ML20044D512

Forwards Westinghouse Responses to NRC Requests for Addl Info on AP600 from 930126,0218,0312 & 0413 Ltrs.Westinghouse Responses to Remainder of Requests for Addl Info Contained in 930126 Ltr Will Be Provided Prior to 930529
ML20044D512
Person / Time
Site: 05200003
Issue date: 05/14/1993
From: Liparulo N
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Borchardt R
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
ET-NRC-93-3886, NUDOCS 9305190237


Text


Westinghouse Electric Corporation
Energy Systems

ET-NRC-93-3886
NSRA-APSI 93-0173
Docket No.: STN-52-003

May 14, 1993

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

ATTENTION: R. W. BORCHARDT

SUBJECT:

WESTINGHOUSE RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION ON THE AP600

Dear Mr. Borchardt:

Enclosed are three copies of the Westinghouse responses to NRC requests for additional information on the AP600 from your letters of January 26, 1993, February 18, 1993, March 12, 1993 and April 13, 1993. This transmittal is a partial response to these letters. A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A. The Westinghouse responses to the remainder of the requests for additional information contained in your letter of January 26, 1993 will be provided prior to May 29, 1993.

If you have any questions on this material, please contact Mr. Brian A. McIntyre at 412-374-4334.

Nicholas J. Liparulo, Manager
Nuclear Safety & Regulatory Activities

/nja
Enclosure

cc: B. A. McIntyre - Westinghouse
    F. Hasselberg - NRC

9305190237 930514 PDR ADOCK 05200003 A PDR

ET-NRC-93-3886

ATTACHMENT A

AP600 RAI RESPONSES SUBMITTED MAY 14, 1993

RAI No.       Issue
220.021       Wind force & vertical velocity profiles
220.022       Missile velocities
220.023       Compliance with SRP Section 3.5.3
410.099       SFP/Aux/Radwaste area ventilation (WCAP-13053)
410.101       VRS conformance to SRP (WCAP-13053)
410.104       HP & hot machine shop HVAC (WCAP-13053)
420.002R01    PMS failure modes and effects analysis
420.011       Operation of monitoring system for LOFW
420.014       Interface arrangement between workstations
420.026       Reactor coolant pump speed monitoring
420.027       Inter-cabinet communications
420.029       Status indication criteria
420.038       Number of control multiplexer cabinets
420.045       Division synchronization
420.046       P-18
420.048       Time constants
420.049       Reset reactor trip (not redundant)
420.082       Safety panel displays
420.085       Nuisance alarms
420.088       First stage ADS valve
420.090       Units involved in generating S signal
440.032       Emergency response guidelines
440.034       CMT scaling tests
720.055R01    Accident management measures
720.056R01    Accident management issues

NRC REQUEST FOR ADDITIONAL INFORMATION

Question 220.21

The last paragraph in Section 3.3.1.1 of the SSAR states that "Vertical velocity profiles and gust response factors are calculated according to [the American Society of Civil Engineers (ASCE) 7-88 (formerly ANSI A58.1-82), "Minimum Design Loads for Buildings and Other Structures"] for exposure D. This is the most severe of the four cases specified in [ASCE 7-88]." The most severe cases appear to be the combination of the gust response factors with exposure A and the velocity pressures with exposure D for the velocity pressure exposure coefficient of Kz.

In the case of velocity pressure "qz," exposure D gives higher values of qz. This reversal of the influence of exposure categories in terms of the qz and gust response factors can be confusing.

For the standard design, the exposure categories can vary. Therefore, provide the actual wind force profiles to be used for the standard design for the various shapes of the structures. The applicant for a combined operating license (COL) will have to compare the site-specific wind force profile to the design wind force profile.

Calculations of vertical velocity profiles with exposure D are not given in ASCE 7-88. Provide the actual vertical velocity profiles to be used for the standard design for the various shapes of the structures. The COL applicant will have to compare the site-specific vertical velocity profile to the design vertical velocity profile.

Response

Design wind pressures are summarized in Table 4 of ASCE 7-88. The design wind pressure for the main wind-force resisting system is a function of both the velocity pressure exposure coefficient, Kz, and the gust response factor, Gh, which are given in Tables 6 and 8 for each of the four exposure categories. Although the magnitudes of the gust response factor, Gh, are higher for exposure A than for exposure D, the velocity pressure exposure coefficient for exposure A is significantly lower, and the design loads for exposure A are lower than for exposure D.

The design wind loads for the AP600 are based on exposure D, which gives larger loads than for the other exposures. Since the design is based on the most severe of the exposure conditions it is not necessary for an applicant for a combined operating license to compare against the design wind loads. It is sufficient to compare against the basic wind speed of 110 mph, which is shown as the site interface in Table 2.0-1.

The SSAR reference to vertical velocity profiles will be revised to velocity pressure exposure coefficient as used in ASCE 7-88.

The third paragraph of SSAR Subsection 3.3.1.1 will be revised as follows:

SSAR Revision:

Velocity pressure exposure coefficients and gust response factors are calculated according to Reference 1 for exposure D. This results in the most severe design wind loads of the four cases specified in Reference 1.

Question 220.22

Section 3.5.1.4 of the SSAR describes a missile with a vertical velocity of 74 mph. This is 70% of the postulated horizontal velocities for a 1,800 kg (4,000 pounds) automobile and a 125 kg (275 pound), 20.32 cm (8 inch) shell as recommended in Section 3.5.1.4 of the SRP. However, the tornado missiles specified in Table 2.0-1 do not have these vertical velocities for a 1,800 kg (4,000 pounds) automobile and a 125 kg (275 pounds), 20.32 cm (8 inches) shell. Specify these vertical velocities in Table 2.0-1 or redefine the tornado missiles as Spectrum I as specified in Section 3.5.1.4 of the SRP.

Response

SSAR Table 2.0-1 will be revised to include the vertical velocity for the tornado missiles.

The missile site interface in Table 2.0-1 will be revised as follows:

SSAR Revision:

Missiles

Tornado

4000-lb automobile at 105 mph horizontal, 74 mph vertical
275-lb, 8 in. shell at 105 mph horizontal, 74 mph vertical
1-in.-diameter steel ball at 105 mph horizontal and vertical

Question 220.23

Section 3.5.3 of the SSAR provides formulae for missile penetration calculations into steel or concrete barriers. Also, it states that "Due to the conservative nature of these assumptions, the minimum thickness required for missile shields is taken as the thickness just perforated." However, Table 1 in Section 3.5.3 of the SRP specifies the minimum acceptable barrier thickness requirement for local damage prediction against tornado generated missiles. Explain how the AP600 design complies with this guideline.

Response

The thicknesses of the concrete external walls and of the roof of the nuclear island satisfy the minimum thicknesses given in SRP 3.5.3 for Region II.

SSAR Subsection 3.5.3 will be revised as follows:

SSAR Revision:

In using the modified NDRC, BRL, and Stanford formulas for missile penetration, it is assumed that the missile impacts normal to the plane of the wall on a minimum impact area (and in the case of reinforced concrete) does not strike the reinforcing. Because of the conservative nature of these assumptions, the minimum thickness required for missile shields is taken as the thickness just perforated.

Structural members designed to resist missile impact are designed for flexural, shear, and buckling effects using the equivalent static load obtained from the evaluation of structural response. Stress and strain limits for the equivalent static load comply with applicable codes and Regulatory Guide 1.142. The consequences of scabbing are evaluated if the thickness is less than the minimum thickness to preclude scabbing.

The thicknesses of the exterior walls above grade and of the roof of the nuclear island are 24 inches and 15 inches, respectively. The roof is constructed using left-in-place metal deck. These thicknesses exceed the minimum thicknesses for Region II tornado missiles specified in Standard Review Plan 3.5.3.

Question 410.99

For Q410.95-Q410.104, demonstrate how the AP600 design meets applicable GDCs by providing failure modes and effects analyses and other requested details, as identified in applicable SRP section(s) review methodology.

Section 9.4.3 of the SSAR, "Radiologically Controlled Area Ventilation System (VAS)," partially falls under review guidelines of Section 9.4.2 of the SRP for the fuel handling area HVAC subsystem and Section 9.4.3 of the SRP for the Annex II and auxiliary building portion HVAC subsystems.

WCAP-13053 indicates that Westinghouse is taking an exception to Position C.1 of R.G. 1.29 for the safety-related portions of the spent fuel pool area ventilation system, but other acceptance criteria are identified as "acceptable" to indicate conformance with GDCs 2, 60 and 61. Demonstrate that this system conforms with the guidelines of R.G. 1.29 (to show it meets GDC 2), Position C.2 of R.G. 1.52 and Positions C.1 and C.2 of R.G. 1.140 (to show it meets GDC 60 with respect to the capability of the subsystem to suitably control release of gaseous radioactive effluents to the environment), and Position C.4 of R.G. 1.13 [to show it meets GDC 61 with respect to the subsystem's capability to provide appropriate containment, confinement, and filtering to limit releases of airborne radioactivity to the environment from the fuel storage facility under normal and postulated accident conditions (see Section 9.4.2 of the SRP for the fuel handling area HVAC subsystem)]. The P&IDs, flow diagrams, component data, and system description should reflect corresponding conformance information as identified in Section 9.4.2 of the SRP, i.e., Table 3.2-3 should reflect equipment information for HEPA filter(s), adsorbers, single failure criteria design for equipment, isolation dampers, radiation detectors, etc.

WCAP-13053 indicates that the auxiliary and radwaste area ventilation systems conform with Position C.2 of R.G. 1.29 and Positions C.1 and C.2 of R.G. 1.140. Demonstrate that the Annex II and auxiliary building portion HVAC subsystems conform with the guidelines of R.G. 1.29 (to show it meets GDC 2) and Positions C.1 and C.2 of R.G. 1.140 [to show it meets GDC 60 with respect to the capability of the subsystem to suitably control release of gaseous radioactive effluents to the environment (see Section 9.4.3 of the SRP)]. Similar applicable details identified above for the fuel handling area should be provided for these HVAC subsystems.

Response

Fuel Handling Area HVAC Subsystem:

Compliance with Position C.1 of Regulatory Guide 1.29 is not applicable to the fuel handling area HVAC subsystem because this HVAC subsystem does not perform any safety-related functions. The calculated radiological releases discussed in SSAR Subsection 15.7.4.2 do not take credit for HVAC isolation or filtration after a design basis fuel handling accident. Because this HVAC subsystem does not perform any safety-related functions, it is not required to remain functional after a safe shutdown earthquake (SSE).

Compliance with Position C.2 of Regulatory Guide 1.29 is satisfied because the fuel handling area HVAC subsystem is evaluated for interaction with seismic Category I systems as described in SSAR Subsection 3.7.3.13 so that the fuel handling area HVAC subsystem cannot reduce the functioning of any safety-related plant features.


Compliance with Position C.3 of Regulatory Guide 1.29 is satisfied because the VAS fuel handling area HVAC subsystem does not interface with any seismic Category I components, and the connection of VAS nonseismic Category I equipment and duct supports to seismic Category I structures will not reduce functioning of seismic Category I structures. The containment air filtration system (VFS) provides filtered exhaust from the fuel handling area when high airborne radioactivity is detected (SSAR Subsection 9.4.7.1.2). The non-safety-related VFS includes seismic Category I containment penetrations that maintain containment integrity during containment isolation (See SSAR Subsection 9.4.7.1.1). The containment isolation system is designed and fabricated in accordance with the seismic categories assigned by Regulatory Guide 1.29 (SSAR Subsection 6.2.3.1.1) and complies with Position C.3 of Regulatory Guide 1.29 as noted in SSAR Appendix 1A.

Compliance with Position C.4 of Regulatory Guide 1.29 is satisfied because the pertinent Quality Assurance requirements of 10 CFR 50, Appendix B are applied to the seismic Category I portion of the containment penetrations in accordance with SSAR Subsections 6.2.3.2.2 and 3.2.2.4.

The guidance provided in Regulatory Guide 1.52 does not apply to the filtered exhaust system serving the fuel handling area since ESF filtration to mitigate a design basis fuel handling accident is not required.

The exhaust air from the VAS fuel handling area subsystem is unfiltered but monitored for airborne radioactivity during normal plant operation and refueling operations as shown in SSAR Figure 9.4.3-1 (Sheets 4 and 5). When high airborne radioactivity is detected, the VFS provides filtered exhaust for the fuel handling area. As described in SSAR Subsection 9.4.7, the VFS is a non-safety-related system and is not relied on to meet the 10 CFR 20 requirements. The VFS filtered exhaust conforms to Positions C.1 and C.2 of Regulatory Guide 1.140 as follows:

R.G. Position

C.1.a The VFS filtered exhaust is designed for anticipated environmental operating conditions. The design includes a demister in anticipation of the possible formation of water droplets during extended isolation of the fuel handling area and an electric heater to reduce the relative humidity of the air entering the charcoal adsorber below 70 percent (See SSAR Table 9.4.7-1.) The filter plenums and exhaust ductwork located upstream of the exhaust fans (MA 02A and MA 02B) are structurally designed for transient pressure conditions resulting from the rapid closure of isolation dampers and valves in accordance with ASME N509-1989. The exhaust filters are located in a shielded compartment based on anticipated accumulation of radioactivity.

C.1.b The VFS exhaust air filter units are located in their own compartment at elevation 135'-3" of the annex II building, as shown in SSAR Figure 1.2-26. Shield walls are provided to reduce radiation doses from the VFS exhaust air filter plenums to the surrounding annex II building areas.

C.1.c The VFS filtered exhaust will not degrade the operation of any engineered-safety-feature system based on the rationale for compliance with Regulatory Guide 1.29 discussed previously. The VFS is powered from the main ac power system (ECS), which is independent of the safety-related Class 1E power sources. (See SSAR Chapter 8.)

C.1.d The VFS filtered exhaust includes a prefilter to remove particulates to extend the life of the HEPA filters, as shown in SSAR Figure 9.4.7-1. Normally, there are no significant amounts of airborne chemical contaminants. Local portable filtration and/or guard beds filled with adsorbent are used to protect the permanent VFS charcoal adsorbers on an as-needed basis, if significant harmful chemical vapors are present.

C.2.a The VFS exhaust for the fuel handling area includes redundant filter trains with HEPA and charcoal filtration, as shown in SSAR Figure 9.4.7-1.

C.2.b The VFS filtered exhaust is rated at 4,000 ft³/minute (see SSAR Table 9.4.7-1) and consists of a HEPA filter array that does not exceed ten wide by three high for ease of maintenance.

C.2.c Proposed instrumentation, as shown in SSAR Figure 9.4.7-1, is based on ASME N509-1989 Table 4-2 for non-ESF systems and is consistent with the monitoring of pertinent filter pressure drops and airflow rates in accordance with the recommendations of ERDA 76-21, Section 5.6.

C.2.d The VFS exhaust filter units are designed to maintain occupational radiation exposure to plant operating and maintenance personnel as low as reasonably achievable. The VFS exhaust filter units are located within a shielded area to reduce radiation doses in adjacent, more frequently occupied plant areas in accordance with Position C.2.b(3) of Regulatory Guide 8.8. A permanent service gallery is provided for convenient access in accordance with Position C.4.a of Regulatory Guide 1.140. Plenum interior access space, required for filter changeout, is based on the guidance provided in Position C.4.h of Regulatory Guide 1.140.

The exhaust fans are located downstream of the VFS filter plenums to maintain a negative air pressure within the filter plenums during system operation. The filter plenums are located in an area of low potential airborne contamination (annex II building). When the VFS provides filtered exhaust from the fuel handling area, auxiliary building (or containment), a negative operating pressure prevents unfiltered exhaust from exfiltrating into the filter compartments.

C.2.e The air inlet openings for the VFS exhaust filter units are located within enclosed plant building areas (i.e., containment, annex II building, fuel handling area, and radiologically controlled areas of the auxiliary building) so the requirement for an inlet louver, a bird screen, and the like does not apply to the design of the VFS exhaust units.

C.2.f The filter housings are designed to have a maximum allowable leakage rate of 1.0 percent (SSAR Subsection 9.4.7.2.2) of rated airflow based on Leakage Class II criteria for non-ESF housings provided in Table B-3 of Appendix B to ASME N509-1989. This does not comply with the maximum allowable leakage rate of 0.02 percent recommended by ANSI N509-1976 and referenced by Regulatory Guide 1.140. Because the filter plenums operate at a negative air pressure, the higher housing leakage rate does not adversely affect ALARA or significantly reduce system air cleaning effectiveness.

VFS exhaust filtration units are field-tested in accordance with ASME N510-1989 as discussed in SSAR Subsection 9.4.7.4. Section 6 of ASME N510-1989 requires that duct and housing leakage rates be verified. The VFS exhaust ductwork is also designed and tested in accordance with ASME N509 and N510, respectively.

Compliance with Position C.4 of Regulatory Guide 1.13 to provide a controlled leakage building is satisfied because the spent fuel pool is completely enclosed by the radiologically controlled areas of the auxiliary building as shown in SSAR Figures 1.2-9 and 1.2-15. The auxiliary building is a seismic Category I structure (SSAR Table 3.2-2).

The fuel handling area HVAC subsystem maintains the normal ambient air pressure slightly negative with respect to adjacent clean plant areas to provide controlled building leakage and monitoring of exhaust air discharged to the plant vent (SSAR Subsection 9.4.3.2.3).

The ventilation and filtration systems comply with Position C.4 of Regulatory Guide 1.13 to limit the potential release of radioactive iodine and other radioactive materials by monitoring the airborne radioactivity in the normal exhaust duct from the fuel handling area. The normal (unfiltered) exhaust duct is automatically isolated when high exhaust airborne radioactivity is detected (SSAR Subsection 9.4.3.2.4). The VFS provides filtered exhaust from the fuel handling area to maintain this area at a slightly negative air pressure during conditions of high airborne radioactivity (SSAR Subsection 9.4.7.1.2). As noted in our response to Q460.4D, the VFS exhaust filters include HEPA filters and charcoal adsorbers to filter radioactive particulates and iodine and are designed to comply with the guidelines of Regulatory Guide 1.140.

Although the VFS exhaust performs no safety-related functions, two 100-percent capacity filter trains and fans maintain system operability considering a single active component failure (SSAR Subsection 9.4.7.2.1). Active components, such as radiation monitors and isolation dampers, used to isolate the fuel handling area while the filtered exhaust is operating are also designed with redundancy to accommodate a single active component failure (SSAR Figure 9.4.3-1, Sheets 2, 4, and 5). The fuel handling area exhaust duct is sized to provide transit time delay of exhaust air for detection of airborne radioactivity and closure of the building isolation dampers prior to the release of unfiltered air to the environment (SSAR Subsection 9.4.3.2.3). The building isolation dampers are of bubble-tight construction and fail-safe in a closed position if power or instrument air is unavailable (SSAR Subsection 9.4.3.2.2). The VFS filtered exhaust system can be manually connected to the onsite diesel-generators if there is a loss of offsite power (SSAR Subsection 9.4.7.2.4). Hence, the ventilation system does provide appropriate containment, confinement, and filtering to limit releases of airborne radioactivity to the environment from the fuel storage facility during normal and postulated accident (non-DBA) conditions in accordance with GDC 61. This HVAC system is non-safety related because it is not required to function to mitigate a design basis fuel handling accident.

The AP600 design provides confinement of the spent fuel pool and filtration of releases directed to the environment. No credit for these features is assumed in the determination of the radiological consequences of a fuel handling accident (SSAR Subsection 15.7.4). In Position C.4 of Regulatory Guide 1.13, it is stated that:

The design of the ventilation and filtration system should be based on the assumption that the cladding of all of the fuel rods in one fuel bundle might be breached. The inventory of radioactive materials available for leakage from the building should be based on the assumptions given in Regulatory Guide 1.25, .. .

The use of the assumptions given in Regulatory Guide 1.25 results in an excessive level of conservatism that distorts the understanding of the impact of the accident. As discussed in SSAR Subsection 15.7.4, the fuel handling accident dose analysis takes a number of exceptions to the guidance of Regulatory Guide 1.25. The analysis remains conservative.

System single failure criteria, based on SRP 9.4.2 guidelines, does not apply to the fuel handling area HVAC subsystem because it does not perform any safety-related functions. The principal codes for the VAS and VFS equipment components are shown in Table 3.2-3, with specific equipment performance criteria shown in Tables 9.4.3-1 and 9.4.7-1. The design of the radiation monitors for the fuel handling area is discussed in SSAR Section 11.5.

Auxiliary and Annex II Building HVAC Subsystem:

The radiologically controlled areas of the auxiliary and annex II buildings are served by the VAS except for the hot machine shop, which is served by the health physics and hot machine shop HVAC system (VHS). Conformance to Position C.2 of Regulatory Guide 1.29 and Positions C.1 and C.2 of Regulatory Guide 1.140 for the VHS system is provided in the response to Q410.104. The following discussion applies to the VAS.

Compliance with Position C.1 of Regulatory Guide 1.29 is not applicable to the VAS auxiliary and annex II building HVAC subsystem because this HVAC subsystem does not perform any safety-related functions. There are no design basis accidents (SSAR Section 15.6) that assume HVAC isolation or filtration of exhaust air from the auxiliary and annex II buildings. Because this HVAC subsystem does not perform any safety-related functions, it is not required to remain functional after a safe shutdown earthquake (SSE).

Compliance with Position C.2 of Regulatory Guide 1.29 is satisfied by reviewing the layout of safety-related components and classifying portions of non-seismic Category I systems as seismic Category II, if their failure could reduce the functioning of plant features required for plant safety after an SSE.

Compliance with Position C.3 of Regulatory Guide 1.29 is satisfied because the VAS auxiliary and annex II building HVAC subsystem does not interface with any seismic Category I components and because the connection of VAS nonseismic Category I equipment and duct supports to seismic Category I structures will not reduce functioning of seismic Category I structures. The VFS filtered exhaust is common to the fuel handling area, auxiliary and annex II buildings (and containment). As noted above, VFS seismic Category I containment penetrations comply with Position C.3 of Regulatory Guide 1.29.

Compliance with Position C.4 of Regulatory Guide 1.29 is satisfied on the basis provided above for the fuel handling area HVAC subsystem.

The general exhaust air from the VAS auxiliary and annex II buildings is unfiltered but monitored for airborne radioactivity during normal plant operation, as shown in SSAR Figure 9.4.3-1 (Sheets 3, 5, and 6). Therefore Regulatory Guide 1.140 applies only to the VFS, which provides filtered exhaust when high airborne radioactivity is detected. Compliance with Positions C.1 and C.2 of Regulatory Guide 1.140 is the same as described for the fuel handling area HVAC subsystem, except as noted in the following:

R.G. Position

C.1.a Same rationale as the fuel handling area HVAC subsystem except that the formation of water droplets during isolation of the auxiliary and annex II buildings is not anticipated.

System single failure criteria, based on SRP 9.4.3 guidelines, does not apply to the auxiliary and annex II building HVAC subsystem because it does not perform any safety-related functions. The principal codes for the VAS and VFS equipment components are shown in Table 3.2-3 of the SSAR, with specific equipment performance criteria shown in Tables 9.4.3-1 and 9.4.7-1. The design of the radiation monitors for the auxiliary and annex II buildings is discussed in SSAR Section 11.5.

SSAR Revision: NONE


Question 410.101

For Q410.95-Q410.104, demonstrate how the AP600 design meets applicable GDCs by providing failure modes and effects analyses and other requested details, as identified in applicable SRP section(s) review methodology.

Section 9.4.8 of the SSAR, "Radwaste Building HVAC System (VRS)," falls under the review guidelines of Section 9.4.3 of the SRP. WCAP-13053 indicates that the auxiliary and radwaste area ventilation system conforms to Position C.2 of R.G. 1.29 and Positions C.1 and C.2 of R.G. 1.140.

Demonstrate that this system conforms with the guidelines of (1) Position C.2 of R.G. 1.29 for the nonsafety-related portions of the system (to show that they meet GDC 2) and (2) Positions C.1 and C.2 of R.G. 1.140 (to show that it meets GDC 60). Also, provide justification for taking an exception to Position C.1 of R.G. 1.29 for the VRS since it collects the vented discharges from potentially contaminated equipment and tanks, including the waste container processing chamber, compactor, glove boxes, dryers, and hoods, and since it provides for radioactive particulate removal and radiation monitoring of exhaust air prior to release to the environment.

Identify what negative pressurization level is maintained in the radwaste building with respect to adjacent areas, and provide corresponding flow rates of fresh air make-up and exhaust to provide the above pressurization level.

Provide an equipment operability evaluation for those radwaste areas to demonstrate the system can withstand 104°F and 130°F temperature environments. Address the habitability concerns inside these areas for the elevated temperatures.

Provide justification for the provisions in the VRS design of only two 50-percent-capacity air handling units for the supply air subsystem and two 50-percent-capacity exhaust filtration units for the exhaust subsystem versus redundant capacity units to satisfy the single failure criteria.

Response

The radwaste building ventilation system and the equipment contained in the radwaste building are non-safety related. SRP Section 9.4.3, Paragraph II.1 states that acceptance to GDC 2 is based on meeting the guidance of Regulatory Guide 1.29, Position C.2 for non-safety-related systems. Compliance to Regulatory Guide 1.29 Position C.1 is not required since the VRS is non-safety related. Regulatory Guide 1.140 Position C.2 states that the system need not be redundant or designed to seismic Category I classification. Since the system is not seismic Category I, it is not required to be functional after an SSE. Compliance to Position C.2 of Regulatory Guide 1.29 is achieved since the ventilation system is not required to remain functional and its failure by an SSE will not reduce the functioning of any plant feature included in items 1.a through 1.q of Regulatory Guide 1.129 Position C.1 to an unacceptable safety level.

The VRS conforms to the guidelines of Regulatory Guide 1.140 Positions C.1 and C.2 as follows:


1. The system design is based on the anticipated range of operating parameters of temperature, pressure, relative humidity, and radiation levels.

2. Shielding of components and personnel will be provided commensurate with radiation sources located in the vicinity of the VRS equipment.

3. There are no engineered safety feature (ESF) systems in the radwaste building, and no ESF systems interface with the VRS. Therefore VRS does not have the potential to degrade an ESF system.

4. Dust, chemicals, or other particulate matter has been considered in VRS system design. Local filtration for specific sources of dust and particulate matter is provided to capture that matter close to the source and address the specific filtration requirements of the contaminants. This local filtration will maintain lower contamination levels in exhaust ductwork and improves system operation.

5. The VRS exhaust system is designed to remove only particulate matter and consists of prefilters and HEPA filters, fans, ductwork, dampers, and instrumentation in accordance with the requirements of Position C.2.

6. The total VRS system flow is 36,000 cfm, consisting of two 18,000-cfm trains to allow reliable in-place testing.

7. Instrumentation is provided to monitor and alarm pressure drops across the system filters and system supply and exhaust flow rates in accordance with the recommendations of Section 5.6 of ERDA 76-21.

8. The system is designed to control leakage and facilitate maintenance for ALARA.

9. Intake louvers are provided at the mechanical equipment room intake plenum to minimize the effects of high winds, rain, snow, ice, trash, and other contaminants. Filters are provided in the supply air handling units.

10. Exhaust system air handling unit housings and ductwork conform to the design and test requirements of ASME Codes N509-1989 and N510-1989.

The design criteria utilized for the VRS are to maintain a slight negative pressure inside the radwaste building relative to the outdoors. The supply air system is automatically controlled to maintain this slight negative pressure by means of a differential pressure controller. The exhaust system is controlled to maintain a constant exhaust air flow rate. The negative building pressure is maintained by an air flow rate differential (supply less than exhaust) of up to 3000 cfm. This flow differential occurs when building doors are opened. When doors are closed, the flow differential is anticipated to be on the order of 1000 cfm. Building negative pressure is controlled to maintain a setpoint of approximately 0.1" WG.

A design temperature of 130°F is utilized for tank enclosures. These enclosures are not normally accessible. Each enclosure contains only tanks and associated piping, which are the only significant heat sources in the enclosures. The 130°F design temperature occurs only when the tanks and/or piping exceeds that temperature.

Areas designed for 104°F (maximum) are not normally occupied and contain equipment designed for that ambient temperature. These areas are limited to the casking area, truck bay, storage rooms, and mechanical equipment rooms. This design temperature is consistent with normal design practice for areas with frequent inspection/maintenance where there is no sensitive electronic equipment.

Regulatory Guide 1.140 Position C.2.a states that system redundancy is not required. The use of two 50 percent capacity air handling units for the supply air subsystem and two 50 percent capacity exhaust filtration units provides adequate redundancy. One supply AHU and one exhaust filtration unit are capable of maintaining the following minimum system requirements:

  • Area temperatures are maintained at levels that support personnel access and required equipment operation.
  • The building is maintained at a slight negative pressure.
  • System air flow maintains the direction of air flow from areas of low potential radioactivity to areas of higher potential radioactivity.

SSAR Revision: NONE

Question 410.104

For Q410.95-Q410.104, demonstrate how the AP600 design meets applicable GDCs by providing failure modes and effects analyses and other requested details, as identified in applicable SRP section(s) review methodology.

Section 9.4.11 of the SSAR, "Health Physics and Hot Machine Shop HVAC System (VHS)," falls under the review guidelines of Section 9.4.3 of the SRP. WCAP-13053 identifies that the auxiliary and radwaste area ventilation system conforms to Position C.2 of R.G. 1.29 and Positions C.1 and C.2 of R.G. 1.140.

Section 9.4.11 of the SSAR states that the VHS collects the vented discharge from potentially contaminated sumps and equipment in the area, maintains the control access area and hot machine shops at a negative pressure with respect to the adjacent Annex I building clean areas to prevent the unmonitored release of radioactive contaminants to the environment, and provides for radioactive particulate removal and radiation monitoring of exhaust air prior to release to the environment. Demonstrate that this system conforms with the guidelines of (1) Position C.2 of R.G. 1.29 for nonsafety-related portions of the system (to show it meets GDC 2) and (2) Positions C.1 and C.2 of R.G. 1.140 (to show it meets GDC 60).

Identify what negative pressurization level is maintained in the control access area and hot machine shops with respect to adjacent clean areas of Annex I building. Provide corresponding flows of fresh-air make-up and exhaust to provide this pressurization level.

Provide justification for the provisions in the VHS design of only two 50-percent-capacity air handling units for the supply air subsystem and two 50-percent-capacity exhaust filtration units for the exhaust air subsystem versus redundant capacity units to satisfy the single failure criteria.

Response

The health physics and hot machine shop HVAC system is non-safety related. Regulatory Guide 1.140 Position C.2 states that the system need not be redundant or designed to seismic Category I classification. Since the system is not seismic Category I, it is not required to function after an SSE. Compliance to Position C.2 is achieved since the ventilation system is not required to remain functional, and its failure by an SSE will not reduce the functioning of any plant feature included in Regulatory Guide 1.29 Positions 1.a through 1.q to an unacceptable safety level.

The VHS conforms to the guidelines of Regulatory Guide 1.140 Positions C.1 and C.2 as follows:

1. The system design is based on the anticipated range of operating parameters of temperature, pressure, relative humidity, and radiation levels.
2. The VHS supply AHUs are located in the annex I building mechanical equipment room, which has no sources of radiation during normal plant operation. The exhaust filter units are in a mezzanine in the hot machine shop, which is not a high radiation area during normal plant operation. Shielding of components and personnel is commensurate with radiation sources in the vicinity of the VHS equipment.


3. There are no engineered safety feature systems in the areas covered by the VHS and no ESF systems interface with the VHS. Therefore, the VHS does not have the potential to degrade an ESF system.
4. Dust, chemicals, or other particulate matter has been considered in the VHS system design. Local filtration for specific sources of dust and particulate matter is provided to capture that matter close to the source and to address the specific filtration requirements of the contaminants. This local filtration maintains lower contamination levels in exhaust ductwork and improves the system operation.
5. The VHS exhaust system is designed to remove only particulate matter and consists of prefilters and HEPA filters, fans, ductwork, dampers, and instrumentation in accordance with the requirements of Position C.2.
6. The total VHS exhaust system flow is 12,000 cfm, consisting of two 6,000-cfm trains to allow reliable in-place testing.
7. Instrumentation is provided to monitor and alarm pressure drops across system filters and system supply and exhaust flow rates in accordance with the recommendations of Section 5.6 of ERDA 76-21.
8. The system has been designed to control leakage and facilitate maintenance for ALARA.
9. Intake louvers are provided at the mechanical equipment room intake plenum to minimize the effects of high winds, rain, snow, ice, trash, and other contaminants. Filters are provided in the supply air handling units.
10. Exhaust system air handling unit housings and ductwork conform to the design and test requirements of ASME Codes N509-1989 and N510-1989.

The VHS maintains a slight negative pressure inside the health physics area and the hot machine shop by means of exhausting more air from these areas than is supplied. The air flow through the exhaust filtration units remains constant. The supply air flows to the health physics areas and hot machine shop are controlled to be 1000 cfm and 500 cfm, respectively, less than the area exhaust air flow. Since the system operates on an air flow control basis, no specific negative pressure setpoint is maintained, but it is anticipated that a negative pressure on the order of 0.1" WG will be maintained.

Regulatory Guide 1.140 Position C.2 states that system redundancy is not required. The use of two 50 percent capacity air handling units for the supply air subsystem and two 50% capacity exhaust filtration units provides adequate redundancy for normal system operation. Hot machine shop activities can be stopped as required to support equipment maintenance or repair. One supply AHU and one exhaust filtration unit are capable of maintaining the following minimum system requirements:

  • Area temperatures are maintained at levels that will support personnel access and required equipment operation.
  • The hot machine shop and health physics areas are maintained at a slight negative pressure.
  • System air flow maintains the direction of air flow from areas of low potential radioactivity to areas of higher potential radioactivity.

SSAR Revision: NONE

Question 420.2

Section 7.2.2.1 of the SSAR states that the probabilistic risk assessment, in lieu of a failure modes and effects analysis, provides a quantification in terms of system unavailability for the failure of the protection systems.

R.G. 1.70, "Standard Format and Content of Safety Analysis Report for Nuclear Power Plants," states that the applicant should submit a failure mode and effects analysis (FMEA) for the protection systems and components.

General principles of reliability analysis of nuclear power generating station protection systems (IEEE STD 352) emphasize that the FMEA is a qualitative analysis. The probabilistic risk assessment does not provide the same level of detailed information as provided by the FMEA. Provide the FMEA for the protection systems and components of the AP600 I&C systems.

Response (Revision 1):

In accordance with Regulatory Guide 1.70 and IEEE Standard 352, an FMEA for the AP600 protection system will be provided. The analysis was completed in April 1993. The FMEA will be submitted as WCAP-13594 (proprietary) and WCAP-13662 (non-proprietary), "Advanced Passive Plant Protection System FMEA."

SSAR Subsections 7.2.2.1 and 7.3.2.1 will be revised, and a reference to WCAP-13594 will be added as follows:

SSAR Revision:

7.2.2.1 Failure Modes and Effects Analysis (FMEA)

[Text illegible in the source scan]

A failure modes and effects analysis is performed on the protection system. Through the process of examining feasible failure modes, it is concluded that the AP600 protection system maintains safety functions during single failures. The failure modes and effects analysis is documented in Reference 1 of Subsection 7.2.3.

7.2.3 References

1. WCAP-13594 (P) and WCAP-13662 (NP), "Advanced Passive Plant Protection System FMEA."

7.3.2.1 Failure Modes and Effects Analyses

The failure modes and effects analysis (Reference 1 of Subsection 7.2.3) provides an analysis of failures of the protection system, [remainder illegible in the source scan]

Question 420.11

Using a block diagram similar to Figure 7.1-13 of the SSAR, describe the operation of the protection and safety monitoring system for a loss of feedwater event. The description should trace the transmission of the initiating signals from the sensors through the integrated protection cabinets, the engineered safety features actuation cabinets, and the monitoring and controls at the control room workstation to the actuated devices. The diagram should include all major components such as the sensors, the signal conditioners, the isolation devices, the multiplexers, the data buses, the indicators, the protection cabinets, through to the final passive residual heat removal system valves. The diagram should show all channels and components, and interfaces. (Section 7.1.1)

Response

The initial response to a loss of feedwater event takes place in non-safety-related, defense-in-depth systems, such as the startup feedwater system and the chemical and volume control system. The actuated devices in these systems are controlled by the plant control system and use signals originating in the protection and safety monitoring system (such as steam generator level) that are transmitted from the integrated protection cabinets to the signal selector subsystems in the plant control system by dedicated data links.

If the defense-in-depth systems fail to mitigate the event, analyzed in SSAR Subsection 15.2.7, the protection and safety monitoring system will respond as described in Table 7.2-6 of the SSAR, and shown by Figures 420.11-1 and 420.11-2, which are attached. Figure 420.11-1, separately transmitted by letter number ET-NRC-93-3878, dated 5/5/93, shows the channels, components, and interfaces for one division within the protection and safety monitoring system. Figure 420.11-2 shows the interrelationships between the four divisions in the protection and safety monitoring system for ESF actuations. The protection and safety monitoring system will respond in the following manner (see Table 7.2-6):

  • Passive residual heat exchanger (PRHR HX) actuation is initiated by low narrow range steam generator level coincident with low startup feedwater flow (primary) or low wide range steam generator level (backup). Wide range steam generator level is located in the ESF1 subsystem in the integrated protection cabinets. Narrow range steam generator level and startup feedwater flow are located in the ESF2 subsystem in the integrated protection cabinets.
  • Core makeup tank (CMT) actuation is initiated by low cold leg temperature via the safeguards signal (primary) or low wide range steam generator level coincident with high hot leg temperature (backup). Wide range steam generator level and hot leg temperature are located in the ESF1 subsystem in the integrated protection cabinets. Cold leg temperature for generating the safeguards signal is located in the ESF2 subsystem in the integrated protection cabinets.

The sensors for each subsystem that monitor these plant parameters transmit signals to independent signal conditioning and data acquisition equipment in the integrated protection cabinets. The required signal processing is performed in the ESF1 and ESF2 subsystems in the integrated protection cabinets. The output of the ESF1 and ESF2 subsystems is partial actuation signals or bypass signals that are transmitted to the engineered safety features

ESF subsystems in the integrated protection n ypass signals from each cabinets of the eight are transm

2. The response to Q420.27 further discusses the communication paths b tour ESFACs as e ween the four divisions.

integrated protection cabinets. The ESFAC actuationEach ESFAC con a s rom all eight ESF subsystems in the integrated logic cabinet by one of the ransmitted redundant h lactuations. The output to two logic processors in the device. Inside the logic cabinet, thea four logic ons for each processors connected actuated are co provide command to the 2/3 voted power interface cards. n o three internal I/O buses, which in turn device actuation and contact inputs for device The feedback power interface cards provide contact outputs for satisfied, the output to the actuated device changes state.. When the 2/3 voted logic in the power interfa In the unlikely event that the automatic function of the protection and a safeguards signal. The operator also has ve RHR heat theandcapability exchanger to initiate of manua dedicated controls and indicators or soft control stations either in the y operating individual devic workstation. The signals from these operator interfaces are sent main control roomt or at the remote shutdown signals on the logie bus. The response to Q420.14 funher discusses th d dio the logic ca system-level and individual component manual actuations e e cated and soft controls available for In addition to the safety-related protection and safety monitoring system h provides diverse automatic and diverse manual means ofinitiating passive RilR h, t e non eat exchanger and CMT operation.

SSAR Revision: NONE

Question 420.14

Clarify the statement in Section 7.1.1 of the SSAR that "the control room is implemented as a set of compact operator consoles featuring color graphic displays and soft control input device." Figure 7.1-1 of the SSAR does not show the control switches. Describe the manual control signal transmission paths from the main control room to the redundant engineered-safety-feature-actuated devices. Use block diagram-type information to illustrate the signal paths from redundant workstations through the engineered safety features actuation subsystem, the communication subsystem, and the multiplexer/de-multiplexer devices. The staff is interested in the interface arrangement between two workstations, and the signal from the integrated protection system to redundant ESF divisions (see also Q420.11). List all hard-wired control circuits available in the AP600 design.

Response:

The location and functional design of the control switches in the instrumentation and control architecture are discussed within SSAR Section 18.9, "Design Results for the Main Control Area," and the control devices are shown in Figures 18.1-1, 18.9.7-1, 18.9.7-2, and 18.9.7-3 (Proprietary). The final number and arrangement of the controls in the main control room and remote shutdown area will be determined by the man-machine interface design process described in Chapter 18 of the SSAR.

Figure 420.14-1 shows how the control devices are integrated into the protection and safety monitoring system to manually control engineered safety features-actuated devices. First, dedicated system-level controls are provided that interact directly with the engineered safety features actuation cabinets (ESFACs). The manual safeguards actuation controls also directly trip the reactor trip breakers. Dedicated and soft controls for individual actuated devices communicate with the logic cabinets that actuate these devices through the multiplexers and logic bus shown in Figure 420.14-1. The architecture of the logic bus is shown in SSAR Figure 7.1-13 (see the response to Q420.34) and discussed in Section 4.6 of WCAP-13391(NP), "AP600 Instrumentation and Control Hardware Description," Rev. 0, May 15, 1992 (Reference 3 of SSAR Subsection 7.1.6). Multiplexer design is discussed in Section 4.4 of WCAP-13391. Redundant soft control stations are provided in the main control room and remote shutdown area. Each soft control station communicates to the four divisions through an isolation device. Each command issued by a soft control station requires a confirmatory action by the operator.

The following permissives and system-level actuations, identified in SSAR Figure 7.2-1, are implemented using dedicated switches hardwired to the integrated protection cabinets, the ESFACs, and the reactor trip switchgear:

  • Manual PRHR actuation
  • Manual steamline isolation
  • Manual safeguards actuation
  • Containment cooling actuation
  • Containment isolation actuation
  • ADS actuation

Other dedicated switches may be identified by the man-machine design process described in Chapter 18 of the SSAR.

SSAR Revision: NONE

Figure 420.14-1 Protection and Safety Monitoring System Interactions and Separation

Question 420.26

Describe the reactor coolant pump speed monitoring arrangement. Since there is only one speed sensor on each reactor coolant pump, describe the failure mode of the speed sensor and its effect on the required pump trip protective function. (Section 7.1.2.8.3)

Response:

The low reactor coolant pump (RCP) speed reactor trip and the low reactor coolant flow in a single cold leg reactor trip are used to mitigate postulated loss of forced reactor coolant flow transients. The type of loss of forced reactor coolant flow transient determines which of the two trip functions is used. The low RCP speed trip is the primary trip only for complete loss of forced reactor coolant flow events. The low RCP speed trip uses only one speed sensor per RCP, and a reactor trip signal is generated if two out of four speed sensors exceed a low speed setpoint. Partial loss of flow events use the low reactor coolant flow in a single cold leg reactor trip. The low reactor coolant flow trip uses four flow sensors in each of the four reactor coolant cold legs. A low reactor coolant flow trip signal is generated if two out of four flow measurements in a single cold leg exceed the low flow setpoint.

One of the reasons that the low RCP speed trip is not used for partial loss of flow transients is because RCP speed cannot be used to detect a broken RCP shaft. If an RCP shaft breaks, the RCP motor could be postulated to continue operating. In this scenario a speed measurement would not detect the event. Low flow in the cold leg with the faulted RCP would be detected. Therefore partial loss of flow events are mitigated by the low reactor coolant flow reactor trip.

The low RCP speed trip is used only for complete loss of flow transients. With a single speed sensor per RCP, if a fault affects all four RCPs and a single failure of one of the RCP speed channels occurs, the remaining three RCP speed channels are sufficient to satisfy the two out of four channel trip logic.

SSAR Revision: NONE
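The trip assignments described in this response, modelled as an added example (not Westinghouse code and not part of the original submittal): it shows the two-out-of-four low RCP speed trip tolerating one failed speed channel during a complete loss of flow, and a broken shaft being caught only by the low cold-leg flow trip. The setpoints, signal values, failure modes and all names are assumptions chosen for illustration, and "exceeding" a low setpoint is taken to mean a reading below it.

```python
"""Constructed model of the two loss-of-flow reactor trips in the Q420.26 response.

All numbers and names are illustrative assumptions, not AP600 design values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOW_SPEED_SETPOINT = 90.0   # % of rated RCP speed (assumed)
LOW_FLOW_SETPOINT = 90.0    # % of rated cold-leg flow (assumed)
PUMPS = ("RCP-1", "RCP-2", "RCP-3", "RCP-4")   # one cold leg per pump
FLOW_SENSORS_PER_LEG = 4


@dataclass
class PumpState:
    motor_speed: float          # % rated; the only thing a speed sensor can see
    shaft_intact: bool = True

    @property
    def cold_leg_flow(self) -> float:
        # Assumption: flow tracks speed while the shaft is intact and collapses
        # when the shaft breaks, even though the motor keeps turning.
        return self.motor_speed if self.shaft_intact else 0.0


Plant = Dict[str, PumpState]


def two_out_of_four(partial_trips: List[bool]) -> bool:
    """Coincidence logic: trip when at least two of four channels demand it."""
    if len(partial_trips) != 4:
        raise ValueError("2-out-of-4 logic needs exactly four inputs")
    return sum(partial_trips) >= 2


def low_speed_trip(plant: Plant,
                   stuck_speed: Optional[Dict[str, float]] = None) -> bool:
    """One speed sensor per RCP; a failed channel reports a frozen reading."""
    stuck_speed = stuck_speed or {}
    readings = [stuck_speed.get(p, plant[p].motor_speed) for p in PUMPS]
    return two_out_of_four([r < LOW_SPEED_SETPOINT for r in readings])


def low_flow_trip(plant: Plant,
                  stuck_flow: Optional[Dict[Tuple[str, int], float]] = None) -> bool:
    """Four flow sensors per cold leg; 2-out-of-4 within any single leg trips."""
    stuck_flow = stuck_flow or {}
    for p in PUMPS:
        readings = [stuck_flow.get((p, i), plant[p].cold_leg_flow)
                    for i in range(FLOW_SENSORS_PER_LEG)]
        if two_out_of_four([r < LOW_FLOW_SETPOINT for r in readings]):
            return True
    return False


def evaluate(plant: Plant, stuck_speed=None, stuck_flow=None) -> Dict[str, bool]:
    speed = low_speed_trip(plant, stuck_speed)
    flow = low_flow_trip(plant, stuck_flow)
    return {"low_rcp_speed": speed, "low_cold_leg_flow": flow,
            "reactor_trip": speed or flow}


def plant_at(speed: float) -> Plant:
    return {p: PumpState(motor_speed=speed) for p in PUMPS}


def scenarios() -> Dict[str, Dict[str, bool]]:
    broken = plant_at(100.0)
    broken["RCP-3"].shaft_intact = False     # motor still at rated speed
    return {
        "normal operation": evaluate(plant_at(100.0)),
        # All four pumps coast down; one speed channel frozen at its old value.
        "complete loss, one speed channel stuck high":
            evaluate(plant_at(60.0), stuck_speed={"RCP-2": 100.0}),
        # Speed channels all read normal, so only the flow trip can respond.
        "broken shaft on RCP-3": evaluate(broken),
        "broken shaft, one flow sensor stuck high":
            evaluate(broken, stuck_flow={("RCP-3", 0): 100.0}),
        # A channel failing low gives one partial trip, not a reactor trip.
        "normal operation, one speed channel failed low":
            evaluate(plant_at(100.0), stuck_speed={"RCP-1": 0.0}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:48s} {result}")
```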


Question 420.27

Describe the arrangement of the fiber-optic data links for inter-cabinet communications. Identify all the components (including power supply arrangements) to be used for inter-cabinet communications. List all the data links between the integrated protection cabinets. (Section 7.1.2.9)

Response:

Figure 420.27-1 shows the interactions and separation between the four divisions in the protection and safety monitoring system.

Figure 420.27-2 shows the twelve data links between the integrated protection cabinets. Each of the four cabinets has transmit data links to the other three integrated protection cabinets and receives data links from the other three integrated protection cabinets.

Figure 420.27-3 shows the data links from the integrated protection cabinets to the engineered safety features actuation cabinets (ESFAC). Each of the sixteen lines represents four individual data links, two from the ESF1 subsystem in the integrated protection cabinet to each actuation subsystem in the ESFAC, and two from the ESF2 subsystem in the integrated protection cabinet to each actuation subsystem in the ESFAC.

Figure 7.1-13 shows the architecture of the logic bus in the protection and safety monitoring system.

Figure 420.27-4 shows the details of a typical inter-cabinet data link. In this figure, either one or both of the data links may be used, depending on the data communication requirements. This figure also shows the redundant dc power supplies in the cabinets provided for microprocessor subsystems and I/O termination frames.

Figure 420.27-5 shows the details of a typical data highway connection. In this figure, multiple cabinets communicate through the data highway nodes, depending on the data communication requirements. This figure also shows the redundant dc power supplies in the cabinets provided for microprocessor subsystems and I/O termination frames.

The data links between the integrated protection cabinets are shown in Figure 420.27-2.

SSAR Revision: NONE

I r

420.27-1 1

l l

l

g pm mm >02H"O2 "

= 9OmE>dO

=

i: .

y:t t

h i i

4 g

i n

r

t o n ini ot o

a Marp

- C ,, v c

yS e _

,i t fed

,' , i o 0

n Sa a D' ,

A vA _

gi:

C i - , s

.iI

Y D , n _

C f

di o O , - .

M nt c .

fy _ $ a a r h.9D t

e .

,, , . nn .

7- ioI _

[6-d t c m _

e e _

t u , t os t

m ,_ ' s r y r

N o

c ,A C m, ,

r a

w PS r

, L t 1 N,,"

7 l ,

2 .

0 i )

2 _

4 9 .

7 f

e r

u _

l }

] ig O ,I a fl? }!

A c F O X s u X S N U a U N n N O

N O Mg I c* M O

I T

O ' A io S _

I t

5 A m A G I S s I

W S t

, , ' C t S 6f) TW t D

I

. _. v A A5 I i

_ V V t

l {

l

. V I

v i

t t

I D O . D aS R { 7 D o A C

EsO T tT T

}

. AaA CnC 4

D' rt M*

N) 's S

o aS s EuM D N D._ DcI .

Es, T EsO T tT A

C DN i0 '

C O S A

t A 1

" 5 I

AaA AoA e t N Ca I

cnc i ii F LwTA A

UrU O T C

N I

n EmD net l

E L Dm_

E S f DxN A AC A N A t ,

c I E MsA T S N T S _

j/ " t O

C A Y D A c

I e u D .

x p

- l' p, .I -

  • f*if .l .f!  !

e  ? D D W .

- ii!:  !

s N E E G O A T I C I A H

c. .'

c a T W C

- t h r

  • O I A _

s - -

s c t R D T S

- ()?iii' a ~ E A A E A li c T M D D _

s

_ c p

,i i ;lij,[- E N

A D -

, N V

r !i

}! e D -

D aS O C E P gi ' ,i' A

_ p m .

_ tsC r  :

tT 1

_ AaA I r

c tac E 4

_ i t I i' h i T

a mD O tron N

. ct

'= , =

@ @ 8 o

bPOYNtJ P l

gI% I g _

,i 4 . a:y' I 1i4 id i; !4i i

I I

NRC REQUEST FOR ADDITIONALINFORMATION

iiE -._-

H. :1::

e M

C

'C e

v r

o

=

o

=

e c

.~

49  ?'^W r-t %---4% h wF

- 2 ac Ike

>*, x.I

,. .. ~g l "a[ _ _ g 2 l E g k' I

gl' 9 R Q e . ~ p mg

(",

e e v e gA~

--* %--4 %--- --+ %--4# W  %

U 1

t cc 0-

=g

$3 a yn -a g; ea ww 1 v. a ,

f i 4 5 O

N U < v

, o z a z , E WD r W O H 9 O

D O .... . _ . . . . , - _ . . _ . . . . . . . . .

& - W W ~ W  %

a

< n Z E O -

< n z U U -

LO i

O W c . . . _ . . _ . . . . . _ . . _ . . . . . . . . . . _

OWm _

y WH <

U WH V O O "v a O 2 Q ' ,e _ a O

(~  : y '

.' *s e i

s < i t

s , i i i i s / _/ i i I 1 \ /' / I i'

< j , E i - .- i , i l '

y

, , - - s . . -

I I N i 8

. . , s ,

t / # -

g 5 s , i 6

, . - i  ! a

  • I s__ _s '

t

}

w Q tn m O Z O Z _, E W D F . _ _ . . _ . - -

  • W O- F 4 a O w
  1. - < H Z < F Z - U C C U _ E O - IP' 0 W C OWm a W rD u< _... . _ . _ . .. . . . _ . . _ . . _ .

W - < s

- & H D u -

_a y Z c Z a

_ - a - a 0 1, O -

l w t_ '

3 b h S a W e aa ,

o W-Westinghouse

__ _ ._ . -. . .. ...m _ _ _ _ . _. _ .-_ ... . . . _ _ _ - . _ __

.-._._....m =_m_ - - _ . _ _ . . _ _ _ _ . . _ . . _ . _ _ _ _-

4 i

i C

T 7

N ax N C M

oivisiON B . . . . . - . OIVISION C

._. ........ .s

- , s ENGlNEERED ENGINEERED

, INTEGAATED INTEGRATED I SAFETY SAFETY PROTECTION PROTECT 10N

--. FEATURES FEATUAES . . _ .

j CABINET CABINET ACTUATION ACTUATION CABINET CA9INET i s- , e i t 's /

l

. ....f , ,. . . . . .

l.

.. ._ }l ... .. .. . . _.

,..4.........-.........._.i y- ,, -------------3, i i w v

..) ,/N, /\s, 7. ..

_.]

,. j ,

.. - ; . .-j ". /

{

. ..: _..._.}_.......-__, g t

i f

s i j o ENGlNEEAED ENGlNEERED

INTEGRATED INTEGAATED SAFETY SAFETY h PAOTECT10N PROTECTlON FEATUAES FEATURES - - - -
CABINET CABINET

} ACTUATION ACTUATION 3

n CABINET CABINET p i V ..

' / 0 1 \ ......_........h..__.... ... ._ s / U DIVI 5lON D  % .- . - . . - ~ . ~ . . . ./ D1 VISION A g

o

!. z 1

0 >

r-

  • EACH LINE AEPAE5ENTS #-OUR DATALINKS g i

O

4. z h

j' Figure 420.27-3 Protection and Safety Monitoring  ::f System IPC/ESFAC Data Links @-


Question 420.29

Describe the status indication criteria for the containment penetration isolation valves. Is the status of the containment isolation valves (open/closed) indicated in the main control room during normal operation, shutdown condition, and accident condition? (Section 7.3)

Response

As specified in SSAR Section 7.5, Table 7.5-1, containment isolation valve position indication is provided within the qualified display processing system (QDPS) located in the main control room. Guidance provided in NUREG-0800, Section 6.2.4, relative to position indication has been adopted in the specification of AP600 containment isolation valve position indication. Status indication is available during normal, shutdown, and accident modes of operation.

SSAR Revision: NONE

Question 420.38

Clarify whether the multiplexer configuration shown in Figure 7.1.20 of the SSAR applies to each workstation. How many control multiplexer cabinets will be used in the plant? (Section 7.1.3.2)

Response

Two safety-related multiplexer cabinets as shown in Figure 7.1.20 of the SSAR will be provided for each of the four divisions in the AP600 instrumentation and control architecture, for a total of eight safety-related multiplexer cabinets. One of the two multiplexer cabinets in each division will handle the soft control station signals and dedicated control signals from and to the three workstations in the main control room for the related ESF actuation cabinet and logic cabinets in the same division as the multiplexer. The other multiplexer cabinet in each division will handle the soft control station signals and dedicated control signals from and to the remote shutdown workstation for the related ESF actuation cabinet and logic cabinets in the same division as the multiplexer.

The current estimate is that three non-safety-related control multiplexer cabinets will be needed to support plant control system requirements.

Each multiplexer cabinet contains two redundant microprocessor subsystems. Section 4.3 of WCAP-13391(NP), "AP600 Instrumentation and Control Hardware Description," Rev. 0, May 15, 1992 (Reference 3 of SSAR Subsection 7.1.6) describes the multiplexer cabinets.

Figures attached to the responses to Q420.11 and Q420.27 show the multiplexer cabinet interconnections for a division in the protection and safety monitoring system.

SSAR Revision: NONE

Question 420.45

Describe how the timing between four redundant divisions is synchronized, and how the noise spikes are reset without causing inadvertent trips. The description should trace the transmission of the initiating signals from the sensors through the signal conditioning units, A/D converter, reactor trip group 1 (or 2) subsystem, trip logic subsystems, dynamic trip bus, to the reactor trip switchgear (or other actuated devices). (Section 7.2.1)

Response

The four redundant divisions of the protection and safety monitoring system are not synchronized; all data links operate in the asynchronous mode.

The design of the instrumentation and control systems is protected against the effects of noise spikes by the EMI/RFI design features discussed in the responses to Q420.1 and Q420.20. Input filtering provides protection against process noise spikes. With the exception of the positive flux rate reactor trip, the partial reactor trips and partial ESF actuations are self-resetting. Because of the physical and electrical separation, a single noise spike will affect only one of the four redundant divisions. If a noise spike creates an intermittent partial trip or ESF actuation in a single division, the 2/4 bypass logic provides protection against inadvertent plant trips and ESF actuations.

SSAR Revision: NONE

Question 420.46

Sheet 4 of Figure 7.2-1 of the SSAR indicates a permissive interlock P-18. However, Table 7.3-2 of the SSAR, "Reactor Trip Permissive and Interlock," does not list P-18. Describe the function of P-18 and correct the discrepancy between Table 7.2-3 and Sheet 4 of Figure 7.2-1.

Response

If a dropped rod occurs such that P-18 is exceeded, an automatic rod withdrawal block is initiated to prevent the withdrawal of other rods which could reduce DNBR margin.

SSAR Subsection 7.2.1.1.10 and Table 7.2-3 will be revised as follows:

SSAR Revision:

7.2.1.1.10 Reactor Trip System Interlocks

Automatic Rod Withdrawal Blocks

Automatic rod withdrawal blocks occur on a power range negative flux rate below the P-17 setpoint (to block the remaining rods that are not inserted by the rapid power reduction system) and on detection of a dropped rod (P-18) to prevent departure from nucleate boiling in other core areas. Figure 7.2-1 Sheet 4 shows these block functions.

Table 7.2-3 (Sheet 2 of 2)
Reactor Trip Permissives and Interlocks

Designation   Derivation                                               Function
P-17          Power range nuclear power negative rate below setpoint   Blocks automatic rod withdrawal
P-17          Power range nuclear power negative rate above setpoint   Permits automatic rod withdrawal
P-18          Detection of dropped rod                                 Blocks automatic rod withdrawal
P-18          No dropped rods                                          Permits automatic rod withdrawal

Question 420.48

Sheets 4, 5, 16, 21, 22, 23, 25, and 27 of Figure 7.2-1 of the SSAR show many time constants (Tau 1 through Tau 55). Where in the SSAR are these time constants defined? Are they addressable constants? What assures that correct values were entered into the protection and control systems?

Response

The time constants are addressable constants in the integrated protection cabinets and the integrated control cabinets.

The time constants are changeable in the same manner as setpoints are in these cabinets.

The time constants for the protection system are defined in Table 3.3.1-1 of Chapter 16, Technical Specifications in the SSAR. Verification of the accuracy of the protection system time constants is assured by the surveillance requirements specified in the technical specifications.

The time constants for the control systems are developed as part of a control system setpoint study/operability analysis. Most of the time constants used in the control systems may be modified after initial installation based upon actual plant performance. The values are initially installed as defined by the results of the setpoint study. Startup tests then verify the proper operability of the various control systems. The type and degree of testing is described in Chapter 14 of the SSAR.

If the startup tests indicate adverse control system performance in comparison with expected results, the time constants are adjusted/modified to improve system performance. Likewise, if future plant operation indicates a controller problem due to a change in some aspect of the plant, the control system setpoints can be adjusted at the plant's discretion.

Validation and verification of the installed control system setpoints are handled by the plant procedures.

SSAR Revision: NONE

Question 420.49

Describe the "Reset Reactor Trip (not redundant)" function shown on the left side of Sheet 13 of Figure 7.2-1 of the SSAR. How does it work in each division? Does it reset the 2/4 logic or reset the reactor trip breakers?

Response

The "Reset Reactor Trip" function shown on Sheet 13 of Figure 7.2-1 is used to reset the reactor trip breakers. The function will only reset the breakers if the signals which initiated the reactor trip have disappeared or have been cleared.

SSAR Revision: NONE

Question 420.82

Section 18.9.1.1.4 of the SSAR states that the video display units will be seismically qualified and provide post-accident monitoring capabilities in accordance with Regulatory Guide 1.97. This section states that the hard-wired system level control switches are discussed in Subsection 18.9.7.3.3. However, there is no Subsection 18.9.7.3.3 in the SSAR. Should the reference be Section 18.9.7.3.2? The control functions described in Section 18.9.7.3.2 of the SSAR are to bring the plant to safe shutdown. Are the variables on the video display units categorized as "Safety Panel" displays which provide guidance to the operators to use the dedicated controls?

Response

The subsection that should have been referred to in Subsection 18.9.1.1.4 is SSAR Subsection 18.9.7.4, as the attached revision to Chapter 18 shows.

The controls described in Subsection 18.9.7.4 are the hard-wired, system-level control switches and those required to obtain and maintain a safe shutdown condition. The design of these controls will follow the design process outlined by Chapter 18.

The variables on the video display units are not categorized as "Type A," as there are no "Type A" variables for the AP600 as shown in SSAR Table 7.5-1.

The displays used for the QDPS are similar to those created by Westinghouse for its PAM systems in current operating plants. These displays will be developed consistent with the information display philosophy and techniques adopted for the AP600. The information needed to obtain and maintain safe shutdown (e.g., feedbacks necessary to ensure that proper plant response has been made to operator actuations) is an output of the function-based task analysis and the design process described in Chapter 18. This detailed design information on the safety panel displays that support the operators while using the dedicated controls is not part of design certification and will be completed in fulfilling the ITAAC commitment.

SSAR Subsection 18.9.7 section numbers have been revised as follows:

SSAR Revision:


18.9.7 The Design for Controls

This subsection describes the types of controls used in the AP600 main control area, as well as their uses and their design characteristics. It also describes the interface between the controls and the displays.

18.9.7.1 Controls Guidelines for Design Integration

This subsection describes the guidelines used to design the different types of controls, and to integrate those controls with the information system components including the wall panel information station, the workstation displays, the alarm system and the computerized procedures. The types of controls covered include both discrete control switches and soft control units. Subsection 18.8.2.1.3.3 discusses a guidelines document that provides direction to the M-MIS designers of the controls interface system functional design.

18.9.7.2 Controls Mission

The mission of the controls in the main control area is to allow the operator to operate the plant safely under normal conditions, and to maintain it in a safe condition under accident conditions.

18.9.7.3 Controls Design Basis

The I&C architecture uses both discrete control switches and soft control units. The discrete control switches are controls dedicated to a single function, with each switch having a single action. As shown in Figure 18.9.7-1, the soft control units are control devices whose resulting actions are selectable by the operator.

The soft control units are used to provide a compact alternative to the traditional control board switches by substituting virtual switches in the place of the discrete switches. The final configuration of these elements is dependent upon the results of the M-MIS design process. The operation of the soft control units is largely transparent to the operator. The operational differences between the dedicated control switches and the soft control units are the necessity to select the device to operate and the addition of a confirmation step to issue the command as opposed to moving the switch actuator. This confirming action helps prevent inadvertent operations.

18.9.7.4 Controls

[Westinghouse Proprietary]

[Provided under separate cover]

18.9.7.5 Display Access Mechanisms

To access displays efficiently on the operator workstations, control mechanisms are used to navigate in both the displays on the video display units (controlled by the data display processors) and the soft control displays.

An interface between the data display processors (part of the data display and processing system) and the soft control units (part of the plant control system or the protection and safety monitoring system) is provided. This interface allows the operator to call up a control on a soft control unit by selecting a component or function on the data display processors' video display units, shown in Figure 18.9.7-2 in the data display and processing system. The data display processors in the data display and monitoring system then issue a signal to the appropriate soft control unit and the soft control unit responds by displaying the requested control. Figure 18.9.7-2 illustrates the relationships between the various display processors and the soft control stations. The exact requirements for these navigating mechanisms are derived during the M-MIS design process.

18.9.7.5.1 Display Access Controls Performance Requirements

The display access controls performance requirements are derived from the M-MIS Design Process.

18.9.7.5.2 Display Access Controls Functional Requirements

The display access controls functional requirements are derived from the M-MIS Design Process.

18.9.7.5.3 Display Access Controls Interface Design Specification

The display access controls (both static and dynamic) interface design specification is written after the display access controls performance requirements and the display access controls functional requirements.

18.9.7.6 Soft Controls

18.9.7.6.1 Soft Controls Performance Requirements

The soft controls performance requirements are derived from the M-MIS design process.

18.9.7.6.2 Soft Controls Functional Requirements

The soft controls functional requirements are derived from the M-MIS design process.

18.9.7.6.3 Soft Controls Interface Design Specification

The soft controls (both static and dynamic) interface design specification is written after the soft controls performance requirements and the soft controls functional requirements are developed.

18.9.7.7 Dedicated Controls for Safe Shutdown

18.9.7.7.1 Dedicated Controls for Safe Shutdown Performance Requirements

The dedicated controls for safe shutdown performance requirements are defined in the M-MIS design process.

18.9.7.7.2 Dedicated Controls for Safe Shutdown Functional Requirements

The dedicated controls for safe shutdown functional requirements are defined in the M-MIS design process.

18.9.7.7.3 Dedicated Controls for Safe Shutdown Interface Design Specification

The dedicated controls for safe shutdown interface design specification is written after the functional requirements and performance requirements for these controls are written.

18.9.7.8 Controls Integration

The controls integration testing follows the verification and validation methods outlined in Section 18.8.

18.9.7.9 Controls Software Specification

The controls software specification is written after the controls software requirements are defined.

18.9.7.10 Controls Hardware Specification

The controls hardware specification is written after the controls functional requirements and performance requirements are defined.

18.9.7.11 Controls Verification

The controls verification process is performed during the M-MIS design process as described in Section 18.8.

Question 420.85

Nuisance alarms have been a common problem in existing plant alarm systems. Describe the features in the AP600 alarm system design to minimize the potential for nuisance alarms. The design should ensure that the specific method chosen for each alarm will not prevent occurrence of the alarm when it is actually needed.

Section 18.9.2.4.7 of the SSAR lists some conditions when the alarm system will not be available. Without the alarm system support panel displays, the control room operators do not have access to the queues of alarm messages. What is the alternate to support plant operation under these conditions?

Response

The AP600 alarm management system supports a performance requirement that states that the system supports a "dark board" philosophy (see SSAR Subsection 18.9.2.2.5). This means that when there are no abnormalities in the plant's processes, there are no alarm messages for the operator. This is achieved by two features of the AP600 alarm management system:

1. Those messages that have been traditionally displayed through the use of annunciator tiles, but which are not messages of abnormality but are rather messages about the change of status of equipment, are collected and presented in a separate area. These status messages are not displayed in the same location as the abnormality or true alarm messages. Messages about equipment status that may need to be displayed for significant periods of time are treated separately and, therefore, are not nuisance alarms.
2. Because the logic processing in the AP600 alarm management system is done in software rather than in hardware, the message trigger logic can be significantly enhanced so that the actual region of process abnormality can be precisely defined in the logic. For example, hot leg temperature is measured with RTDs located in special flow mixing devices. Accurate temperature measurement depends upon forced flow for complete fluid mixing. Unless the RCPs are on, the temperature measurement from the RTD is not correct. Any alarm message that does not include the status of the RCPs may be a nuisance alarm or may not be displayed when the process is in an abnormal state.

In addition, the robustness of the AP600 alarm management system logic processor permits the message trigger logic to include many other functional operators than simply those of Boolean logic. Among these are time delays. The appropriate application of time delays permits the trigger logic to be written so that process oscillations that are the result of a normal plant transient can be permitted to dampen without causing an abnormality message to appear. When the transient is gone and a true abnormality exists, the logic is fully operational.

Each message is treated and analyzed separately with regard to defining the process region of applicability. Plant-wide states (plant mode) do not globally suppress alarms unless such logic is used in the automatic control system, as is the case, for example, with permissives.

The AP600 alarm management system does not suppress or eliminate any messages. It manages the display of all messages. This management includes choosing among several locations for the display of each message. This choice is among display devices and locations that have different relevant salience in the control room. True abnormality messages are displayed on devices and in locations that have the highest salience. Conversely, equipment status messages are displayed on devices and in locations that have lower salience.

The three bulleted items in SSAR Subsection 18.9.2.4.7 are functional requirements for the AP600 alarm management system. Their purpose is to guide the design so that the likelihood of these failure conditions is minimized.

The alarms appearing on the alarm overview display are those that are the highest priority. In the unlikely event that all support panel display devices in the control room are unavailable, the operator can see that the chronological listing of alarms is available from the available hardcopy list.

The allocation of the AP600 alarm management system functionality to the available hardware and the determination of what and how much hardware is necessary is being guided or bounded by the definition of system unavailability noted in the bulleted items in Subsection 18.9.2.4.7. The AP600 alarm management system is a fully redundant system. In the particular case of the support panel, there are several CRTs on the control desk, many of which are able to present the support panel displays. This redundancy is used to back up the failure of any one CRT on the desk. The CRTs are used to back up failures of the wall panel information system.

When there are no means to display the queues of alarm messages in the alarm support panel displays, the operator can use the information displays, where many of the alarm setpoints are displayed using the same logic that the alarm system uses. There are CRTs available to the operator at his workstation so that he can pull up a set of major plant displays and observe the condition of the process variables. If the information system on the CRTs is unavailable, then the operator is instructed to go to the center area where the QDPS is available. The critical safety function status trees are built into the QDPS information system. The operator can obtain information regarding high-level plant activities from them. Whatever the operator needs to achieve and maintain safe shutdown is available throughout the range of power operations in this center bridge area, regardless of the availability of the alarm system.

SSAR Revision: NONE
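The following is an added sketch, not Westinghouse's or the AP600's own logic, of the two software trigger features the response to Question 420.85 describes: a hot leg high-temperature alarm qualified by RCP status, and an on-delay timer that lets a damped transient pass without raising an abnormality message. The setpoint, delay, message texts, class and function names, and the sample trace are all constructed assumptions.

```python
"""Added illustration: software alarm-trigger logic with an RCP-status
qualifier and an on-delay timer. Setpoint, delay and trace are constructed."""
from dataclasses import dataclass
from typing import List, Optional

HIGH_TEMP_SETPOINT_F = 620.0  # constructed value, not an AP600 setpoint
ON_DELAY_S = 10.0             # constructed: exceedance must persist this long


@dataclass
class Sample:
    t: float               # seconds since start of trace
    hot_leg_temp_f: float  # RTD reading
    rcp_running: bool      # forced flow present, so the RTD reading is valid


@dataclass
class Message:
    t: float
    area: str  # "ALARM" = high-salience abnormality area, "STATUS" = status area
    text: str


def naive_alarm_times(trace: List[Sample]) -> List[float]:
    """Bare threshold comparison: one alarm per rising edge above the setpoint."""
    times, above = [], False
    for s in trace:
        now_above = s.hot_leg_temp_f > HIGH_TEMP_SETPOINT_F
        if now_above and not above:
            times.append(s.t)
        above = now_above
    return times


class QualifiedTrigger:
    """Threshold + RCP-status qualifier + on-delay. Every state change produces
    a message; only the display area differs (nothing is discarded)."""

    def __init__(self, setpoint: float = HIGH_TEMP_SETPOINT_F,
                 on_delay: float = ON_DELAY_S) -> None:
        self.setpoint = setpoint
        self.on_delay = on_delay
        self.exceed_since: Optional[float] = None
        self.alarm_active = False
        self.qualified = True

    def step(self, s: Sample) -> List[Message]:
        out: List[Message] = []
        if not s.rcp_running:
            # Without forced flow the RTD reading is not representative, so
            # the setpoint is not evaluated; report that once as a status.
            self.exceed_since = None
            self.alarm_active = False
            if self.qualified:
                self.qualified = False
                out.append(Message(s.t, "STATUS",
                                   "RCPs off: hot leg high-temp logic not evaluated"))
            return out
        if not self.qualified:
            self.qualified = True
            out.append(Message(s.t, "STATUS",
                               "RCPs running: hot leg high-temp logic restored"))
        if s.hot_leg_temp_f > self.setpoint:
            if self.exceed_since is None:
                self.exceed_since = s.t
            persisted = s.t - self.exceed_since >= self.on_delay
            if persisted and not self.alarm_active:
                self.alarm_active = True
                out.append(Message(s.t, "ALARM", "Hot leg temperature high"))
        else:
            self.exceed_since = None  # oscillation fell back below setpoint
            if self.alarm_active:
                self.alarm_active = False
                out.append(Message(s.t, "STATUS", "Hot leg temperature high cleared"))
        return out


def run(trace: List[Sample]) -> List[Message]:
    trigger = QualifiedTrigger()
    return [m for s in trace for m in trigger.step(s)]


# Constructed trace: damped oscillation, RCPs-off interval, then a real excursion.
TRACE = [
    Sample(0.0, 600.0, True),
    Sample(5.0, 622.0, True), Sample(10.0, 618.0, True),    # transient swing
    Sample(15.0, 623.0, True), Sample(20.0, 615.0, True),   # second swing
    Sample(25.0, 640.0, False), Sample(30.0, 640.0, False), # unmixed reading
    Sample(35.0, 641.0, False), Sample(40.0, 605.0, True),
    Sample(45.0, 625.0, True), Sample(50.0, 626.0, True),   # sustained excursion
    Sample(55.0, 627.0, True), Sample(60.0, 628.0, True),
    Sample(65.0, 610.0, True),
]

if __name__ == "__main__":
    print("naive alarms at:", naive_alarm_times(TRACE))
    for m in run(TRACE):
        print(f"t={m.t:5.1f}  {m.area:6s}  {m.text}")
```

On the constructed trace the bare threshold raises four alarms, three of them during the transient or while the RTD reading is invalid, while the qualified logic raises one abnormality message and routes the rest to the status area.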

Question 420.88

The "1st Stage ADS valve" signal is shown initiating a reactor trip. It is not listed as a trip initiator in the SSAR or WCAP 13382 or shown on the Process Block Diagrams. Provide detailed information on this trip initiation. (Sheets 2 and 15 of Figure 7.2-1)

Response

Reactor trip on a first stage ADS actuation signal is listed as a trip initiator in SSAR Subsections 7.2.1.1.7 and 7.1.5.1. A reactor trip on first stage ADS valve actuation is shown in the process block diagrams transmitted by letter ET-NRC-93-3860, dated 4/8/93.

WCAP-13382 will be corrected to include reactor trip on first stage ADS valve actuation in its next revision.

SSAR Revisions: NONE

Question 420.90

Clarify which units are involved in generating the "S" signal. There are two cases of interest: the "S" signal that goes to reactor trip group 1, and the "S" signal that is used in ESF actuation. (Section 7.3.1.1.3)

Response

Figure 420.90, separately transmitted by letter number ET-NRC-93-3878, dated 5/5/93, shows the sensors and microprocessor subsystems involved in generating an "S" signal within a single division of the protection and safety monitoring system. Each of the four divisions in the protection and safety monitoring system uses an identical arrangement. The communications paths between the four divisions used to generate reactor trips and ESF actuations are discussed in the response to Q420.27. An example of the generation of ESF actuations is presented in the response to Q420.11.

Input from the sensors used to generate the "S" signal is acquired by the signal conditioning in the integrated protection cabinets. This data is processed in the ESF subsystems, which are also in the integrated protection cabinets, to generate bistable outputs. The bistable outputs from the ESF subsystems in the four divisions are transmitted to the engineered safety features actuation cabinets (ESFAC) in each division over dedicated data links, shown in Figure 420.27-3. When the 2/4 logic is satisfied for the proper combination of plant parameters, the ESFAC cabinet generates an "S" signal, which is transmitted to the logic cabinets over the logic bus, where this signal is used in the interlock logic for individual components.

The "S" signal from the ESFAC in each division is also sent to the reactor trip group 1 (RT1) subsystem in that division's integrated protection cabinets, where it is combined with the "S" signals from the other divisions by the 2/4 logic in the integrated protection cabinets to produce a partial reactor trip.

SSAR Revision: NONE

Question 440.32

TMI Action Item I.C.1 of NUREG-0737 requires that licensees prepare emergency operating procedures (EOPs). The information in the EOPs should provide assurance that operator and staff actions are technically correct and the procedures are easily understood for normal, transient, and accident conditions. In order to assist the plant owner-operator in preparing the EOPs, emergency response guidelines (ERGs) should be provided as a part of the design certification application. The overall content, wording, and format of procedures that affect plant operation, administration, maintenance, testing and surveillance must be in compliance with the guidance provided in NUREG-0737 and its Supplement 1. The EOPs should be function-oriented procedures to mitigate the consequences of the broad range of mitigating events and subsequent multiple failure or operator errors without the need to diagnose specific events.

Provide a complete version of the AP600 Emergency Response Guidelines (ERGs). The staff understands that the AP600 ERGs are based on the current Westinghouse Low Pressure ERGs (LP-ERGs), which the staff previously reviewed (see Generic Letter 83-22). If Westinghouse proposes to submit a revised version of the LP-ERGs that reflect design-specific differences associated with the AP600, then describe these differences, including the technical bases for these differences (see Q620.50 for a related question regarding the ERGs).

Response

SSAR Chapter 18 describes the process that will be followed to develop the AP600 man-machine interface including the plant procedures. As discussed with the NRC staff on January 22-23, 1992 and November 19, 1992, the process described in Chapter 18 is provided for design certification. The results of the process, including the specific Emergency Response Guidelines, are not provided. In addition to describing the process that will be used to develop AP600-specific Emergency Response Guidelines, Subsection 18.9.8 also provides the high-level operator action strategies for emergency operations. The high-level operator action strategies provided are of a level of detail appropriate for design certification.

The man-machine interface system ITAAC specifies Tier 1 aspects of the process described in Chapter 18. The development of the AP600 Emergency Response Guidelines is implicit in the fulfillment of the M-MIS ITAAC and is not part of design certification.

As stated in Subsection 18.9.8.1.1, the development of the AP600-specific Emergency Response Guidelines is based on the Westinghouse low-pressure Emergency Response Guidelines. An effort is in progress to compare the low-pressure ERG reference plant system designs to the AP600 system designs to identify the design differences. A report summarizing the results of this effort will be provided to the NRC by June 30, 1993.

Westinghouse is also preparing a set of matrices and figures depicting event mitigation strategies and levels of defense-in-depth. The matrices and figures will be provided to the NRC by June 30, 1993. These matrices and figures together with the high level operator action strategies included in SSAR Chapter 18 and the design differences document provide the information for assessing the role of the operator in event mitigation. The level of detail provided in these documents is sufficient for design certification.

SSAR Revision: NONE

Question 440.34

In its January 19, 1993 response to a question on the core makeup tank (CMT) tests dated July 21, 1992, Westinghouse states that "[t]here will be no formal scaling report for the CMT tests. Since the CMT test is a separate effects test, ...the boundary conditions for the test can be separately controlled....[thus] there is no need for a detailed scaling report." While it is true that some conditions can be more closely controlled in a separate effects test environment than in a systems test environment, once the test starts, the conditions that evolve, such as natural convective flows and temperature distributions, are governed by the physical processes occurring during the test itself, including heat transfer to and from the CMT and depressurization of the test loop (simulating ADS actuation). If the geometry of the test article is substantially different from the prototypic component, the thermal-hydraulic behavior of the two could be different. This is the case with the CMT test. The component in the plant has an aspect ratio (height to diameter) of about 1.7, whereas the test article has an aspect ratio of about 5. Multi-dimensional behavior in the actual CMT, including stratification, internal recirculation, and energy transport, may not be adequately represented in the test article, which looks much more one-dimensional. This behavior may have a substantial impact on the response of the CMT during an accident. Therefore, provide a detailed scaling analysis showing that the thermal-hydraulic phenomenology observed in the CMT test can be directly related to that expected in the plant component during the range of events where the CMT is expected to be in operation.

Response

As agreed at the February 25, 1993 core makeup tank meeting in Pittsburgh, Westinghouse will provide a scaling rationale for the core make-up tank tests that are planned at the Westinghouse Waltz Mill site. This scaling rationale will include the discussion of the key thermal-hydraulic phenomena, and how the planned experiments will provide data on these phenomena relative to the AP600 passive plant performance. The scaling logic will include a Phenomena Identification and Ranking Table (PIRT) to help rank the relative importance of the different phenomena for the tests as well as the full-scale PWR. When developing the PIRT, Westinghouse will also discuss and assess the models in its codes relative to the key phenomena identified in the CMT PIRT.

The scaling logic will also include the test facility calculations using the WCOBRA/TRAC code, which has been used to help specify the test design and instrumentation. The facility calculations will be compared to the AP600 SSAR plant calculations and conditions.

The CMT scaling logic will be completed by July 15, 1993 and can be forwarded to the Staff by July 30, 1993.

SSAR Revision: None l


NRC REQUEST FOR ADDITIONAL INFORMATION

Response Revision 1

Question 720.55

The unique design of the AP600 may provide a passive method to both prevent and mitigate severe accidents with a minimum of human intervention. The insights to effective accident management plans can be developed from the success criteria developed from the PRA's assessment of containment performance. Provide a description of Westinghouse's planned use of the AP600 PRA to identify and assess accident management measures.

Response (Revision 1):

Prevention and mitigation of accidents, including severe accidents, have been an integral part of the design process for the AP600. A significant objective in the passive plant design is preventing accidents from progressing to core damage. Additional features to protect the plant fission product boundaries in the event of a core damage accident have also been included in the AP600 design. The derivations of the design features are diverse; some features are derived from generic severe accident analyses, and others have been derived from AP600 accident analyses. Specific design features have been incorporated into the AP600 plant as a result of generic severe accident phenomenological insights from previous severe accident work. An example of such a design feature is the lower containment layout, which provides for submerging the reactor vessel with a minimum water discharge to containment. There are also accident management features incorporated into the AP600 based on key findings from the AP600 PRA. Examples of AP600 features from the PRA include manual operation of the reactor coolant depressurization system and the passive RHR system upon detection of high core exit temperatures, and manual operations to flood the reactor cavity with water from the IRWST if it has not drained automatically into the reactor vessel.

As part of the development of a comprehensive accident management plan for the AP600, a systematic review of the Level 1 and Level 2 PRA results is being carried out to identify and document potential accident management insights. These insights relate to the prevention of core damage, mitigation of core damage, protection of fission product boundaries, and mitigation of fission product releases. Prior to the beginning of the systematic review, guidelines were developed to establish the scope and conduct of the review of the various segments of the PRA. An existing Westinghouse data base of accident management insights, which were derived from insights identified in a number of PWR IPE studies and from NRC research, is being reviewed for applicability to the AP600. Additionally, insights identified and documented during the Westinghouse development of generic severe accident management guidance for the Westinghouse Owners Group (for operating Westinghouse PWRs) will be reviewed for applicability to the AP600. A number of accident management insights have already been identified and documented as part of the AP600 severe accident phenomenological evaluations; these are documented in WCAP-13388.

Based on the insights identified, candidate accident management strategies will be developed. Additional severe accident evaluations and analyses, when appropriate, will be carried out to determine the feasibility and effectiveness of candidate accident management strategies. All candidate accident management strategies will be evaluated by a small team of senior PRA experts and AP600 designers. Accident management strategies found to be effective will be integrated into the AP600 accident management plan. Initially, the candidate accident management strategies will be used to develop high level severe accident management guidance (see also the response to Q720.56).


This approach results in a complete and comprehensive integration of the AP600 PRA and severe accident considerations into the AP600 accident management plan which includes plant design features, symptom-based emergency response guidelines, and severe accident management guidance. The development of the AP600 emergency response guidelines is discussed in the response to Q720.54, and the severe accident management guidance is discussed in more detail in the response to Q720.56. Also, the approach takes maximum advantage of the ongoing work in severe accidents by both the industry and the NRC.

PRA Revision: NONE


Question 720.56

The AP600 PRA does not indicate how the accident management issues discussed by SECY-89-012 will be implemented. Describe Westinghouse's planned approach for assuring that each of the five elements of accident management defined in SECY-89-012 will be appropriately addressed by the vendor and licensee. Identify the respective responsibilities of Westinghouse and the licensee for addressing each of the five elements, and any methods and/or guidance that are expected to be used in this process.

Response (Revision 1):

The Westinghouse plan for addressing the severe accident management program requirements discussed in SECY-89-012 for the AP600 will be based on the current efforts by the Westinghouse Owners Group to develop severe accident management guidance for the current generation of operating plants. Westinghouse is developing this guidance for the Westinghouse Owners Group. From the standpoint of potential severe accident phenomena and potential challenges to the plant fission product boundaries, the AP600 response to severe accidents is similar to that of the current generation of Westinghouse PWRs. Thus, the ongoing Westinghouse Owners Group program to develop generic severe accident management guidance has direct applications to the development of AP600 plant severe accident management response guidance. It is expected that the respective responsibilities of Westinghouse and the licensee for addressing each of the five elements of SECY-89-012 will be similar to the respective responsibilities of the Westinghouse Owners Group and the licensees for the current operating plants. The respective responsibilities are summarized in the following paragraphs.

To take full advantage of the draft WOG guidance and the NRC feedback on that guidance, Westinghouse plans to initiate development of a generic severe accident management program for the AP600 after the Westinghouse Owners Group provides their draft severe accident management guidance to the NRC on June 30, 1993. High-level severe accident management guidance for the AP600 will be developed and submitted in support of the design certification by November 1993. Completion of the development of the severe accident management guidance for the AP600 is part of the man-machine interface specification, and its timing will be consistent with that design ITAAC.

The accident management issues discussed in SECY-89-012 cover a broad range of accident management activities including the symptom-based emergency operating procedures and the utility site emergency plan. The severe accident management issues discussed in SECY-89-012 must interface with both of these. For the AP600, the interface with the symptom-based emergency operating procedures will be similar to the interface for the current generation of operating plants (i.e., the transition from emergency operating procedures to severe accident management guidance). While the site emergency plan is expected to be simplified for the AP600, the interface between the emergency plan and the severe accident management guidance, on a broad scale, is very similar to that for the current generation of operating plants. That is, the severe accident management guidance must fit the emergency response team responsibilities and authorities, including the chain of command. While generic symptom-based emergency operating guidelines exist to establish a concise interface, the site emergency plan is developed by each utility, based on specifics of its emergency response organization and interfaces with federal, state and local government agencies. Thus, the severe accident management program for the AP600 cannot totally address the issues discussed in SECY-89-012. Some of the issues, such as overall decision-making responsibility and duties and responsibilities of individuals in the emergency response organization, training, and so on, are interfaces with the utility site emergency plan that can be addressed only in the combined license application.

The following is a high-level discussion of the method in which Westinghouse will address each of the severe accident management issues discussed in SECY-89-012 for the AP600.

Accident Management Procedures

This element refers to the consideration of generic accident management strategies identified by the NRC to enhance the ability to cope with the severe accident scenarios that tend to dominate risk in PRAs for the current generation of operating plants. These strategies have been identified in several NRC reports, including NUREG/CR-5474 and NUREG/CR-5781. The AP600 applicability of the strategies identified in NUREG/CR-5474 is discussed in the response to Q720.54. The AP600 applicability of the strategies identified in NUREG/CR-5781 will be part of the insights evaluation discussed in the response to Q720.55. As discussed in the responses to Q720.54 and Q720.55, the applicable NRC strategies will be further considered in the development of either generic symptom-based emergency operating procedures or generic severe accident management guidance, as appropriate.

Training for Severe Accidents

Training is within the scope of the utility emergency plan. Thus, the specific details of severe accident management training are in the scope of the combined license application.

Accident Management Guidance

Westinghouse will develop generic severe accident management guidance for the AP600 that provides a means of diagnosing plant conditions during a severe accident and a set of strategies for responding to those plant conditions.

The Westinghouse Owners Group severe accident management guidance, being developed for the current operating plants, will be used as a basis for defining the AP600 severe accident management guidance. From the standpoint of potential severe accident phenomena and challenges to the plant fission product boundaries, the AP600 severe accident response is similar to that of the current generation of Westinghouse PWRs. Thus, the ongoing Westinghouse Owners Group program to develop generic severe accident management guidance has direct applications to the development of the AP600 plant severe accident management response guidance. The AP600 severe accident management guidance will incorporate those insights from the AP600 PRA and other applicable sources, as described in the response to Q720.55. The severe accident management guidance developed for the AP600 will provide a means for diagnosing challenges to the plant fission product boundaries, for responding to challenges with appropriate strategies, and for returning the plant to a controlled, stable condition. The severe accident management guidance will also identify potential negative impacts (e.g., increased challenge to a fission product boundary) of implementing each of the strategies contained in the guidance. Finally, the guidance will contain information related to the expected plant response after implementation of a particular strategy. The severe accident management guidance will also identify a limited set of computational aids to assist in diagnostics and/or to permit rapid evaluations of the magnitude of some of the negative impacts associated with implementation of a specific strategy.

Instrumentation

The severe accident management guidance just described relies upon the diagnosis of challenges to fission product boundaries and the diagnosis of a controlled, stable state. Westinghouse will identify, in the AP600 severe accident management guidance, primary and secondary instrumentation indications for those key parameters needed for diagnosis. This approach is consistent with the approach taken in the Westinghouse Owners Group severe accident management guidelines for current operating plants. Also, where appropriate, the severe accident management guidance will identify methods for inferring the parameters needed for diagnosis from other instrumentation readings. During the development of the AP600 severe accident management guidance, any insights regarding instrumentation (particularly with regard to instrumentation survivability and readout range) will be documented and further evaluated.

Decision-Making Responsibilities

Based on information developed during the Westinghouse Owners Group severe accident management guidance program, the decision-making responsibilities during a severe accident should not change significantly from those already specified in the utility site emergency plan for existing plants. The only significant difference introduced by severe accident management guidance is the broader responsibility for the plant technical support staff to provide recommended actions to the control room staff after core damage has occurred. The tools available to the technical support staff for this broader responsibility are the severe accident management guidance derived from the AP600 generic severe accident management guidelines. Considerations related to decision-making responsibilities during an accident, including severe accidents, are in the scope of the combined license application.

PRA Revision: NONE
