ML20034H802
| ML20034H802 | |
| Person / Time | |
|---|---|
| Site: | 05200001 |
| Issue date: | 01/28/1993 |
| From: | Kelly G Office of Nuclear Reactor Regulation |
| To: | Duncan J GENERAL ELECTRIC CO. |
| Shared Package | |
| ML17179A859 | List: |
| References | |
| NUDOCS 9303220092 | |
| Download: ML20034H802 (23) | |
Text
.
P p cncy 3&"Y s E UNITED STATES n
i*
NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555
%,...../
Docket: 52-001 January 28, 1993 NOTE T0:
Jack on "an, GE FROM:
Glen y
PS R
SUBJECT:
RETRANSMITTAL OF ABWR RA QUESTIONS As we discussed in San Jose during the January 1993, Management Meeting, I am enclosing the questions I have already sent you (by fax or letter) regarding i
the ABWR PRA. This retransmittal is solely for the purpose of helping to assure that no questions fall through the cracks.
I am also enclosing a few thoughts I put together on PRA-based ITAAC, based on the San Jose meetings, as well as a few reminders (written to myself) of things to check.
I hope you find the enclosed questions helpful.
Enclosures:
as stated
\\
~
J 9303220092 930309 PDR ADOCK 05200001 A
f l
~
~!
i I
QUESTIONS ON THE ABWR PRA July 16, 1992 i
0-21B In Open Item 0-21B, the staff required GE to address seismic capacities for equipment that is not part of the Certified Design. On June 27, i
1992, GE responded by providing a faxed draft of SSAR Section 19.10. On review of this section, the staff is unable to determine what were the assumed seismic capacities of either the systems involved or of'
. individual components in the systems.
(1) Indicate what information in Section 19.10 is in Tier 1 (e.g., RSW design performance specifications) and reference the section of the Tier 1 document. (2) Provide the 1
overall assumed reliability of each system that is modeled in the ABWR PRA, but not in the Certified Design, er alternatively, provide the l
assumed reliabilities of each component in these systems.
(3) Provide an ITAAC (or if appropriate a DAC) for these systems that help to assure that when these systems are designed by the COL applicant, they will meet the assumptions about reliability (including unavailability) made i
S-5 The staff has required GE to make confirmation of the seismic capacities 1
S-6 of various equipment a COL Item. GE responded by providing a fax dated
-i S-7 June 30, 1992 that discussed confirmation of seismic capacities beyond j
S-8 the plant design bases (draft Section 19.9.8 of the SSAR). 'This section i
states that the COL applicant should take actions specified in Section i
19H.5 of the SSAR.
Section 19H.5 is a reference section, and has no i
specific actions associated with it.
Please correct this error.
5 SA-2 In lieu of a sesimi_c PRA, GE submitted a PRA-based seismic margins approach by fax, dated June _26, 1992. A quick review of this analysis raises the following questions: (1) How were human errors incorporated into the analysis? (2) What are the dominant sequences (top 30) ranked by HCLPF? (3) What random failures were considered and what were the assumed failure rates? (4) How was the seismic failure of.the Reactor Service Water Pump House considered in the analysis?
(5) How was'the failure of the Reactor Service Water strainers (either by seismic failure or random failure) considered in the analysis?
(.6) Describe'how l
you incorporated random failures into your margins analysis.
0-12 Provide a discussion of how the migration of smoke during a severe acci'ent fire is prevented or mitigated in safety significant areas l
othei than primary and secondary containment. This subject.is probably best handled by GE sending (or referencing) applicable area diagrams, followed by a GE briefing.
j I-8 In its June 30, 1992 fax on' COL License Information (SSAR Section 19.9);
GE provided its analysis of external flooding (Section 19.9.3).
The staff does not find this to be an adequate analysis of external flooding.
Provide an analysis that quantitatively and qualitatively discusses the capabilities of the ABWR design (sited, as GE has' stated, at one foot above the probable maximum flood (PMF) level) to withstand j
severe accident floods higher than the PMF.
GE's analysis should j
determine the height of external flooding at which the conditional i
l 1
I probability of core damage becomes non-negligable. GE's analysis should include assumptions about the siting of the Reactor Service Water Pump House and should analyze the potential safety consequences of flooding this building.
0-On June 29, 1992 GE provided by fax a draft write-up of SSAR Section
[
22B 19.13 on PRA Design Insights. The following areas need to be addressed:
(1) Compare the dominant sequences from previous BWR PRAs to the dominant sequences for the ABWR.
Include with this comparison a' discussion of why sequences that were dominant in other BWR PRAs are not l
so for the ABWR and why the ABWR CDFs are so low, (2) Discuss the' balance of prevention and mitigation as embodied by the ABWR design and j
why the balance is acceptable, (3) Compare the treatment of phenomena t
challenging containment integrity for the ABWR PRA versus other BWR i
PRAs, including a discussion of unique features in the ABWR' design that effect these challenges, (4) Discuss the important safety and design l
insights developed by GE about the ABWR design based on the ABWR PRA, and (5) List the vulnerabilities found in the ABWR design when performing the ABWR PRA and provide GE's definition of a
" vulnerability".
Include internal and external events. Describe any enhancements made by GE to design or procedures because of PRA insights.
PRA-GE faxed (May 22, 1992) its draft requantification of the ABWR PRA,-
1A which provided updated tables of core damage frequencies, updated event I
trees, and a list of changes from the original PRA submittal.
(1) i Provide a comprehensive list of cutsets. (2) List where the ABWR PRA-l takes credit, if anywhere, for recovery of non-safety grade equipment.
(3) Based on the requantification, list any non-safety grade systems that are important to safety and need to be incorporated into accident-managment strategies. (4) Describe how the requantified PRA results have l
changed the PRA insights from the original PRA submittal.
l 0-GE faxed (June 25, 1992) an updated draft discussion of PRA As A Design l
22A Tool as Section 19.7 of the SSAR.
(1) This section needs to be expanded to provide some details of how GE used actual operating experience-in the design of the ABWR, including examples.
(2) The examples provided by GE only discuss things that have or will save money-for GE/ COL applicants.
Provide examples of how safety was improved by use of the PRA or its insights.
SC-2 On June 4, 1992, GE faxed a discussion of how the RWCU system was to be-I modified to remove a potential vulnerability to use of the RWCU as a i
high pressure /high temperature decay heat removal path. ' Included in-l this package was a set of modified logic diagrams that'show how.the regenerative heat exchanger will now be isolated rather.than the whole-RWCU system.
(1) Provide a discussion of what -signals / occurrences,. if i
any, will cause automatic isolation of the entire RWCU. (2) Indicate where in the SSAR GE intends to document the commitments and' document
-l the engineering rationale made in this fax.
l
7 0-11, 0-18 On June 18, 1992, GE submitted a fax of the draft ABWR PRA data uncertainty I
analysis (level-1 portion). On page 1 of the draft, GE claims that if all error factors are increased to 15.0, the core damage frequency results only increase 14% for the 95th percentile. This seems unusually low.
(1) Provide additional information on the sampling of the tails of distributions used in your Monte Carlo analysis.
On page 8 GE states that human error events were not coupled when analyzing i
uncertainties because GE believes that different operators and different crews would provide a tendency toward uncoupling. This is not necessarily true for r
a maintenance crew or operations crew that performs calibrations, tests, or maintenance. The staff takes this position based on current operating experience.
On page 9 GE states that the effect of multiplying'all basic event probabilities by 2.0 is equivalent to choosing a value above the 85th percentlile. The staff notes that this is only true if your error factor-is small.
In the last paragraph on page 9, GE states that their analysis shows that the effect of systematic bias error is very small in the PRA.
The'. staff i
finds that little justification for this statement was given in the draft analysis.
It may not be true at all, and the method used to demonstrate GE's 3
case cannot in and of itself provide such a justification.
The staff notes that the sensitivity curve used on page 11 can be quite misleading to persons not familiar with lognormal distributions. Note that the mean value is influenced by the distrubution tail and the shape of the curve would be quite different if X,93, rather than the ratio of X,,3/mean was' used.
(2) For Table 4, page 12, please explain why " moderately coupled" ha's a higher mean than " tightly coupled"? (3) If we assume that the top 300 cut sets did not include coupled events, would these results change if we were to use more cutsets?
j l
I-15 l
On June 29, 1992, GE submitted a fax that listed the equipment that GE sugge.sted go into the COL applicant's RAP based on PRA insights.
In Section t
19K.8, GE lists the important structures, systems, and component ; for shutdown analysis. This analysis does not address areas such as AC power and DC power, which are perhaps more vital when the plant is shutdown than whrn it is at power due to equipment maintenance and test during outages.
(1) Provide a more complete description of how GE determined what equipment should go into RAP based on the shutdown analysis and the analysis of external events.
Section 19.K.9.12 discusses flood protection from internal flooding. '(2) Why does the flooding discussion not discuss seals for doors, penetrations, etc.
as potential pathways for water if they are not properly installed and maintained?
3 Table 19K.9.1 identifies equipment failure modes and provides recommended test
i l
1 k
intervals for many pieces of equipment.
(3) Are these the same test intervals assumed in the ABWR PRA? If not, how would the results and insights of the ABWR PRA be modified if the recommended intervals were used in the PRA? (4)
Explain why GE believes that the equipment identified and the test intervals chosen for inclusion in this table are sufficient to assure that an ABWR, when built, will meet the reliability assumptions of the ABWR PRA.
(5) Explain how the information provided in Section 19K was included / factored into the ITAAC.
(6) Explain why Table 19K.9-1 does not appear to address preventing water from passing through barriers between safety divisions.
PRA-1B On July 16, 1992, GE faxed a description of its evaluation to determine'which systems, structures, and components should be included in a COL applicant's RAP program. This evaluation neglected to address reliabiality targets.
Provide targets for the equipment in Table 19K.1-1 and provide a rationale for r
these target values.
l Internal Flooding On June 30, 1992, GE faxed its internal flooding analysis (Appendix 19R). A i
scan of the table of contents of the submittal indicates that flooding of the Reactor Service Water Pump House was not addressed.
Provide an analysis of internal floods in the pump house or justify why they do not need to be j
considered.
\\
l l
I i
h r
l
1 t
STAFF QUESTIONS REGARDING THE ABWR PRA August 31, 1992 I-15 Based on the GE-fax to the staff of June 29, 1992 that addressed Interface Requirement #15 (the reliability assurance program), the staff has the following questions:
(1) GE did not provide an estimate of the importance of initiating events. An exception is the " loss of both offsite power sources" initiating event.
For this event a risk achievement worth ratio is reported in addition to its Fussell-Vesely importance value.
It is-i unclear how GE was able to use risk achievement worth to perform such a r
calculation. The staff believes that for initiating events, the use of an importance measure of the " risk reduction" type such as the Fussell-Vesely would suffice.
Please evaluate all significant initiating events using a " risk reduction" type importance measure and report the results in your risk importance ranking of the SSCs. Also explain how the risk achievement worth of an initiating event was defined.
t (2) GE did not discuss how the insights from the ABWR PRA were taken into account in deciding on the maintenance activities, as well as their frequencies.
Provide a discussion of how PRA insights were used to decide maintenance activities and their frequency, particularly if the i
PRA insights were used is a systematic manner.
l (3) GE provided minimal description of how safety significant SSCs were identified for the seismic, fire, flood, and other external events portions of RAP.
Expand your write up in this area to include (a) whether and how the seismic PRA results reported in the SSAR originally were used to help determine seismic SSCs, (b) whether and how the modified FIVE methodology results were used to help determine fire SSCs, (c) whether and how the shutdown reliability study numerical results were used to help determine SSCs for shutdown, and (d) similarly for internal floods.
In general, provide a better description of your bases for inclusion / exclusion of particular SSCs and describe how you went about deciding what SSCs should be included for external events.
i (4) The staff considers as incomplete GE's identification of SSCs that I
are to be included in RAP for areas of the ABWR that are not modeled in the PRA but are safety significant (e.g., the Reactor Service Water Pump House was not modeled in the internal flooding analysis).
GE must systematically consider these unmodeled areas and report on whether they are safety significant or not.
(5) Based on the reported results, the staff made the following j
observations: (a) GE may have used the dominant cutsets only for l
deciding what systems, structures, and components are important to safety.
Such use would be inappropriate and could eliminate important safety insights.
Please clarify exactly how GE went about calculating the importance of-SSCs.
(b) When ranking SSCs based on importance I
measures, the ranking should first be performed for the particular function (e.g., decay heat removal), then the particular system, and then components, as necessary. This is done to ensure that all i
important SSCs are determined.
It is not clear what ordering was I
}
N l
followed by GE.
Please provide an explanation of the order of calculating importance used by GE.
If GE did not follow the recommended order, provide justification or recalculate the importance of SSCs.
(c)
In Table 19K.3-1 it appears that Fussell-Vesely was used as the primary I
ranking importance measure. The staff believes that risk achievement worth should be used first to rank the importance of SSCs (since risk l
achievement worth looks at what happens if the equipment does not work because it is poorly maintained) rather than Fussell-Vesely (that tells you the value of making the SSC work perfectly).
Following calculation e
of risk achievement worth, the dominant cutsets should be used to calculate the Fussell-Vesely importance of SSCs to provide additional, complementary safety insights.
(d) In Table 19K.3-1, a risk-achievement worth ratio was reported for the combustion turbine generator, but not for the diesel generators. This implies that the plant relies more on the combustion turbine than the diesel generators in loss of offsite power events.
Please explain.
(6) The following should be added to the SSC list for RAP:
(a) h containment sprays in both the wetwell and drywell, because of
{
containment bypass concerns and the potential consequences to the public. (b) ac independent water addition system connections for the fire truck.
(7) The staff finds that the criterion of a cutoff of 20 for risk achievement worth is too limiting and suggests that a cutoff of five to ten be used for reporting purposes.
l (8) In Table 19K.9-1, GE provides recommended test or maintenance intervals to be used by a COL applicant in drawing up it's detailed RAP at the COL stage.
It Table 19K.9-1, do the recommended test intervals match the assumed intervals in the ABWR PRA (i.e., do the test and maintenance intervals in the Table provide assurance that the equipment i
availability and reliability assumptions in the ABWR PRA will come truc?)? Where they do not match, justify the discrepancy.
i (9) It is not clear to the staff why at and dc power did not show up as important for shutdown risk. Please provide an explanation.
(10) The staff believes that your discussion on reliability and maintenance actions in Section 19K.9 needs to more accurately reflect
-l the assumptions of the ABWR-PRA and safety significant design specifications. Two examples of areas that need expansion come from Section 19K.9.ll.
First, GE states that the smoke removal system should be operated annually to demonstrate that it will be able to maintain negative pressure. Details of the test are not given and no mention of special testing requirements are provided.
However, the staff understands that the smoke control system should be tested to insure that it is capable of maintaining a pressure differential even if a door is left open between the divisions. A second example is that the testing and maintenance of seals between divisions that are designed-to prevent cross-divisional internal flooding around doors, penetrations, and other openings is not considered in the discussion on internal floods.
Expand your discussion of reliability and maintenance actions.
l r
l (11) In Table 19K.9-1 GE has provided test and maintenance intervals for critical safety-related equipment, based on core damage frequency l
importance measures.
(a) How is GE attempting to assure that the i
acceptance criteria for these tests reflect the pressure, temperature, l
and other conditions under which the SSCs must perform during severe accidents (i.e., following multiple failures)? For example a valve may
-i need to close against full system pressure differential while the valve t
operator is subject to a high temperature steam environment. A second i
example is a heat exchanger that is normally only subject to a 125 degree F differential temperature, but under severe accident conditions may see a 400 degree F differential.
(b) How is GE assuring that the detailed test and maintenance programs reflect ABWR PRA insights?
(12) Explain why the GE RAP did not identify anti-siphon valves as very safety significant in their use to prevent internal flooding.
l 0-12 (1) In Section 19K.9.ll on fire protection, GE states that room fire i
barriers, including penetrations, should be inspected.
Expand your i
explanation of what constitutes a fire barrier (e.g., separation walls, i
doors, and safety-grade and non safety-grade penetrations) or provide'a reference to where the SSAR defines a fire barrier.
l (2) The staff considers fire dampers in the HVAC systems and any associated electrical motors or mechanical actuation devices to be i
safety significant and believes that they should be added to the SSC list in the RAP.
I-9 (1) Either explain why the spent fuel pool and its supporting systet.s, such as the fuel pool cooling system, which are located in the reactor
~
building, are not discussed in the ABWR internal flooding analysis as possible sources of flooding or provide an analysis.
(2) In plant diagrams in the SSAR, it appears that RCW surge tanks A and i
C have no structure separating them that could prevent the flooding two divisions simultaneously. Discuss this potential concern.
l (3) Discuss the effect on your flood analysis if GE more correctly I
assumes that the two operator actions needed to isolate reactor service water (RSW) system line breaks are linked rather than independent? How was the potential for operators becoming confused (there is the potential that flooding indications could be seen in more than one room) about the source of the RSW flood, followed by their cutting off the intact RSW division, modeled in the flooding analysis?
(4) The control building flood analysis did not address the possibility of failure of the flood protection barriers (penetration seals, if any, i
and watertight doors) between the three divisions of RSW/RCW equipment.
In particular, the watertight doors identified in Table 19R.6-2 for the control building are not describe as being monitored or alarmed.
Address operator error in leaving the doors open or failure of the i
doors.
In general, address. failure of the barriers.
SA-2 In a June 26, 1992 fax, GE submitted a PRA-based seismic margins-analysis for the ABWR. The following questions apply to that submittal:
k
l l
1 (1) Provide justification for the use of the 2.0g/0.45/0.70g fragility parameter values used for the fire water tank. The DSER recommended use-of 1.4 /0.45/0.5.
If GE believes that its values are achievable, they 9
9 should be included in an ITAAC.
I (2) In the original ABWR seismic PRA, for all event tree sequences involving loss of offsite power (LOOP) with on-site available, the event i
trees required RHR in the suppression pool cooling (SPC) mode in' order i
for ultimate success. The new trees have eliminated the need for SPC.
-Provide justification.
(3) For all LOOP sequences with successful scram, the original trees required that RHR heat exchanger integrity be maintained. This is no longer required on the new trees.
Provide GE's rationale.
(4) Provide fragility data for the use of condensate injection (event-V2
-l on the-new trees).
j (5) Provide seismic fault trees for dc power, reactivity control, and standby liquid control.
Provide them as models or a Boolean equation l
for system failure.
i (6) Justify why relay switches do not appear in any of the models.
(7) Although GE states that random failures were considered in the
-i margins study, no random failure values were provided.
Provide a list of all random failures incorporated in the assessment and the failure probabilities used.
1 (8) Prc,1Je sequence level cutsets, both for seismic only and seismic plus random failures.
(9) The technique used for developing plant level HCLPF values in the' GE assessment was apparently to develop plant level fragility curves in a manner consistent with that used for performing a PRA and then calculating the HCLPF using the fraginty parameters for those curves.
This approach is not consistent with the intent of the Expert. Panel that.
developed the margins approach.
Provide revised HCLPF calculations using " MIN-MAX" approach preferred by the Panel.
This is based.on the-i assumption that the HCLPF or an "0R" function (e.g., a list of cutsets) is the lowest HCLPF of any element and that the HCLPF of an "AND" function.(e.g., a cut set) is the highest HCLPF of any element.
Report seismic / random combinations in the form:
X,
- Y l
where "X" is the HCLPF of the seismic portion of the combination and "Y" is the failure probability of the random portion of the combination. Do not include any combinations where the value for "X" is the same as the l.
seismic only HCLPF for the sequence or where the value for "Y" is less than 0.001.
i
i c
r
(
06s September 29, 1992 Reliability Assurance Program - (1) GE has indicated an intent not to h
duplicate requests for inclusion of SSCs into RAP if they are already i
there from deterministic insights. The staff considers it important to identify to the COL applicant the insights from the PRA regarding SSCs to be included in RAP.
If the COL applicant is not provided with PRA-i based SSC insights, the applicant may design and perform periodic tests i
that do not fully challenge the SSC in areas necessary to assure it will oerform during the events postulated in the PRA (and for which it is t
creditad). The staff believes it is necessary for GE to make a complete listir,g of SSCs to be included in RAP based on the insights from the ABWR PRA.
(2) The staff continues to await a listing of reliability j
targets in table form for systems (train or system-wide level) and components identified for inclusion in the RAP.
(3) At a function level, there are several important systems that act as redundant components that, in the aggregate, provide an important safety function, but do not individually have a high importance (as determined by I
importance measures).
Expand your SSC list to include a single train of the following systems: HPCF, RWCU, RHR, LpFL, RSW, and electrical ac.
A walkdown inspection of these systems should be performed periodically (perhaps on a yearly basis) to verify that no unnecessary common cause failures exist between the independent divisions. A checklist could be I
provided to facilitate and guide the inspections.
(4) Add a COL action item to have the COL applicant provide a listing of individual barriers that should be included in the RAP for fire. These barriers should include doors, separation walls / floors between safety divisions, and penetrations between divisions.
(5) Expand RAP to include a requirement that the COL applicant review and exercise annually the emergency operation procedure for operating the Remote Shutdown Panels and i
manually operating RCIC from outside of the control room in emergency l
situations.
(6)
Expand RAP to include fire dampers in the HVAC system.
Seismic Margins - (1) Explain why for sequences 15, 16, 17, and 18 the event trees do not consider the possibility of failure of. RHR heat l
exchanger integrity.
(2) Provide the fragility data for the condensate,
injection (V2).
(3) Explain why no seismic fault trees or fragility values were provided for depressurization, level and pressure control, i
and inhibit ADS.
(4) Discuss the seismic capability of the isolation valves and their controllers in the OPS. What prevents the OPS line _
j from becoming kinked or obstructed during a seismic event?
(5)- Your seismic analysis assumes that an earthquake would not prevent the rupture disk (s) from opening.
Certainly, failure closed of one of the I
isolation valves would fail the COPS.
So would pressurization of the volume between the rupture discs.
Provide a more complete discussion of why Class 11 sequences do not need to be considered for-seismic events.
(6) Discuss whether LPCF, RCIC, and HPCF are capable of pumping I
saturated fluids at 365 F.
If not, what is the basis of-taking credit for them in Class 11 sequences, if the rupture disc has not opened (due for example to a crimp in the line or failure closed of an isolation i
valve) and the pressure in containment has increased to containment J
l
1
~
1 i
ultimate.
(7) Discuss the implications of seismic failure of the SRV discharge line, with or without sprays available.
Would the ADS be l
compromised? Is containment challenged? Are the SRV discharge lines modeled as part of the depressurization system? If not, why not? (8)
Are "p" sequences to be considered as large releases, since they drain the suppression pool?
If not, how should they be considered and why?
(9) On page 8 of your June 26, 1992 fax on Seismic Margins Analysis, you should include SRV discharge line failure under number 9 (Depressurization).
GE's ex-containment LOCA submittal indicated that 1
these lines had a HCLPF of 0.729 (10) The ABWR seismic margins analysis takes credit for use of fire water as an injection source.
i Since neither the diesel driven nor the ac-motor driven fire water pumps are seismically qualified, discuss your basis' for taking credit for fire l
water injection and containment spray.
RWCU - (1) The SSAR needs to be modified to-include a requirement that the COL applicant demonstrate that the proposed changes in the RWCU
- l operating temperatures during severe accidents is acceptable during emergency use.
(2) In the event of a high pressure LOCA or transient l
where 'the RWCU is needed to supply decay heat removal (i.e., RHR has
[
failed), discuss when and if containment isolation would automatically i
occur and how, if at all, it would affect the use of the RWCU.
t PRA Requantification - Based on the LOOP and SB0 event tree (figure
[
19D.4-4), the sequence involving LOOP, followed by successful scram and recovery of offsite power within 30 minutes, has a frequency of 5.79E-2/yr.
In GE's original PRA submittal, this sequence was l
transferred to the Reactor Shutdown event tree (Figure 190.4-1). The staff has recommended that this sequence be transferred to the Isolation / Loss of FW event tree instead.
In the revised submittal (May 21, 1992), this sequence was neither transferred to the Reactor Shutdown I
tree nor the Isolation / Loss of FW tree.
Please explain this i
discrepancy.
i r
- i t
o 1
)
I
(
t t
e i
Q7s October 19, 1992 COL Licensee Information - Your list of COL action items faxed June 30, f
1992 was incomplete. Add the following areas to the list: (a) develop a plan and implement procedures for validating Reactor Service Water and i
UHS assumptions (See the 6/27/92 GE fax on Reliability Assumptions Outside' Certification Scope), (b) develop a requirement that the COL applicant either build its fire water tank to 2.0 /0.45/0.70g fragility 9
or maintain a fire truck that is capable of providing water at a minimum l
pressure and volume to the fire water system following a large seismic j
event.
(c) Modify SSAR Section 19.9.14 to include that the COL i
applicant must complete a site specific analysis for potential flooding i
sources and required mitigation features.
(d) Expand on the discussion in SSAR Section 19.9.14 on floor drain sizing to explain the process of l
deciding the appropriate size flood drain capacity (including consideration of any blockage deemed appropriate by GE).
(e) Expand the COL action item list to include assurance that the Reactor Service Water Pump House is designed so that no more than one division of RSW is affected by potential breaks in RSW lines.
(f) COL applicant is to
~
develop procedures for modes other than full power that preclude i
maintenance in the " intact division" if the other two safety divisions are in maintenance or are potentially subject to a common fire or flood since the barriers between the divisions are not intact.
Fault Trees - On May 28, 1992 the staff requested GE to supply fault trees for the Reactor Water Cleanup System and the Condensate and Feedwater System.
Please comply.
l 1-l i
l 1
e
i ITAAC (I) Based on the PRA, the following areas should be added to ITAAC: (a)
The firewater system. This includes testing of system availability including surveillance of the particular path leading from the outlet at the firewater system to the reactor pressure vessel.
ITAAC must i
demonstrate that the capability to inject from the three alternative-l sources (ac-driven pump, diesel-driven pump, and fire truck) and supply this water in sufficient quantities in all injection modes credited in the PRA.
Injection modes with their respective flow rates at various pressures should be specified.
(b) ACIWA system. This should include I
all fire protection and RHR non-safety piping (with their valves) that i
form this ACIWA system, the ACIWA flow instrumentation, and the ACIWA diesel pump. Also the emergency operation procedures need to be included. The ITAAC should assure that the system will function under simulated station blackout conditions.
(c) seismic insights. There needs to be a table for a seismic ITAAC based on PRA insights. The
.l following are examples of areas to be included (i) RHR heat exchanger a
seismic supports, (ii) ACIWA system seismic supports, (iii) Control rod drive system seismic capacity, (iv) hydraulic control units, and (v)
{
diesel generator and support system capacities.
l (2) Modify tables in Section 19.8 of the PRA.
(a) For Table 19.8-5, j
"PRA Input to ITAAC: Minimize Threats From Internal Fires", (i) add I
evaluation of the smoke removal system, (ii) confirm that the only
" pinch points" in the plant for important safety systems, their controls, and power are the control room and the containment. Other potential pinch points include the cable tunnel area, remote shutdown
(
system area, and electrical equipment / battery areas. (iii) provide a j
q walkdown ITAAC to include systems engineers and fire experts to j
ascertain if the as-built plant meets the assumptions in the ABWR fire r
a PRA.
(b) Modify Table 19.8-6, "PRA Input to ITAAC: Minimize Threats l
p While Shutdown" to take into account GE's expanded evaluation of i
equipment to be included in the shutdown screening tables and to address (perhaps by procedure) the concern that drains are more-likely to become clogged during a flood when the plant is in modes other than full power (due to increased trash and transient items).
(c) Modify Table 19.8-4, "PRA Input To ITAAC: Minimize Threats From Internal Floods" to include reactor building drains, raised sills, and penetration seals;~ the drain system, including check valves, piping alignments / locations, and pumps; i
instrumentation to alert control room operators to a flood; l
instrumentation to alert control room operators that flood-tight doors i
are open; the flood-tight doors that protect ECCS, RSW, and RCW areas; i
and a walkdown with systems engineers to ascertain the adequacy of the as-built plant to prevent and mitigate internal floods.
(d) Modify Table 19.8-I, "PRA Input to ITAAC: Prevention of Core Damage", to i
indicate that (i) RCIC is to be able to operate for at least eight hours following a station blackout without room cooling, (ii) the combustion turbine generator is connectable to any one of the three safety divisions to provide ac power, (iii) clarify to what the injection flow rates quoted for the seismically qualified ac independent water addition system apply (e.g., to the fire truck?), and (iv) provide an ITAAC for
)
t DRAFT i
. - =
j b
use of the fire truck to provide all modes of injection credited in the PRA.
(e) Modify Table 19.8-3, "PRA Input to ITAAC: Maintenance of Containment Integrity", to include a evaluation of the containment overpressure protection system isolation valves (and associated valve operators), flow lines, and special emergency procedures (part of accident management).
(f) Modify Table 19.8-1 and 19.8-6 to include an l
analysis and comparison between the loss of offsite power frequency assumed in the PRA and the site-specific loss of offsite power frequency associated with the regional grid and the site's weather conditions.
If a site does not meet the PRA frequency assumption, then compensating reliability values should be considered under the reliability assurance program (e.g., for equipment such as DG trains, combustion turbine, hydro-electric plant connections).
(3) GE has indicated that relay chatter does not need to be considered in the PRA.
Add an examination to verify that relay devices are not used in the systems modeled in the seismic margins analysis (all are to use solid-state switching devices) except in the electric power distribution system.
(4) The staff did not insist that GE investigate intersystem LOCAs in the PRA because GE agreed to upgrade the piping in interfacing low l
pressure systems. The upgraded piping is to be able to withstand normal operating pressures. Add an ITAAC that confirms the upgraded quality of l
the pipes that interface between the high and low pressure systems.
Specifically list the interfaces to be confirmed.
l (5) The ITAAC are to confirm the success criteria assumed in the PRA (both level 1 and 2).
List the minimum capacities, inventories, flow l
rates, temperatures, heat transfer capabilities, pressures, concentrations, number of trains, and other PRA success criteria assumptions.
Indicate for each success criterion which ITAAC will assure that the criterion will be met.
In the event that the as-built plant does not meet all the success criteria (i.e., is more optimistic l
than the PRA assumptions), provide guidance to the COL applicant as to how it can demonstrate equivalence to the PRA success criteria (e.g., by using realistic thermal-hydraulic codes).
(6) The ABWR owes its very low core damage frequency, in part, to the l
redundancy and independence of its safety systems. There are plant locations where the three-fold redundancy / separation of the ABWR safety i
systems is compromised.
Provide an ITAAC that (a) identifies these areas and (b) provides -for a walkdown inspection of these areas to verify that no unnecessary common cause failures exits among the three safety _ divisions and their support systems.
Systems _to be considered j
include HPCF, LPCF, RHR, RBCW, RSW, and the electrical system.
Common i
cause failures checked for should include fire, flood, and. extreme environment. This walkdown could be included in the walkdowns to be
{
performed for fires and internal floods.
l i
(7) The PRA takes credit for use of the RWCU system as a high pressure decay heat removal system. Modify the PRA-based ITAAC to include I
DRAFT t
r 1
?..
assurance that the RWCU system is capable of providing decay heat removal capability when.RHR cooling has failed. This includes.
consideration of temperature effects on RWCU heat exchangers, temperature effects on piping, RWCU isolation signals, and emergency procedures (procedures should address both the loss of decay heat removal cooling following an event and recovery from an RWCU pipe i
break). The ITAAC also should confirm the ability of the RWCU isolation i
valves to close under the loads (i.e., differential pressures) associated with large LOCAs in the RWCU.
(8)
Provide a matrix that compares items included in RAP with those included in ITAAC to assure that safety significant items have been properly considered in both.
(9) GE's analysis of Class II sequences (loss of containment heat removal) in the PRA concludes that these sequences have a very low probability of leading to core damage because the containment 3
overpressure protection system will eventually open and the pumps that i
remove decay heat are capable of pumping saturated water.
Provide an i
ITAAC that assures that the pumps credited in the PRA (e.g., RHR and I
RCIC) are capable-of pumping saturated water at 360 F and that high temperature sensitive parts (such as resin beds) are properly capable of being isolated on high temperature.
l (10) Many PRAs have concluded that fires are important contributors to core damage frequency. GE's analysis of severe accident fires and the l
staff's review were predicated on fires not spreading between safety divisions.
Provide an ITAAC that specifically seeks to assure that fire, smoke, corrosive fumes, fire suppressants, and hot gases will not j
migrate to other divisions in the event of.a fire.
(11) Although the Reactor Service Water Pump House is modeled in the i
PRA and contains important safety equipment that provides heat removal, it is not part of the Certified design. Provide an ITAAC for the-Reactor Service Water Pump House that will assure that common cause failures are minimized, safety divisions and power sources are i
appropriately redundant and independent, that the fire and internal flooding assumptions in the PRA are designed into the pump house, and i
that capacities assumed in the PRA are realized by the as-built pumps, lines, and valves.
(12) The containment overpressurization system is.important for external event sequences and class II sequences.
Provide an ITAAC that looks at maintenance procedures in order to minimize the chance of inadvertently isolating the containment overpressure system by either-closing the system isolation valves or allowing the volume between the I
rupture discs to become pressurized. The ITAAC also should confirm that the isolation valves in the system are capable of closing against full l
containment pressure (90 psig) at the time of system actuation.
l (13) Basaltic concrete has important advantages regarding limiting l
containment overpressure that are modeled in the ABWR PRA.
Provide an DRAFT
I r
f I
ITAAC that lists the acceptable range of material properties to be used j
in the containment's basaltic concrete.
l (14) Drywell and wetwell spray are important capabilities of the ABWR t
as modeled in the PRA.
Provide an ITAAC that seeks to assure that the paths to provide drywell and wetwell sprays by alignment of pumps and l
valves and by the onsite ACIWA will actually provide these spray l
functions. This can be accomplished in part by examination of emergency t
procedures and by physical testing. The ITAAC also should evaluate whether the sprays in the as-built plant can be used following a seismic i
event, as is claimed by GE in its seismic analysis (when SRV discharge line fails). The ITAAC should examine the ability of the ACIWA to operate during a station blackout event.
4 (15) The proper operation of drywell/wetwell vacuum breakers is needed j
in certain circumstances to prevent wetwell failure.
Failure of the j
pool or the vacuum breakers would lead to an unscrubbed release.
Provide an ITAAC that assures proper operation of the vacuum breakers including location confirmation, shielding from pool flash / swell, and 3
initial operability.
)
(16) The decay heat removal reliability study assumes that divisional l
~
separation and independence will be maintained between one fully j
operable safety division and other divisions that may or may not be i
fully operable.
GE should develop an ITAAC that seeks to assure this divisional separation and independence of safety divisions.
It may be possible to provide this assurance through review of procedures applicable to maintenance in modes other than full power.
(17)
Importance analysis shows that RCIC is a very important system in preventing station blackouts from leading to core damage.
GE should
-j i
provide an ITAAC that confirms the ability of the ADS to depressurize the reactor following failure of RCIC due to battery depletion.
i i
j (18) An important assumption in the level 2 analysis is that water has f
little chance of entering the area below the vessel prior to vessel failure.
GE should provide an ITAAC that assures that no unforseen l
paths exist in the as-built plant that would render the 1ower drywell flooded at the time of reactor vessel breach in dominant severe accident j
sequences.
I i
i i
DRAFT 4
s CLARIFICATIONS NEEDED REGARDING THE ABWR PRA INPUT TO RAP December 22, 1992 page 19K-10, Section 19K.5 - Please explain why the hydraulic control units were deleted from the list of important SSCs.
pages 19K-11 and -12, Section 19K.8 - Previous staff comments inquired as to why ac/dc power were not listed as important SSCs in the shutdown analysis.
GE indicated in writing that it was going to add ac/dc power.
However, they do not appear on the list of important SSCs in Section 19K.8.
Please explain why.
i page 19K.21, Section 19K.11.7 - GE has proposed to inspect a limited number of systems (based on its PRA-based seismic margins analysis) once every 10 years by repeating the seismic walkdown which was conducted after construction in the general area of the equipment.
The staff finds the ccr. cept to be an excellent idea, but would propose the following modifications: perform the EPRI NP-6041 examination for seismic vulnerabilities again, but do not repeat the calculational portion of the walkdown. This will assure that the seismically l
important systems are all examined and will help to assure that the assumptions that were made in the ABWR PRA-based seismic margins i
analysis (e.g., supports) continue to hold for the as-built plant 10 l
years later.
page 19K-23, Section 19K.ll.12 - The staff and GE have discussed the importance of performing a good annual test of the smoke removal system.
.i The staff had pointed out the concern that the test reflect the potential for more than one door being open between divisions due to fire fighting or other needs.
It is important for the fire fighters to i
know if having more than one door open will nullify the smoke control system negative pressure capacity.
In Section 19K.ll.12 GE has indirectly addressed this concern by stating that the test should be performed without restricting personnel movement.
It is not clear to the staff if this admonishment will provide a determination of the capability of the smoke control system to work effectively with more than one door open between divisions. The staff. suggests that more direct wording of this concern would be useful.
Please address this l
1ssue.
I i
t l
'f
t r
CLARIFICATION OF LOCAs OUTSIDE CONTAINMENT December 22, 1992 Concern 1 i
1.
Table 19E.2 (a) Is this table complete in its evaluation of all possible bypass paths? (b) If not, do we know what has not been evaluated here?
(c) Do we know the limitations?
2.
(a) When estimating the conditional bypass probability, explain how EQ was taken into account.
(b) Address GE assured that potentially affected equipment was qualified? (c) If equipment was not known to be i
qualified, how was it handled?
3.
(a) For Figures 1, 2, and 3 in the December 17, 1992 GE draft SSAR submittal, explain how each value of X is calculated.
It is 3
unacceptable merely to state that the calculation is similar to other calculations in the staff's possession, although identical calculations can be referenced.
(b) Similarly, provide the calculations for Oo.
4.
For medium and large breaks, GE claims that because of the depressurization caused by such break sizes, the rate of loss of inventory from the break (after some unspecified time) is compensated for by available makeup sources outside of containment, such as firewater.
No basis is given for this claim.
(a) How much time does an operator have to switch over to an outside source if a break occurs outside of containment?
(b) Explain how this makeup will be provided at a dry site (perhaps one with cooling towers or a spray pond).
(c)
Provide further information/ commitments to assure that makeup will be available until the plant can be brought to a safe, stable state.
l Concern 2 1.
GE's response to concern 2 (whether GEs analysis was exhaustive in l
searching for and discovering potential bypass lines) is not l
satisfactory.
Provide a judgement on bypass potential based on up-to-i date P&lDs, not those from 1988.
Concern 3 1.
It appears that the value of Q (failure of another division) was l
estimatedtobeIE-3iftheL0bAinthesecondarycontainmentoccurred near another division wall.
(a) Please amplify on how this was determined and what was the basis for deciding which LOCAs were or were not IE-3 events.
(b) Also please explain the how the values of Q and i
Qo in Figure 2 (Medium LOCA Dutside of Containment) were determined.
2.
Please explain the assumed effect that LOCAs outside of secondary containment will have on at or dc power circuits that power divisions inside of containment.
i
. A t W),
f t3 Q9s
- f4 e% b N
10/29/92 b pN w
1.
Internal Floods - (a) The internal flooding analysis appears to not have considered a flood caused by emptying of the condensate storage tank into the reactor building. This flood appears as if it would result in a flood that is four to five feet higher than that caused by a flood from the suppression pool.
Discuss how the internal flooding analysis considered condensate storage tank floods and what was the result of this analysis.
(b) Will water tight doors need to be dogged?
If they are not, will they still hold water in/out? (c) GE is confirming the EQ for the ECCS pumps for a steam environment.
(d) Confirm that GE has added to RAP those components / systems in the DHR study, but not in the current RAP tables.
2.
RAP - GE will confirm that the diesel generator reliability numbers in l
the PRA are the same as those prescribed by the ATWS rule.
l 3.
PRA-Based Seismic Margins - (a) On 11/l'l/92, GE indicated it would strengthen the seismic capacity of the battery racks. Was this done?
(b) On 11/11/92, GE indicated it would look at loss of de power during ATWS sequences since dc power is needed for RCIC and ADS. Was this done? (c) The event trees for seismic events do not take credit for the
~
fire truck.
Is this an oversight? Should the truck be considered?
Where will the truck be housed?
4.
Equipment Not in Certified Design - Awaiting response to 9/21 question to GE on what equipment is taken credit for in the PRA that is not in the certified design.
j 5.
Shutdown Reliability - What is the effect on the capability to operate l
fire water valves (ACIWA) inside secondary containment in mode 5 event where steaming is to be the method of decay heat removal? Are these valves needed to supply vessel injection and maintain vessel level?
i i
6.
Local Operation - Awaiting response question on what equipment (non-
~
safety) is powered by the gas turbine and the diesel generators? Need COL action item on the procedures for lining up the generators.
7.
Fires - (a) GE will provide information on how the smoke removal test is performed (i.e., what is acutally tested and how it is tested).
(b) GE will confirm that fire fighting and core injection can or cannot occur L
simultaneously from the diesel driven fire water pump, the ac driven fire water pump, or the fire truck.
i 8.
GE to provide an unambiguous definition of unavailability.
I 4
O hmS i
Q10s a
January 27, 1993 t
1.
How do we assure that commitment for COL applicant to (e.g.) operate in shutdown with I train isolated, I train in standby, and only 1 train in i
maintenance is not changed? Unless it is in Tier 2, it can be changed without even as much as a 50.59-type process.
2.
Check how we are tieing down functional reliability of equipment.
Islit in an interface? What does a COL item really mean as a commitment?
Does a COL applicant have to do it? Is it a commitment for the entire license or only for now or for some limited time?
t 3.
Discussions with GE in San Jose on January 20th call into question the ability of the ABWR ECCS pumps to pump hot saturated water (360 F).
I What is reality? If cannot, Class 11 events are much more important, j
4.
What happens if the volume between the rupture disks in the COPS were to pressurize either before or during an event? Would it be alarmed?
Would it show up on some gauge? Can the pressure be relieved? If so, at what volumetric rate?
5.
GE must certify that the PRA represents the up-to-date design.
l 6.
GE (Gary Elliot) to provide me with marked up SSAR that states safety and nonsafety penetrations have same qualification requirements.
L 7.
COL Items - (a) It is unclear if GE has submitted all the requested COL action items. Check those of 11/10/92 response by GE to my 10/29/92 questions.
(b) Check if COL action item on flooding procedures (internal).
(c) GE stated that it would not take credit for siphon l
valve vacuum breakers if the UHS were above the plant.
Is this in the COL items?
(d) Check if GE has commitment to increase battery capacity.
(e) Check if GE has commitment to see.if SW pump house pumps are in separate watertight bays where internal floods will not damage them.
8.
Check GE's definition of availability and reliability.
9.
Check if GE has updated the RAP recommendations based on the latest shutdown risk work (IE-5 cond. CDF). Check if reliability in RAP is as
~
good as that in SB0 rule.
j l
10.
Check if the ACIWA manual isolation valves could be subject to steam i
environment (are they qualified), if there really is enough time to get l
into the area of the valves inside secondary containment under shutdawn conditions where the plant loses core cooling and the RCS water level is low. When will the water level in the RCS purposely be lowered? Check if these valves could be affected by internal flooding.
11.
Internal flooding - (a) Check. if the flooding of individual RSW areas will annunciate by division so operator knows which pump to turn off.
i (b) Check wording of internal flooding analysis regarding flood doors 1
and when can open them (about pg 10). Concern is that the wording would
?
t i
allow one to open doors in a way that could flood the system that you will be depending on (either that of the standby system or the isolated system).
(c) Check which rooms have water tight doors and which have only fire doors (e.g., RWCU). Are there any problems with the' design?
(d) Check GE's definition of minimum sets for internal flooding when shutdown.
See 11/11/92 notes.
12.
Seismic margins - (a) Check the changes in the seismic margins capacities of equipment.
(b) Check how seismic evaluated SRV line i
discharge break and RWCU break that is unisolable.
(c) Do the directions to RAP for the ten year seismic walkdown still limit the equipment considered or does it cause those performing the walkdown to look at the same equipment examined under the EPRI NP-6041 walkdown (but without performing the calculations)?
13.
What equipment is powered off the gas turbine, both safety and non-
~
~
safety. Will procedures exist for operation of gas turbine? Will they include stripping busses and loading on new safety loads? What about procedures to take advantage of the capability of the gas turbine to cross-tie loads to any DG or some offsite powered busses?
14.
Shutdown - (a) Check shutdown matrices.
(b) If have flood, what is l
available in the non-isolated systems if the isolated system is flooded?
[
Is the CCDF still IE-5? (c) Look at alarms on flood doors in RX building and between turbine building and control building / reactor building.
+
i I
l i
f
PRA-BASED ITAAC INSIGHTS The search for insights needs to be systematic. This includes'the vendor re-reading the PRA to glean out important insights. An example of such is an insight is from the ABWR PRA that states that the building housing the diesel-driven fire pump will be constructed in a way that if it collapses during an earthquake, the failure of the building will not affect the pump's ability to function.
The PRA insights identified will be " handed off" to the COL applicant for its use. There is a good chance that few of the people working for a utility (COL applicant) will read all of the PRA to gather insights.
By summarizing and placing the insights in one location, the chance for use and understanding of these insights is increased.
The PRA in and of itself will not be Tier 1 or 2.
Safety insights from the PRA (or portions of the insights) will go into Tier 2 (the design control document).
6 A subset of these Tier 2 safety insights will go into Tier 1.
The decision on what goes into Tier 1 primarily will be made by engineering judgement.
Insights to be considered include the following: important assumptions in the PRA, SSCs denoted by importance measures, bypass sequences (containment and suppression pool), SECY 90-016 features, how the design meets containment performance goals, external events, shutdown events, important core damage sequences, what keeps CDF low, and what has large uncertainty and in the extreme could become an important contributor.
Each insight will include a description of why it is safety significant.
Initial efforts should identify potential insights that were discarded and why they were.
Examples of why an insight was discarded could be that multiple other systems perform the same function or the numerical result (and implied insight) was caused by overly conservative assumptions / analysis.
In discussions with GE, it was decided that for -
the initial set of insights, if a reviewer had to ponder why an insight
' was not important, then at a minimum it was a candidate for an explanation of why it was not included in the insights list.
The staff will audit results.
After staff reviews / audits results and gives comments to GE, assuming that GE has done a reasonably good job of identifying insights, then the next step will be for GE to decide which of these insights go into Tier 2.
Again, the staff will audit this process. Once insights are allocated to Tier 2, the staff and GE will provide these insights to the respective appropriate technical reviewers / analysts for their consideration as to whether the insights are candidates for Tier 1.
I would expect that there will be additional discussions needed between the PRA people and the reviewers / analysts to help the analysts better understand the safety significance of pertinent insights.
f e
\\t Next, GE proposes which insights are to be included in Tier I and provid 1 markup of the Tier 1 material. The staff will audit this matertai. The staff also may do independent evaluations to determine which insights should be included in Tier 1.
O o
h