX-MAN00 | Loss of plant power generation; (no calculation was performed for this event; the HEP is based solely on engineering judgement) | None | It is assumed that the most limiting time window for detecting this failure is 40 minutes for a "cold leg break" accident; transient is assumed to have a time window of 2 hours. The HEP reflects the assumed shorter time window | N/A | Ex-control room | 1.00E-01 |

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.67

During the staff's review of the response to Q720.6, the staff noted that many HEP actions reported in Table D-1 were not used in cutset quantification or were not used in the AP600 data base. In the response to Q720.6, Westinghouse stated that the ATWS recovery action ATW-MAN03 was not credited due to the short time for recovery, but this action does appear in the fault trees and sequence cutsets. Explain whether ATWS recovery actions ATW-MAN01 and ATW-MAN04 were credited in the PRA. These possible discrepancies should be addressed in Table D-1.

Response

The term recovery is used in the human reliability analysis (HRA) in two ways as follows:

1. A given operator action is considered to be a recovery action if the tasks composing that operator action are performed to correct an accident situation that was not resolved by a previously failed action. The failed action is viewed as the preferred method of resolving the incident.
2. The HRA takes into account the timing mechanism for completing each defined operator action. The available time and estimated actual time for completing the action are defined. From these two times, the slack time is then defined, slack time being the "available time" minus "the estimated actual time." If the time window for a given task is greater than 10 minutes and the estimated slack time is greater than 5 minutes, then it is assumed that there are chances for crew members (the shift technical advisor and/or shift supervisor) to recover errors made by other members of the operating team. This recovery is classified as awareness checking (or unproceduralized) recovery and is applied as a multiplicative factor in the quantification of the operator action. An additional recovery factor is applied if the estimated slack time exceeds 1 hour.

Additionally, it is generally assumed that the senior reactor operator (SRO) may recover an error made by the reactor operator (RO) who is doing the action. This recovery, based on engineering judgment, is applied to any event with available time greater than 5 minutes, if the estimated actual time does not exceed the available time. An appropriate multiplicative factor is assigned in quantifying the operator action to account for this recovery.

The ATW-MAN03 operator action to trip the reactor was credited in the PRA as a recovery action as defined in item 1. Slack time recovery, described in item 2, was not applied to ATW-MAN03; the time window for this event is 1 minute and the estimated actual time is about 30 seconds. The response provided in note 3 of RAI 720.6 referred to the recovery discussed in item 2.

In evaluating operator action ATW-MAN04, the available time considered was 2 minutes and the estimated actual time was 1 minute. Therefore, similar to ATW-MAN03, the recovery discussed in item 2 was not applied in the ATW-MAN04 analysis.


In evaluating operator action ATW-MAN01, the available time considered was 1 hour and the estimated actual time to initiating the action was about 1 minute. Therefore, the recovery described in item 2 was applied. The unconditional human error probability (HEP) evaluated for this task is 2.81E-04. ATW-MAN01 is assessed as having a moderate dependency on ATW-MAN03. Therefore, the conditional HEP for ATW-MAN01 is used in the PRA quantification; the conditional HEP for ATW-MAN01 is calculated to be 1.50E-02.

The HEP of 1.46E-02 was incorrectly used in the PRA for ATW-MAN01. It is believed that the revised HEP of 1.50E-02 will not impact the PRA results significantly. The HEP of 1.50E-02 will be used for operator ATW-MAN01 in the next PRA revision.
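The recovery rules in items 1 and 2 above and the low-dependency relation quoted in the Table D-1 note for CMN-REC01 can be checked mechanically; the following is an added example, not part of the Westinghouse submittal. The class, function and credit-label names are assumptions made here, and because the page gives no values for the multiplicative recovery factors the code only decides which credits apply. Reading the table's "SRO" and "STA" entries as the SRO check and the slack-time check is likewise an assumption.

```python
"""Screen operator actions for the recovery credits described in this response.

Added illustration: names and labels are hypothetical, not from the PRA.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OperatorAction:
    event_id: str
    available_min: float  # time window Tw, in minutes
    actual_min: float     # estimated actual time Ta, in minutes

    @property
    def slack_min(self) -> float:
        """Slack time = available time minus estimated actual time."""
        return self.available_min - self.actual_min


def recovery_credits(action: OperatorAction) -> list:
    """Return the recovery credits that the stated rules allow for an action."""
    credits = []
    # SRO recovery of an RO error: available time > 5 min and the estimated
    # actual time does not exceed the available time.
    if action.available_min > 5 and action.actual_min <= action.available_min:
        credits.append("sro_check")
    # Item 2 (awareness checking): time window > 10 min AND slack > 5 min.
    if action.available_min > 10 and action.slack_min > 5:
        credits.append("slack_time")
        # Additional recovery factor when slack exceeds 1 hour.
        if action.slack_min > 60:
            credits.append("extended_slack")
    return credits


def low_dependency_hep(unconditional_hep: float) -> float:
    """Conditional HEP under low dependency: [1 + (19 x HEP)] / 20."""
    if not 0.0 <= unconditional_hep <= 1.0:
        raise ValueError("HEP must be a probability between 0 and 1")
    return (1.0 + 19.0 * unconditional_hep) / 20.0


# Tw / Ta values as listed in Table D-1 and in the response text.
ACTIONS = [
    OperatorAction("ATW-MAN03", available_min=1, actual_min=0.5),
    OperatorAction("ATW-MAN04", available_min=2, actual_min=1),
    OperatorAction("ATW-MAN01", available_min=60, actual_min=1),
    OperatorAction("PRI-MAN02", available_min=15, actual_min=10),
    OperatorAction("CIA-MAN01", available_min=10, actual_min=9),
    OperatorAction("CIT-MAN01", available_min=300, actual_min=120),
]


def screen(actions) -> dict:
    """Map each event ID to the list of credits it qualifies for."""
    return {a.event_id: recovery_credits(a) for a in actions}


if __name__ == "__main__":
    for event_id, credits in screen(ACTIONS).items():
        print(f"{event_id}: {', '.join(credits) or 'none'}")
    # CMN-REC01 from the unconditional HEP assumed for CMN-MAN01
    print(f"CMN-REC01: {low_dependency_hep(2.06e-3):.2E}")
```

PRI-MAN02 shows the boundary case: a slack of exactly 5 minutes does not satisfy "greater than 5 minutes", so only the SRO check applies.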

PRA Revision:

(See RAI 720.66 response for Table D-1 revisions.)

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.70

In Q720.4, Westinghouse was asked to identify areas of the AP600 design that the PRA indicated were important to reducing or maintaining risk, and should be addressed in the ITAACs. Describe how PRA insights were used to develop the ITAACs, DAC, and D-RAP. Include examples. Provide cross references in the PRA between the D-RAP, Technical Specifications, and ITAAC requirements for test and maintenance unavailabilities assumed for all systems, and assumed system availabilities goals (i.e., DAS and DIS). For example, the PRA assumed the unavailability of DAS to be 9.0E-3. The staff found no unavailability goal for DAS during its review of the D-RAP.

Response

As discussed in the response to RAI 720.4, the AP600 design incorporates insights from several PRA studies. The design information for Tier 1 (including ITAACs) and Tier 2 (including the SSAR) addresses the appropriate aspects of the AP600 design that the PRA studies indicate are important to reducing overall plant risk. The PRA provides detailed models of safety-related and nonsafety-related systems that provide mitigation functions for the various initiating events considered in the PRA. It evaluates the event mitigation functions performed by the modeled systems for a specified mission time following the initiation of an event. The various PRA system analyses identify realistic failure mechanisms for the components within a system. To evaluate the system performance, the PRA uses industry component failure data and makes assumptions for individual component unavailability due to testing and maintenance based on data provided in the Advanced Light Water Reactor Requirements Document, Volume III, Appendix A to Chapter 1 ("PRA Key Assumptions and Groundrules," EPRI, Rev. 2, December 1991).

The PRA results provide an evaluation of the system performance against high level safety goals. The results are also used to identify changes that can improve system reliability to perform its event mitigation functions.

The PRA is not used to establish specific availability goals for a system. The PRA is used to evaluate system performance, from the perspective of its availability and reliability to perform the event mitigation functions. Over plant life, the component and system unavailabilities will be monitored and tracked using plant data bases as part of the Operational Reliability Assurance Program (O-RAP) to assure that the high level safety goals, such as core damage frequency and large release frequency, continue to be met.

Section 16.2 of the SSAR discusses the D-RAP. The D-RAP is not used to establish specific availability goals for plant systems. The D-RAP documents the reliability assumptions for AP600 SSCs, including the PRA reliability assumptions for the COL applicant's use in developing the O-RAP. The PRA component unavailability and failure data assumptions to be included in the D-RAP are documented in Table F-4 of the PRA report. A cross-reference to Table F-4 of the PRA report will be added to SSAR Subsection 16.2.3.4 as indicated in the proposed SSAR revision. Table F-4 of the PRA report includes component unavailability and failure data assumed for the safety-related and nonsafety-related SSCs modeled in the PRA. The D-RAP includes SSC unavailability and failure data assumptions for the systems modeled in the PRA independent of the relative importance for the SSC as determined by the baseline and focused PRAs.


As part of the AP600 program for the development of the Tier 1 information and the associated ITAACs, Westinghouse developed screening criteria to establish a logical and consistent basis for determining the need for ITAACs. The screening criteria focus on the safety significance of the SSCs within a system. Each of the AP600 systems were screened against the ITAAC screening criteria.

The ITAAC screening process resulted in developing Tier 1 information and ITAACs for the safety-related systems and for those nonsafety-related systems that provide defense-in-depth functions, independent of the relative importance for the system as determined by the PRA studies.

The AP600 Design ITAAC development process is consistent with the approach used in the development of ITAACs and equivalent information is included in the development of Design ITAACs for a system, structure, or component.

Based on the process used in the ITAAC program, the requirements specified in the ITAACs are independent of the specific testing and maintenance unavailability assumptions in the PRA and therefore cross-references between these documents and the PRA are not appropriate.

The AP600 Technical Specifications were developed by applying the four screening criteria provided in 52 FR 3788 to all AP600 systems. The testing frequencies assumed for specific components modeled in the PRA are consistent with the associated surveillance test interval provided in technical specifications for that component. The surveillance test intervals used in technical specifications can be found in the PRA under the appropriate system analyses provided in Appendix C.

The completion times for action statements in technical specifications are not directly related to testing and maintenance unavailabilities assumed in PRA. The PRA testing and maintenance unavailability selected for a component is based on historical data that considers appropriate planned testing and maintenance performed on the component. The technical specification completion time is determined considering the seriousness and possible consequences of continuing to operate in a degraded condition, the required actions to restore the component and potential consequences of performing those actions, and the time needed to complete the required actions. Therefore, the testing and maintenance unavailability and technical specification completion times are not directly related and providing a cross-reference between these documents is not appropriate.

The assumed PRA testing and maintenance unavailabilities are not included in either the ITAACs or the SSAR (except for the D-RAP). The assumed PRA testing frequencies are related to certain technical specification surveillance test intervals for a limited number of components. The surveillance test intervals used in technical specifications can be found in the PRA under the appropriate system analyses provided in Appendix C. Therefore, no additional cross-reference beyond that included in the proposed SSAR revision is necessary.

PRA Revision: NONE

SSAR Revision:

Subsection 16.2.3.4 will be modified as follows:

16.2.3.4 Information Available to Combined License Applicant

The Combined License applicant is responsible for performance of the O-RAP, which maintains risk-significant SSC reliability throughout plant life. The following information is available to the O-RAP:

The list of risk-significant SSC identified during the design phaserend4leir-eww::ed rdia!!! tite m:i ::duJe c'::ed == :;W= i-~d ' ' : " "RA.

The PRA assumptions for component unavailability and failure data, as provided in Table F-4 of the PRA report.

The analyses performed for those components identified to be major contributors to total risk, with the dominant failure modes identified and prioritized. The suggested means for prevention or mitigation of these failure modes forms the basis for the plant surveillance, testing and maintenance programs.

Table 16.2-2 provides a list of design recommendations for the nonsafety-related systems. These recommendations include the operational modes when the systems are required to be available, the defense-in-depth functions performed by each system, the recommended modes for extended maintenance operations on the system, and remedial actions if the system is not available.

Question 720.74

The staff notes that the event trees' endstate 2 sequences were not quantified (see WCAP-12699). These endstate 2 sequences result in core damage with an impaired containment. Quantify these sequences and include the results in the PRA or justify why quantification of these endstates is not necessary. In addition, describe how the probability of containment bypass was estimated (referred to as Po in the PRA). Revise the CDF and dominant sequences, as necessary.

Response

The event tree endstate 2 sequences were quantified in the AP600 baseline core damage and release frequency calculations. The sequences leading to the 2 endstates are included in the list of core damage quantification sequences, found in Table F-2 of the AP600 Proprietary PRA Report. The last two sequences in Table F-2 read as follows:

SYS-IEC2E SYS-CIR SYS-IWTM SYS-IEC2L SYS-IWTM

The node IEC2E represents the sequences leading to early core damage ending in the 2 endstates. The node IEC2L represents the sequences leading to late core damage ending in the 2 endstates. Dominant sequence number 19, from Table F-6 of the AP600 Proprietary PRA Report, is a sequence that ends at a 2 endstate. After the core damage quantification, the sequences are then carried through the release frequency calculations. The sequences are carried in identical form because the 2 endstate leads to a direct release.

PO is the probability to have a containment pre-existing opening large enough to prevent the containment pressurization up to the setpoint of the passive containment cooling actuation. It is assumed that a containment opening of 100 cm2 would lead to this condition. After further review of the pre-existing opening probability used in the AP600 baseline core damage quantification, it was concluded that this value is too conservative and the value was changed in accordance with Reference 720.74-1. Reference 720.74-1 derived this value using information presented in References 720.74-2, 720.74-3, 720.74-4, and 720.74-5. The value presented in Section 5.12 of Reference 720.74-5 is 1.3E-04. This value was then adjusted to compensate for the fact that there are no AP600 containment penetrations related to a containment spray system. The contribution of the containment spray penetrations was 1.0E-05; thus the adjusted pre-existing opening probability is 1.2E-04. The PO value is found in the containment isolation fault trees, which are included in Appendix C21 of the PRA Report. This change will be incorporated into the next AP600 core damage and release frequency quantification, to be completed in February 1994.

References:

720.74-1 "Risk Management and Operations Improvement Guidebook 13 - Containment Isolation Guidelines," Revision 0, January 1991.

720.74-2 P. J. Pelto, et al., "Reliability Analysis of Containment Isolation Systems," Pacific Northwest Laboratories, NUREG/CR-4220, June 1985.

720.74-3 D. D. Carlson, et al., "Reactor Safety Study Methodology Applications Program: Sequoyah #1 PWR Power Plant," Sandia National Laboratories, NUREG/CR-1659, 1981.

720.74-4 R. C. Bertucio, et al., "Analysis of Core Damage Frequency: Sequoyah, Unit 1 Internal Events," Sandia National Laboratories, NUREG/CR-4550, Vol. 5, Rev. 1, Part 1, Section 4.11.1, April 1990.

720.74-5 Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, Appendix II: Fault Trees," WASH-1400, October 1975.

PRA Revision:

C21.4 REFERENCES

5. "Risk Management and Operations Improvement Guidebook 13 - Containment Isolation Guidelines," Revision 0, January 1991.

Table C21-3 NOTES RELATED TO SYSTEM FAULT TREE ASSUMPTIONS

1. TIM FRAC = 0.1 - The VFS purge exhaust penetration is assumed, conservatively, to be open about 10% of normal operation time to compensate the air-leakages from components that could raise containment pressure.

2. PO - It is the probability to have a containment pre-existing opening large enough to prevent the containment pressurization up to the setpoint of the passive containment cooling actuation. The value is derived from Reference 5 (opening with a size of 100 cm2; probability equal to 1.2E-04).
3. See Appendix C20.
4. Assume that each ESF subsystem has approximately 30 sensors input (current loop and RTD), and these are shared in 8 EAl boards (each one can accept no more than 4 sensor inputs). Because each M40 can accept no more than 4 inputs from EAl, two M40 per ESF subsystem are assumed to be present. Conservatively both are assumed needed. (See Appendix C20.)
5. The loss of cooling assembly that is performed by two fans located at the bottom of each card does not affect the cards' performance. Furthermore, the unavailability is negligible. In fact, the failure of both fans is:

(1E-5 x 24) * (1E-5 x 24) = 5.76E-8/d

That is a small value with respect to the other failure. Also the CCF is disregarded for the same reasons. (See Appendix C20.)

6. No signal failure has been modeled since many different types of indication are available (e.g., low PRZR level, high temperature, and high area radiation).

Question 720.81

Past PRAs have revealed that containment bypass sequences tend to dominate risk. Yet for the AP600 design, the PRA states on page 7-3 that large breaks outside containment are precluded by design. However, no supporting documentation or references were supplied. Discuss the technical basis for this argument and the design aspects of the AP600 that preclude large breaks outside of the containment.

Response

A large-break LOCA is defined as the rupture of a primary system line greater than 10 inches in diameter. The AP600 precludes large breaks outside containment because there are no primary system lines of this size outside containment.

PRA Revision: NONE

Question 720.82

The AP600 PRA documentation did not discuss how the design features of the AP600 mitigate containment bypass due to ruptured steam generator tubes. This item is of interest to the staff because the Commission is considering implementing design requirements aimed at reducing or eliminating containment bypass due to steam generator tube rupture events. Provide a summary of the AP600 design features that mitigate the amount of containment bypass leakage from single or multiple steam generator tube ruptures.

Response

The AP600 provides defense-in-depth for accidents, including steam generator tube rupture. The AP600 incorporates a number of design features that help to reduce the potential for and mitigate the consequences of steam generator overfill and containment bypass following a steam generator tube rupture event. Subsection 15.6.3 of the AP600 SSAR provides a description of this event, including criteria and analytical results of the safety analysis. Subsection 6.3.3.3.1 also discusses the passive core cooling system response following a steam generator tube rupture event.

The nonsafety-related chemical and volume control system and startup feedwater system automatically actuate to provide makeup to the reactor coolant system and to establish decay heat removal via the secondary system, respectively, following a steam generator tube rupture event. The startup feedwater system is designed to maintain a programmed steam generator water level. This automatic control helps to reduce the potential for steam generator overfill due to overfeeding the faulted steam generator. The chemical and volume control system makeup pumps automatically maintain a programmed pressurizer water level. The automatic level control helps to prevent indirect steam generator overfill due to break flow to the steam generator. Both of these nonsafety-related systems have safety-related isolation if overfill occurs and a high steam generator level is reached. As in current plants, the steam dumps and steam generator power-operated relief valves can automatically provide decay heat removal.

Maintaining decay heat removal helps to prevent reactor coolant system repressurization, reducing break flow to the faulted steam generator, and decreasing the potential for steam generator overfill and containment bypass.

The operators can take manual actions that complement the automatic response of the safety-related or nonsafety-related systems to reduce the severity of the transient, similar to actions taken in current plants. For example, the operators are expected to take appropriate actions to identify and isolate the faulted steam generator, cooldown and depressurize the reactor coolant system to terminate the break flow into the faulted steam generator, and stabilize plant conditions. The operators may also take corrective actions such as starting or stopping the nonsafety-related systems if a malfunction occurs.

If the nonsafety-related systems malfunction or if operator actions fail to stabilize plant conditions, the safety-related systems will establish and maintain stable, safe shutdown conditions and prevent containment bypass. The safety-related passive core cooling system will automatically actuate following a steam generator tube rupture event. The exact sequence depends upon the severity of the tube rupture and the response of the nonsafety-related systems.

The core makeup tanks automatically actuate to maintain the reactor coolant system inventory. The design capabilities of the core makeup tanks, with gravity injection flow as compared to current plants with pumped safety-related injection flow, tends to reduce the potential for repressurization of the reactor coolant system and overfill of the steam generators.

The passive residual heat removal heat exchangers automatically actuate, if required, during a steam generator tube rupture. In particular, the heat exchangers automatically actuate on the same steam generator high water level signal that isolates the startup feedwater and the chemical and volume control system makeup pumps. Actuation of the passive residual heat removal heat exchangers cools down the reactor coolant system, reducing system pressure and terminating break flow to the faulted steam generator. Safety analysis shows that the operation of the passive residual heat removal heat exchanger prevents steam generator overfill and containment bypass without automatic depressurization.

In the event of failures beyond the design basis for AP600, the increased defense-in-depth capabilities provide additional capabilities to mitigate steam generator tube rupture events. Partial automatic depressurization and manual actuation of the nonsafety-related normal residual heat removal system can cooldown and depressurize the reactor coolant system and eliminate break flow to the faulted steam generator, preventing containment bypass. If the normal residual heat removal system is not successfully started, then full automatic depressurization will successfully stabilize the plant and prevent containment bypass. If automatic actuation of the safety-related systems is unsuccessful, the operators can use the first stage automatic depressurization system valve, which is a positionable globe valve with throttling trim, to provide a controlled partial depressurization and stabilize plant conditions, providing the capability to avoid a significant release for a steam generator tube rupture.

The simplified design of many plant systems, along with improvements in the man-machine interface, help to provide improvements in plant and operator response.

The response to RAI 440.27, which discusses AP600 response to multiple steam generator tube rupture events, shows that the design features discussed above help to minimize containment bypass for both single and multiple steam generator tube rupture events.

SSAR Revision: NONE

PRA Revision: NONE

Question 720.83

Common cause failures were omitted in certain parts of the PRA due to consideration of management procedures and Q practices. Discuss and justify the details and considerations that were given to design diversification, manufacturing Q, and plant management practices that limit common cause failures in the AP600 design. Westinghouse should also reference where these design details, Q practices, and plant management practices will be included in ITAACs, DACs, Technical Specifications, or Administrative Controls (whichever is applicable) and include these references in the PRA. Since common cause failures appear to be dominating the AP600 risk profile, identify which common cause failures were deleted from the PRA due to these details.

Response

The plant surveillance and testing requirements, including those in technical specifications and ITAACs, provide mechanisms to establish and monitor equipment operability. These requirements can help to minimize the potential for common cause failures.

Common cause failures are not omitted in the AP600 PRA. They are evaluated as discussed in Section 4.4 of the PRA report. The AP600 PRA specifically evaluated four types of dependent failures as discussed in Chapter 4 of the PRA. These dependent failures include:

- Sequence functional dependencies
- Intersystem dependencies
- Dependencies due to human actions
- Intercomponent dependencies

The following three basic groups of intercomponent dependencies or common cause failures are considered in the PRA:

- Design/manufacturing/construction/installation/internal failures
- Abnormal environmental stress
- Maintenance or operator errors

Common cause failures due to internal failures result from component wear, intrinsic failures, or normal ambient environmental influences that degrade components.

Appendix E.3 provides details of the common cause failures specifically evaluated in the PRA. As discussed in Subsection 4.4.2, common cause failures due to abnormal environmental stress were evaluated for the AP600 design and are not considered to be significant. The other types of common cause failures are explicitly or implicitly included in the PRA as part of the common cause failure analysis.

ITAACs have been developed to verify construction to the certified design. The preoperational and startup testing, including ITAAC measures, conducted following construction provides a mechanism that can help to minimize potential common cause failures.

Common cause failures due to design, manufacturing, construction, and installation that affect plant operation as modeled in the PRA are reflected in the historical data for component failures used in the PRA. For example, common cause failures that are not identified until after initial plant operation, such as inadequate design margin for a valve operator or incorrect valve installation, result in multiple failures of the associated valves as they are tested and therefore, are captured in the historical data for component failures.

SSAR Section 16.1 provides the AP600 technical specifications. The technical specifications include periodic surveillance tests that can help to establish and maintain equipment operability and minimize common cause failures that evolve over plant life such as internal common cause failures. The impact of technical specifications on common cause failures is implicitly included in the component failure probabilities used in the PRA, and therefore, appropriately addressed in the AP600 PRA.

The combined license applicant is responsible for developing administrative and operational controls that can impact various common cause failures, particularly maintenance and operator error common cause failures. The documents that implement these controls and the associated training provide direction to the plant operations, maintenance, and engineering staff activities and provide consistency in various activities, thereby helping to reduce the potential for maintenance and operational error common cause failures. As with technical specifications, the impact of administrative controls on common cause failures is implicitly included in the component failure probabilities used in the PRA, and therefore, addressed in the AP600 PRA.

Common cause failures have been evaluated in the PRA and design diversification has been implemented to help reduce vulnerability to them. Details of the various system designs, including design diversity, are provided in the system descriptions in the SSAR. The following are examples of safety-related and nonsafety-related component and functional design diversification for several important plant applications:

- The automatic depressurization system valve design includes two different types of operators, two different valve types, and three different valve sizes, thereby minimizing the impact of common cause failures on the various components.

- The safety-related core makeup tanks, automatic depressurization system, and in-containment refueling water storage tank provide a backup decay heat removal functional capability to the safety-related passive residual heat removal system.

- The normal residual heat removal system provides a diverse, nonsafety-related low pressure injection capability in the event of common cause failure of the gravity injection check valves to open.

- SSAR Table 7.2-5 summarizes the functionally diverse protection and safety monitoring system actuation signals for reactor trip and engineered safety functions.

- The diverse actuation system provides a diverse method to automatically and manually actuate safety-related systems following common cause failure of the protection and safety monitoring system.

SSAR Revision: NONE

PRA Revision: NONE

Question 720.84

Discuss the capability of the AP600 plant to be brought to cold shutdown condition following operation of the passive containment cooling system and the potential equipment failures caused by the adverse containment environment.

Response

As specified in SSAR Subsection 3.11.2.2:

AP600 safety-related mechanical components are qualified by design to perform their required safety-related functions under the appropriate environmental effects of normal, abnormal, accident, and post-accident conditions as required by General Design Criterion 4 and discussed in Appendix 3D.

The post-accident environmental envelope is based on the operation of the passive containment cooling system for the accident recovery period. The derived environmental envelope is the basis for the qualification of equipment under the guidance of IEEE 323-1974, IEEE 323-1983, and Regulatory Guide 1.89, as discussed in SSAR Appendix 3D. The qualification of the equipment demonstrates the ability of the safety-related components to provide for the plant's safe-shutdown condition while exposed to the post-accident conditions.

The ability to reach a cold shutdown condition will be dependent upon the availability of the normal residual heat removal system (RNS) and the necessary support systems including the component cooling water system (CCS) and the service water system (SWS). The only powered, active components of these systems located inside containment and potentially impacted by containment conditions are the safety-related suction isolation valves in the normal residual heat removal system.

SSAR Revision: NONE

PRA Revision: NONE

Question 720.85

Describe the process that was used to identify (a) low-frequency accident initiators leading to core damage that could significantly challenge prevention and/or mitigation equipment and (b) low-frequency initiating events with very high consequences (multiple initiators, multiple steam generator tube ruptures, etc.).

Response

Section 7.1 and Appendix A of the PRA describe the process that was followed for initiating events identification. In addition to all events described from operating experience review, a systematic analysis was performed on the AP600 design to evaluate additional initiating events that could be generated, in particular, by the passive systems and by support systems. Effects of the identified initiating events on prevention and/or mitigation systems have also been determined and reported in Appendix A of the PRA. All the prevention/mitigation systems impacted (failed by the event, decreased effectiveness, etc.) were not taken credit for in the related event tree model. For example, the loss of a particular support system results in the loss of the supported system, and the event tree related to this event is modeled without the supported front-line system.

Initiating events and resulting scenarios are removed if:

- The initiating event frequency is lower than 1.0E-06 and there is little to no degradation of prevention and mitigation systems, such that it can be estimated that the frequency of the sequences generated will be less than 1.0E-12 per year, and the event does not lead to a direct core damage.

- The event consequences are bounded by another event with an initiating frequency more than a factor of 100 larger. If the factor is less than 100 and the contribution of the bounding event to the overall core damage frequency is important, the frequency of the event is summed to the bounding event and quantified with the same event tree.

- The frequency of the scenario is lower than 1.0E-12. This, if necessary, can be used for event tree simplification by deleting the event tree branches that are found, by a screening quantification, to have a very low probability.

The dependencies between prevention and mitigation systems were automatically evaluated by the WLINK code, during both the first- and second-level quantification. Dependencies between the level I and level II quantification were evaluated by providing, as initiating event input to the containment event trees, the equations for the accident classes instead of numerical values to represent the frequencies of each class.

PRA Revision: NONE

Question 720.86

Justify using MGL common cause factors that are different from those recommended by EPRI in the Utility Requirements Document (Volume 3, Revision 111,5/92) for the gravity injection check valves. The gravity injection check valves were identified as being important in achieving the reported core damage frequency estimates based on the importance analyses. The values selected by ENEL and Westinghouse result in a factor of 10 reduction in the common cause failure rate of the gravity injection check valves than would be calculated using the EPRI values.

Response

The MGL common cause factors for gravity injection check valves used in the AP600 PRA were from the SAROS letter to EPRI, "Key Assumptions and Groundrules Document Recommended Changes to Data Annex," dated March 8, 1991. These recommended data changes have been approved by EPRI, and it is anticipated that they will be incorporated into the next revision of the Utility Requirements Document (Revision 6) for passive plants.

Since the gravity injection check valves are similar in design to existing plants' check valves, it is anticipated that the MGL common cause factors recommended by SAROS are applicable for the AP600 gravity injection check valves.

PRA Revision: NONE

Question 720.87

The staff notes that spurious operation of the ADS contributes more than fifty percent of the Large Break LOCA initiating event frequency. This frequency was computed to be 4.95E-6 based on quantification of the ADS system fault trees. The design value for ADS spurious operation as specified in Revision 1 to WCAP-13202 was assumed to be once in every six hundred years, which is a factor of thirty five higher than the value listed above. Explain this discrepancy and correct the PRA, as appropriate.

Response:

WCAP-13202 (Rev. 1) states "The probability of actuation of the ADS should be once in 600 years. Consideration should be given to both real demands ... as well as for spurious instrumentation signals ..." The frequency of 1/600 for ADS actuation is a design criteria which should not be exceeded. In addition, the value of 1/600 should not be compared to 4.95E-5 because 4.95E-5 is the frequency of ADS spurious actuation contribution to large LOCA and is only one of the factors that will lead to ADS actuation.

The 4.95E-5 frequency represents the contribution of ADS spurious actuation to the large LOCA initiating event frequency in the AP600 PRA.

In the AP600 PRA, it is assumed that the spurious actuation of the ADS only contributes to either a large or medium LOCA. The frequency of ADS spurious actuation is 6.05E-5 per year (4.95E-5 contributes to large LOCA and 1.10E-5 contributes to medium LOCA as reported in Appendix B). The ADS spurious actuation frequency includes the ADS valve internal rupture, operator errors (inadvertent manual ADS actuation and test/maintenance error), and malfunction of the integrated protection system.

ADS would be demanded to actuate upon an accident sequence of RCS leakage (<100 gpm), chemical and volume control system (CVS) failure, and failure to repair the CVS. The frequency of this sequence is 3.24E-5 per year.

Per response to RAI 720.14, the frequency of accident sequences (excluding the RCS leakage sequence as mentioned above) leading to ADS challenge is 1.34E-3 per year.

Therefore, the total frequency of the ADS actuation (for both demands and spurious actuation) is 1.43E-3 per year (6.05E-05 + 3.24E-5 + 1.34E-3) or once for every 697 years, which meets the design criteria.

PRA Revision: NONE

Question 720.90

It appears that the very small LOCA frequency did not account for leaking valves, flanges, and seals. Explain this possible discrepancy.

Response

The very small LOCA initiating event frequency did not explicitly account for leaking valves, flanges, and seals. The calculation of this initiating event frequency was not based on a leak flow rate but simply on the failure of a pipe segment having the appropriate inside diameter, which is less than or equal to 0.75 inch. There was no differentiation between the complete severance of such a pipe and a crack that leaks. The very small LOCA initiating event frequency is based on the number of pipe segments where components (such as valves and flanges) were considered as part of the pipe segment.

Leakage from valve bonnets, flanges, and seals would likely be small leak rates that would be detected if the leak rate is greater than about 0.5 gpm. In the PRA report, "leakage in primary system" was viewed as an event that would simply require manual shutdown (see Table A-3 in the AP600 PRA report). After the PRA report was submitted, Westinghouse responded to NRC concerns regarding "Reactor Coolant System Leaks" in letter NSRA-APSL-93-0392/ET-NRC-93-3990 dated October 20, 1993, which deals with the regulatory treatment of nonsafety systems. For this response, a new RCS leakage event was added to the Level 1 PRA, and the total core damage frequency and the release frequency were requantified. The frequency of this RCS leak event is based on operating plant experience and therefore includes leaks from valves, flanges, and seals. From these data, the reported leaks from flanges and valves were less than 50 gpm and the average leak rate was less than 15 gpm.

The RCS leak event will be incorporated into the next revision of the PRA in February 1994.

PRA Revision: See above response.

Question 720.91

Software common cause failure for all cards fails automatic actuation of the CMTs and ADS. Thus, this event was identified as being an important risk contributor from the risk achievement analyses. The basic event probability for common cause software error is described to be 1.1 x 10^-4 in Appendix E. Provide the basis for and the validation of this probability. In particular, explain the basis for the factors given in the equation that was used to generate this value.

Response

The software common cause failure (CCF) probability is 1.2E-06/demand (see line 959 of Table F-4 and page E-11 of AP600 PRA).

The probability is calculated by using the formula reported on page E-10 of AP600 PRA, with the following values (values for which no data source is stated are assumptions based on engineering judgement):

U = software common cause failure probability affecting a single subsystem

n = 5000 lines (per function; 50000 - 100000 lines total)

lambda = 1E-03 fatal errors per instruction line

Vi*Vt = 5E-02 per demand. The range is between 1E-02 to 1E-03. In general, data indicates a two percent error found during software applications. The V&V failure for nuclear applications is expected to be lower.

Pc' V t' = 1E-05 per demand.

C = 0.1. Fraction of software errors that is deemed to cause complete system failure in a non-fail safe system.

Pet = 5E-03 per demand. This is the sum of the following two contributions:

- the probability that the error will be activated during the event, given that it is not activated during a test; the real event is different than the test in producing additional microprocessor inputs and that these will activate the error. This probability is assessed to be low, 1E-02 to 1E-03 per demand range.

- the probability that the error will be activated during the event because of the concurring CCF hardware failure or multiple hardware failure which will produce an expected, but not tested, input in all redundant components. This probability is assessed to be lower than 1E-03 per demand.

Using the above input probabilities and the equation on page E-10,

U = (5000 * 1E-3 * 0.1 * 5E-3 = 1.2E-5 per demand.

As already described on page E-10, this affects a single subsystem. A pessimistic estimate that 10 percent of these CCFs will affect all microprocessor based components is used to get the final CCF probability as

U * 0.1 = 1.2E-06 per demand.

Thus, a CCF affecting all microprocessor based cards (both safety and non-safety) due to the built-in running software is assessed as 1.2E-06 per demand. The component importance analysis on plant core damage frequency (Table F-8A of the AP600 PRA report) shows that the results are not sensitive to this value. The basic event CCX-SFTW representing this failure mode has a risk decrease importance of 0.3 percent; thus a ten-fold increase in this basic event probability will still not affect the plant core damage frequency appreciably (e.g., less than a 3 percent increase).

PRA Revision: NONE

Question 720.93

The fault trees in the AP600 PRA were modularized. Describe the procedures that were used to prevent overlooking of system dependencies during fault tree modularization.

Response

The procedures used to develop the fault tree models are described in WCAP-12699, Revision 2 (Reference 720.93-1). WCAP-12699 contains nine guidebooks; the guidebook describing the fault tree development is "System Analysis and Data Base Guidebook for AP600 Probabilistic Safety Study," Section 4.0. Section 2.0 of this guidebook describes the steps used to properly develop the system fault trees. As can be seen from the steps in Section 2.0, there are a multitude of preliminary activities that must be performed before the actual fault tree construction can begin.

Among the activities described in the steps of Subsection 2.1, step 2 states, "Complete a 'System Dependencies Matrix' including, for each system component, its supporting systems." Therefore, a system dependency matrix is developed for each system and the components in each system. This matrix is constructed before construction of the actual fault tree logic model begins. This matrix identifies, for each of the components, the systems that the components rely on for proper operation. For a given component, this matrix identifies the necessary power supplies, component cooling, room cooling, or any other support systems that are required for proper component operation.

For a more detailed explanation of the fault tree development procedures and guidelines, please refer to Section 4.0 of Reference 720.93-1.

References

720.93-1 "AP600 Plant Probabilistic Safety Study Guidebooks," WCAP-12699, ENEUDSR-VDN INW(M30 SPRD0061, Rev.1, June 1992.

PRA Revision: NONE
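The following is an added example, not code or data from WCAP-12699 or the AP600 PRA: it shows how a System Dependencies Matrix of the kind described in the response to Question 720.93 can be checked against proposed fault tree modules so that a support system shared by two modules is not overlooked. All component, support-system and module names are constructed, and following support-to-support dependencies transitively is an assumption about how such a check could be done.

```python
"""Dependency-matrix check run before fault tree modules are treated as independent."""

# Constructed sample matrix: component -> support systems it relies on directly.
# Names are hypothetical and do not come from the AP600 documentation.
DEPENDENCY_MATRIX = {
    "PUMP-A": {"AC-BUS-1", "CCW-TRAIN-A", "ROOM-COOLER-1"},
    "PUMP-B": {"AC-BUS-2", "CCW-TRAIN-B", "ROOM-COOLER-1"},
    "VALVE-A": {"DC-BUS-1"},
    "VALVE-B": {"DC-BUS-2"},
    "CHECK-VALVE-A": set(),  # passive component, no support system
}

# Constructed: support systems that themselves rely on other support systems.
SUPPORT_DEPENDENCIES = {
    "CCW-TRAIN-A": {"AC-BUS-1"},
    "CCW-TRAIN-B": {"AC-BUS-2"},
    "ROOM-COOLER-1": {"AC-BUS-1"},
}

# Proposed modules: groups of components collapsed into one event each.
MODULES = {
    "MOD-TRAIN-A": ["PUMP-A", "VALVE-A", "CHECK-VALVE-A"],
    "MOD-TRAIN-B": ["PUMP-B", "VALVE-B"],
}


def expand(supports, support_deps):
    """Return the supports plus everything they depend on, transitively."""
    seen, stack = set(), list(supports)
    while stack:
        item = stack.pop()
        if item in seen:          # also protects against cyclic dependencies
            continue
        seen.add(item)
        stack.extend(support_deps.get(item, ()))
    return seen


def missing_from_matrix(matrix, modules):
    """Components used in a module that have no row in the matrix."""
    return sorted({c for comps in modules.values() for c in comps
                   if c not in matrix})


def module_supports(matrix, support_deps, modules):
    """Map each module to the full set of support systems it relies on."""
    missing = missing_from_matrix(matrix, modules)
    if missing:
        # The matrix must be complete before the tree logic is built.
        raise ValueError(f"no dependency matrix row for: {missing}")
    result = {}
    for name, comps in modules.items():
        direct = set().union(*(matrix[c] for c in comps))
        result[name] = expand(direct, support_deps)
    return result


def shared_supports(matrix, support_deps, modules):
    """Support systems relied on by more than one module.

    Each entry is a dependency that would be hidden if the modules were
    quantified as independent events.
    """
    users = {}
    for name, supports in module_supports(matrix, support_deps, modules).items():
        for support in supports:
            users.setdefault(support, []).append(name)
    return {s: sorted(m) for s, m in sorted(users.items()) if len(m) > 1}


if __name__ == "__main__":
    for support, mods in shared_supports(
            DEPENDENCY_MATRIX, SUPPORT_DEPENDENCIES, MODULES).items():
        print(f"{support} is shared by {', '.join(mods)}")
```

With only the direct entries of the matrix, the shared room cooler is found; the shared ac bus appears only once the cooler's own power supply is followed.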

Question 720.96 The AP600 was designed such that the station blackout events contribute minimally to the AP600 risk profile. Describe how the generic EPRI data on battery failure and common mode failure was qualified to be applicable for AP600 design.

Response

The response to RAI 720.61 provides the response for this question.

PRA Revision: NONE.

Question 720.97 The staff notes that the passive containment cooling sumps use both MOVs and gravity check valves for injection while IRWST injection uses only gravity check valves. With the uncertainty over the performance of gravity check valves at low pressure differentials, explain why the parallel IRWST injection path is isolated with gravity check valves and not MOVs. Describe what risk reduction considerations were used in the selection of valves for these parallel injection paths.

Response

The design for the passive core cooling system in-containment refueling water storage tank (IRWST) injection lines and containment recirculation lines is shown in Figure 6.3-2 of the SSAR.

The design for IRWST injection provides two parallel check valve flow paths in each IRWST injection line to address level 1 PRA reliability for failure of the check valves to open.

The design for containment recirculation provides two parallel flow paths from each containment recirculation screen area. Motor-operated valves are used in one of the parallel flow paths for each containment recirculation screen area because the containment recirculation lines provide a capability to flood the reactor cavity in a severe accident.

During a severe accident in which the IRWST has failed to inject into the reactor coolant system, the motor-operated valves are manually opened, allowing reverse flow through the line, to drain the IRWST into the containment sump and flood the cavity. The use of check valves in this line would not provide this capability. The containment recirculation design also addresses level 1 PRA reliability for failure of the valves in both lines to open.

The PRA, which models the IRWST injection line and containment recirculation line arrangements, shows acceptable passive core cooling system reliability using a check valve reliability appropriate to this application and assuming common cause failures of these check valves.

As described in Subsection 5.4.7.1.2.4 of the SSAR, the normal residual heat removal system provides a diverse, nonsafety-related injection capability in parallel with the passive core cooling system IRWST injection line check valves. For this low pressure mode of reactor coolant system injection, the normal residual heat removal system pumps are aligned to take suction from the IRWST and the containment recirculation screen areas and to discharge into the direct vessel injection lines as shown in Figure 6.3-2 (Sheets 1 and 2) of the SSAR.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.98 Explain why the NRHR was not considered to mitigate Large Break LOCAs and Safety Injection Line breaks. If the operator should not use the NRHR following Large Break LOCAs and Safety Injection Line breaks, what procedures would prevent the operator from actuating NRHR and the consequences if the operator inadvertently actuates NRHR. Discuss and describe these procedures. What is the likelihood that the operator will fail to follow procedures? Include this HEP in Table D-1.

Response

The AP600 PRA model did not credit operation of the normal residual heat removal system (RNS) to mitigate large break LOCAs because the system may be isolated due to high containment radiation. Upon receipt of an 'S' signal, the operator will be instructed to open the normal residual heat removal system discharge line and normal residual heat removal system suction connection to the in-containment refueling water storage tank. The operator will then start the normal residual heat removal system pumps so that if the pressure in the reactor coolant system is reduced, the normal residual heat removal system pumps will provide low pressure makeup to the reactor coolant system.

The normal residual heat removal system pump will operate in this mode unless a high radiation level in containment was reached, whereby the normal residual heat removal system containment isolation valves would close. Operation of the normal residual heat removal system in this manner will not conflict with the passive safety system in mitigating an accident.

The PRA model did not credit normal residual heat removal system operation for a safety injection line break because the system would not effectively deliver flow through the intact safety injection line because of the configuration of the normal residual heat removal system piping.

The AP600 PRA incorrectly states that the normal residual heat removal system is not used during these modes.

PRA Revision:

The following paragraph in Appendix F.2.14.1 is rewritten as follows:

F.2.14 Large Loss of Coolant Accident

F.2.14.1 Development of the Event Tree (A)

The normal residual heat removal system is not modeled due to the possibility of [deleted: transmitting radioactivity outside of containment] the system being isolated due to high containment radiation.

Question 720.99 As reported in Appendix B, approximately eighty five percent of the small break LOCAs occur in or through the pressurizer instrumentation lines. Explain how the CMTs and ADS would manually and automatically actuate, given a break in the pressurizer instrumentation lines. It is the staff's understanding that the CMTs and ADS require the pressurizer level transmitters for manual and automatic actuation. The staff suspects that the pressurizer level transmitters would give inaccurate readings. In addition, explain how the instrumentation and the S-signals would respond to this event, and whether the instrumentation is environmentally qualified.

Response

The core make up tanks (CMTs) and automatic depressurization system (ADS) are designed to operate automatically following any LOCA including a pressurizer steam space break. SSAR Subsection 15.6.5.4.B.3.3 describes the analysis of a two-inch cold leg pressure balance line break which demonstrates core make up tank and automatic depressurization system performance during a "steam space break" (since the balance line connects to the pressurizer steam space). The core make up tanks are actuated on either an 'S' signal (low pressurizer pressure) or on low pressurizer level. The break of an instrument line would result in core make up tank actuation on low reactor coolant system pressure. The automatic depressurization system is actuated on core make up tank level (75%) and this setpoint will be reached as the core make up tank drains. Safety-related instrumentation is environmentally qualified.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.100 The AP600 design makes use of natural circulation as a passive process to ensure safety. The staff wants to determine the extent to which the digital I&C systems have been verified for the range of natural circulation flow conditions expected during operation. Describe how the digital protection system's software is being validated for expected natural circulation conditions under accident and non-accident conditions.

Response

As in current plants, the AP600 employs natural circulation as a means to remove heat from the core via the steam generators. In addition, the passive residual heat removal heat exchangers are safety-related components that use natural circulation to perform their function. The flow instrumentation used to measure reactor coolant and passive residual heat removal flow is similar in principle to flow instrumentation in current plants, and provides flow indication over the expected range of operation including natural circulation conditions.

The validation of the digital protection system software is described in WCAP-13383, "AP600 Instrumentation and Control Hardware and Software Design, Verification, and Validation Process Report".

SSAR Revision: NONE
PRA Revision: NONE

Question 720.103 The staff notes in Appendix C that the Protection & Safety Monitoring System is heat sensitive. Appendix C states that 120°F is the maximum temperature allowed for card operation, and loss of HVAC for 24 hours does not result in the cards exceeding 120°F. How has the availability of the HVAC system been incorporated into the availability goals for the Protection and Safety Monitoring System and the Plant Control System? How would the PMS system respond if HVAC was lost for 24 hours after a severe accident?

Response

The Protection and Safety Monitoring System and Plant Control System reliability is supported by the HVAC systems design in combination with structures and area heat sink design to accommodate the systems' mission time in the PRA. The Class 1E electrical room HVAC, a subsystem of the nonsafety-related nuclear island nonradioactive ventilation system, cools the Class 1E electrical rooms, Class 1E electrical penetration rooms, Class 1E battery rooms, spare Class 1E battery room, the remote shutdown area and reactor cooling pump trip switchgear rooms.

The rooms associated with A and C electrical power divisions and remote shutdown area are served by one ventilation system subsystem and the B and D electrical divisions are served by a second ventilation system subsystem. The Class 1E electrical room HVAC, a subsystem of the nuclear island nonradioactive ventilation system, is designed to provide a reliable source of ventilation/cooling to the Class 1E electrical rooms whenever ac power is available. Although the subsystem (discussed in section 9.4.1 of the SSAR) is not safety-related, it has been designed to support the availability objectives of the protection and safety monitoring system (PMS). Failure of the nonsafety-related, nonseismic HVAC equipment and ductwork will not compromise any safety-related systems, structures, or components, including the protection and safety monitoring system. The system is designed, and the equipment and components functional capabilities are specified, to maximize availability and minimize the potential for reliance on passive equipment cooling. This is achieved through the use of redundant equipment and components that are connected to standby onsite ac power sources. Specific design details are provided in SSAR Section 9.4.1.

The majority of the plant control system equipment is serviced by the Equipment Room HVAC subsystem of the nonsafety-related annex/auxiliary building nonradioactive HVAC system discussed in section 9.4.2 of the SSAR.

Should the HVAC system be unavailable for more than 24 hours and ac power not be available, room temperatures would not exceed limiting temperatures for the protection and safety monitoring system equipment for 72 hours. The reduced heat loads within the rooms resulting from the loss of ac power and the subsequent reduction in dc powered equipment serves to limit the temperature excursion to less than 120°F. After 72 hours portable ventilation equipment would be installed to maintain continued acceptable conditions for the operating protection and safety monitoring system equipment. Should ac power be available and the HVAC subsystem remain out of service, actions are expected to be taken to maintain temperatures below limits to ensure the operability of the PMS consistent with the Technical Specification, such as providing portable ventilation in the form of air movement equipment.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.108 The staff notes in the MAAP calculations for the Level I success criteria that multiple steam generator tube ruptures result in core damage for some equipment configurations. Evaluate the sensitivity of core damage frequency to variations in the assumed frequency of multiple steam generator tube ruptures. In addition, assess the change in multiple steam generator tube rupture frequency due to anticipated steam generator tube plugging and allowable steam generator tube leakage.

Response

Subsection 3.4.4 of the AP600 PRA Report provides results of the analysis of success criteria for the steam generator tube rupture (SGTR) initiating event. On the basis of MAAP 4.0 runs, for the multiple (three) steam generator tube rupture event, the peak clad temperature limit of 2200°F is exceeded for sequences where failure of the protection and safety monitoring system to actuate the passive residual heat removal system is assumed. This results in different success criteria for the three-tube SGTR event than for single tube rupture event. Namely, the protection and safety monitoring system is required to actuate the passive residual heat removal system on the high steam generator water level signal. As it is stated in Note 12 to Table 7.4 of the AP600 PRA, the effect of multiple SGTR is directly modeled in the passive residual heat removal system fault tree, PRS. The PRS fault tree introduces the conditional probability of the multiple steam generator tube rupture as the basic event MSGTR. The conditional probability of MSGTR, given a steam generator tube rupture event, is assessed to be 3.2E-2. The MSGTR event's impact on core damage frequency, according to values obtained from the importance analysis, is 2.2 percent, if assumed conditional probability of multiple SGTR is 1.

The frequency for the multiple steam generator tube rupture event assumed in this PRA is determined on the basis that the only feasible mechanism for multiple steam generator tube rupture is the result of wear from loose parts, which is independent of the level of steam generator tube plugging and the allowable steam generator tube leakage. This frequency is based on actual operating experience of Westinghouse PWR steam generators that have been in operation for many years.

PRA Revision: NONE

Question 720.109 The MAAP acceptance criteria calculations indicate periods of core uncovery for break sizes in the range between 10 to 4 inches. Provide a table that includes (a) the peak cladding temperature, (b) the peak steam temperature, (c) the amount of core uncovered, (d) the time to core reflooding, given a core uncovery, and (e) the calculational code used, for each success path credited for each initiating event group in Table 7-4 of the PRA.

Response

Table 720.109-1 duplicates the portion of Table 7-4 of the AP600 PRA report under "core cooling" and shows the peak core temperature (the hottest of any fuel or clad node at any given time during the transient), the maximum depth of core uncovery (percent of core), the duration of core uncovery (seconds), and the computer code used for the calculation. The "Note" column in the table indicates results of another analysis (for example, the design basis calculation) may have been used to verify that the success criteria are acceptable.

PRA Revision: NONE

TABLE 720.109-1 (Sheet 1 of 6)

CORE VALUES FOR SUCCESS CRITERIA FOR THE MITIGATING SYSTEMS

| Accident Initiator | Success Criteria | Peak Core T [K] | Core Uncov [%] | Uncov Duratn [s] | Code | Note |
|---|---|---|---|---|---|---|
| Core cooling | | | | | | |
| • Transient | 1 out of 2 main feedwater pumps and secondary side cooling (condenser and condensate pumps) | | | | | Design basis analysis used |
| | OR 1 out of 2 startup feedwater pumps and secondary side cooling (condenser and condensate pumps or steam generator safety valves / power-operated relief valve) | | | | | Design basis analysis used |
| | OR Passive residual heat removal system (in-containment refueling water storage tank inventory maintained for at least 72 hours) | | | | | Design basis analysis used |

TABLE 720.109-1 (Sheet 2 of 6)

CORE VALUES FOR SUCCESS CRITERIA FOR THE MITIGATING SYSTEMS

| Accident Initiator | Success Criteria | Peak Core T [K] | Core Uncov [%] | Uncov Duratn [s] | Code | Note |
|---|---|---|---|---|---|---|
| | OR Reactor coolant pump trip, full depressurization (5), 1 out of 2 core makeup tanks, 1 out of 2 gravity injection lines, containment integrity and reactor pressure vessel water recirculation (10) | 1040 | 16 | 1150 | MAAP 4.0 | 3 ADS 2&3 |
| | OR Full depressurization (5), 1 out of 2 accumulators, 1 out of 2 gravity injection lines, containment integrity and reactor pressure vessel water recirculation (10) | 1040 | 40 | 100 | MAAP 4.0 | 4 ADS 2&3 |
| | | 1040 | 74 | 950 | MAAP 4.0 | 2 ADS 1&4 |
| | OR Reactor coolant pump trip, partial depressurization (6), 1 out of 2 core makeup tanks, 1 out of 2 normal residual heat removal pumps (7), reactor pressure vessel water recirculation (11) | | | | | Covered by analysis for medium LOCA with NRHR |

TABLE 720.109-1 (Sheet 3 of 6)

CORE VALUES FOR SUCCESS CRITERIA FOR THE MITIGATING SYSTEMS

[Contents of this sheet are not legible in the source text.]

TABLE 720.109-1 (Sheet 4 of 6)

CORE VALUES FOR SUCCESS CRITERIA FOR THE MITIGATING SYSTEMS

| Accident Initiator | Success Criteria | Peak Core T [K] | Core Uncov [%] | Uncov Duratn [s] | Code | Note |
|---|---|---|---|---|---|---|
| | OR Reactor coolant pump trip, partial depressurization (6), 1 out of 2 core makeup tanks, 1 out of 2 normal residual heat removal pumps (7), reactor pressure vessel water recirculation (11) | | | | | Covered by analysis for medium LOCA with NRHR |
| | OR Partial depressurization (6), 1 out of 2 accumulators, 1 out of 2 normal residual heat removal pumps (7), reactor pressure vessel water recirculation (11) | | | | | Covered by analysis for medium LOCA with NRHR |
| • Very small loss of coolant accident (Break smaller than 3/4") | 1 out of 2 chemical and volume control system pumps and passive residual heat removal (13) | | | | | Design basis analysis used |
| | OR Any small loss of coolant accident criteria | | | | | See small LOCA |

TABLE 720.109-1 (Sheet 5 of 6)

CORE VALUES FOR SUCCESS CRITERIA FOR THE MITIGATING SYSTEMS

| Accident Initiator | Success Criteria | Peak Core T [K] | Core Uncov [%] | Uncov Duratn [s] | Code | Note |
|---|---|---|---|---|---|---|
| • Large loss of coolant accident (break size greater than 10") | 1 out of 2 core makeup tanks or 1 of 2 accumulators, 1 out of 2 gravity injection lines, reactor pressure vessel water recirculation (10), containment integrity | 1040 | 12 | 300 | MAAP 4.0 | Break size 10" |
| • Interfacing loss of coolant accident | Break isolation and any transient criteria | | | | | |

TABLE 720.109-1 (Sheet 6 of 6)

CORE VALUES FOR SUCCESS CRITERIA FOR THE MITIGATING SYSTEMS

[Contents of this sheet are not legible in the source text.]

Question 720.110 Discuss the influence of the ADS valve's discharge coefficient on the acceptance criteria for the medium to very small LOCAs.

Response

The flow area for automatic depressurization system (ADS) valves, used in both the SSAR Chapter 15 safety analyses and the PRA acceptance criteria for LOCAs, is an effective flow area.

The effective flow area for a valve is a combination of the actual flow area for the valve and an associated discharge coefficient. The effective flow area assumed for each valve results in the discharge flow rates calculated in the analyses.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.112 Summarize the mechanisms that were considered for common cause failure of the gravity injection check valves. Describe the external events that may influence their operation and discuss LOCA and/or ADS force induced failure (water hammer, etc.) of the gravity check valves.

Response

The passive core cooling system gravity injection lines from the in-containment refueling water storage tank contain check valves with a simple swing check design, using a nonarticulated, hinged-disc arrangement. The selection of check valves for the gravity injection line valves specifically addresses known common cause failures.

The use of check valves in the gravity injection lines prevents the valves from being subject to common cause failures related to the following external conditions:

  • Actuation instrumentation or circuitry failures
  • Failures of power supplies such as dc power or compressed air
  • Mechanical or electrical valve and actuator failures due to environmental conditions such as high temperatures, pressures, steam, radiation, flooding, and jet impingement

Common cause failures related to the valve materials are also considered in the materials selected for valve fabrication. The gravity injection valve design requires using stainless steel that is compatible with the expected water chemistry and system conditions. The use of stainless steel precludes valve corrosion from the boric acid in the in-containment refueling water storage tank and also helps to maintain the required cleanliness for the reactor coolant system. In addition, common cause failures of the check valves to open due to boric acid crystallization have been considered and are not expected for the in-containment refueling water storage tank gravity injection check valves. The PRA provides conservative treatment of the gravity injection check valves by using more limiting component failure rate data for check valves that operate under adverse conditions. Therefore, the common cause failure treatment is also conservative since the associated calculations are based on this limiting component failure data.

Common cause failures can also result from disc binding due to excessive nozzle loads such as seismic-induced loads, piping thermal expansion loads, and piping discharge forces. The valve design requirements identify specific nozzle loading limits that must be accommodated by the valve body design.

The gravity injection check valves open to initiate makeup flow from the in-containment refueling water storage tank following reactor coolant system depressurization. When gravity injection flow initiates, the reactor coolant system has multiple steam vent paths open and the system is fully depressurized. Voiding is expected because of the saturation conditions in the reactor coolant system. Therefore, the potential for severe force-induced failures, including destructive water hammer, has been considered during operation of the gravity injection check valves, and these types of common cause failures are not expected.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.113 Describe the impact of containment pressure on the level I ADS success criteria. Discuss how increasing the containment back pressure impacts (a) gravity draining of the IRWST coolant into the vessel, (b) sizing of the 4th stage ADS valves, and (c) the 4th stage ADS valve's mode change performance.

Response

As described in Section 6.3 of the AP600 SSAR, the passive core cooling system provides core decay heat removal by venting the reactor coolant system to containment via the automatic depressurization system (ADS) valves and provides safety injection from several different injection and makeup sources. These sources include the in-containment refueling water storage tank (IRWST), which is vented to containment.

For events in which the automatic depressurization system valves provide a mitigation function, reactor coolant system decay heat removal is a closed-loop process that involves venting steam through the automatic depressurization system valves and long-term makeup from in-containment refueling water storage tank injection and containment recirculation. The containment pressure establishes the backpressure on the automatic depressurization system valve discharge flow and provides the overpressure for in-containment refueling water storage tank injection and containment recirculation. For this closed-loop process, higher containment pressure improves the reactor coolant system heat removal process by increasing the automatic depressurization system vent flow steam density. Therefore, lower containment pressure provides a conservative evaluation of passive core cooling system performance.

The fourth stage automatic depressurization system valves transition from choked to nonchoked flow conditions as the reactor coolant system decreases during the depressurization process. Higher containment pressures cause the transition to nonchoked flow conditions to occur sooner, improving automatic depressurization system performance. Therefore, assuming lower containment pressure also provides a conservative evaluation of fourth-stage automatic depressurization system valve mode change performance.

The SSAR Chapter 15 safety analyses that confirm passive core cooling system performance (including in-containment refueling water storage tank injection and containment recirculation flows and fourth-stage automatic depressurization system valve sizing) conservatively assume that the containment is at atmospheric pressure.

The MAAP code, used to confirm the fourth-stage automatic depressurization system valve success criteria used in the PRA, provides an integrated reactor coolant system and containment response. Therefore, the containment pressurizes to the best-estimate pressure predicted for the analyzed sequence for the automatic depressurization system backpressure and the in-containment refueling water storage tank pressure. The MAAP code considers the best-estimate change in discharge mode for the fourth-stage automatic depressurization system valves from choked flow to nonchoked flow conditions as the reactor coolant system and containment pressures vary during the depressurization.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.114 According to available AP600 design drawings, the 4th stage ADS valves are piston air-operated valves that fail as is. These valves require power from one of the plant's dc power busses and air supplied by the compressed air system. Describe the failures considered for the 4th stage ADS valves' backup compressed air system and how these failures were included in the ADS system fault tree.

Response

The air-piston operators use compressed air from one of two sources to open the valve upon receipt of an actuation signal from either of two actuation divisions. Appendix C5 of the AP600 PRA report discusses the support requirements for operation of the automatic depressurization system (ADS) valves.

Normally, the nonsafety-related compressed and instrument air system provides the motive force for the valve operator. Each fourth stage automatic depressurization system valve also has a dedicated, safety-related air storage bottle that is used to perform the safety-related valve operations in the event that the nonsafety-related compressed and instrument air system supply is unavailable.

Appendix C22 describes the PRA modeling of the compressed and instrument air system, including assumptions for modeling, testing and maintenance, operation actions, and common cause failures. Details on specific component failures can be found in the system fault tree models in Figures 22-2.1 through 22-2.5. General types of failures considered in the system fault trees include the following:

  • Pipe breaks
  • Compressor failures
  • Support system component failures (actuation, power, and cooling)
  • Pressure switch failures
  • Valve failures including mispositioning

SSAR Revision: NONE
PRA Revision: NONE

l 1

1 4

i NRC REQUEST FOR ADDITIONAL INFORMATION l

Question 720.116

The Spent Fuel Pit Cooling System (SFPC), a non-safety related system, provides filtration and cleanup for the water in the IRWST during normal operation and the transfer of water between the refueling water cavity and the IRWST during refueling operations. The staff suspects that this system could present a potential containment bypass path during an accident. This system was alluded to in the PRA, but did not appear to be modeled. Describe the impact of failing to isolate this system on the containment bypass sequences.

Response:

As discussed in PRA Appendix C.21.2.6.1, normally closed valves are not modeled in the containment isolation analysis. Inadvertent opening or spurious opening of a closed containment penetration during accident conditions is not considered because it is expected to have negligible frequency. The containment isolation valves in the spent fuel pit cooling system are normally closed, and are only open during at-power conditions to purify the water in the IRWST immediately before and after a refueling outage. In addition, the containment isolation valves receive a signal from the protection and safety monitoring system to close on a containment isolation signal. Therefore, these valves were screened from consideration based on the screening criteria.

PRA Revision: NONE

Question 720.117

Describe how AP600 HRA insights have been used to improve the design of the AP600 facility. The items of interest include operating procedures, man-machine interfaces, instrumentation, and the digital control systems.

Response

Chapter 5 of the PRA report provides an overview of the HRA performed as part of the PRA and Appendix D provides additional information on the HRA.

The HRA was part of an integrated and iterative process where the PRA system analysts and human reliability analysts worked together with the system designer to perform the individual system analyses used to develop the fault trees for the various systems modeled in the PRA, complete the HRA, and finalize the system design. This process involved identifying the various operator actions that support the specified mitigation functions for each system, modeling the operator actions in the individual system fault trees, and quantifying the human error probabilities for each operator action. The process examined the actions taken by the operator along with the information available for the operator to use in making decisions concerning each action. Table D-1 provides a list of the human error probabilities developed for the various operator actions, listed by associated system. The response to RAI 720.66 provides a revised Table D-1 incorporating diagnostic cues and performance shaping factors used in evaluating each operator action.

Specific insights from the HRA were incorporated into the system design and into the fault trees for systems modeled in the PRA. The individual system designs were modified, if necessary, to support performance of the modeled operator actions. For example, if an operator action required specific indication to confirm failure of a component to automatically actuate or successful manual actuation of a component (such as providing pump discharge flow to indicate that the pump is operating), the system design would be modified to provide the appropriate indication if it were not already included in the system design.

Following PRA quantification, the dominant cutsets were reviewed to identify sequences where human reliability was a significant contributor to failure for the cutset. For limiting sequences, changes were made to provide necessary operator-related improvements to eliminate the limiting human failures. For example, the low pressure injection mitigation functions provided by the normal residual heat removal system were found to be limiting for certain events and changes in both the design and operation of the system were made to improve human reliability in the operation of this system. The operational changes for this system will be reflected in the emergency operating procedures for the AP600.

The HRA modeling of the operator actions for mitigation functions of the various systems included in the PRA is consistent with the mitigation functions in high level operator action strategies provided in Chapter 18 of the SSAR. These high level operator actions form the basis for the subsequent development of the emergency operating procedures. The HRA was also integrated with the development of these high level operator action strategies.

Generic HRA insights from current plant operating experience have contributed to the AP600 instrumentation and digital control system designs. The AP600 digital instrumentation and control systems include features such as 2-of-4 actuation logic, semi-automatic and self-testing capabilities, and built-in interlocks.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.118

How were the HEPs modified to account for the role of the operator as a monitor and decision maker rather than performing actions directed by procedures? Describe how the HEP's were modified to reflect that the AP600 design uses advanced digital technology.

Response

The HEPs used in the AP600 probabilistic risk assessment were not modified to reflect the use of advanced digital technology or to account for the role of the operator as a monitor and decision maker rather than performing actions directed by procedures. The HEPs were generated using the nominal values provided in NUREG/CR-1278. The nominal values provided in NUREG/CR-1278 were not modified. The nominal values were applied to the manual actions credited in the PRA. The overall human reliability analysis (HRA) result is lower than those for current plants because the response to some of the events evaluated in the AP600 PRA consists of less critical subtasks than may be appropriate for evaluating the same events for current operating plant IPEs.

PRA Revision: NONE

Question 720.121

The staff notes that some containment isolation valves may require manual closure to maintain containment integrity. For example, during a loss of offsite power, the mini-purge lines are opened and these lines represent a potential containment bypass path if left opened. However, operator actions like these were not modeled or discussed in the PRA. Provide a list of valves and their associated systems that require manual containment closure for each initiating event group. In addition, discuss how these operator actions were incorporated into the PRA and include these HEP actions in Table D-1.

Response

The containment isolation valves, including the purge isolation valves, that are required to close receive engineered safeguards signals to do so, even following loss of offsite power. Thus, there are no valves that require manual containment closure for events requiring containment isolation.

The attached chart lists all the containment isolation valves that do not receive engineered safeguards signals (excluding check valves), and, for each valve, explains how containment isolation criteria are met for the associated penetration.

Regarding the concern about isolation of the containment purge lines, the containment isolation valves in the Containment Air Filtration System lines are fail-closed valves and receive engineered safeguards signals.

SSAR Revision: Figures 9.3.1-1, 6.3-3 and 9.3.6-2 will be revised and included in the January 1994 SSAR Revision to indicate locked closed requirements as discussed in the enclosed table.

PRA Revision: NONE

System  Penetration Line                         Valve           Explanation
CAS     Breathing Air Supply Inside Containment  V084            Under administrative control; Locked closed annotation will be added to Figure 9.3.1-1
CVS     Spent Resin Flush Out                    V040, V041      Under administrative control; Locked closed valve
FPS     Fire Protection Standpipe System         V050            Under administrative control; Locked closed valve
PCS     Containment Pressure Sensing Line        V020A,B,C,D     Closed system inside containment
RNS     RHR Suction                              V002A,B & V022  Under administrative control; Power removed from valves
PXS     Test Conn.                               V208            Under administrative control; Locked closed annotation will be added to Figure 6.3-3
CVS     Low Pressure Cleanup                     V079            Under administrative control; Locked closed annotation will be added to Figure 9.3.6-2
        RHR Discharge                            V011            Under administrative control; Power removed from valves
SGS     SG Blowdown Recirculation                V080            Under administrative control; Locked closed valve

Question 720.122

The staff believes that diverse instrumentation readings could occur during natural circulation conditions (example: passive RHR operation with an intact RCS with 2 phase flow) that could resemble a LOCA. Conditions resembling a LOCA could occur when the plant is cooled quickly (ex. startup feedwater is recovered) and voids collapse, dropping pressurizer level. The staff is concerned that the operator would actuate the ADS even though it might not be necessary. Can this scenario or other scenarios motivate the operator to inadvertently actuate ADS? How were these actions included in the LOCA frequency calculations? What are the human error probabilities and associated performance shaping factors? How were they computed and incorporated in the PRA?

Response

The AP600 Emergency Operating Procedures will provide clear guidance to indicate when manual ADS actuation is required. The EOPs will select parameters that provide diverse indication to the operator that inadequate core cooling conditions exist. Pressurizer level by itself is not sufficient to determine an inadequate core cooling condition which requires manual ADS. EOP development is a post-design certification activity to be completed in accordance with the process described in SSAR Chapter 18.

As described in Appendices A.4.3 and B.3 of the PRA report, operator action to spuriously open a single ADS stage is considered in the calculation of LOCA initiating event frequency. Operator action to inadvertently open four ADS stages sequentially is considered incredible and is not included. See the response to RAI 720.66 regarding human error probabilities and associated performance shaping factors.

PRA Revision: NONE
SSAR Revision: NONE

Question 720.123

It is the staff's understanding that manual and automatic actuation of the CMTs and ADS depend on pressurizer level transmitters and RCS hotleg transmitters (pressure transducers). These sensors are sensitive to flow rate and coolant flow patterns. Describe how the operator would respond should the instruments give erroneous readings (example: erroneous indications of a LOCA) (see Q720.122 for a related concern). Is other vessel level indication available to the operator? Summarize how these issues were considered in the PRA, and in selecting the present location of the level instrumentation.

Response

The safety-related protection and safety monitoring system (PMS) actuates the core makeup tanks automatically on a safety injection ('S') signal, as well as on low-2 pressurizer level, or high hot leg temperature coincident with low wide range steam generator level. An 'S' signal is generated on low-1 pressurizer pressure, high containment pressure, low steam generator pressure, or low-3 cold leg temperature. The protection and safety monitoring system actuates automatic depressurization on core makeup tank level. Safety-related actuation of the core makeup tanks on a low-1 pressurizer pressure 'S' signal and actuation of the automatic depressurization system on core makeup tank level are not affected by reactor coolant system flow rates or coolant flow patterns.

The nonsafety-related diverse actuation system (DAS) is used to open the motor-operated valves in the in-containment refueling water storage tank (IRWST) injection line on low reactor coolant system hot leg level. These motor-operated valves are normally open at power but are closed during shutdown conditions prior to depressurizing the reactor coolant system. The hot leg level instrumentation is designed to provide a level signal regardless of reactor coolant system flow and regardless of whether the reactor coolant pumps are operating. However, during mid-loop operation, the reactor coolant pumps are not running, and their operation cannot affect the hot leg level instrumentation readout. The hot leg level instrumentation is part of the plant control system (PLS) and is not safety-related. The AP600 procedures will provide a mechanism for the operator to resolve ambiguous indications by using diverse indication.

The PRA considers automatic and manual actuation of equipment by the protection and safety monitoring system, the plant control system, and the diverse actuation system. Postulated automatic and manual actuation failures, including instrumentation system failures and operator errors are evaluated. The hot leg level instrumentation is used to monitor reactor vessel level during accidents, as well as hot leg level during shutdown operations. This location provides acceptable performance for both of these functions.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.124

The staff notes that full height vessel level indication was not provided for the operators, similar to the full height level indication available in current BWRs. If the core was partially uncovered (level dropped below the RCS hotleg transmitters), the operators would have no indication what the reactor vessel level was. Explain how core recovery using the NRHR could be credited without full height vessel level indication (see Q720.123 for a related concern). Explain what cues the operator would have to actuate NRHR in this situation. This information should be included in Table D-1.

Response

The use of the normal residual heat removal system (RNS) following an accident will not be based on vessel level. The operator will be instructed to align the normal residual heat removal system pumps to provide low pressure makeup to the reactor coolant system upon receipt of an 'S' signal, and to start the pumps upon ADS actuation. Therefore, vessel level indication will not be used to actuate the normal residual heat removal system. See the response to RAI 720.98 for a more detailed description of the use of the normal residual heat removal system pumps during an accident. Table D-1 does include the human error probability of the operator to align the Normal RHR System as described above.

PRA Revision: NONE

Question 720.126

The PRA mentioned that shutdown workstations are used should loss of the main control room's function occur. Is containment system isolation provided at these workstations for those systems that require manual isolation in the event of core damage?

Response

As explained in the response to RAI 720.121, there are no valves that require manual closure for events requiring containment isolation.

Fluid penetrations supporting the containment isolation function that have remotely-operated manual isolation valves can be closed from the remote shutdown workstation.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.127

The staff is concerned about the effect of multiple steam generator tube ruptures on reactivity margins. The AP600 PRA indicated that boron dilution was not a concern for a single tube rupture event. However, if a multiple tube rupture occurred and the ADS was inadvertently operated, the staff is concerned that inventory from the secondary could induce a reactivity event. Provide the sequence of events and human actions that could lead to reactor vessel boron dilution during a multiple steam generator tube rupture event, and their likelihood of occurrence.

Response

As discussed in AP600 PRA Subsection B.2.5.3, the probability of the rupture of a single steam generator is taken to be 5.3 x 10 ' events per year. As further discussed in the same section, the probability of failing a second tube, given the failure of the first, is taken to be approximately 0.05 event per year; thus the probability of the simultaneous rupture of two tubes would be the product of the two, 2.6 x 10" events per year.

As discussed in the response to RAI 440.27, the automatic depressurization system (ADS) will not be actuated automatically following the rupture of five steam generator tubes. Therefore, the only potential means for automatic depressurization system actuation following a multiple steam generator tube rupture are by operator action or spurious opening of the automatic depressurization system valves.

The Emergency Response Guidelines will not call for manual automatic depressurization system actuation following steam generator tube ruptures. In addition, these guidelines will require the operator to verify adequate boron concentration in the reactor coolant system prior to beginning a cooldown following a tube rupture; this is similar to existing plants.

Since manual automatic depressurization system actuation requires action by two operators simultaneously, the probability of inadvertent manual actuation is extremely low. This probability is estimated as follows: Table D-1, "AP600 HEP Summary Results," System SG, item d, of the AP600 PRA shows that the probability of the operator spontaneously and erroneously opening a steam generator power operated relief valve and not reclosing it is estimated to be 2.35 x 10'. The probability of inadvertent manual actuation of the automatic depressurization system will be lower since two operators must act. This value is taken to be 1 x 10+, based on engineering judgment.

The probability of spurious automatic depressurization system actuation per year is shown in Subsection B.3.2 of the AP600 PRA as 4.95 x 10' events per year. However, in this case, the time period of interest is only during recovery of a multiple steam generator tube rupture, conservatively taken to be 24 hours; thus this probability is reduced to 1.4 x 10-7.

The following table summarizes this material:

Initiating event: Simultaneous rupture of two steam generator tubes       2.6 x 10' occurrences per year
Probability of inadvertent operator action, manually actuating ADS        1 x 104
Resultant frequency of multiple SGTR followed by manual ADS actuation     2.6 x 10* occurrences per year
Probability of spurious ADS actuation in a 24-hour period                 1.4 x 10-7
Resultant frequency of multiple SGTR followed by spurious ADS actuation   3.6 x 10" occurrences per year
Total of two scenarios                                                    3.0 x 10* occurrences per year

Given a frequency this low, this postulated combination of events will not have a significant impact on the overall core damage frequency for AP600. Therefore, a mechanistic evaluation of the consequences has not been performed.

PRA Revision: NONE

Question 720.128

The PRA states that when the RCPs are not functioning (following a transient or small LOCA), the pressurizer sprays are inoperable. In these situations, the operator would use CVS to provide makeup for the pressurizer auxiliary sprays. The staff is concerned that actuation of the CVS under these conditions would change the HEPs for operator recovery following the LOCA or transient. The staff is also concerned that the actuation of the CVS could induce common cause software/hardware failures of PMS since actuation of the CVS seems to initiate testing of the communication and alarm server boards. These common cause testing failures that dominate the risk achievement importance analyses could occur following the postulated transient or small LOCA. Describe how actuation of the CVS following a transient or small LOCA influences operator recovery and common cause software/hardware failures of PMS and DAS.

Response

The responses to the two questions above are as follows:

1. Actuation of chemical and volume control system (CVS) by the operator is not expected to alter appreciably the human error probabilities (HEPs) following it. In fact it is expected that the reactor coolant pumps may be stopped per emergency operating guidelines during the progression of the event. The human error probabilities (HEPs) are calculated rather pessimistically in the present PRA study, with high stress levels, etc. Thus, the present values of the HEPs also adequately represent such peripheral situations such as operator actions following manual chemical and volume control system actuation, if needed.
2. Actuation of chemical and volume control system does not initiate testing of the communication and alarm server boards. Testing of boards in the instrumentation and control systems is under operator control and is not automatically initiated by an event. Thus the situation described in the question does not arise.

PRA Revision: NONE

Question 720.131

Provide the definition of a closed system as it pertains to containment isolation penetration. Describe what operator actions are required to maintain these systems (including safety and non-safety system) closed following an initiating event.

Response

The term closed system is used consistently with the definition of the term given in the ANS standard endorsed by Regulatory Guide 1.141, "Containment Isolation Provisions for Fluid Systems." Regulatory Guide 1.141 endorses ANSI/ANS-56.2-1984, "Containment Isolation Provisions for Fluid Systems after a LOCA," which defines the term closed system in section 2 as: "A piping system which penetrates the containment and is a closed loop either inside or outside the containment. Under normal operating conditions or loss-of-coolant accident conditions for closed systems inside containment, the fluid in the system does not communicate directly with either primary coolant or containment atmosphere."

No operator actions are required to maintain these systems closed following an initiating event.

SSAR Revision: NONE
PRA Revision: NONE

Question 720.136

The sensitivity studies of Section 8 and Appendix F of the PRA indicate that the PRHR tube rupture sequence's CDF is strongly influenced by the non-safety-related systems' performance. The relative change in CDF is about two orders of magnitude. For this sequence, provide the contribution to the CDF for each of the non-safety related systems.

Response

The results and a discussion of the results pertaining to the Regulatory Treatment of Nonsafety-related Systems (RTNSS) sensitivity study are provided in the "AP600 Implementation of the Regulatory Treatment of Nonsafety-related Systems Process, Summary Report," September 1993, WCAP-13856. As part of the RTNSS evaluation, a focused PRA was performed. The focused PRA is a sensitivity study that does not credit nonsafety-related system mitigation functions.

PRA Revision: NONE

Question 720.141

For each fire area, if any equipment is assumed to be undamaged by a fire occurring within the fire area, identify the equipment and justify why it is not damaged by smoke, heat, or fire suppressants.

Response

The assumption listed in Subsection I.2.2.1 of the AP600 PRA states that components such as check valves, manual valves, pipes, and tanks are not considered to be vulnerable to fire damage. These are noncombustible components and are not expected to fail directly from the fire itself. They are also not vulnerable to smoke damage. Theoretically, these components could fail from a prolonged exposure to heat because of structural failure from loss of material strength, overpressurization from thermal expansion of fluid, or thermal shock from application of fire suppressants. However, the combustible loadings for the fire areas, as shown in SSAR Appendix 9A, are low enough such that a fire of a prolonged duration to initiate the failure mechanisms listed above is not possible. Application of fire suppressants could occur in any area, but there is inadequate physical data to support a claim of thermal shock-induced failure of these components. So it is concluded that the assumption that noncombustible components such as check valves, manual valves, pipes, and tanks are not vulnerable to fire effects is reasonable. In the fire PRA, it was assumed that all other vulnerable equipment would fail from the fire itself or from fire-fighting activities.

PRA Revision: NONE

Question 720.142

Define what is meant by a "significant fire" and discuss what effect the "loss of the monitoring or control of plant operation functions" have on the front line systems, PMS, DAS, and DIS (see Section I.2.2.1 of the PRA).

Response

A "significant fire" was defined for the AP600 fire probabilistic risk assessment as a fire which will immediately or eventually cause a reactor trip. Such fires will normally be alarmed in the control room, and will not be self-extinguishing. They may affect components or cabling required for plant operation, including monitoring and control. As a result of such a fire, it was assumed that if the plant was not automatically tripped, the operator would manually trip the plant. A fire which would cause a loss of monitoring functions in one system would cause the operator to check the other diverse means of monitoring - the safety related qualified display processing system (QDPS) or the diverse actuation system (of which the diverse indication system is a part). A single event such as a fire would not cause loss of monitoring capability. Separate divisions are located in separate fire areas. A fire-induced "loss of control" would result in a degraded level of control. A fire could affect PMS functions by disabling one of the four divisions, reducing the logic from 2 out of 4 to 2 out of 3. WCAP-13382, "AP600 Instrumentation and Control Hardware Description," WCAP-13594, "Advanced Passive Plant Protection System FMEA," and WCAP-13633, "AP600 Instrumentation and Control Defense-in-Depth and Diversity Report" provide descriptions of instrumentation and control system operation and possible failure mechanisms. Effects from a fire on front line systems are discussed in section I.2 of the PRA report.

PRA Revision: NONE

Question 720.145

Provide the analysis that screened the following initiators from further consideration and quantification in the fire analysis: (a) loss of offsite power, (b) MSIV closures, (c) opening of ADS valves, (d) opening of the secondary side's safety relief valves, (e) station blackout, and (f) ATWS. Discuss the AP600 design features that preclude these initiators from being credible that are referenced in Section I.2.2.2 of the PRA.

Response

The specified initiators were screened from further analysis because it was determined that a fire could not cause them. Concurrent initiating events are not considered as discussed in the response to RAI 720.144. The reasoning behind exclusion of the specified initiating events is discussed below.

a) Loss of offsite power - Offsite power sources are not required for safe shutdown of the AP600. There are no credible scenarios for fire initiating a loss of offsite power for the AP600. If all offsite power sources are lost, the onsite power system (diesel generators) serve critical systems providing defense-in-depth functions. Even if one considers a fire inducing a loss-of-offsite power, the resultant core damage frequency can be shown to be small:

(Frequency of a fire - conservative bounding estimate) x (conditional probability of core melt assuming a fire-induced loss of offsite power - conservative bounding estimate) = (frequency of core damage assuming fire induces loss of offsite power - conservative bounding estimate)

(1.0E-02 per year) x (5.0E-06) = 5.0E-08 per year

The 1E-02 is estimated as a conservative estimate from Table 4-4.1 of NUREG/CR-4840. The 5.0E-06 is estimated from the (core damage frequency of the internal events loss of offsite power sequence - TE)/(initiating event frequency of TE).

b) MSIV closure - MSIV closure was not quantified as a separate initiating event. The fire-induced core damage frequency for a scenario where two trains of protection and safety monitoring cabling were disabled was quantified to be 2.6E-10 per year. A fire in the MSIV compartment was postulated, and the resultant core damage frequency was calculated to be 3.3E-11 per year, as shown in Table I-6 of the AP600 PRA.

c) Opening of ADS valves - ADS valve opening occurs in four stages. The opening of each stage of valves is based on coincidence of sensors located inside containment. In the fire PRA, it was assumed that fire-induced opening of these valves is not feasible because of segregated cabling and logic hardware. However, this assumption will be re-evaluated in the next revision of the fire PRA, which is scheduled for February 1994. The valves themselves are located in containment. Containment fires were excluded from further analysis in Subsection I.2.2.3.2 of the AP600 PRA.

d) Opening of secondary side safety relief valves - The opening of the secondary side safety relief valves would initiate a transient. Secondary side safety relief valve opening was not quantified as a separate initiating event because the valves are actuated mechanically by system pressure. It is not credible that a fire could actuate them.

e) Station blackout - There is no fire scenario in the analysis that causes a station blackout. A fire occurring concurrently with another event such as a station blackout is negligible, as discussed in RAI 720.144. A fire-induced loss of offsite power is discussed in part (a) of this question.

f) ATWS - The ATWS initiating event is either a loss of main feedwater or a loss of offsite power coincident with failure of safety-related systems to insert control rods. No single fire can occur in a nonsafety-related location where it will initiate a transient event (loss of main feedwater or loss of offsite power) and simultaneously cause a safety-related system to fail to insert control rods (by keeping them energized). The AP600 employs separation of the reactor trip cabling and components. No single fire that could disable the reactor trip function has been identified. Possible failure modes, such as stuck rods, are not fire-induced. The control rods will drop unless they remain energized.

PRA Revision: NONE
SSAR Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION Ouestion 720.153 The analysis associated with fires at shutdown were solely based on a fire disabhng the NRHR system. From the staffs review, it appears that the quantification of event tree CSL (LOCA during hot / cold suutdown) needs to be rc< valuated. Reassess the shutdown fire risk analysis to include the elfccts of the revaluation of the CSL and CSLD event trees.

Response

Requantification of event trees CSL and CSLD will be performed as part of the AP600 PRA update effort as stated in the responses to RAI 720.186 and RAI 720.188. Fire-induced loss of systems during shutdown conditions will be re-examined in the updated PRA, which is scheduled for February 1994. The equation in Subsection 1.2.5 of the AP600 PRA report will be recalculated using new values for CDF(CSL) and IEV(CLS) and the revised value for CDF(FIRE) will be provided. A similar calculation will also be included for consideration of event tree CSLD.

PRA Revision: See above response
SSAR Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.158

Provide a detailed description of the methodology used in performing the PRA-based seismic margins analysis. This description is particularly important because there are limited examples of the practical implementation of this methodology.

Response

The response to this RAI will be provided in November 1993.

PRA Revision: NONE


NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.159

Provide the following information in Appendix H of the PRA in order for the staff to identify (a) the systems, structures, and components (SSCs) that should be added to the reliability assurance program, (b) the human errors that should be added to the COL applicant's training program, and (c) the key equipment that should be added to ITAAC:

a. The seismic cutsets were based on the 100 dominant core damage sequences from the sensitivity study that credited safety-related systems only. Of these 100 dominant sequences, only the LOCA and loss of offsite power sequences were evaluated using HCLPF values. This method is unacceptable because the most limiting seismic sequences may not appear in the first 100 sequences. Also, the Westinghouse seismic analysis did not consider ATWS sequences. In addition to an ATWS, consider other seismic initiators (e.g., steam line breaks) that could result in a different plant response than just the loss of offsite power and LOCAs. For each seismically induced transient/LOCA/ATWS, Westinghouse should use a systematic approach (like event trees) to identify sequences leading to core damage, and submit this analysis. This approach should account for random failures and human errors, as well as seismically induced failures. This analysis should ensure that sub-criticality, vessel inventory, core, and containment cooling are maintained, and that their HCLPF values are assessed.

b. For each of the seismic core damage cutsets, in addition to the seismic only combinations, report combinations of seismic and random failures/human errors. These cutsets should appear in Table H-2 as

("cutset element, HCLPF g") * (random probability or human error probability)

Report only the seismic/random/human error combinations where the random or human contribution is .001 or greater. Seismic/random/human error combinations that result in the same HCLPF as the seismic only combination are considered to be "non-minimal" and do not need to be reported.

c. Provide a list of SSCs (including frontline systems, support systems, and special components like tanks and heat exchangers) modeled in the seismic margins analysis. This list should include the associated HCLPF for each SSC. Indicate the method and the data base used to estimate the SSC HCLPFs.


Response

As part of the requantification of the baseline PRA, additional analyses will be performed to support the risk-based seismic margins analysis. The additional analyses will provide additional data and information pertinent to concerns that have been expressed by the NRC in the seismic-related RAIs. A thorough description of the additional seismic margins analysis can be found in RAI 720.158. Appendix H will be updated to include the findings and information from the additional seismic analyses. The following discusses how the questions found in RAI 720.159 will be addressed by the additional information provided in the expanded analyses.

a. The seismic margins analysis methodology will use the applicable IPE event trees and assign an appropriate HCLPF for each top event node. Also random failures/human errors, if larger than 1.0E-03, will be identified for each top event. Thus, the seismic analysis will report HCLPFs for each sequence, and where appropriate, combinations of random failures/human errors and seismic failures. This approach will supplement the previous analysis which identified HCLPFs for the dominant cutsets of the focused PRA.

By assigning HCLPFs for all applicable sequences, the possibility of missing dominant components will be removed. The initiating events that will be analyzed will be consistent with the initiating event categories analyzed in the focused PRA. The group of initiating events include ATWS, LOCAs, steam line breaks, and a representative transient event tree.

b. The additional analysis will report failures which are a combination of seismic and random failures/human errors, if the random failures/human errors are greater than 1.0E-03.

c. A list of SSCs considered in the seismic analysis (including frontline systems, support systems, and special components like tanks and heat exchangers) will be included in the updated Appendix H.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.160

The Westinghouse seismic margins analysis appears to have incorrectly used the seismic margins MIN/MAX approach. In the MIN/MAX approach, a sequence HCLPF is equal to the lowest HCLPF of the contributing cutsets, and the HCLPF of each cutset is the highest HCLPF of any cutset element. Address this concern.

Response

The calculations which were performed in Appendix H of the PRA report and RAI 720.15, which is an addition to Appendix H, do not use the seismic margins MIN/MAX approach. As stated in RAI 720.15, "The lowest HCLPF value for the cutset is used to determine the cutset's HCLPF". Therefore, the lowest HCLPF of a group of components was assigned as that group's representative HCLPF, even if the components were combined in AND logic. If the MIN/MAX approach was applied to the cutsets in Table H-2 of RAI 720.15, the following methodology would be used:

A group of elements are assigned the lowest HCLPF value of the group if the elements in the group are combined in OR logic.

A group of elements are assigned the largest HCLPF value of the group if the elements in the group are combined in AND logic.

The methodology used in Appendix H and RAI 720.15 to evaluate the HCLPFs of components within cutsets and the cutsets' representative HCLPF yields conservative or equal results in comparison with the MIN/MAX methodology as outlined above.

PRA Revision: NONE
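The two roll-up rules contrasted in this response can be compared side by side. The following Python sketch is an added example, not part of the Westinghouse submittal: the component names, HCLPF capacities and the review level are constructed values, and the function names are hypothetical.

```python
"""Sequence HCLPF roll-up under the MIN/MAX rule and the lowest-value rule.

Added illustration. Component names, HCLPF capacities (in g) and the review
level are constructed; none are taken from the AP600 PRA or Table H-2.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Cutset = Sequence[str]  # the elements of one cutset are combined in AND logic
Rule = Callable[[Cutset, Dict[str, float]], float]


def _validate(cutset: Cutset, hclpf: Dict[str, float]) -> None:
    """Reject empty cutsets and elements with no assigned capacity."""
    if not cutset:
        raise ValueError("empty cutset")
    missing = [e for e in cutset if e not in hclpf]
    if missing:
        raise KeyError(f"no HCLPF assigned to: {missing}")


def cutset_hclpf_minmax(cutset: Cutset, hclpf: Dict[str, float]) -> float:
    """MIN/MAX rule: a cutset needs every element to fail, so its capacity
    is that of its strongest element (highest HCLPF)."""
    _validate(cutset, hclpf)
    return max(hclpf[e] for e in cutset)


def cutset_hclpf_lowest(cutset: Cutset, hclpf: Dict[str, float]) -> float:
    """Lowest-value rule: the cutset takes the lowest HCLPF of its elements,
    even though the elements are combined in AND logic."""
    _validate(cutset, hclpf)
    return min(hclpf[e] for e in cutset)


def sequence_hclpf(cutsets: Sequence[Cutset], hclpf: Dict[str, float],
                   rule: Rule) -> float:
    """Cutsets are alternatives (OR logic): the sequence takes the lowest
    cutset HCLPF, whichever cutset rule is in use."""
    if not cutsets:
        raise ValueError("sequence has no cutsets")
    return min(rule(c, hclpf) for c in cutsets)


def below_review_level(cutsets: Sequence[Cutset], hclpf: Dict[str, float],
                       level_g: float, rule: Rule) -> List[Tuple[str, ...]]:
    """Cutsets whose HCLPF under the given rule falls below a review level."""
    return [tuple(c) for c in cutsets if rule(c, hclpf) < level_g]


def lowest_rule_is_conservative(cutsets: Sequence[Cutset],
                                hclpf: Dict[str, float]) -> bool:
    """True when the lowest-value rule never reports more capacity than
    MIN/MAX, for every cutset and for the sequence as a whole."""
    per_cutset = all(
        cutset_hclpf_lowest(c, hclpf) <= cutset_hclpf_minmax(c, hclpf)
        for c in cutsets
    )
    return per_cutset and (
        sequence_hclpf(cutsets, hclpf, cutset_hclpf_lowest)
        <= sequence_hclpf(cutsets, hclpf, cutset_hclpf_minmax)
    )


# Constructed sample data (not plant values).
SAMPLE_HCLPF = {
    "battery_A": 0.50, "tank_B": 0.80,
    "valve_C": 0.65, "valve_D": 0.70,
    "hx_E": 0.55,
}
SAMPLE_CUTSETS = [
    ["battery_A", "tank_B"],   # two-element cutset (AND)
    ["valve_C", "valve_D"],    # two-element cutset (AND)
    ["hx_E"],                  # single-element cutset
]
SAMPLE_REVIEW_LEVEL_G = 0.60   # constructed screening level

if __name__ == "__main__":
    for name, rule in (("MIN/MAX", cutset_hclpf_minmax),
                       ("lowest-value", cutset_hclpf_lowest)):
        seq = sequence_hclpf(SAMPLE_CUTSETS, SAMPLE_HCLPF, rule)
        flagged = below_review_level(SAMPLE_CUTSETS, SAMPLE_HCLPF,
                                     SAMPLE_REVIEW_LEVEL_G, rule)
        print(f"{name}: sequence HCLPF {seq:.2f} g, below review level: {flagged}")
```

On the constructed data the lowest-value rule reports a lower sequence capacity and flags one more cutset for review than MIN/MAX does, which is the sense in which it is conservative or equal.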

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.161

List all equipment credited in the seismic analysis that is not housed in a seismic category I structure.

Response

The only systems credited in the seismic analysis are Seismic Category I systems. All Seismic Category I systems are housed within Seismic Category I structures.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION


Question 720.162

For each seismic core damage cutset (includes seismic only combinations and seismic/random/human error combinations) whose HCLPF capacity is less than twice the Safe Shutdown Earthquake (SSE), identify any active and passive systems and components, and operator errors that are important for containment isolation whose failures would lead to a release. Report these active and passive systems failures and operator errors if the HCLPF values are below twice the SSE.

Response

Consistent with the position outlined in the Staff Requirements Memorandum for SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light Water Reactor (ALWR) Designs" dated July 21, 1993, the high confidence of low probability of failure (HCLPF) magnitude of 1.67 times the safe shutdown earthquake is used in the evaluation for the AP600 to demonstrate seismic capacity beyond the design basis. As can be seen in the results of the seismic margins analysis, presented in Appendix H of the PRA report, the SSCs necessary to safely shutdown the AP600, after a seismic event, have a minimum HCLPF of 0.5 g.

As part of the requantification of the baseline PRA, additional analyses will be performed to support the risk-based seismic margins analysis. The additional analyses will provide additional data and information pertinent to issues that have been raised by the NRC in seismic margin related RAIs. Concerns related to the containment isolation system will be specifically addressed in the additional seismic analyses. A description of the additional seismic margins analyses can be found in the response to RAI 720.158. Appendix H will be updated to include the findings and information from the additional seismic analyses.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.163

Address the effect of having some non-seismic category I equipment available following a seismic event, including "sensitivity" evaluations and assumptions.

Response

An assumption was made in initial stages of the seismic margins analysis that all nonsafety-related (nonseismic category I) equipment was unavailable, to mitigate an accident, after a seismic event. This is a conservative assumption when considering the possibility of a nonsafety-related system helping to mitigate an accident. The potential for nonsafety-related systems to adversely interact with safety-related systems is addressed in "AP600 Implementation of the Regulatory Treatment of Nonsafety-Related System Process", WCAP-13856, Revision 0. As can be understood from the discussions in WCAP-13856 (see Chapter 8), it is not appropriate for sensitivity evaluations and assumptions to be addressed within the context of the seismic margins analysis.

PRA Revision: None.

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.166

Discuss seismic/random failure/operator error combinations identified in Q720.156 and Q720.159 that result in core damage with a potential containment bypass/isolation failure less than twice the SSE.

Response

Please see response to RAI 720.162.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.169

Describe the component locations for the passive containment coolant makeup system. In addition, describe the potential flood locations and the potential system outage effects if this system were inadvertently drained through the charging line(s).

Response

The passive containment cooling system (PCS) pump, heater, and chemical addition tank are located within the valve and piping penetration room in the northwest quadrant of the Auxiliary Building at the 100' level. The Valve and Piping Penetration Room has sufficient drainage capability to preclude potential flooding from the recirculation path from impacting safety related equipment. Floor drains in this room are directed to the turbine building. The floor and walls which separate the valve and piping penetration room from the electrical equipment rooms in the auxiliary building are water tight.

It should be noted that the recirculation portion of the passive containment cooling system is not safety-related nor required to perform any safety-related functions. The passive containment cooling system recirculation subsystem flow path inlet and outlet within the storage tank are at water levels above the minimum volume required for the safety-related containment cooling function. Therefore, breaks within the recirculation path will not result in a plant outage or the loss of a safety function. The passive containment cooling system water storage tank water volume and temperature are sufficient to provide adequate time for required equipment maintenance or repair to preclude a plant shutdown due to makeup system outages.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.175

Shutdown risk is very outage specific, and depends on the various shutdown plant configurations combined with the various maintenance activities. Previous shutdown PRAs have identified outage maintenance as a key contributor to shutdown risk. The impact of outage maintenance was not included in the shutdown PRA, nor were the support system initiators. For example, successful mitigation of a loss of decay heat removal and LOCAs during shutdown require normal RHR, passive RHR, RCS depressurization, and gravity injection. However, maintenance and surveillance testing on these systems and their support systems (such as dc power) were not included in the shutdown analysis. Identify the assumed systems unavailabilities that reflect outage maintenance and surveillance testing, and provide references in the shutdown PRA to the applicable ITAACS, RAP, Technical Specifications, etc. that ensure that these availabilities will be met. In addition, Westinghouse should consider support system initiators that could initiate a loss of normal RHR and/or loss of the passive core cooling systems, and address this in the analysis.

Response

The shutdown PRA evaluation considers the safety-related and nonsafety-related systems, including the appropriate support systems, that are available to mitigate the consequences of the various shutdown initiating events. The PRA does not take credit for systems that are not available during shutdown conditions, whether they are removed from service for outage maintenance or for other reasons such as being isolated as part of the plant shutdown procedures. For example, during shutdown, depressurized conditions, the accumulators and core makeup tanks are isolated during the plant cooldown and depressurization and are therefore not credited for a LOCA mitigation during shutdown conditions.

The shutdown PRA evaluation credits both safety-related and nonsafety-related systems that are available during the appropriate shutdown conditions, as specified by technical specifications or other plant administrative control documents such as operating procedures. Although the nonsafety-related normal residual heat removal system is normally operating to provide shutdown decay heat removal, it is not required for successful mitigation of a loss of decay heat removal, LOCAs, or other shutdown events.

The system fault trees used in the PRA for both at-power and shutdown events include testing and maintenance unavailabilities for components within each system modeled, including the associated support systems that provide power, cooling, and actuation signals. The specific testing and maintenance unavailabilities are described for each system modeled in the PRA in Appendix C of the PRA report. The surveillance test intervals assumed for safety-related components modeled in the PRA are consistent with the surveillance test frequencies for components and equipment included in technical specifications in Chapter 16 of the SSAR.

The surveillance test intervals assumed for nonsafety-related components modeled in the PRA will be used as the basis for the surveillance test frequencies used in administrative control documents such as operating surveillance and test procedures developed by the combined license applicant. Planned maintenance for the safety-related passive systems is performed in modes where the specific components are not required by technical specifications.

As discussed in Appendix F.4, the shutdown PRA evaluation considers a variety of initiating events during shutdown conditions and evaluated the appropriate shutdown initiating events. The shutdown PRA considers the mitigation functions for the appropriate systems that are available during shutdown conditions, and the analysis considers the availability of the appropriate support systems.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.176

Hot standby was not modeled in the PRA because the plant response to a loss of core cooling during hot standby is the same as full power operation. Westinghouse assumed that all of the safety-related and non-safety-related systems and actuation signals (both automatic and manual) are available. These assumptions are not valid if these systems are taken out for maintenance during hot standby. Therefore, Westinghouse should reference in the shutdown analysis where the applicable ITAACS, Technical Specifications, or RAP define that the maintenance unavailabilities assumed for all systems at full power are the same for hot standby.

Response

As stated in PRA Appendix F.4.3.1, the plant response to a loss of core cooling during hot standby is the same as during power operations, since all safety-related and nonsafety-related systems and actuation signals are available. See the response to RAI 720.175 for a detailed description of how system unavailabilities are accounted for in the PRA during all operating modes. As documented in the applicable portions of the following Technical Specifications sections, the safety-related and nonsafety-related systems and actuation signals available in both Modes 1 and 2 are also available in Mode 3 as appropriate:

3.3 Instrumentation
3.4 Reactor Coolant System
3.5 Passive Core Cooling Systems
3.6 Containment Systems
3.7 Plant Systems
3.8 Electrical Power Systems

PRA Revision: NONE


NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.178

Previous shutdown PRAs have identified reduced inventory operations as a dominant contributor to shutdown risk. To assist the staff in determining whether the risk of overdraining the vessel during reduced inventory conditions is negligible, provide the following information in the shutdown PRA: (a) the low hot leg level setpoint, (b) the highest hot leg level setpoint at which cavitation of the normal residual heat removal pumps can occur, (c) the low-low hot leg level setpoint, (d) the shortest time it takes to drain vessel level from the low hot leg level setpoint to highest normal residual heat removal pump cavitation setpoint, (e) the reference in ITAACs and/or DACs (whichever is applicable) that verifies that the hot leg level instrumentation has been tested for adverse reduced inventory conditions (such as core boiling and a completely drained hot leg, etc.), (f) the reference in the RAP or Technical Specifications that will ensure that the hot leg level instrumentation will be operable during Mode 5, and (g) a quantitative basis for excluding overdraining events.

Response

As described in SSAR Subsection 5.4.7.2.1, the AP600 has incorporated many design features to address midloop operations. These design features reduce the probability of air ingestion into the RHR pump suction. Furthermore, the routing of the RHR suction line avoids local air binding that could prevent RHR pump restart.

a), b), and c) - With regards to the actual setpoints, final setpoint selection is a post-design certification activity and will be performed as part of the development of the final AP600 Emergency Operating Procedures.

d) - Margin will exist between the low hot leg level setpoint and the level at which pump cavitation occurs (greater than 1 hour based on nominal drain rates). Furthermore, due to the design of the RHR step-nozzle connection, the maximum air ingestion into the RHR pump suction with a near empty hot leg is limited to 5 percent, which is within the operating limits of the RHR pump. Finally, interlocks are provided to limit the rate of RCS draindown as well as preventing the level to be reduced below a set hot leg level.

e) - The hot leg level instrumentation provides input to the nonsafety-related plant control system (PLS). In addition, it provides input to the diverse actuation system to actuate the motor-operated valves in the IRWST injection line. Hot leg level actuation is verified in ITAAC Section 3.5.1 (DAS) Table 3.5.1-1, Item 3.

f) - Hot leg level instrumentation is not addressed in the Technical Specifications because it does not meet the selection criteria identified for the AP600 Technical Specifications in SSAR section 16.1.1. The availability of the hot leg level instrumentation during Mode 5 will be administratively controlled.

g) - Overdraining events are addressed in Appendix F.4.3 of the AP600 PRA report.

PRA Revision: NONE
SSAR Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.180

The AP600 makes use of two independent hot leg level instruments to measure vessel water level during shutdown midloop conditions. Describe how the common cause failure modeling of the level instruments was estimated.

Response

The hot leg level instruments operate on a 2/2 logic via the diverse actuation system (DAS). A random failure could defeat automatic actuation via the DAS. This random failure probability is higher than the common cause failure probability of the hot leg level instruments. Hence, common cause failure of the instruments is not important and therefore was not modeled.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.181

Clarify whether the low hot leg level signal, used to monitor and control the reactor vessel water level during draindown, is also part of the safety-related Protection and Safety Monitoring System or the safety-related Plant Control System.

Response

The hot leg level signal is part of the nonsafety-related plant control system (PLS).

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.182

In Section F.4.3.2 of the PRA, it states that, with the exception of refueling when personnel/equipment hatches can be open, containment integrity is maintained, and that only the containment penetrations of operating systems are open. Identify each open penetration and specify whether the penetration is closed automatically through an actuation signal, or the operator must close the penetration manually or remotely following a shutdown initiator.

Response

The following is a list of the containment isolation lines that are open during normal operation. The mode of actuation is given for each associated containment isolation valve. As can be seen from the list below, the valves that are required to close to effect containment isolation following a condition that requires containment isolation are either self-actuated or automatically actuated. Thus, the operator is not required to close any containment isolation valves following a shutdown initiator.

System | Line | Mode of Actuation of Associated C.I. Valve(s)
CAS | Service Air In | Automatic & Self-Actuated
CCS | Cooling Loads In | Automatic
CCS | Cooling Loads Out | Automatic
CVS | Charging | Automatic
PXS | Nitrogen Supply to Accumulators | Automatic
RNS | IRWST to normal residual heat removal system | Automatic
SGS | Main Steamline | Automatic
SGS | Main Feedwater | Automatic
SGS | SG Blowdown | Automatic
VFS | Containment Air Supply | Automatic
VFS | Containment Air Exhaust | Automatic
VFS | Containment Air Supply | Automatic
VFS | Containment Air Exhaust | Automatic
VWS | Chilled Water to Fan Coolers | Automatic
VWS | Chilled Water from Fan Coolers | Automatic
WLS | Reactor Coolant Drain Tank Out | Automatic

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.183

In the shutdown analysis, provide references stating where the applicable ITAACS, Technical Specifications, or RAP define that the equipment and personnel hatch will not be opened until the plant reaches Mode 6 (see Q720.182).

Response

As discussed in Subsection 6.3.3.4.3 of the AP600 SSAR and Appendix F.4.3.2 of the PRA report, containment integrity is required to be maintained during midloop operation. Containment integrity is required in all operating modes except when the refueling cavity is flooded in Mode 6. Technical Specifications 3.6.1 (Containment Systems) and 3.6.2 (Containment Air Locks) identify the mode applicability for requiring containment integrity for the equipment and personnel hatches. In addition, the mode applicability should be consistent with that for Technical Specification 3.6.3 (Containment Isolation Valves). Appendix F.4.3.2 will be revised to reference these technical specifications.


SSAR Revision: NONE
PRA Revision:

Appendix F.4.3.2 will be revised as follows:

F.4.3.2 Actuating Signals and Systems Available

A list of safety-related and non-safety-related systems available for operation during the different potential shutdown states is given in Table F-1. That table also identifies the diverse types of actuation that can operate the systems. In particular, regarding the availability of automatic signals, the following are still operating during shutdown conditions:

Signals that contribute to the S-signal:
   Low pressurizer level
   High containment pressure
   High containment radiation

Core makeup tank actuation signal and core makeup tank water level signals that actuate the automatic depressurization system. These signals do not function during mid-loop/vessel-flange and refueling shutdown conditions due to the draindown of the reactor coolant system.

The low hot leg level signal, used to monitor and control the reactor vessel water level during the draindown of the reactor coolant system for the mid-loop/vessel-flange shutdown phase, is available. This instrument automatically actuates the in-containment refueling water storage tank motor-operated valve on low level during the mid-loop/vessel-flange shutdown phase. This logic is part of the diverse actuation system.

In all plant operating modes (with the exception of refueling when personnel/equipment hatches can be opened), containment integrity is maintained. Only the containment penetrations of operating systems are open. Technical Specifications 3.6.1, 3.6.2, and 3.6.3 in Section 16.1 of the AP600 SSAR identify the plant operating modes where containment integrity is required.

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.187

Provide justification as to why midloop conditions with water level at the hot leg center line is assumed to have negligible impact due to the short duration of midloop operation (8 hours) (see Section F.4.5.2 of the shutdown PRA).

For the Drained Maintenance tree, the staff concludes that assuming that the vessel water inventory is at the vessel flange is not conservative because the vessel level must be dropped to midloop conditions to install the nozzle dams. Provide the hot leg level at which the nozzle dams are installed, and the time for heatup and boil-off of the vessel water inventory, given this level.

Response

The shutdown PRA evaluation considers the various drained maintenance activities required during shutdown, including reduced reactor coolant system inventory operations. During shutdown, short-duration reduced reactor coolant system inventory operations are normally required for the transition into and out of refueling. However, there are also drained maintenance evolutions that require spending additional time in reduced inventory conditions. As discussed in Appendix B.7 of the PRA report, the PRA shutdown evaluation conservatively used the longer residence time for the reduced inventory operations, which include these reduced inventory maintenance operations.

During shutdown conditions with reduced reactor coolant system inventory, the water level in the reactor vessel is normally maintained near the reactor vessel flange. The mission time for reduced inventory maintenance operations used in the PRA is 180 hours. This mission time includes entering reduced reactor coolant system (RCS) inventory conditions for the installation and removal of the steam generator nozzle dams, normally referred to as mid-loop operation, during each shutdown (approximately eight hours duration for each entry).

The AP600 design, with a higher steam generator channel head elevation relative to the hot leg elevation, allows the hot leg piping to be completely filled with water during installation of the steam generator nozzle dams, rather than at a significantly lower mid-loop water level as in current plants. Following insertion of the nozzle dams, the reactor vessel water level is re-established at the reactor vessel flange.

An evaluation was performed to estimate the time for heatup and boiloff of the reactor vessel water inventory during reduced inventory operations following a loss of the normal shutdown decay heat removal, which is provided by the normal residual heat removal system (RNS). The calculations determine the time to reach the minimum hot leg level, which would preclude recovering the nonsafety-related normal residual heat removal system because of insufficient reactor coolant system inventory to maintain the normal residual heat removal system pump suction. If the normal residual heat removal system is not recovered within this time, core cooling is provided by manual or automatic actuation of the safety-related passive core cooling system, which provides safety injection flow from the in-containment refueling water storage tank (IRWST), core makeup tanks, or accumulators.

The evaluation assumes that reduced inventory operations are initiated approximately 61 hours after reactor shutdown, which is the earliest anticipated time to initiate reduced inventory operations. Therefore, the decay heat rate used in the evaluation is conservative for both the initial reduced inventory operations following shutdown and for the subsequent reduced inventory operations following refueling. The evaluation also assumes that the initial hot leg level is approximately 50 percent rather than being nearly full, which is normally expected when the steam generator nozzle dams are installed or removed.

The following table provides the calculated heatup and boiloff times using both best-estimate and design basis assumptions.

Initial / Final RCS Water Level | Case | Time After Shutdown When RNS is Lost (1) (hr) | Time to Initiate Boiling (hr) | Time to Boiloff (hr) | Time Available for RNS Recovery (hr)
Mid-loop (50% HL level) to Bottom of RCS HL | Best Estimate | 61 | 0.5 | 0.8 | 1.3
Mid-loop (50% HL level) to Bottom of RCS HL | Design Basis | 61 | 0.4 | 0.8 | 1.2
Mid-loop (50% HL level) to Top of Active Core | Best Estimate | 61 | 0.5 | 2.0 | 2.5
RV Flange to Bottom of HL | Best Estimate | 100 | 1.3 | 3.7 | 5.0

(1) Time based on current refueling schedule.

Based on the results of the evaluation shown in the table, more than one hour is available for recovery of the offsite power to allow restart of the nonsafety-related normal residual heat removal system following a loss of decay heat removal during the lowest reactor coolant system inventory expected during reduced inventory operations. Assuming the event initiates with the water level at the reactor vessel flange, the available time for grid recovery and restart of the normal residual heat removal system is approximately five hours.

Subsection F.4.5.2 of the PRA shows that the estimated time available to recover the offsite power grid and restore the normal residual heat removal system decay heat removal is 1.5 hours. According to the PRA report, this time is based on grid recovery, given that the water inventory was at the vessel flange. Based on the preceding calculations, the time to recover the normal residual heat removal system during drained maintenance conditions, including mid-loop, is at least one hour.
Thus, the recovery time used in the PRA for restoring the normal residual heat removal system considers the impact of mid-loop operations. The time to restore power and restart the normal residual heat removal system is at least 1 hour and not 1.5 hours as reported in the PRA. However, the mission time used in the PRA is overly conservative (1085 hours for the operating train). As discussed previously, the mission time used for the normal residual heat removal system decay heat removal operation is 180 hours. Based on the combined effects of these two, the probability of recovering the grid changes from 0.38 to 0.42 (see Reference 720.187-1). Therefore, the results in the PRA report consider the impact of mid-loop operations and are conservative.

The AP600 PRA is being updated, and a revision is scheduled for completion in February 1994. The update will include a statement to indicate that the impact of mid-loop operations is considered. The update will also include the revised values for the grid recovery time and system operating mission times.

References:

720.187-1 "Advanced Light Water Reactor Requirements Document," Volume III, Appendix A to Chapter 1, "PRA Key Assumptions and Guidelines," EPRI, Rev. 4, December 1992.

PRA Revision:

F.4.5.2 Development of Event Trees During Drained Maintenance (Mid-Loop / Vessel Flange Operations)

Grid recovery within M i hour (R15) -- The probability of recovering the grid within 44-1, hour is evaluated to consider the possibility of normal residual heat removal system operation without the need for diesel generator operation. After M 1 hour in drained maintenance conditions, the vessel water level is estimated to go below the minimum hot leg level, resulting in loss of normal residual heat removal pump suction. The M 1 hour of allowable time is estimated considering:

Time to heat up the vessel water inventory (enmidering fiMed-to-the . - ' "nage) during drained maintenance from 440F 130°F to 212°F. De mid !cep ecad!!ionwit' -* ' :!st-4he h * ' ;i ch:: 4ine ' in "med en have c negligib!: ! np:-: due :: th: :'-: dura:: cf th4ph=.: (cheut

  • heurc).

Time to boil off the water inventory be4u e:- the . c' Enge end 'h ' ' 'eg neuh during drained maintenance conditions.

Using thel plant Awuming t' ^me thermal-hydraulic data used fer the Eenbreek-plant-+hutdewn ! pndiab!!! ::: : ', an ament analyt,ie, and the conservative hypothesis that boiling occurs at atmospheric pressure, the following values are obtained:

Time for heat up = 46-mimges 0.4 hour
Time for boiloff = M 0.8 hour

Therefore, a total time of M 1.2 hours is assumed as the allowable time for normal residual heat removal function recovery during drained maintenance conditions. The time window for evaluating operator error to actuate the systems required in the event tree model is assumed equal to 1 hour, the same as for the hot / cold shutdown condition.

The probability of recovering the grid within 4,51 hour is estimated to be 048 042 according to Reference 2.

Question 720.191

Discuss the frequency of an inter-facing system LOCA occurring through the nitrogen and water fill connections to the CMTs and accumulators following maintenance actions during shutdown and startup operations. The staff notes that inter-facing systems LOCAs were not evaluated to be important in the PRA.

Response

The occurrence of an interfacing system LOCA through the nitrogen and water filled connections to the core makeup tank (CMT) and accumulators is assessed to be highly unlikely. The assessment is based on the following considerations:

a. The nitrogen connections to the accumulators include the following features:

  • Accumulators are isolated from the reactor coolant system (RCS) by two series check valves (V028A/B; V029A/B). Moreover, loss of coolant from the RCS can also be terminated by isolating the accumulator by closing the normally open motor operated valve (V027A/B);
  • On each accumulator line, there is a normally closed (failed closed) nitrogen isolation valve (V021A/B);
  • On the common nitrogen header that penetrates the containment, there are: a stop check valve (V050), a check valve (V043), a normally open (failed closed) air operated valve, and a normally open (failed closed) self operated valve that is kept open by the nitrogen pressure in the line;
  • In the unlikely event that the accumulator develops a gas leak, the operator can isolate the accumulator; even if no operator action is taken, two check valves will minimize the amount of leakage;
  • During shutdown, when maintenance activities may be performed on these components, the accumulators are isolated.

b. The water fill connections to the CMTs and accumulators include the following features:

  • On each accumulator makeup line, there is a normally closed (failed closed) isolation valve (V232A/B);
  • On each CMT makeup line, there are a check valve (V231A/B) and a normally closed (failed closed) air operated valve (V230A/B);
  • The makeup line that penetrates the containment contains a check valve (V172), a normally closed (failed closed) air operated isolation valve (V171), and two parallel stop check valves on the chemical and volume control system (CVS) interface (V156A/B);
  • The makeup is supplied by the CVS. This line (up to the makeup pump suction) is designed for pressure greater than the RCS pressure;
  • In the unlikely event that the CMT or accumulator develops a water leak, the operator can isolate the water leak; even if no operator action is taken, the check valves will minimize the amount of leakage;
  • During shutdown, the accumulators are isolated, and maintenance activities on the components related to the CMTs and accumulators are performed with the plant partially or totally depressurized or with the locked open valves closed;
  • With the plant partially depressurized, a water line break occurring in the lines interfacing the CMTs or accumulators would have the same effect as a very small water leak. The available time for detection and corrective action is relatively long; the loss of coolant can be terminated by closure of the locked open valves and check valves.

Based on the above design and operational considerations, interfacing system LOCA initiating event frequency for these connections and its contribution to the core damage frequency are judged to be insignificant in the PRA.

PRA Revision: NONE

Question 720.192

Provide a discussion in the shutdown PRA detailing how the shutdown source term was estimated.

Response

The shutdown source terms are taken to be the same as the source terms evaluated for events at power operation. This is conservative since the third-cycle, end-of-life equilibrium at-power fission product inventories are used for shutdown doses. In actuality, the fission product inventories would be less at shutdown because of decay after scram. The effect of the smaller inventories on the aerosol deposition rates is negligible since the structural, inert particulates make up the vast majority of the airborne mass.

The source terms estimation results in release fractions of selected groups of nuclides for each release category, which reflects the conditional probability of a fission product particle to be released after a given core damage sequence. The source term parameters are shown in Tables M-1 and M-2, and the fission product release fractions are summarized in Table 11-1 of the AP600 PRA.

There is one containment event tree for events initiated during shutdown (Figure G-7 of the AP600 PRA). The event tree end states have been grouped into the same release categories as sequences initiated during power operation (that is, release categories OK, OKP, CC, and Cl). As indicated by Table 12-2 of the AP600 PRA, the total values of the release categories frequencies include shutdown events as one of the accident subclasses.

A new section (F.4.4.3) will be added to the AP600 PRA to discuss the shutdown source term.

PRA Revision:

F.4.4.3 Shutdown Source Term

The shutdown source terms are taken to be the same as the source terms evaluated for events at power operation. This is conservative since the third-cycle, end-of-life equilibrium at-power fission product inventories are used for shutdown doses. In actuality, the fission product inventories would be less at shutdown because of decay after scram. The effect of the smaller inventories on the aerosol deposition rates is negligible since the structural, inert particulates make up the vast majority of the airborne mass.

The source terms estimation results in release fractions of selected groups of nuclides for each release category, which reflects the conditional probability of a fission product particle to be released after a given core damage sequence. The source term parameters are shown in Tables M-1 and M-2, and the fission product release fractions are summarized in Table 11-1. See Chapter 11 for complete details on the fission product source terms.


Question 720.194

The staff found that operator recovery of the Normal RHR system was not included in fault tree RNC2 during a loss of decay heat removal during hot shutdown, cold shutdown, and midloop operation. The staff believes that, given a loss of Normal RHR, the operators would try to recover Normal RHR before actuating the passive core cooling system. Describe (in the shutdown PRA): (a) the expected operator actions to immediately recover core cooling given a loss of Normal RHR during shutdown (including inadvertent closure of the suction valves, loss of one operating pump, etc.), (b) the type of available instrumentation that characterize Normal RHR status (e.g., discharge flow, etc.), (c) long term decay heat options including availability of IRWST and Passive RHR, (d) recovery actions for a loss of reactor coolant inventory (includes loss of IRWST coolant), and (e) operator actions to prevent primary system over-pressurization.

Response

a) The AP600 PRA model did not take credit for operator recovery of the normal residual heat removal system (RNS) in fault tree RNC2 because it is assumed that the normal residual heat removal system is not recoverable; the human error probability is conservatively taken to be 1.0. The emergency operating procedures will include operator recovery actions of the normal residual heat removal system following a loss of decay heat removal.

b) SSAR Subsection 5.4.7.2.1 describes the design features of the normal residual heat removal system that address mid-loop operations. This subsection describes the many design improvements that make a loss of the normal residual heat removal system during shutdown very unlikely. This subsection also describes the instrumentation available to the operator that characterizes the system during shutdown operations.

c) Appendix F.4.4.1.1 of the PRA discusses the use of the passive residual heat removal heat exchanger following the loss of decay heat removal during shutdowns. The availability of the in-containment refueling water storage tank (IRWST) and the passive residual heat removal heat exchanger is not impacted by the loss of the normal residual heat removal system.

d) See the responses to RAIs 720.196 and 720.200 for discussions regarding loss of coolant accidents resulting from a loss of decay heat removal during shutdowns.

e) See the responses to RAIs 720.196 and 720.200 for discussions regarding loss of coolant accidents resulting from overpressurization events during shutdowns.

PRA Revision: NONE

SSAR Revision: NONE


Question 720.195

A review of the shutdown CET indicates a large fraction of the shutdown sequences have been grouped into the OK endstate. During the staff's review of the supplied documentation, it was not able to determine the reasons for these results. Provide the reasons for these results.

Response

The PRA model assigns the OK endstate for the release category if: a) core melt is arrested in the reactor vessel, b) containment is not impaired, and c) passive containment cooling is available.

PRA Revision: NONE

Question 720.196

Section F.4.4.1.2 of the PRA states that, at cold shutdown, if a total loss of Normal RHR occurs and the pressure is not satisfactorily relieved through the one Normal RHR relief valve, a pipe failure in the Normal RHR system could occur. The staff is concerned that gravity injection would automatically actuate, and a containment bypass sequence could occur. A second bypass sequence could also occur as a result of a stuck open relief valve. These scenarios were not considered in the event trees. Discuss these scenarios in detail in the PRA, provide the time that the operator has to respond before the IRWST is drained into the auxiliary building, and describe possible recovery actions. Determine the core damage frequency resulting from these scenarios and assess the offsite consequences due to containment bypass.

Response

Subsection F.4.4.1.2 of the PRA incorrectly stated that a loss of normal residual heat removal system (RNS) could result in a pipe break in the normal residual heat removal system. As described in PRA Subsection A.3.2, the normal residual heat removal system piping is designed to withstand full reactor coolant system operating pressure without rupture (design pressure of 900 psig). Furthermore, motor-operated isolation valves (design pressure of 2485 psig) are available to isolate the 900-psig portion of the system. See Subsection A.3.2 for a discussion of interfacing loss of coolant accidents. Therefore, the scenario described is not a credible containment bypass sequence.

During shutdown operation, the normal residual heat removal system relief valve (V021) protects the reactor coolant system from credible overpressure events that can occur when the reactor coolant system is intact (Modes 4 and 5, unless in mid-loop). The capacity of this valve is based on limiting the pressure in the reactor coolant system to the Appendix G limits (approximately 630 psig) for the most severe, credible, mass addition and/or heat addition transient. The thermal expansion of the reactor coolant system resulting from a loss of decay heat removal during shutdown is within the capacity of the normal residual heat removal system relief valve. Therefore, the reactor coolant system will remain below this pressure.

During mid-loop operations, the automatic depressurization system valves are required to be open, so a loss of decay heat will not cause the reactor coolant system to pressurize. During refueling (Mode 6), the reactor vessel head is removed, and repressurization of the reactor coolant system cannot occur.

The open normal residual heat removal system relief valve discharges into the in-containment refueling water storage tank (IRWST). Therefore, the valve sticking open will not cause containment bypass.

PRA Revision: PRA appendix F.4.4.1.2 will be revised as follows:

F.4.4.1.2 Loss of Coolant Accident

With the normal residual heat removal system in the shutdown cooling mode, the mechanisms for loss of coolant accident generation are the following:

  • Operator error that inadvertently opens normal residual heat removal motor-operated valve V024, to allow flow diversion from the direct vessel injection line to the in-containment refueling water storage tank resulting in a loss of primary coolant.

  • Pipe break as a consequence of overpressurization due to loss of the decay heat removal system.

Preliminary evaluations show that, following a normal residual heat removal system failure, thermal expansion and steaming cause an increase in pressure. !' this p:= u= I: ne =ti:' etc-i!y =":~cd occugh

           'he rce = lief valve (V021) previd d c.- 1: :-^ = ! =idua! h=! : .cra! ry !:=, " ecu!d p-ten" .!!y !=d                                                              ,

te-pipe-fai!um !- S r- = ! =!du:! h=t ==cv ! ny:':- ^: : ::: =:iu = :: ^r .h: 5.-2, !c= cf

           =cet= cce!:n! c=v          '" 'h: =:c:::     =! =t= !:vd in he!ce. *he r 'n== 'c' 'eg !:=! = qui-d fr-epeatien cf *he rc==! : dd=! h=! ==cv ! pu=p:, *u: p=v::"ng :=t:
  • cf 'h: pr=p:. Di;irioimal residual heafienvallsysteni%11ef;ValW(V021);hast aufficientfcapacityVpseritfths~rsastoncoolasi .

l

                                              !                                                                                                tdje.'bf ths system        pressure normal residual                to exceed.

heat removaljpstess piping will the% occurspetelNG [and thsjvent isilmits (approximately ths:same (the[ lass 630 psig)/ residual heat iemoval with'uo loss of coolant accident. B.: c'f=! i 6: ==: :: ?- 6: !c= cf c:- =! ' re N ul!T eci e mevdfi1%A 'E= $f Ac5!ht 2:55:1,"h=::= S: ==: cy: :=: : : =!!-d fer Since no impact on sequence frequency quantification arises (normal residual heat removal already failed), this i mechanism ofloss of coolant accident generation is e' xGemelyf6nlikely'and therefore'not represented in the loss of coolant accident event tree. l

  • Pipe break or leakage during normal operation of the normal residual heat removal system or when the system is started (from a standby condition).

The specific event tree developed for this case is shown in Figure F-25 and discussed in Subsection F.4.5.1.

Question 720.197

In Appendix F of the PRA, discuss how the plant is brought to cold shutdown from full power. In addition, discuss briefly how refueling is conducted. This discussion should include the systems that can be used and the reliability of the systems involved. This discussion should also include how the AP600 design is protected from low temperature overpressure events and how it is performed. During shutdown, low temperature overpressure protection appears to depend on a single safety valve, V021, in the Normal RHR system.

Response

SSAR Subsection 5.4.7.1.2.1 discusses shutdown heat removal for the AP600. SSAR Subsection 5.4.7.4 discusses operations during all modes of plant operation including plant cooldown and refueling operations. In addition, Appendix F.4.3 of the AP600 PRA report provides a summary description of cold shutdown and refueling operations. As described in these sections, the systems used to bring the plant to cold shutdown and during refueling include the reactor coolant system, steam generator system, startup feedwater system, chemical and volume control system, normal residual heat removal system, component cooling water system, and service water system. The reliability of these systems is described in the corresponding sections of Appendix C of the PRA report. See the responses to RAIs 720.196 and 720.200 for a detailed discussion on lower-temperature overpressure events.

SSAR Revision: NONE

PRA Revision: NONE

Question 720.198

Discuss the process that was used to search for test and maintenance errors that could cause shutdown initiators or loss of support systems (such as dc power). In addition, describe how these errors were incorporated into the PRA. Provide a list of the test and maintenance errors and the corresponding human error probabilities.

Response

Based on engineering judgement, four types of initiating events are assumed to occur during shutdown (reactivity accidents, transients and loss of offsite power, loss of coolant accident, and loss of decay heat removal events). These events, delineated in Subsection F.4.3.1, are treated as bounding events for all accidents initiated at low power operation.

One human error was evaluated in the PRA as contributing to the loss of coolant accident initiating event frequency during shutdown conditions. This operator action is identified as RHN-MANDIV (inadvertent opening of normal residual heat removal valve RNS-V024 without reclosing it). A human error probability of 2.60E-06 was evaluated for RHN-MANDIV.

Six other human errors associated with shutdown operation, but not considered to be test and maintenance errors, are used in the PRA quantification. These operator actions are: LPM-M ANOS, CIL-M ANOS, CIT-M ANOS, RHN-M ANO2, RIIN-MANO3, and IWN-MAN 00. These human errors are described in Table D-1.

PRA Revision: NONE

Question 720.199

In the assessment of the boron dilution events, the probability of a MOV inadvertently opening was taken to be 2.5 x 10" This value was taken from the EPRI generic data base. Assess the likelihood that the MOVs will be inadvertently opened due to test and maintenance activities during shutdown.

Response

In Figure F-28 of the PRA report, the event tree branch "no spurious opening of accumulator MOVs" is assigned a failure probability of 2.52E-(4. This value reflects the hardware failure probability of the MOV. Operator recovery of the MOV is not credited in the evaluation. It is assumed that, if the MOV is inadvertently opened by an operator, it is highly unlikely that the error would not be detected and corrected by a member of the operating crew in the near term, before any associated adverse plant condition develops. This assumption is based on the operators' activities during this event; the parameters being monitored and the consequence of an operator action is expected to be readily apparent to the crew members.

Therefore, based on engineering judgment, the HEP for inadvertently opening the MOV (and not recovering the error) is judged to be of the order of magnitude of 1.00E-05. By examination of the related sequence 6 in Figure F-28 of the PRA report, the frequency is approximately 1.00E-10 per year, which is low. Therefore, inclusion of the operator action, discussed above, into this sequence would not change the PRA results significantly.

PRA Revision: NONE

Question 720.200

The rupture probability of the Normal RHR piping is based only on generic data and does not include potential overpressurization events that can rupture this piping with the Normal RHR system operating. Provide an evaluation of the Normal RHR LOCA frequency that considers: (a) the low temperature over-pressurization initiating event during shutdown (b) relief valve V021 sticking, and (c) Normal RHR pump seal failures.

Response

SSAR Section 5.4.7.2.2 describes the AP600 design features that address intersystem LOCA. In addition, see the response to RAI 720.196 for a discussion of the probability of a rupture of the normal residual heat removal system (RNS). The design and operational features, discussed in these documents above, provide the rationale for not including the low temperature over-pressurization initiating event during shutdown, and normal residual heat removal system pump seal failures in the normal residual heat removal system LOCA frequency. The sticking of relief valve V021 will be considered in the evaluation of the normal residual heat removal system LOCA frequency, and reflected in the next PRA revision.

PRA Revision: Incorporate the probability of relief valve V021 sticking into the normal RHR LOCA frequency evaluation.


Question 720.201

Describe the risk-based considerations that have been given to disabling the Normal RHR automatic suction and isolation valve signals when the reactor head has been removed during shutdown.

Response

The normal residual heat removal system (RNS) suction line inner and outer isolation valves (V001 A & B) do not receive automatic signals to close. The normal residual heat removal system suction line containment isolation valves (V022, V023) and the discharge containment isolation valve (V011) receive a signal to close on high containment radiation. This signal is disabled once the reactor head has been removed. The decision to remove automatic isolation of these valves is based on the importance of maintaining residual heat removal cooling during shutdown.

PRA Revision: NONE

Question 720.202

The response to Q720.24 provides the estimated containment ultimate pressure capacity, but does not provide the probability distribution function. Furthermore, this information is only provided for ambient temperature and 400°F. The results of MAAP calculations reported in Appendices L and N of the PRA indicate that gas temperatures in certain regions of the containment exceed 500K for short periods of time (e.g., in the steam generator and upper compartment during several hydrogen burn sensitivity calculations, and in the steam generator compartment during sensitivity case "DRY"). In this regard, provide the following:

a. the maximum expected containment shell temperature that would encompass all severe accidents. This value should reflect the potential for localized heating due to such phenomena as diffusion flames, and failure of the passive containment cooling system,

b. the conditional containment failure probability distribution function for the AP600 containment (probability of failure as a function of containment pressure) for temperatures representative of severe accidents. As a minimum, specify the conditional containment failure probability values for: (1) pressures of 70 psig, 90 psig, 120 psig, and the pressure corresponding to ultimate capacity, and (2) temperatures of 400K and the maximum containment shell temperature.

Response

A containment failure probability distribution is being developed for revision 1 of the AP600 PRA scheduled for February 1994. The information requested in parts (a) and (b) will be incorporated in the failure distribution and the analysis of the AP600 containment response to severe accidents.

PRA Revision: See above response

Question 720.203

Discuss the development of the containment failure probability distribution. Specifically address: (a) the contributions to uncertainty from uncertainties in material properties and modeling, and (b) whether/how the allowable corrosion of the containment vessel over the N)-year plant design life has been reflected in the estimate of ultimate pressure capacity (a corrosion allowance is not identified in responses to Q252.22 through Q252.28).

Response

A containment failure probability distribution is being developed for revision 1 of the AP600 PRA scheduled for February 1994. Uncertainty from materials properties, construction and modeling will be included in the distribution as a minimum. It is not anticipated that the allowable corrosion will significantly affect the distribution.

PRA Revision: See above response

Question 720.204

Identify and discuss the potential containment failure locations (including major penetrations) and their respective likelihoods for steel shell temperatures for temperatures representative of severe accidents. Discuss whether the relative ranking of potential failure locations changes over the range of temperatures expected for severe accidents.

Response

A containment failure probability distribution is being developed for the revision 1 of the AP600 PRA scheduled for February 1994. This information will be identified as part of that development.

PRA Revision: See above response.

Question 720.207

An inconsistency exists between the AP600 plant description document (WCAP-13202) and the PRA. The PRA indicates that the containment is more leak tight and thus more effective in retaining fission products than current reactors. However, it is argued in WCAP-13202 (page 1-11) that in order to make leak testing more efficient, the containment will have a slightly higher leak rate than current reactors. Clarify this apparent discrepancy. In addition, describe any risk basis for the selection of the containment leakage rate.

Response

The containment leak rate is specified in SSAR Subsection 16.3.6.1 (Surveillance Requirement 3.6.1.1) as 0.12 of containment air weight per day at the calculated peak containment pressure, and is consistent with the PRA analysis. The SSAR and not the plant description document provides the design description for NRC review and basis for regulatory activities. The AP600 design features resulting in a more leaktight containment include the use of fewer containment penetrations, a higher percentage of closed penetrations, enhanced penetration design configurations and the use of smaller penetrations. The containment leakage rate was established based on a deterministic evaluation of acceptable leakage rate consistent with the isolation features and instrumentation capabilities.

SSAR Revision: NONE

PRA Revision: NONE

Question 720.208

Describe the capabilities of the AP600 reactor cavity and structures to sustain the impulse loading associated with rapid pressurization events, such as ex-vessel steam explosions, without loss of structural integrity.

Response

Peak pressure loads in the reactor cavity are described in the response to Question 720.229 for 3 cases.

(a) The peak cavity pressure for high pressure melt ejection into a dry cavity is 16 psid. This is a quasistatic condition. Pressure loads are imposed on the floor of the reactor cavity below the reactor vessel and on the walls of the octagonal primary shield up to elevation 98' which is the elevation of the floor of the reactor coolant piping annulus.

(b) The peak cavity pressure for high pressure melt ejection into a flooded cavity without steam explosion is 2.1 psid. This is a quasistatic condition. Pressure loads are imposed on the floor of the reactor cavity below the reactor vessel and on the walls of the octagonal primary shield up to elevation 98' which is the elevation of the floor of the reactor coolant piping annulus.

(c) The peak cavity pressure for high pressure melt ejection into a flooded cavity with steam explosion is 130 psia. The duration is estimated in WCAP-13388 to be 50 milliseconds. The pressure load on the structure is assumed to rise linearly from zero to 115 psid in 25 milliseconds and to decay linearly in the next 25 milliseconds. Pressure loads are imposed on the floor of the reactor cavity below the reactor vessel and on the walls of the octagonal primary shield below elevation 83' (approximately at the reactor vessel cylinder to bottom head interface). This is conservative for the reactor cavity because the pressure wave expands radially away from the source of the steam explosion and attenuates significantly at this distance.

The arrangement of the reactor cavity is shown on the General Arrangement drawings in SSAR Section 1.2. Typical reinforcement is shown in SSAR Figure 3.8.3-4. Pressure loads on the walls were evaluated as follows:

Reactor Cavity Floor

Pressure loads on the floor are transmitted through the internal concrete floor and the containment vessel into the basemat and ground.

East and West Walls

These walls separate the reactor vessel cavity from the steam generator compartments. Below elevation 83', loads are directly into the mass concrete of the containment interior structures. Above elevation 83', the walls are 7'6" thick at mid span and about 12'6" thick at the ends.

North Wall

This wall separates the reactor vessel cavity from the sump area and access shaft. Above elevation 80', the wall is 9' thick at mid span and about 14' thick at the ends. Below elevation 80', there are openings at the bottom of the wall and the wall varies between 3' and 8'. The wall is supported by the floor slab at elevation 83'.

South Face

The south face of the reactor cavity is part of the mass concrete of the containment interior structures.

The structures surrounding the reactor cavity were reviewed for the three cases of pressurization described above. The structures above elevation 83' can sustain the quasistatic pressure of 16 psid for cases (a) and (b). The structures below elevation 83' can withstand the quasistatic pressure of 16 psid for cases (a) and (b) as well as the impulsive pressurization of case (c).

PRA Revision: NONE.

SSAR Revision: NONE

Question 720.209

Based on information discussed in a February 23, 1993 letter, and provided in the PRA, the response to Q720.51, and WCAP-13388, the staff is unable to conclude that certain severe accident phenomena/events cannot lead to failure of the AP600 containment. These phenomena/events include hydrogen deflagration and detonation, direct containment heating, rapid steam generation and steam explosions (both in-vessel and ex-vessel), temperature-induced steam generator tube rupture, reactor vessel failure given a flooded reactor cavity, and ex-vessel core debris coolability. In order to provide a defensible and scrutable basis for establishing the risk significance of these phenomena for the AP600, provide the following:

a. a systematic treatment of uncertainties in each of these phenomena/events, and any other phenomena/events which could have a significant impact on AP600 containment performance. This should include identification of major contributors to uncertainty, quantification of each of these contributing factors considering the current state of knowledge, and propagation of these uncertainties. The result of this assessment should be a probability distribution which describes the expected range of outcomes for each issue (e.g., a range of pressure rise for direct containment heating), and the associated degrees of belief.

b. modified CETs which include treatment of each phenomena, as well as representation of the full range of issue outcomes, and

c. justification for the quantification of these events in the CETs.

Use probabilistic tools, such as decomposition event trees or an approach similar to that described in NUREG/CR-5423, to treat the uncertainties in each of these phenomena/events.

Response:

Revision 1 of the AP600 PRA is scheduled for February 1994. The level 2 PRA will include decomposition event trees for the major phenomena and phenomenological nodes on the containment event tree.

PRA Revision: See above response

Question 720.210

Provide an importance analysis for the Level 2 PRA to identify importantnment contributors to AP600 performance. This assessment should be similar to importance analyses typically perfonn PRA 0o identify important contributors to core damage frequency), but would a ures, focus on contain as well as containment failure frequency). As part of the respo , actions ranked in terms of their importance in (a) limiting containment stresses below ASME e first 24 hours, (b) than itF3 for all time periods after core damage. preventing uncontrolled fission product , release after 24 hours o less and (c) limiting

Response

The importance analysis for the AP600 containment event trees has been and performed as part ts results are reported in Tables G-6 and G-7 of the AP600 PRA Report importance values for release frequencies for each of the release categories: OKP CC and CI. T ,

(a) As analyzed in Chapter 10 and Appendix L of the AP600 PRA Report th , below the sensitivity ASME Service Level C value during the first 72 hours from cases. the onset of core darnae con ge for all base and

(b) The uncontrolled fission product release after 24 hours due to containment failure is mod l d i ee n the CC release 72 hours). The importance values reported ant to tt CC release category are: mcontributors Table G-7 for this a er failure systems of 12-out-of-12 air-operated valves on the core makeup tanks and the passive residual heat removal

- miscellaneous common cause failures of electrical teards
- failure of 8-out-of-8 gravity injection check valves
- failure of 6-out-of-6 motor-operated valves on the first three automatic depressurization stages.

Loss of containment integrity is modeled as the CI release category. The most important basic events, besides the ones that are also the major contributors to the core damage frequency (such as the vessel rupture initiating event), are:

- pre-existing containment opening
- operator failure to provide the IRWST makeup
- failure of the air operated containment isolation system valves to close
- conditional feedwater pumps are probability lost (OTH-SGTRI) of a steam generator tube rupture due to failure o of feedwater cont steam generator tube rupture initiating event.

(c) The conditional containment failure probability before 72 hours can be assessed as the CI release category probability which accounts for 5.1 percent of overall core damage frequency.

PRA Revision: NONE

Question 720.213

Provide an estimate of the core exit temperature that would be indicative of the onset of control rod melting, and discuss whether any specific actions would or should be taken by operators in response to these indications as part of accident management.

Response

The control rods are silver-indium-cadmium with a stainless steel cladding. The liquidus temperature of the control rod material is 1520°F (1100°K). However, the control rod material will not be able to relocate until the control rod cladding fails at an estimated temperature of 2240°F (1500°K). Since the control rods do not generate significant heat, the temperature of the control rod cladding is controlled by heat transferred from fuel rods and the heat transferred between the control rods and the steam flowing upward in the core. The core exit thermocouple indicated temperature is likely to be a reasonable estimate of the control rod cladding temperature, considering all of the uncertainties in accident scenarios and the progression of a core damage accident. Additionally, analyses of the heatup of the core in a PWR indicate that the time frame between the melting and downward relocation of the control rod cladding and the fuel rod cladding is on the order of minutes.

The response to RAI 720.55 and 720.56 provides details of the process to be used in developing an integral severe accident management program, as opposed to considering various operator actions for very specific severe accident conditions. However, using an analogy to ERGs and SAMGs for existing plants, operator actions to depressurize the reactor coolant system and to inject any source of water into the core are called for at core exit thermocouple temperatures greater than 1200°F (922°K). Assuming some similarity to the ERG and SAMG for existing plants, no special operator actions are warranted based on the melting temperature of the control rod cladding.

PRA Revision: NONE

Question 720.216

The response to Q720.21 provided only an example of criteria that might form the basis for operator actions to flood the reactor cavity. Provide more specific information regarding the procedures and criteria for actuation of the reactor cavity flooding system. As part of the response, specify the set points for alarms or decision points (e.g., hydrogen concentration values or core exit temperatures), or describe how these will be established. Also, provide an estimate of the time available to actuate this system for each accident class/sequence that it is credited in the PRA.

Response

Setpoint selection is a post-design certification activity and will be performed as part of the development of the final AP600 Emergency Operating Procedures. The objective of a procedure to flood the cavity will be to prevent reactor vessel failure to prevent core debris from being released into the containment. Such a procedure is a last resort and will not be implemented until it is clear that the in-containment refueling water storage tank (IRWST) water is not injecting into the vessel and that severe fuel damage is occurring. The clearest indication of severe fuel damage is rapid oxidation of the zirconium alloy cladding, a highly exothermic reaction that is accompanied by an escalation of the core exit temperature and a release of hydrogen from the core. The setpoints for a cavity flooding procedure will be based on high IRWST water level and very high core exit temperatures (the current PRA used 2000°F).

As discussed in Chapter 10 of the PRA report, based on the results of the MAAP4 analyses, more than one hour is available from the time that the core exit temperature escalates until the time that the lower head integrity is challenged because of creep rupture.

PRA Revision: NONE

Question 720.217

Recent work by Kastenberg, et al., for operating reactors indicates the reactor vessel will fail in the flooded cavity configuration shortly after the water in the reactor cavity becomes saturated. Provide the time required to submerge the vessel, and the time required to reach coolant saturation conditions in each of the flooded cavity scenarios analyzed for the PRA.

Response

A graph showing the time required to flood the reactor vessel with the 10" and 4" cavity flooding lines has been provided as Figure 4-4 in the position paper on external cooling of the reactor vessel (WCAP-13388).

The effort to evaluate the work performed by Kastenberg is ongoing and will be considered in the requantification of the AP600 PRA. However, one major difference between the operating reactor configuration and the AP600 is noted. The Kastenberg analysis considers PWR reactor cavities flooded to the top of the vessel hemispherical head. The AP600 success criterion for in-vessel retention of core debris is successful IRWST water injection into the reactor cavity, filling the containment to the 105' elevation. There is a 30 foot (9.5 m) head of water above the bottom of the vessel when the IRWST has been drained into the cavity. The IRWST enters the cavity approximately 90°F (50°K) subcooled, and as it is heated, comes to saturation at the containment gas pressure. However, the static pressure exerted by the water above the elevation of the lower head assures that the local water temperature at the lower head of the vessel (the location of the heat transfer) is always approximately 18°F (10°K) subcooled.

PRA Revision: NONE

Question 720.218

For the case identified as "CR", provide the temperature history of the reactor vessel outside wall and the coolant temperature in the reactor cavity while the cavity is flooding up to contain the molten corium in-vessel.

Response

In case CR, the IRWST water injects into the reactor vessel and quenches the damaged core before relocation to the lower head occurs. The IRWST water floods both inside and outside the reactor vessel; therefore, there is little challenge for the vessel wall.

In case LFW1, the vessel dries out, and debris relocates to the lower head which is flooded on the outside by IRWST water. The lumped-mass cavity water temperature for case LFW1 is presented in Figure 720.218-1. The reactor vessel wall temperatures were not included in the plot files for the MAAP runs performed for the AP600 PRA revision 0. The MAAP4 severe accident analyses are being redone as part of the revision 1 of the AP600 PRA. The vessel wall temperatures will be included in the report for all cases in which the debris is retained in the lower head.

For a description of the lower head creep rupture model, please see RAI 720.221.

PRA Revision: See above response

[Figure 720.218-1: AP600 Case LFW1 - Failure of Automatic Depressurization System. Cavity Water Temperature versus Time (hrs).]

Question 720.221

An AP600 demonstration calculation using SCDAP/RELAP5 has been completed by the NRC Office of Research. This calculation was performed for the steam generator tube rupture sequence modeled in the AP600 PRA. One of the major differences observed is that the MAAP calculations do not predict the occurrence of creep rupture of the steam generator tubes prior to creep rupture of the hot leg. In order to better understand the capabilities of the MAAP code to predict the timing and location of creep rupture failure, provide the following information:

a. a description of how the Miller-Larson creep-rupture model is implemented in the MAAP calculations, including a description of the model (e.g., from the MAAP manual) and related input and output parameters,
b. a comparison of MAAP calculations with available creep rupture data, and
c. the pressure and temperature history in the hot leg and steam generator tubes during the "SGTR" sequence.

Response

a. A description of MAAP 4 creep-rupture model and related input and output parameters is provided in the MAAP 4 Users Manual (see reference 720.221-1).
b. The creep-rupture data available in the open literature were obtained from isothermal test conditions (the temperature of the test object was uniform). However, in the reactor system, the structure may have a large temperature variation. To utilize the isothermal data, MAAP 4 nodalizes the structure and applies the creep-temperature data in each node and imposes the uniform strain across the wall to solve for the time to rupture.

MAAP 4 calculations for the lower head have been compared with finite element structural analyses which demonstrated excellent agreement between the two results. Westinghouse letter NSRA-APSL-93-0342/ET-NRC-93-3990 dated October 20, 1993, provides information on the finite element analysis and comparison.

c. The RCS pressure transient for Case SGTR is presented in Figure L-108 in Appendix L of the PRA report.

The temperature histories of the hot leg and steam generator tubes are presented in Figure 720.221.

Reference:

720.221-1 MAAP 4 Subroutine Creep Description, MAAP 4 Users Manual.

PRA Revision: NONE

[Figure 720.221: AP600 Case SGTR, RCS Piping Temperature. Curves: Hot Leg Metal Temperature and SG Tube Metal Temperature, plotted against Time (hrs).]

Question 720.224

For each of the sequences described in Appendix L of the PRA, provide the following:

a. the predicted S/G tube temperature history and peak temperatures (where not already reported),
b. a summary of the plant system availability, e.g., a table showing failed and available systems in each sequence, and
c. a comparison of the sequences analyzed in the Level 2 portion of the PRA, with the dominant sequences in the Level 1 analysis, based on system availabilities/failures developed in item b. above. The purpose of this comparison is to show that dominant sequences in the Level 1 analysis are encompassed by the calculations performed in the Level 2 analysis.

Response

a. The temperature history of the steam generator tubes is presented in Appendix L of the PRA report for the LFW1 sequence. This same result is applicable to the CR sequence which is a sensitivity case for the LFW1 case. This is the only sequence in which the RCS is pressurized and the natural circulation of hot gases to the steam generator is significant enough to challenge the tube integrity.
b. The summaries of plant system availability are provided in the sequence descriptions in the text of Appendix L.
c. A more detailed description of the Level 2 sequences and the comparison to the Level 1 dominant sequences will be provided as part of the PRA revision 1 scheduled for February 1994.

PRA Revision: See above response

Question 720.226

According to the PRA, the spent fuel pool cooling systems can be used to add coolant to the containment volume. Provide a description of how and when the spent fuel pool cooling system would be used to add coolant to the containment and vessel during a core damage event. As part of the response, discuss the potential for bypass as a result of these actions, and identify any provisions provided in the design (such as additional check valves) to prevent bypass. Justify why the CET did not take into consideration the containment bypass potential for this system.

Response

PRA Appendix C4, Subsection C4.3.4 and the last paragraph of C4.4.1, states that the spent fuel pool cooling system (SFS) can be used to provide makeup to the in-containment refueling water storage tank (IRWST) during the long-term core cooling with a break in containment or a containment isolation system failure. This can be accomplished using the spent fuel pool, the existing SFS pumps and the lines normally dedicated to purify the IRWST and transfer water from the refueling cavity back to the IRWST after a refueling. For this operation either pump A or B can be used by opening either valve, V053 or V054, respectively, and the motor-operated containment isolation valve, V038.

For the safety-related method of containment makeup, please see the response to RAI 471.2.

The containment event tree (CET) did not take into consideration the containment bypass potential for this system because this system would be used for this function only if there was already bypass of the containment.

PRA Revision: NONE

Question 720.228

Discuss the considerations that were given to the potential for containment bypass as a result of hydrogen-combustion-induced failure of the IRWST, including failure of connected piping systems such as fill lines. Justify not treating this as a potential containment bypass mechanism in the Level 2 analysis.

Response

Hydrogen-combustion-induced failure of the IRWST is not considered as a potential containment bypass path because of the very low probability of getting hydrogen in the IRWST. (Core damage must occur as a result of an intact primary circuit fault with successful operation of the first, second, or third stage of the automatic depressurization system [ADS] and failure of the ADS fourth stage.) The frequency of events that could result in hydrogen accumulating in the IRWST, as described in the response to RAI 43036, is less than 2.0E-9 events per reactor year.

All connected piping systems, such as fill lines, are either embedded in concrete or anchored to the concrete wall close to the tank. Moreover, all such lines that penetrate containment have a check valve inside containment and an air- or a motor-operated valve outside containment. Therefore, hydrogen-combustion-induced failure of the IRWST is not expected to result in containment bypass.

PRA Revision: NONE

Question 720.229

Provide an assessment of resulting peak pressure loads in the AP600 reactor cavity given the following conditions: (a) high pressure melt ejection into a dry reactor cavity, (b) high pressure melt ejection into a flooded cavity, without coincident ex-vessel steam explosion, and (c) high pressure melt ejection into a flooded cavity, with coincident ex-vessel steam explosion. This assessment should either be bounding in nature, or, alternatively, consider the full range of uncertainty in related processes and parameters, in which case a range of credible pressures and associated degrees of belief should be provided.

Response

Vessel failure is not expected in the AP600 design due to external submergence of the reactor vessel. The External Cooling section of WCAP-13388 considers high pressure melt ejection from the AP600 to be an extremely low probability event. For the purpose of assessing the AP600 reactor cavity peak pressure, an HPME has been postulated.

(a) As discussed in WCAP-13388, the cavity pressure due to HPME into a dry cavity can be calculated by assuming isothermal expansion of the gas being discharged from the reactor vessel at the safety valve setpoint pressure and choked flow at the biological shield exit to the cavity sump area. Making this assumption:

$P_c = P_v \, (A_v / A_c)$    (1)

where
$P_c$ = reactor cavity pressure
$P_v$ = RPV pressure prior to vessel failure ($17 \times 10^6$ Pa)
$A_v$ = RPV failure area (0.025 m²)
$A_c$ = minimum cavity cross-sectional area (3.95 m²)

Substituting these values into Equation (1) yields a peak reactor cavity pressure, $P_c$, of 0.11 MPa (16 psid) for the dry cavity case.

(b) A bounding cavity pressure due to HPME into a flooded cavity without coincident steam explosion can be estimated using Equation (2). This estimate equates the steam addition rate to the gas flow rate from the reactor cavity during the interaction interval.

$\Delta P_c = \dot{m}_s^2 / (2 A_e^2 \rho_c)$    (2)

where
$\dot{m}_s$ = maximum steam generation rate (706 kg/sec per WCAP-13388 section on Steam Explosions)
$A_e$ = cross-sectional area of cavity exit (3.95 m²)
$\rho_c$ = density of gas in reactor cavity (1.129 kg/m³)
$\Delta P_c$ = differential pressure between the reactor cavity and containment regions

Substituting these values into Equation (2) yields a peak reactor cavity differential pressure, $\Delta P_c$, of 0.14 bar (2.1 psi) above the containment pressure for the flooded cavity without steam explosion case (b). This pressure increase would occur as the corium contacted the water in the cavity, prior to the pressure increase caused by the expansion of the RCS gas into the cavity (calculated in (a) above).

(c) A pressure loading on the cavity walls due to HPME into a flooded cavity coincident with an ex-vessel steam explosion can be estimated using the equation:

$P_w = (R_k / x_w)^2 \, P_k$    (3)

where
$P_w$ = pressure on the cavity wall
$P_k$ = pressure in the interaction zone of the steam explosion kernel (10 MPa per WCAP-13388, Steam Explosion section)
$R_k$ = radius of steam explosion kernel (0.6 m)
$x_w$ = distance from center of interaction zone to nearest cavity wall (approximately 2.0 m)

Substituting these values into Equation (3) yields a peak impulse pressure on the nearest cavity wall due to an ex-vessel steam explosion directly beneath the reactor vessel of 0.9 MPa (130 psia) for the flooded cavity with steam explosion case (c). The total duration of the pressure impulse will be tens of milliseconds (50 msec per WCAP-13388 section on steam explosions).

An evaluation of the cavity response to these pressure loadings is provided in the response to RAI 720.208.

PRA Revision: NONE

SSAR Revision: NONE
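The three estimates in this response, and the triangular load history assumed for case (c) in the response to Question 720.208, can be checked numerically. The Python sketch below is an added example, not part of the Westinghouse submittal; it assumes the equations read P_c = P_v (A_v/A_c), dP_c = m^2 / (2 A^2 rho) and P_w = (R/x)^2 P_k with an RPV pressure of 17 x 10^6 Pa (forms that reproduce the stated results), and the function names and psi conversion factor are choices made here.

```python
# Added worked check (not from the original submittal): reproduces the cavity
# pressure estimates of the response to Question 720.229 and the triangular
# load history assumed in the response to Question 720.208.
# Assumption: equation forms reconstructed from the scanned text.

PA_PER_PSI = 6894.757   # pascals per psi (standard conversion factor)
PA_PER_BAR = 1.0e5      # pascals per bar


def dry_cavity_pressure(p_rpv_pa, a_failure_m2, a_cavity_m2):
    """Case (a), Eq. (1): RPV pressure scaled by failure area / cavity area."""
    return p_rpv_pa * a_failure_m2 / a_cavity_m2


def flooded_cavity_dp(steam_rate_kg_s, a_exit_m2, rho_gas_kg_m3):
    """Case (b), Eq. (2): pressure drop needed to vent steam at the stated rate."""
    return steam_rate_kg_s ** 2 / (2.0 * a_exit_m2 ** 2 * rho_gas_kg_m3)


def steam_explosion_wall_pressure(p_kernel_pa, r_kernel_m, x_wall_m):
    """Case (c), Eq. (3): kernel pressure attenuated as (R/x)^2 at the wall."""
    if x_wall_m < r_kernel_m:
        raise ValueError("wall distance must not be inside the kernel radius")
    return p_kernel_pa * (r_kernel_m / x_wall_m) ** 2


def triangular_load_psid(t_ms, peak_psid=115.0, rise_ms=25.0, decay_ms=25.0):
    """Load history from 720.208 case (c): linear rise, then linear decay."""
    total_ms = rise_ms + decay_ms
    if t_ms <= 0.0 or t_ms >= total_ms:
        return 0.0
    if t_ms <= rise_ms:
        return peak_psid * t_ms / rise_ms
    return peak_psid * (total_ms - t_ms) / decay_ms


def specific_impulse_pa_s(peak_psid=115.0, rise_ms=25.0, decay_ms=25.0, steps=1000):
    """Area under the load history (trapezoidal rule), in Pa*s per unit area."""
    dt_ms = (rise_ms + decay_ms) / steps
    area_psi_ms = 0.0
    for i in range(steps):
        p0 = triangular_load_psid(i * dt_ms, peak_psid, rise_ms, decay_ms)
        p1 = triangular_load_psid((i + 1) * dt_ms, peak_psid, rise_ms, decay_ms)
        area_psi_ms += 0.5 * (p0 + p1) * dt_ms
    return area_psi_ms * PA_PER_PSI / 1000.0


def cavity_load_cases():
    """Evaluate the three cases with the input values stated in the response."""
    case_a = dry_cavity_pressure(17.0e6, 0.025, 3.95)
    case_b = flooded_cavity_dp(706.0, 3.95, 1.129)
    case_c = steam_explosion_wall_pressure(10.0e6, 0.6, 2.0)
    return {
        "a_dry_pa": case_a,
        "a_dry_psi": case_a / PA_PER_PSI,
        "b_flooded_bar": case_b / PA_PER_BAR,
        "b_flooded_psi": case_b / PA_PER_PSI,
        "c_explosion_pa": case_c,
        "c_explosion_psi": case_c / PA_PER_PSI,
    }


if __name__ == "__main__":
    for name, value in cavity_load_cases().items():
        print(f"{name:>16s}: {value:12.3f}")
    print(f"impulse of 115 psid / 50 ms triangle: {specific_impulse_pa_s():.1f} Pa*s")
```

The computed values round to the 0.11 MPa (16 psid), 0.14 bar (2.1 psi) and 0.9 MPa (130 psi) quoted in the response.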

Question 720.231

The lack of penetrations in the AP600 reactor vessel lower head could result in a relatively higher incidence of creep-rupture failure of the reactor vessel (in contrast to local failure in connected piping), and an increased frequency of the "rocket" containment failure mode. This failure mode was treated in NUREG-1150, but was not considered for the AP600. Although Westinghouse believes the probability of high pressure vessel failure for the AP600 design is negligible, this view is based in part on full credit for creep rupture as a mechanism for precluding high pressure failures. The staff view is that creep rupture is not assured, and that high pressure vessel failure can occur in some fraction of the core damage sequences. In this regard, provide an assessment of the significance of the "rocket" containment failure mode for the AP600 risk profile. As part of this response, provide an assessment of the impact that creep rupture failure of the reactor vessel lower head would have on (a) motion of the reactor vessel and/or failure of the vessel restraints, (b) the possibility of direct failure of the containment or piping penetrations, and (c) the conditional containment failure probability.

Response

The fraction of core damage sequences that may occur at high RCS pressure is very small. This is a direct result of the redundant means of depressurizing or passively cooling the RCS included in the AP600 design and credited in the PRA. The fraction of high RCS pressure core damage sequences that occur without cavity flooding and ex-vessel cooling is even smaller.

Submergence and external cooling of the RPV lower head would occur prior to submergence and cooling of the hot leg piping. The timing and possibility of the hot leg being submerged is sequence dependent; however, if the IRWST is drained into the reactor cavity, on the order of one hour is available between the time that the lower head is submerged and the hot leg is submerged (see RAI 720.225). Ex-vessel cooling of the RPV lower head would prevent its failure by creep rupture. The delay in subsequently submerging the hot leg piping would allow its heat up and cause creep rupture of the hot leg in the AP600 (no lower head penetration) to be more likely than creep rupture failure of the RPV lower head.

(a) A high pressure melt ejection is unlikely, as described in WCAP-13388. Vessel failure due to creep rupture is expected to occur in the reactor vessel at the hot leg nozzle or at the surface of the debris bed and most likely discharge gas from the primary system while the debris remains in the RPV lower head. If the creep rupture failure occurs at the hot leg nozzle, the reaction thrust force is not likely to be any larger than the thrust force caused by a large LOCA. If the creep rupture failure occurs in the RPV, discharging gas just above the debris, the reaction thrust force will tend to lift and rotate the RPV, and place shear and bending moments on primary system hot and cold legs.

Analyses for HPME in existing Westinghouse PWRs show that the reaction force at the RPV lower head is unlikely to exceed the inertia of the RPV, molten debris, and remaining vessel internals. The AP600 RPV mass, mass of fuel, mass of vessel internals, etc., are comparable to the corresponding masses for an existing Westinghouse three-loop plant. Analyses for existing Westinghouse plants have also shown that the stresses induced by the jet reaction force at HPME are far below allowable stress levels in the biological shield wall. This means that the RPV will be constrained and will not become a missile that will threaten containment walls. Note also that AP600 RPV dimensions, biological shield wall thickness, etc., are comparable to the corresponding dimensions for an existing three-loop Westinghouse plant.

(b) Since the reactor vessel will not move, there is no possibility of direct failure of the containment penetrations.

(c) The postulated failure mode does not pose a credible threat to the AP600 plant. It has a negligibly small conditional containment failure probability.

PRA Revision: NONE

SSAR Revision: NONE

Question 720.235

Sequences in which the core degrades at high pressure can result in either creep rupture of the hot leg/surge line or failure of the S/G tubes. Once depressurization begins, the accumulator and CMT coolant is injected into the vessel. This coolant injection into the core's degraded geometry results in significant hydrogen generation. Identify operator actions that might be taken in response to this event, and provide an assessment (e.g., sensitivity analyses) of the impact of these actions on hydrogen production.

Response

Appropriate operator actions will be described in the Severe Accident Management Program as explained in the response to RAI 720.56.

PRA Revision: NONE

Question 720.236

It has been noted that in some sequences, automatic ADS operation can result in localized hydrogen concentrations (in and above the IRWST) above 10%. Because these concentrations could lead to large deflagrations and potentially local detonations, measures to prevent such an accumulation of hydrogen warrant consideration. In this regard, identify and discuss any measures that might be taken to prevent the IRWST hydrogen concentration from exceeding 10% (such as early operator actions to depressurize the RCS), and the desirability of these measures.

Response

Chapter 14 provides the hydrogen bum analysis scenarios. Scenarios IIYD1 and HYD4 are the sequences which result in the maximum elevated hydrogen concentrations in the in-conudnment refueling water storage tank (IRWST). The sequences are relatively small breaks (2 inch) in the hot Icg with the first 3 stages of the automatic depressuritation system (ADS) in operation relieving to die in-containment refueling water storage tank. The flow area through the automatic depressuritation system is much larger than the break, so the majority of the flow from the prnnary system leaves through the automatic depressuritation system and enters the in-containment refueling water storage tank. This scenario and the conservative assumption that one hundred percent of the cladding surroundmg the active fuel is oxidi/ed prior to vessel failure results in a very conservative hydrogen analysis. Under these conservadve assumpdons, the direct hydrogen release results in a peak hydrogen concentration in the in containment refueling water storage tank in excess of 20 volume percent for case HDY1 (no igniters). The high hydrogen concentration in the in-containment refuchng water storage tank gas space is however a result of suppressing the hydrogen combustion which would result from the actuation of the hydrogen control system igniters. This is evident in the results for case HYD4 which is identical to llYDi except the igniters are in operadon. The availability of the hydrogen control system is optimi/cd by providing a multitude of power supplies including offsite power or either onsite diesel. With the igniters in service, the hydrogen is ignited by any of die four local igniter units and consumed before concentrations can reach the detonable level. To provide confidence of ignidon, four igniters are spaced uniformly m proximity to the in-containment refueling water storage tank vents. 
Consequently, the hydrogen concentration in the in-containment refueling water storage tank is not expected to significantly exceed the lower flammability limit. In order for elevated hydrogen concentrations to be introduced above the in-containment refueling water storage tank, the hydrogen must be preferentially released through the first three stages of the automatic depressurization system. The expected progress of core damage scenarios results in fourth stage automatic depressurization system actuation prior to core damage and thus any significant hydrogen releases. If the automatic depressurization system were to fail completely, the hydrogen flow to the containment would be through the reactor coolant system (RCS) safety valves which are directed to the containment upper compartment atmosphere, bypassing the in-containment refueling water storage tank. If the event were initiated by a medium or large LOCA, or the fourth stage automatic depressurization system valves were to operate, the reactor coolant system hydrogen would be vented preferentially through the break or the fourth stage valve, bypassing the in-containment refueling water storage tank. As identified in the response to RAI 480.36 the scenarios that lead to large releases of hydrogen to the in-containment refueling water storage tank are of a magnitude of less than 2.0 x 10^-9 per reactor-year. Although this scenario frequency is less than 1 percent of the core damage frequency presented in the AP600 PRA report, the potential for large deflagrations or local detonations is less likely yet, based on the expected availability of the hydrogen control system to burn the hydrogen, as generated, within the in-containment refueling water storage tank gas space at concentrations below the detonable concentrations. Further, for the identified scenarios leading to hydrogen releases to the in-containment refueling water storage tank the expectations are that the in-containment refueling water storage tank would be at saturated conditions by the mass and energy releases via the first 3 stages of automatic depressurization system or passive residual heat removal operation. With the in-containment refueling water storage tank contents saturated, the continued releases would result in the in-containment refueling water storage tank gas space being steam inerted and thus eliminate the potential for hydrogen deflagration or detonation. Based on the low probability scenarios, the availability of the hydrogen control system and saturation of the in-containment refueling water storage tank resulting from the scenarios that yield hydrogen releases, the potential for large deflagration and local detonations is very small. The emergency operating procedures developed under the process identified in SSAR Subsection 18.9.8.1 and the severe accident management program addressed in the response to RAI 720.56 will address contingencies for dealing with hydrogen.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.237

The response to Q720.20 provided only a general discussion of criteria that might form the basis for operator actions to activate the hydrogen control system. Provide more specific information regarding the procedures and criteria for actuation of the hydrogen ignition system. As part of this response, specify the set points for alarms or decision points (e.g., hydrogen concentration values), or describe how these will be established. Also, provide an estimate of the time available to actuate this system for each accident class in which it would be used.

Response

As indicated in the response to RAI 720.20, the emergency operating procedures (EOPs) for the AP600 will define the operator actions during emergency conditions. Plant specific EOPs will be prepared using the criteria described in Subsection 18.9.8.1.2 of the SSAR. Specific procedures and associated setpoints/decision points are not yet available. The hydrogen igniter system is provided to accommodate hydrogen generated during a severe accident case by promoting hydrogen burning when lower flammability limits are reached in containment and thus prevent accidental hydrogen burn initiation at high hydrogen concentration levels. The system provides the capability to prevent the containment hydrogen concentration from exceeding 10 volume percent and thus prevent the occurrence of hydrogen detonation. Following an alarm indicating either high local hydrogen concentration or core conditions indicative of potential hydrogen generation, the igniter system is manually actuated in the main control room using the Plant Control System. The hydrogen igniters are located within containment to cover areas where hydrogen may collect. As previously described in the response to RAI 720.20, the criteria used for the actuation of the igniters is based on core exit temperatures (measured by the core exit thermocouples) and local hydrogen concentrations within containment (measured by the hydrogen monitors distributed throughout containment to provide representative indication of concentrations). The specific values for the alarm setpoints/decision points will be developed as part of the EOP development process (see Subsection 18.9.8.1.2).
These will be based on core exit temperatures that are indicative of inadequate core cooling, but at temperature levels below those indicative of core damage (~2000°F) and local containment hydrogen concentrations indicative of hydrogen generation rates in excess of the capability of the hydrogen recombiners to maintain hydrogen levels below the flammability limit (above 4 volume percent). An illustration of this approach is presented in the high-level operator action strategy for the emergency operator's response to inadequate core cooling (see SSAR Table 18.9.8-22, AP600-FR-C.1, Response to Inadequate Core Cooling) in which operator monitoring of containment hydrogen is tied to core exit temperature. The time available for operator response to energize the hydrogen igniters is scenario dependent. However, the AP600 Probabilistic Risk Assessment (PRA) does provide an estimate of the time available to actuate the system. The six base case sequences of the PRA are taken from dominant accident scenarios determined in the level 1 probabilistic risk assessment. For the base case analysis documented in Appendix L of the PRA, time from the initiation of the event until the top of the core is uncovered is approximately two hours. Time from the core uncovery until significant production of hydrogen is on the order of tens of minutes. Time for significant local concentrations of hydrogen to develop within containment is also on the order of tens of minutes later. Results of the analysis also indicate that with the initiation of hydrogen burning at lower levels of hydrogen flammability (5 to 6 percent) the hydrogen igniter system controls local hydrogen concentrations within desired limits. With the previously noted time periods, the employment of the core exit temperature and local containment hydrogen concentration criteria tied together as noted in the high-level operator action strategy will alert operators to the potential need for actuation of the hydrogen igniter and provide sufficient time for operator decision and implementation of the actuation process.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.239

Discuss the effect that hydrogen-related failure of the IRWST would have on the containment's passive heat removal performance.

Response

The hydrogen related failure of the in-containment refueling water storage tank (IRWST) is a highly improbable event. The probability for high potential hydrogen releases to the IRWST as discussed in the responses to RAIs 480.36 and 720.236 is of a magnitude of less than 2.0 x 10^-9 per reactor-year. Although this scenario frequency is less than 1% of the core damage frequency presented in the AP600 PRA report, the potential for IRWST failure is less likely yet, based on the expected availability of the hydrogen control system to burn the hydrogen as generated within the IRWST gas space at concentrations below the detonable limits. Further, for the identified scenarios leading to hydrogen releases to the IRWST, the expectations are that the IRWST would be at saturated conditions by the mass and energy releases via the first three stages of the automatic depressurization system or passive residual heat removal operation. With the IRWST contents saturated, the continued releases would result in the IRWST gas space being steam inerted and thus eliminate the potential for hydrogen related failure of the IRWST. Based on the low probability scenarios, the availability of the hydrogen control system and saturation of the IRWST resulting from the scenarios that yield hydrogen releases, the potential hydrogen related failure of IRWST is extremely remote. Nonetheless, the failure of the IRWST is not expected to have a negative impact on the containment's passive heat removal performance. The failure of the IRWST would result in loss of IRWST water level effecting an increased containment water level and a preferential change in the injection source (via the direct vessel injection line) to the containment sump versus the IRWST for coolant makeup. With the loss of the IRWST, reactor coolant system mass and energy releases would be directly to the containment atmosphere.
This would have no deleterious effect on the performance of the containment's passive heat removal capability. It would rather increase the efficiency of heat transmission to the containment atmosphere since a direct path would then be available similar to the fourth-stage automatic depressurization system being in service or a large break LOCA. Further, the additional cooling water inventory in the containment would result in increased amounts of cooling water available to flood the reactor vessel cavity.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.240

Provide an assessment of the impact of the hydrogen igniters in limiting the peak pressurization predicted for the base case (BC1).

Response

Case IGN presented in Appendix L of the PRA report is an analysis of case BC1 with the igniter system turned off.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.245

For the case in Appendix L entitled "DRY", provide the peak containment steel shell temperature and the corresponding containment pressure.

Response

Case DRY was corrected due to an error in the concrete decomposition properties. The corrected section can be found in the PRA revision in the response to RAI 480.2X. The results presented here were taken from the corrected analysis. The temperatures and pressure are presented in Figures 720.245-1 and 720.245-2. The containment shell temperatures include the wet and dry portions of the dome and the containment cylinder.

PRA Revision: NONE

[Figure 720.245-1: AP600 Case DRY - Failure of All ECC Water Sources. Containment Shell Temperature versus Time (hrs); curves for Dry Dome, Dry Shell, Wet Dome and Wet Shell.]

[Figure 720.245-2: AP600 Case DRY - Failure of All ECC Water Sources. Containment Gas Pressure (Dry Dome) versus Time (hrs).]

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.247

In response to Q720.23, Westinghouse indicated that natural convection cooling is sufficient to prevent containment failure. In view of this, provide an assessment of the impact of the system on the AP600 risk profile. This might be addressed via sensitivity analyses using the modified CETs. Also, describe the trade-offs that were considered between the containment design pressure and design leak rates, and the need for the passive cooling system.

Response

As it is stated in Subsection C7.6.1 of the AP600 PRA, failure of the air flow path surrounding containment is not a credible fault and has not been considered in the containment event trees. The impact of losing containment air cooling is that all core damage sequences that are binned in the OKP release category would lead to containment failure due to pressurization, with noncondensable gases generated by core-concrete interaction, and would be transferred to the CC release category. In this case the portion of core damage sequences that are binned in the CC release category would increase from 2.1 percent to 15.6 percent and the mean site boundary dose for the CC category would be proportionally increased. (The mean site boundary dose for the OKP category would be zero.) Containment design pressure and the leak rates were established by "design basis" considerations. The passive containment cooling system is needed to keep containment pressure below the design value.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.248

An accident management procedure is called out in the PRA that can be used to prevent containment overpressure failure as a result of non-condensable gas generation. Provide a discussion of the options available to permit containment venting. Discuss how these procedures and systems would be utilized to prevent containment failure.

Response

The potential for containment overpressurization due to non-condensable gas generation for the AP600 is a very low probability scenario. As discussed in PRA Section 12.5 only 2.1 percent of the core melt frequencies result in containment overpressurization and only in the long term without credit for operator action strategies or engineered features.

- 2.1 percent of the releases are quantified as large releases due to a potential containment failure in the long term. Release category CC may fail the containment after four days due to core-concrete interaction.

Although four days is considered to be sufficient time to perform accident management based corrective actions, no credit is taken for strategies or engineered features that facilitate the operator's ability to prevent containment failure in the CC release category. Success criteria for ex-vessel debris cooling as discussed in the PRA Appendix G indicates where vessel failure occurs, core debris is released into the reactor cavity. The cavity is designed to provide sufficient area for debris coolability assuming water coverage over the debris bed. The failure of the debris coolability function is the failure of the gravity injection subsystem and failure of at least two out of four accumulators or core makeup tanks to inject water to flood the reactor cavity, if the passive containment cooling system is operating. If the passive containment cooling system is not operating, debris coolability failure is defined as the failure of gravity injection and the failure of one out of four core makeup tanks and accumulators. Core debris coolability success criteria, based on core makeup tank, accumulator and in-containment refueling water storage tank availability, take into account the water holdup in the in-containment refueling water storage tank free volume, and in the refueling canal. Success criteria also takes into account the water lost due to condensation on the containment shell and the steam in the containment atmosphere. If core debris is not successfully quenched, core-concrete interaction takes place, producing the basemat penetration and generation of non-condensable gases.
Additional sources of water potentially available for core debris quenching include the chemical and volume control system (CVS) via the normal makeup line, spent fuel pit system (SFS) via the makeup line to the in-containment refueling water storage tank (IRWST) and overflow into the reactor cavity and the post 72 hour containment inventory makeup connection via the normal residual heat removal system (RNS). The time frames available for responses to this scenario provide sufficient time for operator actions to prevent containment failure as a result of overpressurization by taking recovery actions to supply additional water to the reactor cavity to cool the ex-vessel debris. Appropriate operator actions will be developed in the Severe Accident Management Program as explained in the responses to RAIs 720.56 and 720.55.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.249

The representative sequence used to establish the source term for each release class was selected based on consideration of the contribution of the various sequences to core damage frequency. An alternative, and more defensible, approach is to select the representative sequence based on consideration of the sequence contribution to risk rather than core damage frequency. Identify the most risk significant sequences within each release class, and provide an estimate of the source terms for these sequences. For each release class, justify that the source term used to represent the release class adequately represents all of the sequences assigned to the release class.

Response

The reason a particular sequence is grouped into a particular release category is because it has similar release characteristics (in terms of magnitude, timing) as the other sequences in the release category. Similar releases yield similar consequences. Since the consequences of each sequence in a release category are similar, the contribution to risk for each sequence can be estimated by the frequency of the sequence, because risk is the product of the frequency and the consequence. Therefore, using the core damage frequency as the basis for selecting the representative sequence in a release category is equivalent to using the risk as the basis.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.250

The fission product release fractions in the AP600 are significantly lower than expected by the staff. In this regard, for each release class, identify and discuss the impact of those MAAP models and input assumptions that Westinghouse believes have the greatest influence on fission product release estimates.

Response

In the release categories in which the containment is isolated for at least 72 hours after the onset of core damage (OK, OKP and CC), the major assumptions which affect the fission product release are the leak rate of the containment and the holdup due to the release through the middle annulus of the auxiliary building. The containment leakage is 0.12 volume percent per day. The effect of the middle annulus holdup is quantified in the direct release sensitivity case presented in Chapter 11. The holdup amounts to a decontamination factor of 25 for the middle annulus. In the containment isolation failure/bypass release category (CI), the major assumption that affects the release is that the containment cooling water is operational. The enhanced condensation of steam on the containment shell helps to keep the containment pressure very near atmospheric. If the shell were dry, the shell heat removal would be inefficient, and the containment would pressurize to relieve decay heat through the unisolated line. The reduced pressure in the containment limits the flowrate through the isolation failure thus limiting the release of fission products.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.251

NUREG-1150 and supporting technical documents include an assessment of the range of uncertainty associated with fission product releases for various release classes for PWRs and BWRs. Although this information was developed on a plant-specific basis, it can be applied to the AP600 design on an approximate basis. In this regard, provide a comparison of the AP600 source terms (point estimates) for each release class, with the range of releases estimated in NUREG-1150 for the closest matching plant and release class. Discuss the reasons for any major differences.

Response

The AP600 source term analysis was performed to demonstrate that the plant design meets the goal to limit the cumulative frequency of large releases (resulting in a dose of greater than 25 rem at the site boundary, 24 hours after core damage) to less than 1.0E-6 per year. This Westinghouse design goal is consistent with the utility guidelines ("ALWR Requirements Document", Volume III, Appendix A to Chapter 1, "PRA Key Assumptions and Groundrules", EPRI, Rev. 3, June 1992). Also, the AP600 site input for the MAACS code input is evaluated on the basis of the ALWR reference site defined in the same Utility Requirements Document. The site-specific data required to define the MAACS site input file were completed by using the Surry specific plant data (see Appendix M.2 of the AP600 PRA). NUREG-1150 provides source terms for five nuclear power plants. Peach Bottom and Grand Gulf are BWRs, and Sequoyah is a PWR with an in-containment ice condenser. The other two plants are Westinghouse PWRs with a large dry containment which is similar to the AP600: Surry has a subatmospheric containment and Zion is a pre-stressed concrete design. Although they cannot be classified as "matching" the AP600 design, their source terms can be very roughly compared to release estimates calculated as part of the AP600 PRA. The previous PWRs source terms (including Surry's) are dominated by the sequences involving early containment failure. The AP600 release categories, however, are limited to four groups, none of which involves early containment failure, as evaluated in Appendix L of the AP600 PRA. The most important release category CI (containment impaired), addresses the offsite release due to containment isolation failure. The other three categories (OK, OKP, CC) do not involve containment failure within 72 hours, and releases associated with these categories are maintained within the containment design leakage basis. Therefore, the release rates for these three categories are very similar.
The AP600 source term is provided in Table 11-1 of the AP600 PRA. Comparison with the ranges of Surry source terms shows good consistency in comparable release classes. For the OK, OKP and CC categories, the release fractions are about an order of magnitude lower than the "no containment failure" bin in the Surry source term. The reason for this difference is that the AP600 containment analysis assumes design leakage at 0.12 volume percent per day at the design pressure and temperature. The only exception is Lanthanum group, where the lower margin for Surry release range is lower than the AP600 point estimate. This is due to the fact that there is a wide uncertainty range for such low (10" - 10') numbers.

The CI category release fractions are slightly lower than the lower margin of the Surry release fractions range for sequences with containment failure. The only exception is Strontium group, where the fractions differ by two orders of magnitude. This is due to the fact that the CI release category does not involve core-concrete interaction, which is the main cause of non-volatile fission products distribution. Table 720.251-1 provides a comparison of the AP600 and Surry source terms. The values for the AP600 have been taken from Table 11-1 of the PRA Report and the ranges of values for Surry have been taken from Table B.8 of NUREG-1150. Following are descriptions of the Surry containment failure bins reported as important to the health effects:

Bin #16 represents containment failure at the time of vessel breach, with the vessel at a high pressure and failure of the containment sprays.
Bin #5 represents sequences in which containment failure precedes core damage and sprays failure.
Bin #12 represents sequences in which the failure location is not submerged.
Bin #1 represents sequences with a high reactor coolant pressure during meltdown with early containment failure and failure of containment sprays.

TABLE 720.251-1

Plant   Containment status              Release Fraction by Group
                                        I       Cs      Ba      Sr      La      Kr/Xe
Surry   Containment failure     #16     2.E     6E      6E      6.E     4E      1.0
                                        8.E-1   7E-1    3.E-1   3E-1    3.E-2
                                #5      2.E     1E      5.E     5E      2.E     1.0
                                        7E-1    6E-1    3E-1    3E-1    1E-2
                                #12     1.E     6E      3E      3E      1.E     1.0
                                        8.E-1   6.E-1   2E-1    2E-1    9.E-3
                                #1      2.E     6.E     3E      3.E     2E      1.0
                                        8E-1    7.E-1   3.E-1   3.E-1   1E-2
AP600   Containment non isolated (CI)   4E-2    4.E-2   5E-4    7E-5    2E-5    3.4E-1
Surry   No containment failure  #15     3E      5E      6E      6.E     1E      5.E-3
                                        6E-4    1.E-4   3E-5    3.E-5   2.E-6
AP600   Containment isolated (OK)       6.E-7   6E-7    3E-7    3.E-8   2.E-8   4.2E-5

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.253

For each of the sequences presented in Appendix L of the PRA, provide a summary of the following: (a) expected vessel failure times, (b) the time to containment failure, and (c) the time required to release the bulk of the noble gases to the environment.

Response

The timing of the events requested are presented in Table 720.253-1. The phrase "the bulk of the noble gases" is taken to mean more than half the inventory.

PRA Revision: NONE

Table 720.253-1
Timing of Vessel Failure and Containment Failure

Case    Vessel Failure    Containment Failure    Time to Release Bulk of
        Time (hr)         Time (hr)              Noble Gases (hr)
BC1     11.8              ∞                      ∞
VRPI    0.0               ∞                      ∞
SLP     ∞                 ∞                      ∞
MLP     ∞                 ∞                      ∞
LFW1    ∞                 0.0                    < 48
SGTR    > 72              0.0                    > 72
CC      11.5              > 72                   > 72
OKP     16.5              ∞                      ∞
CHF     11.8              > 72                   > 72
DRY     8.6               > 72                   > 72
IGN     11.8              ∞                      ∞
CR      ∞                 ∞                      ∞
SG2     ∞                 0.0                    8.0

∞ means the event does not occur in this analysis.
> 72 means that trend indicates event could occur after 3 days if no actions taken to prevent it.

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.254

One of the Commission's containment performance goals is to prevent uncontrolled radionuclide release to the environment for time periods in excess of 24 hours. The PRA does not provide sufficient information in this regard. In order for the staff to conclude on the adequacy of the AP600 design in preventing long-term releases, identify and discuss the actions that would be required to prevent or mitigate uncontrolled fission product release due to (a) long-term non-condensible gas generation, (b) impaired decay heat removal capacity resulting from a depleted coolant inventory (due to leakage of steam from containment), and (c) late containment bypass (temperature-induced SGTR) resulting from long-term retention of molten fuel pools within the reactor vessel.

Response

Specific accident management actions, guidelines, and setpoints are not yet defined. See the response to RAI 720.56 for more information on accident management guidelines. For each of the scenarios mentioned in the question above, there is significant time for accident management to be performed.

a. The WCAP-13388 analysis and the MAAP4 analysis for cases DRY, CHF and CC show that more than 72 hours are available before the containment integrity is challenged by non-condensible gas generation.
b. An analysis performed for the Regulatory Treatment of Nonsafety-related Systems (RTNSS) focused PRA shows that more than 72 hours are available before the depletion of coolant inventory results in core uncovery.
c. There is no significant heat transfer mechanism from the core debris to the steam generator tubes at low RCS pressures. High pressure is ruled out for long-term scenarios because the RCS piping will fail long before 24 hours at high temperatures expected in severe accidents.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.255

Identify specific procedures and equipment that would be required to perform the actions identified in response to Q720.253, and any corresponding COL-action items, including actions that the COL-applicant should address in its accident management program (such as procedures that the COL-applicant would need to develop).

Response

The Westinghouse plan for addressing severe accident management program requirements for the AP600 will be based on the current efforts by the Westinghouse Owners Group to develop severe accident management guidance for the current generation of operating plants. The details of the plan including COL applicant responsibilities are addressed in the response to RAI 720.56 and 720.55. It should be noted, however, that mitigating procedures have not been assumed in the selected sequences with the exception of limited specific operator actions identified in the case descriptions. The operator actions developed in the severe accident management program will typically serve to mitigate the consequences and severity of the subject cases. The equipment assumed to be available in the presented sequences is described in each of the individual sections. For example, for sequence BC1 the following systems/equipment are assumed available per the description:

IRWST                                  No
Accumulators                           Yes    2-out-of-2
Core Makeup Tanks                      Yes    1-out-of-2
Passive Containment Cooling System     Yes
Hydrogen Control System (igniters)     Yes
Automatic Depressurization System      Yes    1-out-of-2

Beyond the equipment identified in the case descriptions, assumptions relative to alternate mitigating procedures, equipment or cooling water sources have not been factored into the results.

SSAR Revision: NONE
PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.256

Provide a list of major sequences in which the dominant containment challenges occur outside of the 24 hour mission time selected for the PRA analysis.

Response

The major challenges to the containment which occur outside the 72 hour mission time selected for the Level 2 PRA analysis are all related to core-concrete interaction leading to possible containment overpressurization by non-condensible gases or basemat failure. The sequences in Appendix L in which core-concrete interaction occurs are CC, CHF and DRY.

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.258

The AP600 PRA selected the "CI" release category to model the risk associated with shutdown containment bypass sequences. The LWR shutdown risk studies (NUREG-1449) indicate a much higher whole body dose than predicted by this ALWR calculation. Justify the present treatment or provide an alternative containment bypass source term for the shutdown risk assessment.

Response

Section tt9 of NUREG-1449 estimates the whole-body dose from a core melt 48 hours after shutdown with an open containment at 200 rem at a 1-mile distance from the plant. Table 13-1 of the AP600 PRA indicates that the mean site boundary (one-half-mile radius) dose level for CI release category during the first 24 hours following the onset of core damage is 4.24 Sv (where 4.24 Sv is equal to 424 rem).

PRA Revision: NONE

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.259

A review of the shutdown CET indicates that a large fraction of the shutdown sequences have been grouped into the endstate identified as "OK". Based on review of the supplied documentation, the staff is unable to determine the rationale for this classification. Accordingly, provide additional details regarding the binning process and criteria used.

Response

The response to this question is the same as that provided for RAI 720.195. The PRA model assigns the OK endstate for the release category if: a) core melt is arrested in the reactor vessel, b) containment is not impaired, and c) passive containment cooling is available.

PRA Revision: NONE


NRC REQUEST FOR ADDITIONAL INFORMATION

Question 720.260

Provide a capital cost estimate for implementing the following accident-management-related items: (a) emergency trip bypass for NRHR and CVCS pumps, (b) emergency access to allow external charging of the plant's DC batteries, (c) emergency bypass of MSIV closure signals, (d) emergency trip bypass of the diesel generators, (e) emergency access to allow external charging of the plant's air systems, and (f) emergency containment penetration bypass to provide alternate sources of coolant injection to containment.

Response

This question requests additional accident management strategies and design alternatives be evaluated as an extension of the Severe Accident Management Design Alternatives (SAMDA) report (see RAI 100fM)2(RI)). The SAMDA report evaluates whether or not the safety benefit of the SAMDA outweighs the cost of incorporating the SAMDA in the plant. All of the strategies identified in this RAI were evaluated for their risk significance in RAI 720.54(RI). In keeping with the SAMDA methodology, it is not necessary to evaluate capital costs for strategies that will not significantly benefit plant and public safety. For each of the strategies listed in this RAI, the risk significance is first evaluated. If it is found that the strategy would significantly reduce risk, then a capital cost is estimated. Each strategy is discussed below.

a) Emergency trip bypass for NRHR and CVCS pumps

As stated in the response to item 3.2 of RAI 720.54(RI), "the active nonsafety-related systems are much less risk important than the passive systems. Adding manual bypasses to NRHR and CVS pump protective interlocks would not be risk significant. In addition, such bypasses could adversely affect plant availability if they are improperly operated." Thus, it is not appropriate to evaluate a capital cost for this accident management strategy.

b) Emergency access to allow external charging of the plant's DC batteries

The goal of this strategy is to provide additional sources of ac power to the dc power system. As stated in the response to RAI 720.54(RI), item 4.2, the AP600 has connections to hook up small, temporary electrical generators to provide ac power to support the post-accident monitoring function. As this accident management strategy exists for AP600, it is not necessary to evaluate its capital cost.

c) Emergency bypass of MSIV closure signals

The goal of this strategy is to reopen the MSIV in order to use the condenser as a heat sink to extend the water supply. As stated in the response to item 5.1 of RAI 720.54(RI), this strategy is not risk significant and would have no effect on the current PRA results. Thus, it is not appropriate to evaluate a capital cost estimate for this strategy.

d) Emergency trip bypass of the DGs

As stated in the response to RAI 720.54(RI), the capability of manually bypassing or resetting selected protective trips is provided for in AP600 (see SSAR Subsection 8.3.1 and Figure 8.3.1-1). As this strategy exists for AP600, it is not necessary to evaluate its capital cost.

e) Emergency access to allow external charging of the plant's air systems

This accident management strategy does not apply to AP600 because the air-operated valves in the passive safety-related systems or in the nonsafety-related defense-in-depth systems do not require air supply system. Thus, it is not applicable to estimate a capital cost for this strategy.

f) Emergency containment penetration bypass to provide alternate sources of coolant injection to containment

The goal of this strategy is to ensure an adequate long-term water supply to maintain reactor coolant inventory and to remove heat from the reactor and the containment. As stated in the response to RAI 720.54(RI), item 3.1, "Provisions have been designed into the passive safety-related systems to allow for water makeup from nonsafety-related plant water systems as well as temporary connections to other plant water systems or to portable supplies. These connections provide makeup to the containment to maintain long-term core cooling." As a variation of this strategy exists for AP600, it is not necessary to estimate its capital cost.

PRA Revision: NONE
SSAR Revision: NONE
}}