LD-91-018, Forwards Response to NRC Request for Addl Info Re C-E Ssar Design Certification

From kanterella
Jump to navigation Jump to search
Forwards Response to NRC Request for Addl Info Re C-E Ssar Design Certification
ML20073J135
Person / Time
Site: 05200002
Issue date: 04/26/1991
From: Erin Kennedy
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
PROJECT-675A LD-91-018, LD-91-18, NUDOCS 9105080052
Download: ML20073J135 (49)
v  d  e


Text

__ _ _ _ . _ . _ _ _ . _ _ . _ . . . _ _ _ _ _ _ . _ . _ _ _ . _ _ . _ _ _ _ . _ _ _ _ . _ ,

d ABB ASf. A flROWN ttOVE Al April 26, 1991 LD-91-018 Project No. 675 Docket No.52-002 U. S. Nuclear Regulatory Commission i Attnt Document Control Desk Washington, DC 20555

Subject:

Response to NRC Requests for Additional Information

References:

A) NRC Letter, Reactor Systems " ranch RAls, -1 T. V. Wambach (NRC) to E. Kennedy (C-E), l dated December 24, 1990. I B) NRC letter, T. J. Kenyon (NRC) to-A. E.

Scherer (C-E), dated June 26, 1989.

l C) C-E letter, E. H. Kennedy (C-E) to NRC, I dated March 15, 1991.

Dear Sirst 1 The reference letter requested additional information for the NRC starf review of the Combustion Engineering Standard Safety Analysis Report - Design Certification (CESSAR-DC).

Enclosure I to this letter provides our responses and Enclosure II provides the_ corresponding revisions to CESSAR-DC. _ Responrattto questions 440.16-(parts a, b, c, d, f,g, l h, i, j) and 4 40.23 will be provided separately, i

CESSAR-DC' Amendment G submitted on April 30, 1990 responded to RAI 480.7 received via Peference B, but a statement to 1 that effect was not included in our Reference C responses. i The formal response to RAI 480,7 is,=therefore, provided herewith.

Question 480.7 Section 6.2 states: "Santainment Systems (To be revised'in _j Submittal Group F) ." Provide the revised Section 6.2. 1

-Response 480.7

-The. revised Section 6.2 was prcivided via CESSAR-DC Amendment G (April 30, 1990).

ABB Combustion Engineering Nuclear Power

- _ . -. - - - -- . - . O Comston Enone<9 N t' c H Rcgi - e ye( 688 1911 104u _ c_ _ _ 4._c_ _ i,

,10,,,00,,

PDR ADOCK 0,%4y0 9.0 f

_A _ _ _ _ __ _ _ _ . .

3 i

! l Should you have any questions on the onclosed material, please contact me or Mr. S. E. Ritterbusch of my staff at (203) 285-5206.

Very truly yours, COMBUSTION ENGINEERING, INC.

E. H. Kennedy 1 Manager Nucicar Systems Licensing EHK! mis Enclosures As Stated cc: P. Lang (DOE - Getrmantown)

J. Trotter-(EPRI) 3 T. Wambach (NRC) e n.

ry e=- +w - - -- e>-- - w q

Enclo0uro I to LD-91-018 RES NNSES TO REQUEST FOR ADDITIONAL INFORMATION, '

PLANT SYSTEMS BRANCil f

- -,m, -,,'y, , s.-s,,, ,--+w ,-m,. . . , . , - - --e ..g, ,, , . , . . - - , . - - - - - +>y- , - , , , - . . - - .,.

Quf11191L_4SL1D Section 1.13 of the SAR states that CESSAR DC will take into account severe accident acceptance criteria from EPRI AEWR & DOE ARSAP lopic Papers. The referenced documents do not provide staff acceptance criteria for severe accident issue resolution. Such criteria are documented in the staff Draft Safety Evaluation Report on Chapter 5 of the EPRI Requirements Document and applicable SECY Papers such as90-016.

The SAR write up should be clarified to show compliance with approved staff positions.

Reingn_se 440.lQ Combustion Engineering agrees that NRC staff guidance is provided in documents such as SECY-90-016 and its Staff Requirements Memorandum (dated June 26, 1990). Section 1.1.3 of CESSAR-DC was written before SECY-90-016 and, to avoid confusion over the reference to the ARSAp and EPRI programs, reference to those programs will be removed in a future amendment. Use of information from those programs will be implemented on a as-needed basis during the Staff's review of the System 80+ design.

- - - - - - - - - - - - - - ~ _ _ _ - - _ _ _____ __

l Ouestion 440.11 Section 1.2.1.3 of the SAR states that for multi plant sites, independence:of safety related systems is maintained between individual plants.- The ability to cross tie systems (between units) in an emergency may enhance safety system functional availability. Has this capability been-considered, and if so, what are the competing benefits and risk associated with such cross ties?

Egiponse 440.11 Standardization of safety systems is made simpler by eliminating cross ties between units. This eliminates the nce) to reanalyze the safety system designs for multi-unit sites. Moreover, compliance with General Design Criterion 5 is clear and unambiguous without cross-ties (see Section 3.1.5 of CESSAR-DC).

System 80+ makes use of redundant components within a division or redundancy in function with non-safety and safety systems where a significant risk improvement can be obtained, This level of redundancy.

l makes the incremental risk reduction from unit cross connects  ;

insignificant.

The System 80+ design can be used at a multi-unit site and any related issues such as cross-ties would be described in the site-specific Safety Aralysis Report.

p L

I+

L

1 i

l l

I l

l Q.uestion 44Q212 l l

Section 1.9 is identified as design interface criteria. No criteria are 1 specified. Identify all site specific criteria which an applicant will have to comply with, or indicate that no such criteria exist.

Response 440.12 Consistent with 10CFR52, site-specific features are not included in the System 80+ standard design. Conceptual descriptions are, however, provided in CESSAR-DC for the following: Offsite Power System (Section 8.2), Emergency Operations facility (Section 13.3.3.2), Operations Support Center (Section 13.3.3.3, see C-E letter LD-91-013 dated March 15, 1991), Laboratory facilities (Section 13.3.3.4, letter LD-91-013),

Decontamination facilities (Section 13.3.3.6, letter LO-91-013), Ultimate Heat Sink (Section 9.2.5), and Normal Heat Sink (included as part of the Condenser Circulating Water System, Section 10.4.5). Chapter 1 is being revised and the site-specific interface requirements will be summarized in Section 1.9.

i s

-.-,v ,

Ouestion 440.L3 With respect to Appendix B (Probabilistic Risk Assessment), identify all system and. component design assumptions utilized in the CESSAR-DC System 80+ PRA which are in systems beyond the 80+ design scope or if in the design scope, not yet developed in complete detail.

Propose a reliability validation program which will ensure that all_

assumptions which went into the PRA are satisfied by an as built plant.

Response 440.13 The following systems, not within the scope of the System 80+ Standard

. Nuclear Power Plant Design, are of importance to the Probabilistic Risk Assessment (PRA). Consistent with the requirements of 10 CFR 52, conceptual designs of these systems are presented in CESSAR-DC sufficient to permit the preparation of a PRA for the certified design.

Offsite Power System CESSAR-DC Section 8.2 Normal Heat Sink and intake Structure CESSAR-DC Section 10.4.5 Ultimate Heat Sink CESSAR-DC Section 9.2.5 As stated in CESSAR-DC, Appendix B, generic reliability data was used in the System 80t PRA. Component failure rate data was extrac*.ed from the "PRA Key Assumptions and Groundrules Document" (Appendix A to Chapter 1 of the EPRI ALWR Requirements Document). This data was supplemented with oata from WASH 1400, the NREP data base, IEEE Standard 500, and the NPRDS data base. (References are provid9d in Appendix B).

For the System 80+ PRA, the following values resulted for internal events:

Loss o f Of fsite Power . . . . . . . . . . . . . . . . . . . . . . 4035 events / year (EPRI)

Loss of Circulating Water System including Normal Heat Sink......................................... 0.06 event / year (EPRI)

Loss of Station Service Water System, including Ultimate Heat Sink

.................... ............................. 0.02 events / year For all other Systems within the scope of the System 80+ design, sufficient detail has been developed to permit the preparation of the PRA. Details of the assumptions used in the System 80t PRA are documented and available for discussion and/or review by the Staff, as necessary. Combustion Engineering expects to update the System 80& PRA towards the conclusion of the NRC's review to reflect any changes resulting from the review or to incorporate any design refinements.

Response 440.13 (Continued)

It w;11 be the responsibility of the owner / applicant to provide site-specific designs for the systems outside of the System 80+ scope of design that meet the reliabilities assumed in the System 80+ PRA or to ,

provide alternate justifications to the NRL. i It is Combustion Engineering's responsibility to assure that the System 80+ PRA accurately reflects the design presented in CESSAR-DC (including ,

any changes or updates incorporated prior to the Final Design Approval).

The validity of the System 80+ PRA is assured through the application of normal engineering methods and quality assurance procedures in the design process.

Combustion Engineering considers the pRA " validated" with respect to the as-built plant if the as-built plant conforms to the design as certified by the Commission. This is the role of the " Inspections, Tests, Analyses and Acceptance Criteria" required by 10 CFR Part 52. Thus, compliance with the Inspections, Tests, and Analyses and Acceptance Criteria" for the System 80+ design will constitute validation of the PRA assumptions.

With regard to individual components, the System 80+ PRA, as noted above, relies on broadly-based generic reliability information with appropriate error factors, it is C-E's judgment that the data is sufficiently conservative that components procured to current standards and which meet their specified performance requirements will be well within the overall failure rate assumptions. It is also C-E's judgment that, because of the redundancy and diversity of System 80+ components -and systems, the effect of single component unreliabilities greater than assumed is not significant It should be further noted that the System 80+ PRA explicitly models common cause failures (Section 2.4 of Appendix 8),

providing further assurance that the PRA will remain conservative relative'to as-procured components.

In summary, CE does not believe that a separate reliability validation program" is required. Nonetheless, it is expected that the owner / applicant will be provided with- the detailed assumptions used in the System 80+ PRA in' the event that he deems it necessary to specify desired component reliabilities in equipment procurement activities.

Ouestion 440.14 Table Bl.3-1 of Appendix B provides comparisons of severe accident frequency for System 80+ versus System 80. Recent scoping studies have indicated that events when not at power (i.e., shutdown) can provide a sigaificant risk contribution, llave these events been analyzed and incorporated into the PRA and if so provide relevant information in the summary table? If not evaluated, provide a schedule for submitting this additional analysis.

Resno_tw 440.14 As indicated in CESSAR-DC Appendix B, the System 80+ PRA was performed only for events initiated from full power conditions. C-E believes that such events constitute the most severe challenges to maintaining core integrity and are by far the dominant contributors to core damage frequency. Recent events at operating reactors have indicated a need to Lore fully consider potential events during shutdown conditions. The System 80+ design addresses these concerns through a series of design improvements, rather than through PRA analysis.

System 80+ design features that contribute to reduced risk from shutdown events include:

Four (versus two) mechanically independent High Pressure Safety injection Train System, to improve primary system inventory control under all shutdown conditions. (CESSAR-DC Section 6.3.2) four Emergency feedwater subtrains (one turbine driven train, one motor-driven train) and two condensate storage tanks (one for each steam generator). (CESSAR-DC Section 10.4.9)

An RCS Safety Depressurization System, sized to permit feed-and-bleed core cooling. (CESSAR-DC Section 6.7)

Interchangeable Containment Spray Pumps and Shutdown Cooling Pumps, providing increased redundancy and diversity for shutdown cooling. (CESSAR-DC Section 5.4.7)

- An in-containment Pefueling Water Storage Tank, eliminating the need for recirculation actuation valves and circuitry.

(CESSAR-DC Section 6.8)

- A non-safety grade Chemical and Volume Control System with the capability to inject borated water into the RCS in addition to the 4-train ECCS. (CESSAR-DC Section 9.3.4)

Safety-grade Service Water System and Component Cooling Water System. (CESSAR-DC Sections 9.2.1 and 9.2.2)

(

Response'440.14 (Continued)

An alternate AC power source (gas turbine), capable of powering safety loads, diverse and . independent from the two emergency diesel generators. (CESSAR-DC Section 8.3.1.1.5)

Offsite power supplied by either of two independent lines.

(CESSAR-DC Section 8.2)

Increased design pressure of the shutdown cooling system (from 600 psia to 900 psia) to provide additional assurance against overpressurization. Relief valves are located inside containment. (CESSAR-DC Section 5,4.7)

- No cross-tie between the Shutdown Cooling System and the Safety injection System, which eliminates inadvertent diversion of shutdown cooling flow due to pump and valve misalignment.

(Section 6.3.2)

- Nuplex 80+ Advanced Control Complex with the capability of mode-dependent alarm displays, which enables alarms to be prioritized and displayed according to the mode of' plant operation. (Section 18.7.1.5.5)

In addition, the System 80+ design includes features which address concerns related to mid-loop operation:

- A favorable Reactor Coolant System layout, including large, vertically-oriented suction piping for shutdown cooling that is connected to the bottom of the hot leg.

The Shutdown Cooling Auto-Closure Logic has been removed, eliminating the possibility of spurious operation.

-Dedicated, safety-grade instrumentation is being added to the

-design to assure reactor vessel level indication to the bottom of the hot' leg.

C-E believes that the combination of features listed above adequately reduces: shutdown risk for the System 80+ design and that a PRA would not provide additional insights. In addition, it should be noted that the EPRI PRA Groundrules and Key Assumptions Document, at this time, contains no methodology or criteria for consideration of events initiated-at shutdown conditions.

i l

l l

l Ouestion 440.15 (ATWS) 1 Provide discussion on any analysis performed relative to peak primary system pressure, fuel performance and radiological consequences following a limiting ATWS transient for System 80t design. As an alternative, i discuss the applicability of the previously performed analysis for CE plants to the System 80+ design.

Response 440.15 The System 80+ design complies with the ATWS requirements in 10CFR Part 50.62. Therefore, the ATWS event has not been specifically analyzed for the System 80+ design. However, analyses were previously performed for the System 80 design. Extrapolation of the System 80 results to System 80+ indicates that the consequences of an ATWS event for the System 80+

design would yield acceptable results. The reasons for this conclusion are as follows:

The peak pressure criterion used in the System 80 PRA (Reference 1) was conservatively set at 3200 psia (References 2 and 3). An analysis was performed to estimate the peak pressure for the ATWS event in the PRA.

This analysis was best-estimate in nature and was performed with various assumptions for feedwater, turbine trips, and MSIV behavior.

Additionally,, the moderator temperature coefficient was varied from -0.56 to -0.77 10' dRH0/*F. The peak pressures for these calculations ranged from 3186 psia to 3230 psia.

The System 80+ design features a larger pressurizer than System 80. A larger pressurizer mitigates the pressure excursion following the loss of the secondary heat sink during an ATWS event. The moderator temperature coefficients for the System 80+ and System 80 designs as reported in

-CESSAR-DC and CESSAR-F, respectively, are the same, for these reasons the peak pressure for the limiting ATWS event (loss of feedwater) for the System 80+ design is expected to be lower than that for_ System 80.

With regard to fuel performance and radiological consequences, Reference 4, Section 6, states that for the System 80 design:

"The-most severe radiological release from any C-E NSSS during any ATWS Event is well within the limits of 10CFR100."

and, "The long term coolable geometry of the fuel rods in any C-E NSSS is maintained following any ATWS since no event results in clad failure due to clad collapse, no fuel pins are calculated to approach incipient fuel melt, and no DNB condition is expected."

Due to the similarity of the design parameters in System 80t to those design parameters in System 80 which are important to ATWS consequences, a similar conclusion can be reached for the System 80+ design.

1 l

References for Response 440.15

1) Enclosure (1) - P to C-E Letter to the NRC, LO-88-088, " Base Level 1 PRA for the System 80 NSSS Design,' (Proprietary), January, 1988.
2) CENP-134-P, *C-E NSSS Owner's Response to NUREG-0460, Volume 4:

March, 1980," (Proprietary), October, 1980.

3) SECY-83-293, " Amendments to 10CFR50 Related to Anticipated Transients Without Scram (ATWS) Events," July 19, 1983, p. 25.
4) CENPD-263-P, 'ATWS Early Verification: Response to NRC Letter of I february 15, for Combustion Engineering NSSSs," (Proprietary), 1 November, 1979. I l

I l

I

L

! l l \

l i

l 1

Ouestion 440.16(e) (Shutd.own Spar _qtions) l l

NUREG-1269 identified that containment was open throughout the April 10,  !

1987 event at Diablo Canyon, and there were no procedures to reasonably l assure containment closure in the event of progression of the accident to l a core damage condition, Address this situation with respect to the 1 System 80+ design and the anticipated methods that will be used to

! operate the plant. Include such design considerations as the need for removal of the equipment hatch and improvements in the System 80+ design which facilitate rapid replacement of the hatch should the need arise.

Similarly address other containment penetrations and potential bypass

paths.

Response 440.16(e)

The NRC position on the subject of containment closure and plant procedural and design measures required to prevent and to mitigate the consequences of a Reactor Coolant System (RCS) overheating event during Cold Shutdown in preparation of and during Refueling was promulgated by Generic Letter No. 88-17, " Loss of Decay Heat Removal," dated October 17, l 1988. In this guidance, the NRC set a limit of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for Combustion l Engineering NSSS plants to establish containment closure, which constitutes isolation of all penetrations which could provide a- release path for radioactive material, should the RCS overheat and boil, in a

, shutdown, refueling outage plant condition, release paths are the l equipment hatch, the personnel locks, and any penetrations being tested I or maintained. The guidance of the NRC Generic Letter 88-17 allows each plant to establish procedures and conduct closure drills to demonstrate that the 2-hour closure requirement is achievable. For purposes of design certification, release paths such as the equipment hatch and personnel locks, will be designed to be closable within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The l owner / operator will be responsible for employing the guidance of Generic L Letter 88-17 to assure via procedures, drills, and administrative means l that all- containment release paths are closable within the prescribed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

l l

l l

l l

L

Ouestion 440.17 (Intersystem LOCAJ for future evolutionary ALWR designs, the design of the low-pressure systems connecting to the primary coolant system must be designed to withstand full RCS pressure to the extent practicable, for those systems that could not be designed to withstand full RCS pressure, evolutionary ALWRs should provide (1) the capability for leak testing of the pressure isolation valves (2) valve position indication that is available in the control room when isolation valve operators are deenergized and (3) high-pressure alarms to warn control room operators when rising RCs pressure systems and both isolation valves are not closed, in considering low-pressure systems connecting to primary coolant system, all elements of the low-pressure system should be included (e.g., shutdown cooling system, letdown system, charging system, safety injection systems, instrument lines, pump seals, heat exchanger tubes, valve bonnets, etc.).

Provide detailed discussion on how the System 80+ design satisfies the above staff requirements.

Response 440.17 This question was superseded by question 440.45 in an NRC letter dated February 15, 1991.

l l

.Q1w1 Liga 440.18 mvdroaen Gerwntion and Control)

In a letter dated August 2L, 1990, you have indicated that CE will I provide information to justify a System 80+* containment design '

consistent with the EPRI ALWR Requirements Document and NRC staff position on this issue. 1he System 80+ design includes a hydrogen ignitor system (control grade) to assure compliance with 10CFR50.34(f).

Provide detailed description and the results of the supporting analysis to address the issue of hydrogen generation and control for System 80+-

design. Discuss the availability and functionality of the ignition system under potential severe accident conditions; such as containment environment and initiating events such as station blackout. l Response 440.1Q The System 80t* hydrogen igniter system is designed to prevent the hydrogen concentration in containment from exceeding 10% by volume while accounting for 100% fuel clad metal-water reaction per 10CFR50.34(f).

The hydrogen recombiner system will prevent the hydrogen concentration in containment from exceeding 4% by volume per 10CFR50.44, 10CFR50.46 and Regulatory Guide 1.7 for design basis accidents. Refer to CESSAR-DC, Amendment I, Section 6.2.5 for description and analysis results.

Based on the design requirements of Section 6.2.5.1.2 and the materials described in Section 6.2.5.6, there is reasonable assurance that the igniters will operate in the expected severe accident environment and time span. See the response to Question 281.57 for an indication of a worst-case severe accident environment. The ignitors are powered from the Class IE 120 VAC Vital Instrumentation and Control Power System and will be powered by the emergency diesel generators during loss of off-site power. For loss of off-site power and a failure of the diesel

. generators to start or run, the igniters can be powered from the gas turbine generator or the station emergency batteries via DC-to-AC inverters.

i i

Question 440.19 Olich Pressure Core Melt E.iection1 Section 6.7.1 states that the Safety Depressurization system will provide a capability to depressurize the RCS in response to a severe accident scenario. The total rapid depressurization (bleed) flow is designed to provide the capability to depressurize the RCS from 2500 to 250 psia within one to two hours following a reactor trip and subsequent core damage from a severe accident.

Provide the following additional information:

I (A) What were the system objectives and success criteria for rapid RCS j depressurization during a severe accident scenario? l l

(B) Details on the emergency procedure guidelines (EPGs) developed for l rapid depressurization of RCS to prevent high pressure core melt ejection.

(C) Thermal hydraulic analysis performed to demonstrate that under the most limiting severe accident scenario, the success criteria will be met using the E0P's described in item (b). Provide a sensitivity study showing impact of venting timing and operator response to meeting the success criteria.

(D) What control room indications are used by the operators for a successful rapid depressurization operation during a severe accident?

Response 440.19 (A) The system objective is to provide a remote manually operated system that can rapidly depressurize the RCS during a severe accident (such as a total station blackout, including failure of the on-site alternate A.C. power sourcc, with additional system failures that cause a complete loss of secondary side heat removal capability) where the operator has determined a vessel melt-through will likely occur.

The primary function of the Safety Depressurization System (SDS) during this type of severe accident is to sufficiently lower the pressure in the reactor coolant system to a po;nt where the following objectives will be met:

1. Reduce the pressure in the RCS to a value which will allow actuation of the HPSI pumps and/or any low pressure systems that can facilitate delivery of water to the reactor core in the event that electrical power is restored or an engineered safety system becomes available later in the event;

Reinanse 440.19 (Contin _utdl).

2. Reduce the pressure in the RCS to a value which will allow delivery of the passive accumulators' inventory to the reactor core; and
3. Should the severe accident progress to the point of reactor vessel failure, then a high pressure core melt ejection will be prevented.

With regard to success criteria, it should be noted that the SDS will include rapid depressurization (RD) valves that have been sized to accommodate the use of the SDS for feed and bleed decay heat removal, as outlined in the response to question 440.22, and severe accident RCS depressurization. (See CESSAR-DC Section 6.7.1.2.1.C.4 and Section 6.7.1.2.1.C.10, Amendment 1)

Based on EPRI guidance, the SDS success criterion for a severe l accident that ultimately leads to a reactor vessel failure is to l verify that the RD valves are large enough to reduce RCS pressure  ;

from 2500 psia to 250 psia prior to vessel failure.

(B) The existing C-E Emergency Procedure Guidelines (EPGs) are provided in document CEN-152, Rev 03 and are written utilizing a success path philosophy. The EPGs provide guidance to the operator to maintain critical safety functions following a Total Loss of Feedwater avent.

The current EPGs address the " feed" and " bleed" process, if the plant utilizes PORVs, but they do not address the severe accident scenario. A supplement to the EPGs for System 80t will be developed prior to the final Design Approval.

(C) The current version of the MAAP computer code (MAAP3.00, Revision

16) was used to model the System 80+ reactor coolant system, the steam relief system and the IRWST. The MAAP code performed the thermal hydraulic analysis of the TLOFW event in which feedwater flow could not be restarted, coupled with no si flow for once through core cooling. Following the loss of all main and emergency feedwater, the reactor coolant system steadily progresses to the point where the primary safety valves lift and the secondary side heat sink is lost. From this point (assuming no additional operator action or recovery) the operator has a certain period of time whereby the Safety Depressurization System (utilizing the Rapid Depressurization valves) can successfully depressurize the system from 2500 psia to 250 psia before the reactor vessel fails and debris is introduced to the reactor cavity.

A sensitivity analysis was performed using the MAAP code to establish both the maximum and an optimum time for opening the RD valves to depressurize the RCS during the above mentioned severe accident scenario. This analysis indicated that if actuation occurs beyond approximately two (2) hours from the time that the PSV's

Response 440.19 (Continued) initially lift, the operator may not have sufficient time to depressurize the RCS to 250 psia before the reactor vessel fails.

A sensitivity analysis was also performed to determine an optimum time for opening the RD valves for the above mentioned severe accident. The analysis objective was to identify an optimum delay time for opening the RD valves from the time of initial PSV lift considering a balance between the following criteria:

1. A suf ficiently long delay should be allowed to conserve RCS insentory and to facilitate a late recovery of an enginetred safety system such as containment sprays or HPSI, and still be assured that RCS depressurization to 255 psia can be achieved prior to vessel failure;
2. Earlier actuation of the RD valves should be considered if it would significantly extend the ultimate vessel failure time (due primarily to time dependent RCS thermodynamics conditions and the earlier delivery time of the passive accumulators), and thus provide more time to implement on-site and off-site emergency plans.

The results of the analysis show an optimum actuation time of approximately 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> following initial PSV lif t considering these factors.

(0) For the severe accident, the following instruments are available to determine the success of the reactor coolant system depressurization:

Item CESSAR-DC Reference Degree of Subcooling Table 7.5-3 Core Exit Temperature Table 7.5-3 Reactor Vessel Coolant Level Table 7.5-3 RCS Pressure Table 7.5-3 Containment Pressure Table-7.5-3 Containment Atmosphere Temperature Table 7.5-3 In-containment RWST Temperature Table 7.5-3 SDS Temperature Table 7.5-3 It should be noted, however, that the above-listed instrumentation is not reouired for severe accident mitigation.

l I

Ouestien 440.20 (Ecuipment Survivability 1 Provide discussions on programs developed for equipment survivability applicable to System 80+ design in light of the staff requirements addressed in NRC SECY-90-016.

Response 440.20 in accordance with SECY-90-016 and the Staff Requirements Memorandum of 6/26/90, C-E understands that, for systems and equipment required only to mitigato severe accidents, the following criteria apply:

. The equipment needed to perform mitigative functions shall be identified.

. Equipment survivability will inclede consideration of the initiating event and the resulting environment.

. There shall be reasonable assurance that mitigative features will operate in the severe accident environment for which they are intended and over the time span needed.

. Mitigation equipment shall be capable of being powered from Class lE onsite systems and an alternate power supply.

Severe accidents shall not be considered a design basis. As such, the following criteria do agi apply:

. environmental qualification requirements of 10CfR50.49

. all aspects of 10CFR50 Appendix 8

. redundancy / diversity requirements of 10CFR50 Appendix A.

The program for accomplishing the survivability goal is outlined below:

A. Equipment required to survive until its functicn is performed is:

(a) Safety Depressurization System (SDS),

(b) Containment Spray System,*

  • To the extent that the CS system is required to prevent or mitigate design basis events, the requirements of 10CFR50.49 and 10CFR50 Appendices A and B apply.

Enponse 440.20 (Eouipment Survivability. Capt'd)

(c) Hydrogen Mitigation System (HMS) ignitors & cabling, (d) Reactor cavity flooding valves (holdup volume spillway valves & reactor cavity spillway valves)

This selection is based on the premise that the severe accident i results in a breach of the lower portion of the reactor vessel and corium dropping into the reactor cavity. One of the functions of the Safety Depressurization System is to prevent high-pressure core melt ejection. The remaining systems serve l to mitigate the consequences of corium in the reactor cavity. l Systems which support the listed systems are not exposed to the environments created by the severe accident.

B. The Safety Depressurization System is called upon to perform its required mitigative function prior to vessel failure. As such, the gross temperature, humidity and radiation effects due to molten corium in the reactor vessel cavity are not of concern. Operation of the SDS may, however, result in the discharge of highly radioactive fluid and will be considered in the procurement of the valves and operators.

The containment spray system has no components inside containment that could be exposed to a severe accident environment other than check valves, spray nozzles and interconnecting piping.

The HMS and the Reactor Cavity Flooding valves may be exposed to locally severe environments which will be considered in equipment procurement.

C. Equipment required to mitigate severe accidents will be located and/or protected to minimize the effects of the severe environment. Equipment procurement specifications will define the expected environmental parameters and the vendor will be required ta evaluate the expected performance of as-built equipment. Reasonable assurance of satisfactory performance will be based on available technical datar analyses, similarity to other components, and engineering judgment.

Question 440.21 (Testino of air-oEfrated valvet).

Recent experiences from operating reactors indicate that there are safety-related air-operated valves that fail to perform their designed safety function when the safety-grade air backup system (Nitrogen bottle) was used. This is because for some plants the air-operated valves are only tested with supply air connected to non-safety grade normal air supply system. Discuss the test program of System 80+ design in light of the above staff concern.

Eqsponse 440.21 It is and has been Combustion Engineering's practice to design pneumatic operated valves to fail to the safe position upon loss of electrical or pneumatic s3urces. Where this is not possible for active safety-grade valvac, local safety grade compressed gas service will be provided. The local compressed gas system will be designed to provide the gas at the flow and pressure necessary to operate the valve for its safety function.

Both normal and emergency sources will be tested prior to startuo.

Chapter 14, Section 14.2.12.1.136 will be revised to include a statement addressing testing of backup safety-grad.e gas systems for valves.

y - .,w ,

-r --- -e ev

l l

1 1

Onellion 440.22 In_ a letter dated August 28, 1990, you have stated that the initiation of feed and bleed decay heat removal on the System 80+ can be delayed for up to 30 minutes following steam generator dry out. Provide detailed discussion on the subject including the following: )

4 (a) What were the r.uccess criteria for feed and bleed decay heat removal on the System 80+ design?

(b) Discuss the emergency operating procedure (EOP) developed for feed  !

and bleed decay heat removal to achieve-successful operation.

Provide thermal hydraulic analysis performed based on the plant '

(c) configuration of the System 80+, to demonstrate that under the most limiting complete loss of secondary heat sink conditions, the success criteria will be met using the E0Ps described in item (b).

_(d) What control ;oom indications are used by the operators for a successful feed and bleed operation?

Response 440.22 .

I (a) The following criteria were used for the System 80+ design:

1. A single Safety Depressurization System (SDS) olced path, in 3 conjunction with two-of-four safety injection pumps, shall have '

suf ficient capacity to prevent core uncovery following a total loss of feedwater if feed and bleed is initiated immediately following the opening of primary safety valves. Analyses shall  ;

show a margin to core uncovery of at least two feet, using best estimate methods,

2. The SDS bleed paths shall have sufficient total flow capacity

-(both bleed paths) with all safety injection pumps operating to prevent core uncovery following a total loss of feedwater if feed and bleed is delayed un to 30 minutes from the time primary safety valves lift. Analyses shall show a margin to core uncovery of at least two feet, using best estimate methods.

(b) A System 80+ supplement to the Emergency Procedure Guidelines-is being. developed.- In the meantime, a comparison was performed between the event scenario considered for the System 804 analysis and that in the existing EPGs (Reference 1). The comparison shows that if the steps of the Reference 2 procedure were applied-to the System 80+ analysis, the consequences would be more favorable than those described in (c), below. Therefore, the EPGs for System 80s are expected to be similar to those in Reference 1.

ikiP.ojse 4402_(102LiguMi l The difference between the System 80+ analysis assumptions and the steps identified in Reference 1 are:

1. In the System 80+ analysis, all control systems are assumed to be inoperable, whereas in Reference 1 their operation was assumed.
2. In the System 80t analysis, once through cooling was delayed for approximately 30 minutes after steam generator dryout whereas in Reference 1 it is initiated prior to steam generator dryout. This delay was required to address the criterion in (a) above.
3. In the System 80+ analysis, safety injection flow was assumed to be automatically actuated, whereas in Reference 1, safcty injection flow was manually actuated. Automatic actuation delays the entry of safety injection flow into the RCS.

(c) An analysis of the total loss of feedwater event was performed using a realistic version of the CEFLASil-4AS code (Reference 2, Section 3.2) in order to size the SDS bleed valves for use as a decay heat removal mechanism, Best-estimate decay heat values were assumed in the analysis.

The TLOFW event analyzed was initiated from hot full power conditions by terminating all feedwater flow to the secondary side of the steam generators. Major analysis assumptions are shown in Table 440.22-1. Following the loss of feedwater, the secondary steam generator pressure increases from 1000 psia (the System 80t nominal full power value) to 1200 psia (the secondary safety valves lift pressure), and secondary inventory is depleted. The primary pressure increases due to the reduction in the primary to secondary heat transfer rate. A high pressurizer pressure reactor trip followed by turbine trip occurs at approximately 23 seconds.

Following the trips, the pressurizer pressure decreases due to the rapid reduction in core heat generation caused by the reactor trip.

Since emergency feedwater is not available, the secondary inventory continues to deplete resulting in further degradation in primary to secondary heat transfer. As a result, the primary system pressure again begins to increase. Once the steam generators begin to dry out, the primary pressure increases rapidly until the pressurizer pressure reaches 2500 psia at 2275 seconds at which time the primary safety valves lif t. Upon steam generat r dry out, the only means of rejecting heat is via primary safety valve discharge.

i I

Bfelponse 440.22 (Continutdl Once the bleed valves are opened, and provided the valves have sufficient flow area, the RCS and pressurizer pressures decrease to the point where safety injection flow is delivered to the RCS, If the RCS inventory is not excessively depleted at this time, the vessel mixture level will remain more than two feet above the top of the core.

The analysis to determine the valve size required to meet the goal in criterion (a) 1, assumed that one bleed valve was opened at 2275 seconds. The analysis result indicated a valve area of 0.0115 square feet will meet this criterion.

lo determine the valve size required to meet the goal in criterion (a) 2, a curve was developed which shows the variation between bleed valve total area and opening time delev after the primary safety valves lift. This curve is shown in . gure 440.22-1. Combustion Engineering chose a valve size which was slightly smaller than the size of a primary safety valve (0.021 square feet per velve versus 0.03 square feet per safety valve). The basis for using a valve size smaller than the PSVs was to ensure that any thermal transient imposed on the RCS during non-accident use would be less severe than that for operation of the PSVs. Two valves c' this size allow a delay time up to 30 minutes as indicated in .igure 440.22-1. The dashed curve of Figures 440.22-2 and 440.22-3 represent the pressurizer pressure and reactor vessel mixture level transient, respectively, for this valve size. The solid curve represents the transient response without the feed and bleed operation.

(d) The major control room indications required by the operator for the feed and bleed operation are shown in Table 440.22-2. These indications are also listed in Table 7.5-3 of CESSAR-DC, References for Response 440.22

1. " Combustion Engineering Emergency Procedure Guidelines," CEN-152, Rev. 03,
2. " Response to NRC Action Plan Item II.K.3.30, Justification of Small Break LOCA Methods," CEN-203-p, March, 1982.

1

J3ble 440.22-1 MAJOR ANALYSIS ASSUMPil0NS Main or Startup Feedwater flow 0 gpm (after time 0)

Emergency Feedwater Flow 0 gpm (after time 0)

Charging flow 0 gpm (after time 0)

Letdown flow 0 gpm (after time - 0)

Pressurizer Spray flow 0 gpm (after time 0)

(Main and Auxiliary)

Decay Heat 1979 ANS + 0 Sigma Reactor Coolant Pumps Tripped At 10 Minutes Pressurizer Safety Valve lift Pressure 2500 psia Secondary Safety Valve lift Pressure 1200 psia

1 lable 440,22-2

[0NTROL ROOM INDICATIONS AND ALARMS VSED TO PERFORM THE FEED AND BLEED OPERATION IILM CESSAR-0C Rf.((R[N((

SDS Valve Position Table 7.5-3 Safety injection Flow Table 7.5-3 Pressurizer Level Table 7.5-3 Reactor Vessel Coolant Level Table 7.5-3 Steam Generator Level (Wide Range) Table 7,5-3 RCS Pressure Table 7.5-3

< FIGURE- 440.22-1.

t i

'O.2 - - --

t MINIMUM TOTAL SDS VALVE AREA REQUIRED TO MAINTAIN

! O.19 -

CORE. COVER
  • VERSUS SDS VALVE OPERATION DELAY TIME -

t 0.18 -

~

AFTER PRIMARY SAFETY VALVE LIFT-FOUR HPSI PUMPS j _

O.17 - _ 1 j m 0.16 -

f

$_ 0.1 5 -

< 0.14 - '

m c: : 0.13 -

w - 0.12 -

3 0.11 -

t <-  ;

> 0.1 -

l

$ O.09 -

] O.08 -

O.07 -

j

$ O.06 -

j 2 0.05 - .

o 2 0.04 - f E O.03 -

2  :

0.02 -  %) OF CORE PLUS A MARGIN OF TWO FEET ,

l o.01 . i i i i i i * -

. . 4 0 5 10 15 20 25 30 35 40 45 50 55 i

SDS VALVE OPENING DELAY TIME AFTER PSV LIFT (MINUTES) l

(

  • 6 *

(Visa) aunssaud uazIanssaud O O O O O O O O O O V CD N O cr) N vi +4 to oo 5,

O O

lJJ CD 1 . a _ _ __ _ __ Y -

H 's W s y, ?' O g -

o W t V

/ (D

~' _ m w

W E -

g

O O

U C

3 15 ./ .

O w E

/ O o W m / 10 Y CD W -

O y .$ -

w

m. E m N5sS v 4 E 5 'o5 O

] - E Syb -

OW

E D; "

N I W a "

(r) s W

8 N

H

( -

1--

I E O D _

o W to W v4 LLI _

E _

CL i i i i i i i i i O O -O O O O O O O O O O V CD N LO cr) m vi vi  ;

(Visa) aunssaud HazIanssaud

e n (la)laAal BunixIH O v m N LU m N vi a CD OO 2 ja s T T i i 1 i O H O I- CD l l W l O  !

i -

O  !

.__I t -

Y l u s (O

^

> m- m Lu / Fa t3 TJ

-J i EG O c

g= ,

O O W "" U Q~  ;

f W8  % O (D

3 -

SC -

m I- "

N X S O

? H -

u. --

O LU N I N 2 5

=

_]

3 m ,-

$ R H t-w LU W

%5$ oE 2 W $8 o

m g

m-O g

> vt LU 2: 1 i I .i i i i i i O O a O V (D' N (D O m N vi vi (15)13A37 Jun1XIH

Ouestion 440.24 (Sixty-year life) i In a letter dated January 22, 1990, you have stated that CE will identify the components and systems which are affected for a 60 year plant life.

Provide all necessary information in CESSAR-DC to support the staff review for a 60-year design life including information on fatigue, corrosion, thermal aging, reactor vessel embrittlement, as well as all i l

the components and systems which are affected for the extended plant life.

Reiponse 440.24 The System 80+ structures, systems and components described in CESSAR-DC l l

are designed te support a 60-year life. The System 80+ design '

incorporates material selection, sizing, and supporting analyses that accommodate the-latest knowledge of the effect that age-related

degradation mechanisms (like. neutron embrittlement, fatigue and .

l_ corrosion) have over a 60-year operating cycle, for example, Section 4.3.2.8 of CESSAR-DC states:

" The design of the reactor internals and of the water annulus between the active core and the vessel wall is

, such that for reactor operation at the full power rating I

and an 80% capacity factor, the vessel fluence greater than1MgVat(hevesselwallisnotexpectedtoexceed 6.0 x 10 n/cm over the 60-year design life of the vessel."

In addition, lessons learned from current operating plants which are reflected in present regulatory requirements were also integrated into the design of System 80+ components to preclude, prevent or minimize concerns over material properties or design configurations that could potentially limit operating life. For example, the selection of material for the reactor vessel minimizes concern about excessive sensitivity to neutron embrittlement. Section 5.3 of CESSAR-DC outlines in detail how the material selected for the reactor vessel, the manufacturing methods and initial non-destructive examination to be used, and proposed irradiation capsule surveillance program all combine to ensure at least a 60-year 1ife.

Special attention has been paid to component replaceability in_ the System 80+-design. . Adequate space for inspection, repair, and component replacement has been provided except for certain components such as the Reactor Vessel.

Finally, the NRC's aging research has shown that the many identified-aging -phenomena do not pose major technical safety issues-in view of the plant's surveillance, inspection, testing, maintenance, repair and replacement programs (Refs. I and 2). Indeed, the major factors affecting aging of the reactor pressure vessel and other primary reactor coolant pressure boundary components are relatively well understood. For

,_ .,_.c. ,-- - _ _ . . , , _ .

- ~ .. .

example, the application of the NRC's regulatory guidance to estimate the safe remaining _ life of a reactor pressure vessel shows that many of the existing pressure vessels could be operated for longer than 60 years (Ref. 3). Similarly, technical feasibility studies and engineering evaluations sponsored by the nuclear industry and the DOE in support of plant life extension have also strongly indicated that the life of nuclear power plants can be safely extended beyond 40 years for current plant designs (Refs 4 and 5). There is nothing unique in the System 80+

design that would obviate applying the conclusions reached for current plant designs to System 80+,

in addition, the System 80+ design permits expeditious component replacement for obsolescence or failure over the life time of 60 years, consistent with the EPRI Utility Requirements Document. Examples are:

1) rapid replacement of Cathode Ray Tube displays and other instruments in the Nuplex 80+ Advanced Control Complex, and 2) spacious general arrangements in the Reactor Building and Nuclear Annex to provide c.sy access for equipment maintenance and refurbishment.

References

1. J. P. Vora, " Nuclear Plant Aging Research (NPAR) Pro'; ram Plan,"

NUREG-ll44, Revision 1, September 1987.

2. U.S. Nuclear Regulatory Commission, " Plan' for Integration of Aging and Life-Extension Activities," March 1987.
3. U.S. Nuclear Regulatory Commission, " Regulatory Analysis for Proposed Rule on Nuclear Power Plant License Renewal," Draft Report

-for Comment, NUREG-1362.

4. American Nuclear Society, Proceedinos of Topical Meeting on Nuclear Power Plant Life Extensio.n, (Snowbird, UT), Vols. I and 2, September 1988.
5. Electric Power Research Institute, Seminar on Nuclear Plant Life Extension, co-sponsored by Northern States Power, U.S. Department of Energy, and Virginia Power (Alexandria, VA), 1986.

= . . _ . _ . . _ _ _ - _ _ _ . . _ _ . . _ _ _ _ . ___ _ _

Question 440.25 (Pressurizer Heaters)

Provide discussions on the safety classification of the pressurizer heaters, if they do not meet the requirements of safety grade standards (e.g., Seismic Category 1, Class lE power supplies, etc.), discuss how the CESSAR-DC plant could achieve cold shutdown without operation of the presscrizer heaters and meet the Branch Technical Position RSB 5-1.

Response 440.25 Pressurizer heaters are designed to SSE loads and minimum natural frequency. The pressure boundary portion of the heaters is constructed to the requirements of the ASME Code, Section 111, Subsection NB (Safety Class 1) . The pressurizer heater system meets the Positions and Clarifications of NUREG-0737 Section ll.E.3.1. Item (7) of Clarifications acknowledges that heaters themselves are not a lE load, and consistent with this acknowledgement, the heaters are not designed to IEEE-323, Qualifying IE Equipment for Nuclear Power Generation Stations.

Natural circulation cooldown calculations for the System 80 design, wherein no credit was taken for heaters, showed that cold shutdown can L achieved without them. Based on a comparison of System 80 and System 04 design features, the results of natural circulation cooldown calculations are expected to be the same.

" - ' ' ' - -----.--u.--.--_________A,________ _ ___ ___ __

t Question 440.26 The CC LOCA evaluation model approved by the staff may not be applic6ble to System 80+ design with respect to plant specific configurations in node arrangement and control system. Confirm that a new LOCA evaluation model will be prepared for the System 80+ design. l Rescoase 440.26 The C-E Evaluation Model (References 1-7) was utilized in the System 80+

LOCA and Post-LOCA analysis. A review of the models,-prior to the analysis, indicated that a LOCA event for the :;ystem 80+ design was conservatively modeled with the cur.ent approved Evaluation Model using the physical characteristics of the System 806 design. Hence, there are no plans to prepare a new LOCA evaluation model for the System 80+

design.

References for Response 440.?6

1) CENPD-132P, " Calculative Methods for the C-E Large Break LOCA Evaluation Model," (Proprietary), August, 1974.

2)- CENpD-132P, Supplement 1.

  • Calculational Methods for the C-E Large Break LOCA Evaluation Model," (Proprietary), february,1975.
3) CENPD-132P, Suppicment 2-P, " Calculational Methods for the C-E Large Break LuCA Evaluation Model," (Proprietary), July, 1975.
4) CLNPD-132, Supple sent 3-P-A, " Calculative Methods for the C-E Large Break LOCA Evaluation Model for the Analysis of C-E and W Designed NSSS,*(Proprietary), June,1985.
5) CENPD-137-P, " Calculative Methods for the C-E Small Break LOCA Evaluation Model," (Proprietary), August, 1974.
6) CENPD-137, Supplement 1-P, "Small Break Model, Calculative Methods for the C-E Small Break LOCA Evaluation Model," (Proprietary),

January, 1977.

7) CENPD-254-P-A,
  • Post-LOCA Long Term Cooling Evaluation Model,"

(Proprietary), June,1980.

_ - _. . _ _ _ . ~ . _ _ _ . _ _ . _ . _ . _ _ _ _ _ . . -

l L l I

Ques,11on 440.27. 1 There were two incidents of Palo Verde Nuclear Generating Station relative to the turbine byi. .ss valves failing open due to a single i failure in the electrical systems. The consequences of these events may '

not be bounded by the analyses documented in Section 15.1 of the System 804 as an event with moderate frequency in occurrences. Please discuss the design features that would prevent or reduce the frequency of those l cvents happening or mitigate their consequences.

Rgiponse 440.27 The two incidents in which multiple in-service turbine bypass valves l opened due to a single failure resulted from the cross-connection of '

multiple instrument signal loops in the Balance of Plant portion of the instrumentation system. NSSS interface requirements documents required that independent signals be input to the SBCS. In both cases, a common connection between input signals existed, which was not consistent with the NSSS interface requirements. The System 804 design scope includes the portions of the instrument signal loop interfaces which were formerly 00P scope. Common connections do not exist in the System 80+ design.

The functional design of the 50C5 for NUPLEX 80+ is equivalent to that of Palo Verde, f

l 4

l Dyestion 440.20 On page 6.3-7 of the CESSAR-f system 80 imposes a requirement that "The total volume in the pi)ing from the reactor coolant system up to these valves shall be less tian 30 cubic feet per line. This volume shall be kept to a minimum so that the delay time for injection of borated water ,

will be a minimum." This 'arovision has been removed from CESSAR-DC for System 80+. Explain why tais requirement is no longer applicable, b ronse 440.28 The wording of M 6. was improved, and made more representative of the standard system design in CESSAR-DC, Amendment I, Section 6.3.1.2.3.1.6.

Paragraph 6.3.1.2.3.1.7,astatesthatthe"pipingrunsfromeachtank (safety injection) is as direct as possibic. . . . In addition, this i

line is borated up to the recirculation line tee as a result of periodic recirculation flow. The alping arrangement, in terms of length and volume, is compatibic wit 1 the assumptions of the safety analyses.

i I

- - , , cr.- .,--,..r_ ,..~%,-...-y.,- - ,,, ,,,<,.___,,,,%-,,,,., .,, m,,,,,,,%,-,.e,,_ .,..,%_,c .w ,.m., . ..,m. . - , . ,,_

4 (Lunt10E 440.29

provide an evaluation of the ECCS design features and proposed operating procedures according to 10 CfR Part 50 General Design Criterion 4 as related to the dynamic effects associated with flow instabilities and loads (e.g., water hammer).

Leiponse440.29 The response to this issue is addressed in the resolution provided for Unresolved Safety Issue (VSI) A-01 in CESSAR-DC Appendix A.

The System 80+ ECCS design addresses system dynamic loads such as those that may result from water hammer. plant operating and maintenance procedures are prepared in accordance with guidelines established by Combustion Engineering to minimize the potential for water hammer.

Specific design features, such as vents and drains, are provided in ECCS piping and are used in conjunction with these procedures to assure that these lines are maintained (restored in the case of maintenance or repair) in a water filled condition. Maintaining the ECCS in a water filled condition will minimize the potential for the occurrence of water hanner conditions during system start-up.

A new Section 6.3.2.6.4 will be added to CESSAR-DC as follows:

1 "6.3.2.6.4 Water Hanner The SIS design addresses system dynamic loads such as those that may result from water hammer, plant operating and maintenance procedures are prepared in aceirdance with guidelines established by Combustion ~ Engineering to min' size the potential for water hammer.

Specific design features, such as-vents and drains, are provided in SIS piping and are used in conjunction with these procedures to assure that these lines are maintained (restored in the case of maintenance or repair) in a water filled condition. Maintaining the SIS in a water filled condition will minimize the potential for the occurrence of water hammer conditions during system start-up."

y -

- -,,m..,- ,,--n,,-- g , .,-a., .., ,,,,.-v_,,--.mm,nnp_-erm,~,-me.,,=,,,,,r-c,-esw.-,.,,,,,en-y_ y,.., m., v a, , + , .e wmmg, nw mv, -

l DE ltion 440J Q System 80+ relies on operation of one Sl pump during post-LOCA long term '

cooling operation (LTC). Provide an evaluation of $1 pump reliability for extended operation during post-LOCA LTC mode. (Ref. CESSAR-DC 1 Section 6.3)

Retitons_440.30 As described in CESSAR-DC Section 6.3, the System 80+ design consists of four SI pumps. Each pump is provided with a separate suction line from the IRWST and a separato discharge line to one of four reactor vessel DVI nozzles. The System 80+ Si pumps are specified to have the same operating characteristics as the liigh Pressure Safety injection (HPSI) pumps specified for the System 80 design and in use at the Palo Verde Nuclear Generating Station (PVNGS), lho System 80+ Si pumps and the System 80 llPSI pumps are similar in design to botier feed pumps used in fossil power plants. The reliability of the System 80+ S1 pumps for extended operation is expected to be as good or better than boiler feed pump reliability. A comparison of the System 80 llPSI pumps to boiler feed pumps was provided in response to Question 440.27 on the C-E System 80 Standard Design, Docket No. 50-470 (attached). The NRC's review of System 80 lipSI pump long-term operability is summarized in the CESSAR SER ;

(NUREG-0852). The Staff concluded that the System 80 ECCS is acceptable. l t

i

i i t 8 .,

. 'I 1

4 I

i i

4

)

i i  :

I CESSALQttestion and Renonse.(nneernina l- tlP1LDLn1p lono-term Operabilit.y 4

't l'

i e

p E.

5 l

b 1

\

l l

o l

, a_. _ _ _ .. . _ _ _ - . _ - - - _ _ . - - . -

- h?11'l-. Recent plant experience has identified a potential problem

( regarding the operability of the pumps used for long-term cooling Inomal and post-LOCA) for the time period required to fulfill that function. Provide the pump design lifetime (including operational testing) and compare to the continuous pump operational time required during the short- and long-tenn of a LOCA. Submit infomation in the form of tests or operating experience to verify that these pumps will satisfy long-term requirements.

a 4

6-23

Response

The HPS! pumps supplied for System 80 plants are similar in design to boiler feed pumps. A comparison is listed as follows:

(

1. Bearing types used on boiler feed cumps and the HPSI pumps are similar. Boiler feed pumps are currently being supplied with both sleeve beariags with force feed lubrication and with ring oiled bearings as supplied for the HPSI pumos. The selection of bearing type for the boiler feed pumps is usually by customer pre .

ference.

2. The number of stages for boiler feed pumps and the HPSI pumps are similar. The number of stages for boiler feed pumos vary between 4 and 10, with most in the 7 to 8 stage range. This compares to the 8 stages used on the HPSI pumps,
3. In lieu of testing the HPS! pumps, the performance record of Ingersoll-Rand boiler feed pumps is cited. Numerous pumps have operated, meeting boiler feed demands,

~

for S-year and greater periods between scheduled maintenance cycles in fossil power applications.

These scheduled maintenance cycles are for complete examinations (complete overhaul) and do not include running surveillance and maintenance tnat is cerfomed on a regular basis to insure proper operation and to detect problems that would recuire a complete overhaul . Running surveillanu and maintenance includes, but is not limited to, the following:

a) Pump and motor parameters (i.e. pressure, temperature, flow, etc.) checked, b) Auxiliary piping, valves, and equipment checked.

~  :) Grease lubricated bearings checked for proper amount and consistency.

d) 011 lubricated bearings drained and filled with fresh oil .

e) Instruments recalibrated, f) Pump-motor alignment verified.

g) Perfomance testing. .

Checks on the pump and motor assembly and ancillary equipment are typically perfomed on a shift basis. Instrument calibrations , oil changes, alignment checks, etc. , are typically perfomed on a semi-annual or annual basis depending on individual plant preferences or plant operating status.

General time periods for scheduled complete overhauls depend on pump service and the losses resulting from increased clearances or of unscheduled downtime. Pumos are not typically opened for inspection and repair unless either factual or circumstantial evidence indicates that an overhaul is necessary. Factual evidence implies that the pump performance has fallen off significantly, or that noise or driver overload in-dicates trcuble. Circumstantial evidence refers to past experiences with the pump in question or with similar equipment on similar service.

The HPS! pumps are similar to boiler feed pumps in design but can be expected to

- have overhaul intervals of significantly greater time periods in that the actual HPSI pump operation will be minimal. In addition, the routine inservice operational inspections defined in the Technical Specifications (section 16.3/4.5) will verify the Consequently, the criteria for overhaul

(' o:entinuing apply.

capabilities of the HPS! pumps.f boiler feed pumps, which is The actual process for the HPSI pumps ma; well be inspection and replacement of replaceable-parts such as elastomer o-rings.

6-24

t

(  : ached is documentation from typical power generating stations that have boiler feed pumps similar to the System 80 HPSI pumps. As detailed, it is comon for the boiler feed pumps to operate without complete overhauls for a period of '

.several years or more.

4. The seals of the HPSI pumps are,of different design than those of the boiler feed pumps. .

For the boiler feed pumps, the nature of the boiler feed cycle during service (particularly after initial installation) introduces comparable or greater quantities of debris than would be experienced following any LOCA. The boiler feed cycle cruses the introduction of oxygen (particularly large quantities in the main condensor).into the boiler feedwater This results in corrosion being fonned in the piping during normal scheduled cyC s shutdown periods. When the pump is placed back into service, significant nuan',ities d corrosion and other contaminants can be placed into circulation and pcss th*9 ugh the boiler feed pump. Seal failures would be a predominatt factor for unscheduled shutdowns but experience indicates that unscheduled shutdowns due to seal failure are uncomon.

F r the HPSI pumps, the seals have had representative testing by the manufacturer under conditions that would cause seal failure. The testing technique was such that the test fluid was continuously recirculated. Particles resulting from failure would

(' ncirculate, accelerating that failure. Test reports do not show .any rapidly in-

. easing failures due to debris nor any other type of seal failure.

If debris were in the seal fluid, particles of a certain size and density might cause seal damage. The particles in question would have to be able to separate the seal surfaces enough to allow entry, then passage, of the particles from the 00 to 10 of the seal. In addition, the composition would have to be hard enough to score the sof ter of the seal surfaces. Boric acid crystals do not meet this criteria, as was demonstrated by the manufacturers test program for these seals which involved boric acid solutions of appropriate concentrations.

The HPSI pump seals are protected from debris by centrifugal separators installed in the seal water flow path and by the containment sump design. The seal water flow path is described as follows:

a) Discharge pressure fluid is taken from a line connected to the pump discharge and is reduced in pressure by means of an orfice, b) The fluid is then split in half (or.e flow train for each seal on the pump) and passes through a centrifugal separator. Any dense particles plus a significant portion of the fluid leaves the bottom of the separator and is returned to the suction side of the pump.

c) Clean fluid leaves the top of the separator and flows to the respective seal, d) Seal leakage is from the 00 to 10 of the real. The pump specification limits this to a maximum leakage rate of 50 cc/hr per sea. This leakage flows to the

(- liquid waste system via the drain connection, e) The majority of the introduced seal fluid is passed along the shaf t into the pump suction. .

6-25

a ., .

l l ..

( . I e A mechanical seal failure would result in a maximum leak rate of 500 cc/ min, g) The materials of construction of the seal are described as follows:

The pump shaf t sleeve is 31655; the seal consists of a stationary carbon ring facing a rotating tungsten carbide ring. Springs main-tain an appropriate pressure for contact of the rubbing faces.

Debris is also controlled by means of a vertical screen with a 0.090 inch clear opening in the containment sump which assures the limit of foreign particle size being drawn into the seal water flow path.

t t

l l

l I

O I

1 6-26

l l Question 440.31 3

The IRWST design criteria for ECCS in CESSAR-DC states *0affles and intake screens shall be installed to limit the particle size entering the IRWST to 0.09 inches in diameter in order to prevent flow blockage in SIS components and piping and in the reactor.' Provide additional information on the actual design of the interface between the containment sump and the IRWST in terms of drainage from the sump to the IRWST.

Include relevant diagrams. (Ref. CESSAR-DC Section 6.3).

Response 440.31 Vertical screens are provided in the entrance to the holdup volume at i elevation 91+9 feet. These screens are shown nn the Reactor Building i general arrangements and in figure 6.8-2. These screens limit debris from entering the holdup volume and ultimately the IRWST. Screens are also to be placed at the entrance to the Safety injection (SI) suction lines in the IRWST. These screens, along with the IRWST spillway location, provide additional assurance that debris will not enter the Si system and the reactor. Refer to CESSAR-DC, Amendment 1, Section 6.8 for the IRWST description, figures 1.2-3 and 1.2-6 for the holdup volume arrangement, figure 6.8-4 for the IRWST PalD, and figure 6.8-2 for the IRWST Spillway and Cavity flooding System diagram, flow from the holdup volume (containment sump) to the IRWST is via the IRWST spillway. Due to the elevation of this spillway, flow does not occur until approximately 60,000 gallons of water have accumulated in the holdup volume. Refer to CESSAR-DC, Amendment 1, Section 6.8 and figure 6.8-2.

,7--,_.s- , . _ * - - y , ,y ,,,,y. ,.,7% -

. _ , , _ - _ , , , , ...y ,.-,r

,,,-,..mm ..%,.w_,.,,,,_ e , ,r , - . - __ . _ ,. . _ _.

Enclosure !! to LO 018 PROPOSED REVISIO11S TO Tl!E COMBUSTIO!1 El4GIllEERIl1G STA!4DARD SAFETY AtiALYSIS REPORT - DESIG11 CERTIFICATI011 d

h a w -

c. _

.,e- <g,,,% ~ -,. - - ,- ...o.m.-,---,,- ,- _. , ,-,, .- - - , , ~ + w _,c-c. --w-. .-- .*

d 9 W D*/0 C E S S A R ?Niine m ou 1

a f

lD i .

be summarized i n CESSAR-DC Appendix A,cnd t h _,  ! 'aa 4-*-

j ix'1  ;.... s, m. s , ,-i n x- ,,itcri. t-- .s ; t." " 2 i':':

- ----i . .. , .

a

!! J.EEML. T e;' 1 " " ' :' ' : _ _ A Lovel III PHA will be performed. Thio Pl(A will be described in Appendix H. Degraded core analyucs will bo included in the PRA. Itosultu of tho Sabotago Protect lon Program i . will be pronented in CI:SSAH-DC, Appendix 13A. i; i

i l

l

\

l i

j -

V l

l V Amendment E 1.1-3 December 30, 1908 e-,.r*da.yw-gve,,- ,e.,y,--w-vegn.,,.w,,.e-p+,y,,-,,,,.,c ew mg ,rg-,+-mw,s.yy9,9,,w*.npac.,=-w,9--7w,,ys wg t- ,e,-g.e- ei* pin- ,,-w,e y + , w p www ge a 9 - *e. -e- -g-e e me e au-p- W =-9 *t- y Tw v* w 1 -t p gr g w e +- +w+--We'

L C ESS AR nM"lCAil0N *!

i l

Thin nection addrennen the 11 0 function of the SDS.

If normal and emergency AC power nourcen are available, opening the rapid deprennurization or bleed valves results in a rapid deprennurization of the RCS which allows the SI pumpn to be automatically started to refill the RCS and provide cooling of the core.

Coro decay heat removal, using the 17 0 tunction, in accomplished n by a once-through cooling pt ocean in which water in injected directly into the reactor vennel downcomer via the normal Safety Injection System (see Section 6.3). Once in the reactor vennel, the cooling fluid pannen through the vennel downcomer to the lower plenum, up through the core (where decay heat i:. removed) and out to the hot leg, through the nurge line to the prenuurizer und out through the dedicated rapid depreocurization bleed valven to the piping nparger in the litWST where quenching and cooling o!'

the bleed flow in accompliched. The quench volume within the IRWST allown a feed and bleed operation to be maintained Ior about thirty minuten bef ore external cooling of the 1RWST nhould 11 be initiated. IRWST cooling in provided by the nafety grade Component Cooling Water Syntom and the Shutdown Cooling Syntem heat exchangers. In addition, the containment Spray Syntem heat exchangern may be used to cool the IRWST.

Bleed and feed and, therefore, core cooling can continue even without the initiation of flow through the Shutdown Cooling heat D exchanger. Without IRWST cooling, the I llWST ' n vent nyntem will relieve the steam formed in t.he tank to t_ h e containment. The dincharged nteam will be condenned by t.h e containment cooling

.y nyntem and returned to the lioldup. Volume Tank via the ;umpi gravity drainn. T tf I

',M

'[. b g-46.7.2.2 Component. Dencriptipn 6.7.2.2.1 React or Coolant Gan Vent. Funct; ion Valve <.

Table 6.7-1 doncriben the IRCGV valves. 'Ph e RCGV valven are "

globe valven which are held cloned during normal reactor operation. Thene valven are normally operat ed only during chutdown periodn. These va1ven fai1 in the c1oned ponition.

6.7.2.2.2 Itapid Deprennuri zat ion (Bleed) Valve'.

Table 6.7-1 doncriben the RD valves. The rapid depre r. ;u r i n a t i on (bleed) valven are globe or angle valven preceded by gate valves acting an isolation valven. The valven are mot or operated and fail in the "An-In" position (FAI) Since t. h e valven are denigned to be opernted during a " n t a t;i o n blackout", the mot or operatorn are nupplied electrical power from the DC bunen.

1 Amendment 1 6.7-11 December 21, 1990

Jnjert 6.7.2.1.2 for a Total loss of feedwater (TLCfW) event in which: (1) it is also assumed that feedwater is not restored to the steam generator secondary side; and (2) it is also assumed that early " feed" and " bleed" for once-through core cooling is not initiated, the Rapid Depressurization valves shall b vpened no longer than 2.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> after the pressurizer safety valves first lif t. This will allow the RCS pressure to be reduced from 2500 psia to 250 psia prior to reactor vessel melt-through for a severe accident scenario.

4 Q YYo.zp

(

Section 3.11. The valven include those annociated with fill, drain, and preosure control of the Safety Injection Tanks which receive an SIAS or are required to operate following an accident.

The instrumentation includes the wide range 1cvel and pressure instrumentation annociated with the Safety Injection Tanks.

Insofar as practical, SIS componento required to inaintain a functional statun have been located outside containment to ollininato exposure of this equipment to the pont-loCA conditions.

The equipment outside containment in designed in consideration of the chemical and radiation ofrects annociated with operation following a LCCA. (Figuren 6.3.2-1A, 6.3.2-1B and 6.3.2-lc l indicate location of equipment incido or outnido of containment) .

The design life of the SI pumpn in 60 yearn, corresponding to the life of the plant. Design pressures and temperaturen are in excens of the maximum pressuren and temperatures seen by the respective component during the worst of normal operating and design bancs conditions. Materials of construction for the pumpn are compatible with the expected water chemintry under norrnal and LOCA conditions. A radiation resistance requirement han been placed on the pumpn connistent with section 3.11.

6.3.2.6.2 Minnile Protection protection from possible RCS generated ininniles in afforded by locating all componenta outside the containment except for the IRWST and SIT. The SITc are located outnide the biological shield such that protection from ponnible Reactor Coolant System genernted mian11cc in provided.

6.3.2.6.3 Seinmic Denign Since operation of the SIS in essential following a Lons-of-Coolant t$ccident, it is considered Category I for ceintnic design. The general design basin for Category I equipinent in that it must be able to withstand the appropriate acinmic loads plus other applicable loads without loan of design functions which are required to protect the public.

For the SIS, this means that the componentt. must be able to withstand the atrences resulting from emergency operation following a LOCA, simultaneous with the ntrences renulting from the Safety Shutdown Earthquake (SSE) without loan of function.

Refer to Section 3.7 for details on neininic design and analynic methods.

,(.

6.3-21

l l

Insert 6.3.2.6.4 6.3.2.6.4 Water Hammer The SIS design addresses system dynamic loads such as those that m;y result from water hammer. plant operating and maintenance procedures are prepared in accordance with guidelines established by ABD/Cf_ to minimize the potential for witer hammer. Specific design features, such as vents and drains, are provided in SIS piping and are used in conjunction with these procedures to assure that these lines are maintained (restored in the case of maintenance or repair) in a water filled condition.

Maintaining the SIS in a water filled condition will minimize the potential for the occurrence of water hammer conditions during system ,

start-up. I I

l l

1 l

l l

1

~ . _ _ . . . . , . . . _ _ , . . . . . _ . _ _ . . . _ . . , , , . _ _ . _ . , . . . . _ . . _ , _ _ . _ . .

Retrieved from "https://kanterella.com/w/index.php?title=LD-91-018,_Forwards_Response_to_NRC_Request_for_Addl_Info_Re_C-E_Ssar_Design_Certification&oldid=3587700"