Forwards Advanced Reactor Severe Accident Program Topic Paper Set 6, Development of Severe Accident Mgt Program, for Review

ML20195H598
Person / Time
Site:	05000470
Issue date:	11/11/1988
From:	Scherer A ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:	Crutchfield D Office of Nuclear Reactor Regulation
References
LD-88-132, NUDOCS 8811300491
Download: ML20195H598 (31)
v • d • e

Text

_____ _______ ______ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

.* ~

CIw R,

. 6. . ....

November 11, 1988 LD-88-132 Docket No. STN 50-470F (Project No. 675)

Mr. Dennis M. Crutchfield Acting Associate Director for Projects Office of Nuclear Reactor Regulation Attn

• Document Control Desk U. S. Nuclect Regulatory Commission Washington, D. C. 20555

Subject:

Advanced Reactor Severe Accident Program ( ARJAP) -

Topiu Paper Set 6

Dear Mr. Miraglia:

This letter provides the proposed resolution for the aingle issue of ARSAP Topic Paper Set 6: "Development of a Severe Accident Management Program". Combustion Engineering plans to adopt, in the development of the System 80+TM design, the resolution of this issue.

We recuest, therefore, your early review.

If you have any questions or comments, please call me or Mr. E. !i .

Kennedy of my staff at (203) 285-4520.

Very truly yours, COMBUSTION ENGINEERING, INC.

A. E.*Tcherer Director Nuclear Licensing AES:Jeb

Attachment:

As Stated cc: Mr. Frank Ross (DOE-Germantown) 3 S

Mr. Dan Giessing ( DOE-Germantown) h1 Mr. Mario Fontana (Tenera Corporation) l g i

~

Power Systems 1000 Prospnct H it Road (203) 4 3-1911 Combustori Eryneemg Inc. Post O'fo Box 500 Teen 99297 Wnd50', Connect <ut 00095 0500 CG11300491 DDR esi331 ADOCK 05000470

$ PDC

___3

. I

. Attachment to LD 30 Pages ARSAP SEVERE ACCIDENT ISSUE TOPIC PAPER

. 6".1 DEVELOPMENT.'0F A SEVERE ACCIDENT MANAGEMENT PROG' RAM .

. Issue Definition .

The Nuclear Regulatory Connission's (NRC's) Severe Accided Wlicy Statementl addresses means of demonstrating that a new design for a nuclear ,

power plant is acceptable from the standpoint of severe acektent concerns.

In particular, the NRC Staff is to review the design to rictermine "acceptability using an approach that stresses determinist'.c engineering analysis and judgment complemented by PRA." Or.e aspect of that review is the dotermination, for hypothesized sequences that could leau so a severe accident, of how and when each such event that is sufficiently probable to j warrant consideration could be terminated in a manner that would limit its public health and safety consequences.

To p m ent such sequences from becoming severe accidents and to assure an acceptable event termination if they do, both the operating staff's likely responses and the involved design features must be suitable. For existing i nuclear plants, the NRC has indicated that probabilistic analyses combined with an accident managemont program will be required for the closure of these severe accident issues.2 Such an accident management program would 1 directly address the actions necessary to prevent or terminate events appropriately, while controlling radinlogical releases, i

This paper deals with the need to address severe accident management in a j design certification application for an advanced pressurized nter reactor

]

(PWR). The paper defines an approach that will be taken for advanced PWRs, ,

both to establish certain operational goals for a Sevare Accident Management l 2 -

Program (SAMP), and to develop a SAMP, complementing the PRA and l

4 deterministic analyses, tha: completing the severe accident evaluation of the j submitted design. Full' implementation of the SAMP will ba addressed by j, . , applicants referencing a' certified, advanced PWR design'.

1 .

j .

1 . .

i l l

?

Backaround Severe accident management concepts and the need to address those -

concepts require elaboration. First, those plant conditions'in which the

~

core (with or without damage) is being cooled, the integrity of the reactor containment as a passive barrier is being maintained and the release of radioactivity is being controlled are referred to as "safe stable states".

The progress of a potentially severe accident can be terminated ar.d a safe stable state attained, if sufficient coolant to imerse the core material and a method of heat removal are prov ded.3'4 The potential for establishing a permanently coolable state exists, as an event progresses, with (a) an essentially intact core geometry, (b) a severely damaged cure within 'he original core boundary, (c) a severely degraded core that has relocat2d to the reactor vessel lower head, and (d,' are :ebris relocated to the reactor containment building. This paper define, '.ertain safe stable states as the operational goals of the SAMP, guiding the identification and seloction of operating staff responses.

Actions taken by the plant operating staff with the intention of affecting in accident sequence are referred to in this paper as "recovery" actions, or simply as "recovery". Thus, specific actions to prevent core I

damage or to mitigate the consequences of core damage are included in the recovery definition. Current probabilistic risk assessments (PMs),

including the PMs being performed in support of advanced PWR design certification, tend to utilize conservative assumptions, thereby underestimating the potential for recovery in assessing the progression of hypothesized severe accidents. Even though the analysts typically elect not l to take full credit for recovery, either in preventing or in mitigating he  !

effects of core damage when performing an overall assessment of facility risk (or when performing a safety goal' assessment), their models fac" ' tate analysis of the impact of recovery actions. In fact, to provie bience to the plant operators, potential recovery tactics are often addresseu .o some f degree upon completion of a PM, and the PM logic models can be updated to l include those recovery actions with a significant impact on best estimate t risk.

t 2

i i

i

Analyses of core melt progression in severe accident sequences, for example, are performed using PRA tools such as the deterministic HAAP :-la to indicat'e how much. time is avsilable to perform recovery actions prior to. -

vessel or containment failure, how necessary the actions are to achieve a safe stable state while c~ontrolling radiological releases, and whether the actions are likely to succeed or fail. Recent improvements to *e MAAP code that enhance its capability to calculate severe accident progressions and recovery sequences are addressed in the ARSAP Topic Set 2 and in the ARSAP Topic Paper 5.3.5,6 Once defined, "safe stable states" are used in developing a program to plan for and guide recovery (the SAMP). Such a program deals with those accidents with the potential to progress beyond the onset of core damage (i.e., the potential to become "severe accidents"). "Accident management" includes a broad range of design and operational orovisions that collectively afford the strategies and the means for the operating staff to prevent core damage or, failing that, to plan, achieve, and monitor recovery to a safe stable state, should a severe accident ever occur. Such strategies are developed to reduce the challenges to passive barriers (particularly the reactor containment) and to limit releases of radioactive material.

Risk assessments on current generation PWRs have shown that the probability of severe accidents is very low, and the enhanced design and operational features of the advanced PWR, where significant emphasis has been placed on the prevention of severe accidents, tre expected to result in even lower risk estimates. In addition to inherent design features, the ability of the operating staff to take further measures either to prevent or to halt ,

the progression of a severe accident, to mitigate fission product release, i

and to establish one of the target safe stable states, will contribute to risk rinimization. The NRC and many industry experts agree that certain preparatory and recovery actions can be taken by the plant operating and technical staff to prevent or to mitigate significantly the consequ'nces of specific severe accidents. The.NRC has raised concerns, however, "at sorte actions that might be taken could have unintended consequences,and that 3

., .o. .

existing design and operational practices may not fully support the ability

.of the operating staff to take timely, beneficial actions. 7 These concerns arise from' the coincident recognition of the following points: ,

1. Existing designs and operational practices comprehansively address severe accident prevention, but they are typically based upon and validated against accident sequences that were not analyzed beyond the onset of core damage;

2. There is considerable uncertainty in the underlyiiig physical I phenomena of severe accidents, the information availcble to the operator under such conditions, and the impact of postuleted

mitigative actions; l 3. The actions required or available to the operator under severe accident conditions often involve trade offs of competing considerations that may make them difficult to improvise or even to carry out in practice; j 4. Initial investigations have identified specific situations (e.g.

' primary system depressurization prior to vessel failure) where ennancements to existing operating practices could lower the risk i

from severe accident::

d

5. New features incorporated in advanced PWR designs (e.g. provision for containment spray coolant makeup from ex containment) require well defined operator strategies and guidance before their overall impact on safety can be effectively assessed;

6. The severe accident capabilities afforded by the design should be j maintained over_the life of the facility.

l A SAMP provides the programmati'c mechanism for addressing the concerns l noted'above. By addressing these concerns, development'of a SAM will' reduce I the already low risks of advanced PWRs, reduce the uncertainty In the .

4 I .

I '

l calculated risk:, help ensure that the calculated risks remain low over.the life of the plant, and thus enhance the demonstrated acceptability of an ,

advanced.PWR design. ,'

• Other ARSAP topic papers have been written to bound related uncertainties in severe accident phenomena, particularly those affecting the potential for

, achieving a safe stable state assuming that core debris has relocated into containment. Examples include all of the topic papers in ARSAP Topic Set 2  !

addressing the Response to Severt Accidents (i.e., In vessel Hydrogen Generation, Core Melt Progression and Vessel Failure, Direct Containment 4 Heating, Containment Performance Hydrogen Ignition and Burning, and Debris Coolability - see Reference 5).

1 a Historical Persoective i

The nature of the safety issues being addressed by the commercial nuclear

! industry and NRC has changed over the years as new analyses or significant i events have served to focus attention on different aspects of operation or design.

i There have been two severe accidents at large scale nuclear powered

! generating stations: one at Three Mile island in 19798 and one at Chernobyl in 1986.9 Both were publicly reported as the accidents

) progressed, with considerable emphasis on the recovery approaches being l pursued and the uncertainties in the attainment of a safe stable state.

! Thus, both served to elevate the relative importance of severe accidents in

thn minds of the public, the regulators, and the nuclear industry. Further, j they reinforced the prudence of preplanning for recovery in the event of such an accident and supported the consideration of design and management

provisions that enhance the potential for recovery, particularly for new reactor designs where the impa.ct of design refinements is lessened since equipment fabrication and plant construction have not begun.

l .

i

s i

Yv

Since TM!, both the NRC and the industry have undertaken and continue to l pursue major programs to improve the ability of nuclear plants to prevent and mitigate the< consequences of severe accidents. Their recent work,' portions of which are sumari:ed ~below, .will be used to guide the ARSAP approach for addressing accidunt management.

NRC Efforts l

Subsequent to THI, the NRC focused attention on research and regulation  ;

associated with multiple failure accident sequences that progress beyond the design basis and involve inadequate core cooling and associated fuel damage.

As described by the NRC, "emphasis shifted from providing safety by relying on the traditional design basis approach to a multifaceted approach which emphasized improved operations, human factors considerations, realistic performance of systems, and probabilistic risk assessments" (see Reference 2). The NRC's THI Action Plan 10,11 defined a wide spectrum of design and operational improvements to prevent and, if necessary, cope with severe &ccidents, including improved symptom based emergency procedures, enhanced instrumentation, and computerized decision-support systems.

The NRC initiated efforts after THI to improve emergency procedures.

Guidelines for the preparation of these revised procedures were provided in NUREG 0899.12 The NRC requirements set forth in this and other documents focus on proceduralized operator responses for preventing or limiting core damage. The requirements did not explicitly address procedures for operator

, actions once significant core damage or containment failure had occurred. ,

Accordingly, in parallel with the research efforts noted above, the NRC requested Battelle's Columbus Laboratories to evaluate the feasibility and value/ impact of extending emergency procedures further into the severe accident regime. The resultant report, NUREG/CR 4177, concluded that it would be both feasible and cost-beneficial to "develop procedures for l

operators to mitigate the consequences of accidents progressing past the onset of core damage."l3 i

=

'6

The NRC also initiated the Severe Accident Research Program (SARP) after the TMI accident to "provide the Comission and NRC staff the necessary technical data and analytical methodology needed to address severe accident

• issues." ('see Reference 2') The' initial ~ work in SARP was focused on developing a better understanding of the phenomena associated with severe accidents and consisted of a wide range of experiments and code development activities. The continued expansion of the accumulated severe accident data base has been guided by the NRC's Severe Accident Research Plan,I4 which provides for a number of supporting research efforts designeo to enhance the experimental and analytical basis for assessments of the risk of severe accidents. A key element of this Research Plan was the NRC's source term reassessment effort as documented in NUREG 0956.15 In 1985 following extensive interaction between the NRC Staff and the industry on severe accident issues, the NRC published its Severe Accident Policy Statement (see Reference 1). This Policy Statement concluded that generic backfits were not required to address severe accidents at existing plants but recognized the need to systematically evaluate individual plants to confirm that unique plant specific vulnerabilities do not exist. The Policy Statement also addressed means of demonstrating that a new design for a nuclear power plant is acceptable for severe accident concerns. The Policy Statement as applied to new plants will require a probabilistic risk analysis of new designs and "cost-effective reductions in risk from severe accidents."

All of these efforts supported the development of the initial draft of the Reactor Risk Reference Document (NUREG-ll50),16 which examined the severe accident frequencies and risks and their associated uncertainties for five licensed nuclear power plants. The results, models, and data of NUREG-ll50 have been and will be used as they are finalized by the NRC to develop guidance for accident management strategies. They will also be used to characterize the importance of plant operational improvements, the risks of certain actions, and areas potentially requiring further attention.

1

In an effort to extend and apply the research on the management of severe accidents, the NRC undertook an examination of one particular accident management strategy -- the venting of a.8WR MARK I containment under specific postulated severe accident conditions. The results were reported in 2 NUREG/CR 4696.17 The central issue in the examination was whether venting ,

is an effective means of preventing or mitigating the consequences of severe I

accidents for a particular reactor and containment design. The results

] showed that, for t h sequences evaluated, implementing this accident management strategy his the potential to lower radiological release by a l

factor of about ten to twenty from the rclease that would otherwise result following an uncontrolled containment overpressure event. In practice, however, the risk reduction potential was predicted to be limited by the 9

relatively low likelihood of venting being permitted. The results indicated j the potential value of defining accident management strategies, but also i concluded that additional modifications to plant design or operating practice may be necessary to allow these strategies to be reliably implemented in

practice.

1 The BWR Severe Accident Technology (BWRSAT) program at Oak Ridge National j Laboratory (ORNL) has developed ud incorporated several advanced models into its code suite for BWR severe accident analysis.18 These models include i representations of progressive core relocation and time dependent egress of i

core debris from the lower head. Application of these models in a short term .

blackout sequence, results in 35 percent of the core debris remaining in the i vessel as long as 7.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after bottom head dryout. These results are j controversial. If true, they show the importance of the addition of water 2 and demonstrate the potential for slowing the accident progression.

! . In June 1988, the NRC Staff presented its "!ntegration Plan for Closure

) of Severe Accident Issues" to the commission (see References 2 and 19),

l Closure of the severe accident issues for operating reactors will require the l performance of either an Indixidual Plant Evaluation (IPE) or a PRA and the implementation of an Accident Management Program by each of the licensees.

l l In the Integrated Plan, the NRC indicated that a generic letter will be l 8 i

i

issued in 1988 to initiate the IPEs. In this generic letter, the NRC will also inform the industry that they will be expected to develop and' implement a severe accident management program. In their Integration Plan, the NRC states that "significant risk' reductions can be achieved through effective accident management." Also" in 1988 the NRC staff plans to send to the Commission the plans for proceeding with its Accident Management Program.

Industry Efforts In parallel with and in response to the above regulatory activities, the ,

commercial nuclear industry has taken significant steps to enhance the operating staff's ability to prevent and respond to severe accident conditions.

The industry has devoted substantial resurces to the implementation of the THI Action Plan items. Many of these items addressed preventing and mitigating degraded core conditions. One of the many operational improvements that has been implemented by the industry since TMI has been the adoption of function based symptom-oriented emergency procedures by the plants. Each of the four vendor Owners Gr;ups produced guidelines for such procedures and the individual utilities have produced plant specific pre:edures based upon these guidelines. These procedures substantially address the appropriate actions for the prevention of core damage.

In response to the NRC't, 1980 Advance Notice on Rulemaking20, the nuclesr industry organized the Industry Degraded Core Rulemaking Program (IDCOR) in 1981. The mission of IDCOR was to perform an independent evaluation of the technical issues related to potential severe accidents.

IDCOR was supported by most nuclear utilities, architect / engineers, and LWR ,

vendors in the United States and by seven foreign countries. 10COR established the technical foundation for resolving the severe u.cident issues associated with operation of LWR nuclear plants. IDCOR concluced that the risk from severe accidents was small and that no requirements for major generic modifications to current design or operation were warranted.21 The

- 9

effects of various alternative operator actions on fission product release

~during hypothesized severe accidents were assessed, however, and such actions' were found to be beneficial 22- .

~

IDCOR continued'to represent the industry and work with the NRC to establish the basis for closure of the severe accident issue, including the development of a methodology for performing the IPEs required by the NRC. In June 1988, the successful 10COR Program was terminated and the responsibility for continued industry interactions with the NRC on severe accident issues was handed over to the Nuclear Management and Resource Council (NUMARC).

One analysis performed by the Industry begraded Core Rulemaking Program (IDCOR) addressed safe stable states and determined the capabilities of existing plants for recovery during hypothesized severe accidents.23 10COR developed simplified models, with corresponding success criteria, to assess the potential for successful recovery during various stages of a severe accident progression. The chosen stages resulted in consideration of an essentially intact core, of a severely degraded core within the original core boundaries, of core material relocated to the vessel lower head, and of core debris relocated to containment. Each model involved two elements: one addressing the time required to quench overheated core material in the event that recovery actions supplied water to the beundaries of the affected region; and a second addressing the time required for progression to the next stage based on the mechanistic attack of support structures by the remaining overheated or molten material. Quenching of the entire overheated region prior to progression to the next stage assured a safe stable state, if an adequate ultimate heat sink was available.

Scaled experiments with simula A materials were evaluated by 10COR to calibrate the quenching models. 'hese experiments addressed quenching and debris coolability for various gtometry and blockage configurations. Once the models.had been incorporated into the MAAP code to afford an integrated event analysis capability,24 Three Mile Island accident data were also used to validate the'models. In assessing the attack on adjacent structures-10

(e.g., the core support structure and the reactor vessel), IDCOR considered material weakening due to high temperatures, oxidation, and ablation (melting) of..the structures. Both chemical e'norgy (e.g., from oxidstion reactions) and the decay heat of the core materials were modelled.

IDCOR concluded that, for "essentially intact" core configurations, ample flow passages assured high quenching rates and recovery was achievable. For more severely damaged cores, certain sequences also afforded significant time for recovery; the system pressure, the available quenching area and the criterion for core support failure were significant uncertainties. Once core material relocated to the vessel lower head, however, the simplified model predicted accumulation of overheated or molten material prior to sudden vessel attack; vessel failure was predicted prior to quenching so no stable state was credited at this stage of the accident progression. This result was not dependent on the configuration of lower vessel penetrations. A safe stable state in containment was predicted by IDCOR for relocated core debris, provided that sufficient water was available to immerse the debris and a means for containment heat removal (such as fan coolers) was available.

The Electric Power Research Institute and the Department of Energy are supporting a major investigation of the THI 2 accident. As a result, considerable information is becoming available to support improved understanding of badly damaged cores and subsequent efforts to arrest an accident. A summary of the core damage progression during.the THI-2 accident has been presented by DOE, based on the latest available data from the ongoing destructive examination and corresponding analyses (see References 8, 25). The major physical mechanisms hypothesized to have controlled the core damage progression include the formation of a coarse debris bed, relocation and freezing of a metallic lower crust, and long term quenching of debris in the core region and lower plenum. Interaction of coolant from the B-pump star't (74 minutes) with the upper fuel rod remnants resulted in fracturing and formation of the upper core debris. Continued heatup of the degraded core (200-224 minutes) resulted in a large molten region within the core.

11 i

Major core relocation occurred as a. result of local failure of the crust in the East quadrant due to thermal attack'or stress-induced failure (224

~

minutes). The upper core debris settled intn the molten core zone as molten -

core material flowed . int 6 the lo'wer plenum region and onto tfie core former/ baffle plate. The relocation of molten material apparently resul'ted in a more coolable geometry. The upper core debris and lower plenum debris can be concluded to have been quenched following relocation and were likely cooled in a matter of tens of minutes after the major relocation event.

Several analyses have been performed to enhance understanding of the melt relocation behavior and damage to the TMI 2 vessel components.26,27,28,29 Additional examination of inlet plenum structural components will be required to characterize the degree of attack upon the vessel wall. The observed large particle size of the debris in the inlet plenum and the degree of subcooling prior to fuel relocation appear to have been significant factors in the establishment of a safe stable state.

Many individual utilities have initiated PRA Programs since TMI and have examined many plant-specific severe accident issues (see References 30 and 31 as examples). Some utilities have performed IPEs as part of the demonstration phase of 10COR IPE Methodology development program or in anticipation of the NRC's generic letter (see, for example, Reference 32).

Because of concerns expressed by the NRC over the ability of MARK I containments to respond to severe accidents, many utilities that operate BWRs with MARK I containments and the BWR Owners Group have looked at the risk of severe accidents at such plants and potential risk reduction measures.33 These risk reduction measures have included the definition of accident management strategies (e.g., containment venting) and the means to implement such strategies.

The BulROG Severe Accident Applicability Review 34 examined the ability of the latest BWROG Emergency Procedure Guidelines (EPGs) to provide guidance to the operator under severe accident conditions. This study identified some 12

post core melt accident management strategies that could be developed or extended from existing EPG steps to further enhance mitigation of postulated core melt progression' scenarios'. Potential. enhancements'to existing guidance -

focused on a) the use of alternative or additional symptoms to ' trigger action under particular severe accident conditions, 'b) the actuation of drywell sprays using external sources of water, and c) containment venting.

The BWROG Review also pointed out the possible competing risks associated with implementing some of the proposed accident management strategies. For example, drywell spray actuation designed to quench material as it leaves the vessel may cause a harsh environment, leading to inoperability of the safety relief valves and subsequent repressurization of the vessel. The Review also described considerations associated with practical implementation of these strategies. For example, some actions may need to be taken in remote locations in adverse environments or require information from instrumentation that may be adversely affected by the accident. These considerations will need to be effectively addressed in any accident management program to ensure that the effort actually results in safety enhancement.

The industry is currently committed to defining the appropriate scope and content of an accident management program for existing nuclear plants in response to the NRC's requirements. NUMARC, working through EPRI is expected to produce a draft program description for industry comment and ,

review in 1988. The NUMARC NRC interaction for existing plants mav impset the following ARSAP issue resolution for the advanced PWR; however, such an impact is not expected due to the unique circumstances of the advanced PWR (i.e., the flexibility afforded by addressing these considerations early in the design process, consistent with complying with the general requirement of the NRC Severe Accident Policy for design enhancements for advanced plants -

(see Reference 1)).

e 13

Ighnical Acoroach to Resolve the issue for the Advanced PWR The.resolutiorrstrategy will be to develop a SAMP (Severe Accident

• Management Program) that relies on updated emergency response guidelines for the prevention of core damage and that addresses the mitigation of the effects of any damage that does occur by defining the strategies and means to plan, achieve, and monitor recovery to a safe stable state. The steps to be taken to implement such a program for the advanced PWR include:

1. Address severe accident prevention through updates to the appitcable emergency response guidelines;

2. Establish certain safe stable states as the operational goals of a SAMP for advanced PWRs;

3. Define strategies consistent with intended design capabilities to minimize radiological releases by accomplishing the safety functions required for successful recovery at each target safe stable state;

4. Identify potential recovery actions to fulfill the strategies for specific event sequences; determine and document the context for each action in a "severe accident management data base";

5. Evaluate the identified actions for representative event sequences, select those actions that will be taken, define the parameters for each selected action (e.g., time available, indications, expected responses), and document the selection basis in the data base;

6. Evaluate the proposed plant design to ensure adequacy in supporting reliable, effective performance of the selected actions;

7. Identify appropriate changes to Emergency Response Guidelines (ERGS) and develop accident manage' ment outlines to ass'ure implementation of the selected actions in an appropriate decision framework; and 14 e

8. Define provisions to institutionalize the severe accident management program at each advanced.PWR facility.

Each of these eight actions is described in more detail below.

1. Provide Uodated ERGS for the Advanced PWR The NRC's Severe Accident Policy Statement requires that advanced PWRs comply with existing regulations.(see Reference 1). One element of that compliance will be the production (typically through updates of existing guidelines) of ERGS that reflect the design features of the advanced PWR.

These ERGS, like the corresponding ERGS for existing plants, will address the appropriate operating staff resoonses to prevent severe accidents.

Throughout th3 ensuing-develo.nment of the SAMP, further refinements of these updated ERGS will be defined as appropriate,

i. Establish certain Safe Stable States as Ooerational Goals Mitigating the consequences of a severe accident involves defining and taking actions that transform the plant from a disturbed state in which key safety functions are not t.Mg satisfar.torily fulfilled to a safe stable state in which performance s acceptable. To apply means ends problem solving techniques in determining such actions, the target states must be defined in an operational manner.

The highest priority is to maintain the core in its as built configuration; this is the objective of accident prevention as addressed in Step 1 above. In the event the core is damaged, however, three target st;tes will be considered with respect to severe accidents for the advanced PWR, Each will be made operational by defining the transitions between stages, the phenomenology applicable to each stage, and the engineering criteria for successfully establishing each stage.

15

e, t =

A. The target safe stable statest given the onset of core damage, have been

. chosen to include the following stages in the progression of severe accidents without recovery:

l o The firs', state to be considered involves core material within tho I

original core boundaries. The corresponding stage of an event

) progression is initiated when the core integrity success criterion is exceeded (ARSAP Topic Paper 3.2 Jefines this threshold as 2200'F) and it ends when material relocation violates the c. ore boundary.

4 o The second stage to be considered involves significant relocation of l core material within the vessel -- typically to the vessel lower j head region. This stage of an event progression ends with the l failure of the reactor vessel.

I.

t o The third and final stage to be considered involves core debris relocation to the lower cavity floor. Recovery will successfully establish this safe stable state, if quenching and debris coolability are established in the cavity, if containment heat removal is adequate, and if coolant inventories or sprays limit fission product inventories that might be released.

B. Identify and characterize the controlling phenomena and the corresponding uncertainties that are significant, if recovery is to interrupt an event progression at each stage and establish a stable state. The output of this effort will be a list for each target stable state of the phenomena and corresponding uncertainties that are significant to the unrecovered event progression or to the recovery of functional capabilities. The list will be revised, as necessary, when the analyses in the following

, step are performed.

The phenomena signif'icant to plant recovery are those that determine the impacts'of both the unrecovered event sequences and the expected recovery actions on the likely fulfillment of the' principal safety functions that 16

relate to safe stable states. Based on prior evaluations, recovery actions of interest will focus on providing coolant to immerse the core or core debris, facilitating decay heat removal and radioactivity control. Predicting, and perhaps limiting, the resulting hydrogen production is important to assure containment integrity; forestalling vessel failure can limit challenges to the containment. The controlling phenomena and the corresponding uncertainties that are significant for recovery (either by aiding or impeding it) in each configuration will be determined by ARSAP through a review of base case and sensitivity studies with the improved models for core melt progression and vessel failure in the MAAP code (as discussed in ARSAP Topic Paper 2.2).

C. Define the engineering parameters for each target safe stable state that determine both the promising recovery tactics and the potential for their success. The output of this effort will be estimated ranges for the engineering parameters that define the window for effective recovery, including: the time available before progressian to the next stage; necessary flowrates for coolant makeup (based on the applicable core quenching rate); the required delivery pressure (based on expected reactor coolant system or containment pressure); and the state of unoxidized metallic material (temperature, location, and geometry).

The engineering parameters for c:ch :tage (i.e., potential safe stable state) that are likely to determine both the promising recovery tactics and the potential for their success will be determined by ARSAP through a review of representative analyses and sensitivity studies that are being performed for one particular advanced PWR, the System 20+.

In sumary, this step in the development of a SAMP defines three activities that will establish c' ruin e safe stable states as the operational goals of the SAMP for advanced PWRs: (a) defining target safe stable states and the conditions that determine transition from one to the next; 17

(b) identifying and characterizing controlling phenomena and the corresponding uncertainties that are significant for recovery to each state; and (c) defining the eng'inee' ring parameters for each target state'that determine both the promis.ing recovery tactics and the potential for their~

success. ,

3. Define Strateoies for Recovery at Each Taraet Safe Stable State Drawing upon the results of the preceding step, for each target safe stable state, strategies will be defined that are consistent with intended design capabilities to accomplish the safety functions required for successful recovery and thus to minimize releases of fission products. The principal safety functions for severe accident management are:

o Reactor pressure vessel pressure control o Damaged core or debris cooling and heat removal control o Combustible gas control in containment o Containment pressure / temperature control o Radionuclide release mitigation and path control.

For each target state, alternative strategies will be listed that are feasible given the plant design for fulfillment of those functions that are required for recovery. For exa;;;plc, . ith the c::: intact, restoration of ,

installed coolant makeup capability to satisfy the corresponding engineering criteria for success would be one strategy for cooling the damaged core; at the same time, passive accommcjation could be a strategy for combustible gas control that is compatible with the design intent.

. The strategies will support development of the SAMP for each of the identified safe stable states in accordance with the following guidelines:

o The first stage considered involves core material within the original core boun'daries. Effective recovery actions for this stage will be addressed during development of the accident management program; these actions are expected to be an extension of provisioris l

18 l

}

. .. . i made in the aadvanced PWR design and the corresponding emergency response procedure guideljnes to minimize the risk of core. damage l

(' prevention).. Should prevention efforts fall short, recovery at this stage.with minimal. core damage is a significant possibility.

~

i In any case, vigorous pursuit of coolant restoration using existing equipment (and instrumentation) is likely to terminate the accident at this stage and to minimize the release of fission products.

o The second stage considered involves significant relocation of core material within the vessel - typically to the vessel lower head .

region. 10COR did not predict that a safe stable state could be achieved at this stage and it is unlikely that transition from the  !

first to the second stage could be reliably detected. The focus for l the advanced PWR will be on updating the 10COR evaluation based on [

improved models; recovery efforts will emphasize coolant l

restoration, whether the new models predict stability or not, f recognizing that recovery was successful at TMI at this stage and {

that coolant will mitigate any further fission product releases.

These recovery afforts are again expected to be guided principally l by emergency operating procedures, with appropriate sxtensions, t o Ouring both the first and second stages, recovery efforts will have i a second thrust: the utilization of the safety related  !

depressurization system provided for the advanced PWR. These 1

4 recovery efforts will initiate a transition from responses guided '

principally by extended emergency operating procedure outlines to [

j recovery efforts guided by new accident maugement outlines (to be  !

l developed in Step 6 below). Should analyses addressing recovery  !

) efforts, depressurization, and control of both comoustible gases and (

! fission products for these stages of hypothesized severe accidents  ;

identify design refinements affording significant safety benefits. l they will be considered for the advanced PWR and the basis for a (

l

! decision on their incorporation will be documentad. I t

i

! l l 19  !

I f I

l

(

o The third and final stage considered involves core debris relocated to the lower cavity floor. The design approach for this stage includes a commitment to demonstrate deterministically, to the - -

degree of.assuran'ce appropriate for accidents as improbable as severe accidents reaching this stage, that the advanced PWR design affords sufficient features to assure the attainment of a safe stable state in containment and the effective m'itigation of fission product releases following vessel failure. Recovery provisions for this stage will address, cavity flooding and the control of containment parameters. These provisions will be include') in the accident management outlines.

In summary, this step in the development of a SAMP defines strategies for fulfilling the principal safety functions that are consistent with overall guidelines for each of the safe stable states. The overall guidelines are based on the design intent and the available severe accident technology.

4. Develoo a Data Base To include Potential Recovery Actions In this step, the information required to select the appropriate operator responses to severe accidents will be collected, evaluated, and documented.

The results and supporting information from available severe accident analyses, completed NRC research, and foreign accident management experience will be used, together with insights from the PRA for the subject advanced PWR, in producing this severe accident management data base. 'This compendium of severe accident knowledge will include information concerning the role of the operator under severe accident conditions, the prevailing plant conditions when operator response is required, and the information available to the operator under such conditions. The production of this data base will center around a sequence review as discussed below.

Drawing upon PRA' analyses performed for the advanced PWR, representative severe accident sequences will be reviewed in a walkthrough to determine both

' opportunities. and alternative actions available that might ' promote recovery '

and'the control of fission products by effecti.ng an identified strategy for 20

, .o ,

A I one or more functions. To do this, the reviewers will pause at each

j. significant development in the accident sequence and consider potential responses in the current context. Their consideration will address:

]

A. The adequacy of the guidance provided to the operators by the i current emergency procedure guidelines. Key quest, ions that will be j asked at each decision point are

2

) o Do the EPGs provide guidance under the postulated severe j accident condition?

I

, o Is the guidance appropriate (i.e., will performance of the l indicated actions accomplish the desired function)?

J o Will the operator have access to the information needed to

{

diagnose the situation and take the indicated actions?

o Will environmental conditions allow the actions to be taken?

j o Are there additional actions that the operator could take that I would further implementation of the strategies from the preceding step or otherwise more effectively mitigate radiological releases?

I i B. Guided by the PRA event trees, the reviewers will develop a logical i

depiction of the various roles of the operator under severe accident conditions (i.e., represent key operator decisions as nodes in event tree segments developed to illustrate the context for each l

decision). Thus, while the PRA event trees logically depict how the l

i important severe accident sequences can occur and progress from a system oriented perspective, the set of ' Accident Management Event l ,

l Trees' will highlight and logically depict the role of the f operations staff in severe accident management, thus providing an importar,t component of the accident management data base, i . .

'21 1

I

C. The documentation of the important information concerning operator response at each key point in the progression of each sequence. The Accident Management Event Trees will define the key points in the progress. ion of the important severe. accident sequences; At each ,

such point, the following information will be documented in summary fashion:

o The functional objectives, potential conflicting objectives, and priorities of the operating staff's actions; o The decisions that the operator must address to achieve the critical functions (i.e., implement the strategies for fulfillment of the functions) and the alternative operator actions identifiedi o The status of key plant parameters at the time of diagnosis and action, including the availability / reliability of instrumentation at these times; and o Any assumptions made and conclusions drawn concerning plant response and physical phenomena as::c44ted with severe accidents.

The accident management trees and the entire accident management data base will be structured around the critical safety functions as defined in Step 2.

5. Evaluate Alternative Actions and Document Selections The next step is to select specific actions to be taken, if any, where alternatives have been identified in Step 4. Selection will be based on review of the information documented in the data base and of the available deterministic analyses from the PRA and related studies. Where necessary, '

additional analyses will be performed. The following guidelines will govern the selection of respontes:

22

o All identified alternative operator actions will be considered; o Uncertainties.and potential unintended consequences of each action -

will be weighed; ,

o The reliability of the desired response, given the time available and the plant design (see also Step 6 below), will be considered -

and o Specific recovery actions will be selected only if the projected benefits in terms of the ultimate control of fission prcduct releases clearly outweigh potential rinks or adverse effects, without accepting significant though improbatle risks to obtain less significant benefits.

The data base will be updated to record the decisions made in this step and their basis. The subsequent steps, which may entati some iteration with the above steps, ensure that the design for hardware and instrumentation, the procedure guidelines, and the future implementation of the program are consistent with reliable performance of the selected recovery actions.

6. Evaluate the Procosed plant Desion to fnsure Adecuaev This step provides a more complete review of the capability of the existing design to support implementation of the accident management strategies and recovery actions defined through the preceding steps.

Potential design improvements are developed in this step and adopted where appropriate to facilitate the implementation of the selected recovery actions

, and, hence, the underlying strategies to accomplish the safety functions and limit the release of fission products.

+ Drawing upon the information base developed in Step 4, the decision framework in Step 7 below, and the provisions for institutionalizing the SAMP in Step 8, an evaluation will be performed that is akin to a task analyses of the. recovery actions selected in Step 5. The evaluation will identify potentia 1' improvements in the following areas:

23

4 o Man machine interface improvements. including modifications o- l 2

additions to the instrumentation, control room design features, or- [

' operator. decision ~ support equipment (e.g., new applications for .

(

, personal computers); .

I o Plant system hardware design improvements including modifications to [

the design that obviate the need for difficult operator actions,  !

that make implementation of specific actions easier (e.g., remote actuation of valves, additional shielding, etc.), or that allow  ;

specific actions to be taken (e.g., add vent paths); and  !

o Refined recovery action definitions that more accurately address  ;

1 existing hardware and instrumentation capabilities. l o Equipment that should be added to or deleted from the list of l

]

! equipment subject to a survivability evaluation as discussed in  !

! ARSAP Topic Paper 4.1.35 [

i i

The potential improvements will be reviewed and those that are effective i f and necessary to promote recovery will be incorporated into the design. The ,

I severe accident management information data base will be updated. I 1

[

t

7. Define Imolementation Software in an Acerceriate Decision Framework l

j -

L

An advanced PWR owner / operator should have the flexibility to designate l the technical support organization as the focal point for the severe accident l f

! management expertise that is focused on recovery. Adequate time is available

}

prior to initiating these mitigating actions to assemble the technical l i support staff, which can include personnel with an in depth background and f understanding of severs accident phenomenology.36 The advanced PWR SAMP is f f

! thus structured to separate those recovery related tasks that, by their  :

i .

. nature, could be coordinated by the technical support staff into separate f accident management outlines. Other related tasks (including preventive p act-ions), too urgent for technical support rvsponsibility or necessary to I l  !

l i l l 24 f

l t

I h

ensure coordinition with the recovery tasks that are already in the ERGS, are provided in updates to the emergency response guidelines. A plant owner / operator will then have t'he option of using them separately as' written or combining them for impl'emen'tation into acre comprehensive emergency response procedures.

For those situations where the existing ERGS are deemed inadequate or could be beneficially enhanced, specific niew guideline steps or instructions will be developed. Such development will include the following: ,

o Re/iew of the functional goal of the underlying strategy, any possible competing functional goals, and the operator's priorities; o The selected actions to be taken by the operating staff and the criteria for taking the actions;  ;

o The information necessary to determine the need to take these l actions and to verify the effectiveness of the actions; and o The responsioility for taking the sction.

5 The proposed revisions will be reviewed to ensure that no ambiguities are inadvertently introduced.

For those situations involving new considerations unique to severe

accident recovery and suitable for technical support center coordination, new j accident management outlines will be develored that are similar to the ERGS.

4 The rw:overy actions that are selected in Step 5, verified to be possible i

given hardware designs (Step u), and implemented through the procedural outlines (this step) may be appropriately factored into tae advanced PWR PRA [

1 model: at part of the best estimate plant response.

I l

25

8. Provide for Owner /Ocerator Imoletentation

. While the preceding steps address the development of the $ AMP, implementation by a plant owner / operator will also be necessary to ensure recovery should a severe accident ever occur. Fu-ther, severe accident technclogy will evolve over the life of a facility and updates to the selected severe accident recovery actions may be anticipated. To facilitate these future actions, the SAMP will include provisions and be documented in a .

fashion conducive to implementation and updating by the owner / operator.

The severe accident management information base developed in Step 3 includes the necessary provisions and documentation to facilitate the transfer of responsibility for it to an owner /opcrator. In particular:

o the selected recovery actions are developed through a rational process using a hierarchy of safe stable states, functions, strategies and responses supported by documented analyses; o the problem being solved (i.e., the safe stable state goals) is defined separately from the proposed solution (thn SAMP),

facilitating the assessment of the impact of any new information; o the bases for key decisions in the program are documented, as well as the alternatives not selected and their bases; o the broader context that must be considered for effective response implementation is addressed (e.g., phenomenological uncertainties, hardware capability, instrumentation, task analysis, human factors, environmental considerations, decision responsibility); and o the data base will be documented in an updatable format.

Given these provisfons in the data base, an advanced PWR owner / operator will be able to develop guidance.and training materials for assigned personnel. They will also be able to assess the applicability of new 26

g .'

• research and development information, focussed on the relevant phenomenological uncertainties, and appropriately update the data base, the selected recovery actions, or the accident management strategies defined in Step 3. It would also be possible to determine if any cost beneficial modifications to plant system hardware design or the design of the man / machine interface were appropriate in light of the new information.

Summary and Conclusion The NRC has stated that the performance of severe accident management will contribute to their acceptance of the PRAs performed for operating plants in response to the Severe Accident Policy, and that adequate capability in this area will be required of operating plants to obtait closure of the severe ac:ident issues. The advanced PWR design applicants propose to develop a Severe Accident Management Program to complement probabilistic and deterministic analyses in establishing the severe accident capabilities of their proposed designs.

The resolution approach comits to the development of such a program.

The approach takes credit for updated smergency responsa guidelines to address the prevention of severe accidents. To address mitigation in the extremely unlikely event that a severe accident does occur, the approach first develops safe stable state goals and then proceeds to develop functional recovery strategies, recovery action options, preferred recovery actions, complementary design enhancements, corresponding procedure outlines, and documentation facilitating future owner / operator implementation.

Implementation of this Program will ensure that the advanced PWR design and operational interfaces support effective accident management and ensure recovery to a safe stable state should a severe 1ccident ever occur.

27

REFERENCES '

1. U.S. Nuclear Regulatory Comission .(NRC), Policy Statement on Severe Reactor Accidents, Federal Register, Volume 50, p.32138, August 8,1985.

2. USNRC, Staff Briefina to the Comissioners on Master Plan for Intearatina All Severe Accident Issues, June 2, 1988.

3. Nuclear Safety Analysis Comittee, Mitiaation of Small Break LOCAs in Pressurized Water Reactor Systems, NSAC-2. Electric Power Research Institute, March 1980.

4. Industry Degraded Core Rulemaking Program (IMOR), Ooerator Reseense to Severe Accidents, IDCOR Technical Report 24.4, Atomic Industrial "orum, December 1984.

5. Advanced Severe Accident Program (ARSAP), ALWR Severe Accident Issue _

Set 2 Resoonse to Severe Accident Conditions, Internationc1 Technology Corporation (!TC), February 1988.

6. ARSAP, ALWR Severe Accident issue set 5: Safety Goal Evaluatien, ITC, September, 1988.

7. USNRC, Accident Manaaement Research Proaram Plan, ORAFT, June 28, 1988.

8. E.L. Tolman, "THI 2 Accident Scenario 'Jpdate," Transactions of the Fifteenth Water Reactor Safety Information Meetina, NUREG/CP 0090, U.S.

Nuclear Regulatory Comissien, October 1987.

9. INSAG, lymmary Reoort on the Post Accident Review Meetine___on the Chernobv1 Accident, International Atomic Energy Agency, Lafety Series No. 75 !NSAG 1, Vienna, Austria, 1986.

10. USNRC NRC Action Plan Develooed as a Result of the THI-2 Accideql, NUREC 0660. August 1980.

11. USNRC, Clarification of TMI Action Plan Re_cuirements, NUREG 07,7, November 1980.

12. USNRC. Guidelines for the Preoaration of Etercency Oceratina Procedures, NUREG 0899, August 1982.

13. R. DiSalvo, et al., Accident Manaaement: Persoectives on Manaaina__

Severe Accidents in Co mercial Nuclear Power Plants, NUREG/CR 4177,

, Volumes 1 and 2, 8atte11e's Columbus Laboratories. March 1985. l 1

14. U3NRC, Severe Accident'Research,,Procram Plan, NUREG 0900, January 1983.

15. _USNRC, Reassessment of Accident Source Term Evaluation Methods and Assu-otions, NUREG 0956, July 1986. ,

28 l l

c .; -

16. USNRC, Reactor Risk Reference Document, NUREG 1150, Oraft, February 1987.

17. D.' Hanson, et al., Containment Ventina Analysis for the Peach Bottom Atomic Power St Q ign, NUREG/CR 4696, EG1G Idaho, February 1987.

18. L. J. Ott, "Advanced Severe Accident Response Models for BWR Application,' Transactions of the Fifteenth Water Reactor Safety Information Meetina, NUREG/CP 0090, U.S. Nuclear Regulatory Comission, October 1987.

4 19. USNRC Intearation Plan for closure of Severe Accident Issues, SECY 88-147, Victor Stello, Jr. to the Commissioners, May 25, 1988.

20. USNRC, Advance Notice of Procesed Rulemakina. Severe accident Desian Criteria, Foderal Register, Volume 45, p.65474, October 2, 1980.

i

21. M. Fontana, The Industry Georaded Core Rulemakina Proaram (IOCOR) . ., ,An Overview, IT Corporation, Paper presented at the American Nuclear Society International Meeting on LWR Safety Assessment, Cambridge, MA, August 28 September 1, 1983.

22. 10COR, Technical Summary Recort - Nuclear Power Plant Resoonse to Severe AC.qid.tal.1, Atomic Industrial Forum, November 1984. ,

i

23. 10COR, Safe Stable States, IDCOR Technical Report 22.1, Atomic Technical Report 22.1, Atomic Industrial Forum, June 1984,

24. Fauske and Associates, Inc., MaAPf3.0) Modular Accident Analysis Procram. User's Manual,10COR Technical Report 16.2 3, Atomic Industrial Forum, February 1987,

25. S. Langer, Proceedinas of the First International Information Meetino on the THI-2 Accident, EGt,G Idaho, Inc., CONb 8510166, Octcber 19G5.

26. M. Epstein, First Order Modelina of the TMI-2 accident Conditions.

Fauske and Associates, Inc., October 1985,

27. A. W. Cronenberg et al., Thermal Interaction of Core Melt Debris with the THI-2_ Baffle. Core-former. and lower Head Structures, EG1G Idaho, Inc., EGG-TMI 7811. September 1987.

28. R. Moore, TM' ! Reactor Vessel Lower Head Heatus Calculations, EGG TMI-7784. EG1G Idaho, Inc., September 1907,

29. D. W. Golden, 'I'll 2 Analysis Exercise Phases 3 and 4 (174 Minutes to 300 Minutes) De'nonstration Calculation,' Transactions of the Fif teen *h._

,h Water Reactor Safety Information Meetina NUREG/CP 0090 V.S. Nuclear Regulatory Comission Nteber 1987.

30. Long Island Lighting u any, Shoreha9 Nuclear Power Station Probabilistic Risk Ast g , Occket 50 322. June 1983..

29

..  :.? *

31. Consumers Power Company. Bia Rock Point Probabilistic Risk Assesamf<nj. [

Docket 50 155, March 1941. *

32. . L'ong Island Light.ing Comp'any. Shoreham Nuclear Power Station In'diviquil' -

[

ElArt.,;q;1uation, Docket 50 322, April 1986, t

33. E. Burnts et al., Severe Ace' dent Containment Intecrity -- MARX I~

containments, Boiling Water lleactor Owners Group (BWROG), June 1987.  ;

34. D. Blanchard, et al., igyare Accident Aeolicabiljjy'of BWROG Emercancy Procedure Guidelines, BWROG, November 1987. l r

35. ARSAP, ALWR Severe Accident Issue Set 4: Essential Eauioment  !

Performance, ITC, June 1944; i

36. ARSAP, Technical Basis for the EPRf ALWR Raouirements Document Assumetion on Delaved Fission Product Release, July 1968.

I t

i l

1 l

l l

l 1

l I

k i

h O e F

30 l

f

!