Forwards Responses to NRC 930218,0312,0413 & 28 RAIs on AP600

ML20045C782
Person / Time
Site:	05200003
Issue date:	06/17/1993
From:	Liparulo N WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:	Borchardt R NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
ET-NRC-93-3905, NUDOCS 9306240353
Download: ML20045C782 (52)
v • d • e

Text

. - _ _ ____

Westinghouse Energy Systems Bm 355 Pittsburgh Pennsylvania 15230 0355 Electric Corphration ET-NRC-93-3905 NSRA-APSle93-0213 Docket No.: STN-52-003 June 17,1993 Document Control Desk U.S. Nuclear Regulatory Commission Washington, D.C. 20555 ATTENTION: R.W.BORCHARDT 4

SUBJECT:

WESTINGHOUSE RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION ON THE AP600 4

Dear Mr. Borchardt:

Enclosed are three copics of the Westinghouse responses to NRC requests for additional information on the AP600 from your letters of February 18,1993, March 12,1993, April 13,1993 and April 28, 1993. This transmittal completes the responses to the February 18, 1993 letter. A listing of the NRC requests for additional information responded to in this letter is contained in Attachment A. The questions associated with the February 18,1993 letter are 440.33 and 440.34. The response for 440.33 is provided in this letter. The response for 440.34 was provided in the Westinghouse transmittal letter dated May 14,1993.

4 2

These responses are also provided as electronic files in Wordperfect 5.1 format, if you have any questions on this material, please contact Mr. Brian A. McIntyre at 412-374-4334.

t Ylh A/V&

Nicholas J. Liparuto, Manager Nuclear Safety & Regulatory Activities

/nja Enclosure I cc: B. A. McIntyre - Westinghouse I F. Hasselberg - NRR l 2200Cu ,

iona {

9306240353 930617 PDR ADOCK 05200003 k3 A PDR g

ET-NRC-93-3905 A1TACHMENT A AP600 RAI RESPONSES SUBMITTED JUNE 171993 RAINo. Issue 220.0091t0ll Containment capacity reduction factors 420.015 l Workstation graphic display design features 420.016 l Alarm system design features 420.025 l RC hot leg / cold leg temperature measurement 420.040 - l Technical support center I&C design 420.047 i Manual block control switch location 420.073 l Remote shutdown workstation 420.091 l Request for clarification 420.093 l WCAP-12648 420.094 l LLNL DID & diversity report 420.095 l Protection system setpoint methodology report 420.096 l Automatic tester subsystem 420.099 l Global trip subsystem failures 420.100 l Bypass of reactor trip instrumentation channels 420.101 l Definitiopn of failures attributed to software 420.102 l Missing information from Chapt 16 Table 3.3.4-1 440.033 l Applicability of 3-tube PRHR tests 471.013 l Head closure system 471.015 l Tank venting to building ventilation system 720.054R0ll Accident management strategies 1

a

NRC REQUEST FOR ADDITIONAL INFORMATION Response Revizion 1 M..

Question 220.9 Clarify the discussion of capacity reduction factors and factors of safety in Section 3.8.2.4.2.2 of the SSAR. j Capacity reduction factors are intended to reduce the theoretical buckling values to the predicted buckling strength.

They account for imperfections and are usually based upon a correlation of theory and experiment. Factors of safety must be applied in addition to the capacity reduction factors. Factors of safety relate to uncertainties in loading and variability of analytical predictions.

1

Response

1 SS AR Subsection 3.8.2.4.2.2 will be revised to clarify the discussion of the capacity reduction factors and the safety l factors. Capacity reduction factors are used ia evaluating the predicted capacity of the head. Safety factors are considered in defining the allowable pressure capability of t'.e head for various service conditions.

Revision 1 of this response includes changes related to the internal pressure capacity of the ellipsoidal head for severe accident conditions. These changes are made to conform to the NRC Staff position on the Passive Plant Utility Requirements Document. These revisions are underlined.

SSAR Subsections 3.8.2.4.2 (first paragraph), 3.8.2.4.2.2, 3.8.2.4.2.8, the references in Subsection 3.8.6, and  ;

Table 3.8.2-2 will be revised as follows: l SSAR Revision:

3.8.2.4.2 Evaluation of Ultimate Capacity The capacity of the containment vessel has been calculated for internal pressure loads for use in the probabilistic accident analyses and severe accident evaluations. Each element of the containment vessel boundary was evaluated to estimate the maximum pressure at ambient temperature corresponding to the following stress and buckling criteria:

• Deterministic severe accident pressure capacity corresponding to ASME Service Level C limits on stress intensity, Code Case N-284 for buckling of the equipment hatch covers, and sixty percent 4wo-4MrJ+of critical buckling for the top head. The deterministic severe accident pressure caracity corresponds to the proposal in SECY 93-087 to maintain a reliable leak-tight barrier approximately 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following the onset of core damage under the more likely severe accident challenges.

• Best-estimate capacity corresponding to gross membrane yield at the ASME-specified minimum yield stress (SA537, Class 2, yield stress = 60 ksi, ultimate stress = 80 ksi), and critical buckling for the equipment hatch covers and top head.

220$R M W Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 1 3.8.2.4.2.2 Buckling Evaluation of Top Ilead

_ _ ._ . .. . . . _ .p..m. e. ru

...._..x...._..t..:..t.a.. __.:_ _.a _._ . t. . n. . . . _ . . , ... .~ . a.g u. 4dd-w n.._.___t.._...a.t.._...

. .. y . . . .~

. r.:~. _a.. p

.,m tonapheri=! h=d "":e ::tir u= cp=iE=!!y =!=ted !r niinind:: the !c=! etr*+er-end4mek1!ng in the kemskie

• • g+eth-ne 'ap h:23 u= =:!y: d using the EOSOR 5 =mpu:= =de (Ref=== !). Si : cad *t* mil: =",:nid=*'i*a

.. r i . a t. u. ._

. ~ .. x. . ..y_ u. _.. .._.. ._ _. ... ..

. _ _ a. _

. _._. i. .: a. ea.

. . . : .a. y_ . .._. *u_. .

..r...

. . i. __ u. ._.t. _. .__ .., t.. .. .a. i . . . _ . , _ ... __ _a .., . t. _., 1._. .... . .t_ : ..,....._.._t

'=d Wp. ^. ::itic ! h=hling p === cf m pMg ve= ::!=!: ed =ing :!=.!!: p=fect!y p!= !: n=:=in! p=perties

._a _ ,.._ u. ...

_g e.n u_., v.: . .u. _ c . u .,. a. : ._.1. g. . m.a. _.a. . ...__

r.

. . . r , n. 7. .. a. , ... . _.t_~. .: t. , __ i : _ . t., 7.. ._._.x. ..

. . . .g t

e.u __..__ .. v. : .m u. _ f4.

_ t. . _.. .y . .. c. ... u. . . _. . . ._ _ . . . . . _..a._,a. _ : _. m._,.1-pr_.. ~....

.. . . . . . . . . .. ._ _ r o c ;w . . v.:_.o.

. . r .s. .m.1_ .. ale-region

........_aa..

. . , . - i. .c. ,_ c_ _......

Capacity =dectinn_f=:nr fe: :=p=f:::ir =na'! ::y == = .ideed 5=.ed r enmparir c' EOSOR 5

_ _a. ,. _ _ ,. . ..

. . ~_., . ;4._. . r. .. u. . . . , e . , , . t._. ._ g.. key.pa,. ..__, ..

_ ... .. . . . . . - .. _..g.

m. ., .. a. u n e n n. . .c. ...~_m. . . : _ cm. .. . . _

lar . , c. ..L. 4._._.#.e- 4 ".1. 1. .r . _4. . ,._t.. . .. .. .. .m .. .. m.1.,. _ .1 . , _~ . a. : _ M f_f D. C._r* !c'D. n_ nth &4 ,.. .m. t_,. ri. u+n"..L__1, L. _mt le*ng

. . .m_. _1. t. ._m.- _.1 _ . _ . . ..

p === predieted by BOSOR-5 ::p=.r-" initialkki :.g. ",: Tet.! ! :h :=.: n=!! cf SS p=g :- 79 p==n* cf the p=di J p ==re c'?! peig. "^r T=: 2 the :::-: =d predi J va! e::= =;ual. He inhin! 5=kling did re! ==e .

faile= f^: chh cf th :=: , =d :=.: p === = "=ed ic n= =.2 ="' up:=e.c===J in 4he+ph= ,2! =p. Se eollap' e p===u =re-th::: !c fau: tim = the i ::: ! he "ing p==u==

.. r ,

r. ._. ..u... . ._..

_ _ x. ... .., _.. t. . . _ ..ct. .. .a. . . ,.. c .u. .. .i. n. t_nn , ,. . . _u._ _. r . o.. __.

.. ,r. ... _artion-of-4.. t.. . i. . __ a . art

• _.a.__ r._ ._. ... _ . -. . u.-

pMg, h=ud en the EOSOR 5 ena!y ^, "':ich u= 'he r "i= yield.eriterien =d ep=irj;j =;n;;== y;;73 cr4g k.- ^ pp!y!=g : =prity J=ti= f=*cr of 0.'9

. th: :-i:!=! '=hling pr. == pt:J! d by EOSOR-4.woubt ,

re=l! :n : ::! ! b=kling :: : p==== cf 137 p=g. "=.ed r- th =: re=!M de=ibed 25: e,thi ' ='de, = en if I

" n=e !c ==r, =!d .- * !=d !c failure. n=, the EOSO". 5 :==! : cre u=J di:=t!y :: =. tim =pec!!y, r'e'-

m._.a..- .. u_ '. irmted-h," ' . . ". '. . , . .". _ . . .1.

.. . . ,^. * ', ' _". .: . .

144: c=cluded t'" 'ha .iP60^ h=d =pasily ===p= ding te min!== cp=ifM p !d ! cy=! *^ "'i peig, F i!a= =!d = cut-at-a-highe p::==e uhen ',=! -traina :=h u!tinate-eithe  !=e ta : 5=! b=hl*4n-the knuekl#er-at.4he cc." " ^e =own dmilai-tuh=e r cheerved i: Tec' ! =d 2. Large-deneetions.of4h+wown

,,g;o, _ _.u u '- - vi6eant th= !=ge deSetiorm-of4h cy!!nde " ce :lwrwe,-4nore+p=: 25' vc the-top-head th= ne : '- the cy!!rier,-

Se-"!:e L=c! C ::p=

• _ for-4he 'ap head.are-ealeulated-frc 'he aritical-bu4 ling-pre +ur+-predieted-by BOSO". , .( . .^ ..c W_ '_'^^, _c Mion-ll', c'.. _"-- ". _ , ". . . _,- a '. .c

. - . "., _ "_ _ . '. y_". . *en-e-+a fet," '_ ' ~ " ' . ^. .^-

comp:s v: ::=== ' : Ser =dL =! ^., =d allow *-an-in=== ef 20 p=..,e f= Sem!= L=c! C. S!: g:ven an g u. . . . t.1. . _ _ - . . . . .v . - . .. r .,n.v .._

. , .. . 4. t r_ . . . a _ g,..,. . _ r ., . .c . n. . 1. _ . : __ :g;. c. _._ _ . ,_ r .r . ,. . . _ i. e _ . a. ;34,_,

Inabena"*' ce".$2 nI"en! 2O[cchty-of- 4tvipr-h0k ' ' " ~ "

'"fety :' I ". : ? " . ' {r==r#4 " 'b $ estr@-

sponding :c : : --i!: :::endeten*ity eq=! to y::!d. He S :-!= L=c' C =p=::y = hown4n4he4ab!: h==! on the4aeter c' =f :y " ' .5. W ' ;^-id==! cpp=priate f= the 'n!!c. >ing reames

'" ^.SME+afety4ac n =e primarily-intended fer =mpr= un d= !c alemal-prc+ure r- "=c:are+4 hat 4nay be+trongly+enaitiv+4o.imperfectioner E"ip=idal-end-torispherieal4= d =5juted-tc i-' =l-premre-are-not+trongly = ' e % imperfeetionar 220.9(R1)-2 W-Westin ouse

l 1

NRC REQUEST FOR ADDITIONALINFORMATION Response Revision 1 I E...

- Ped!: ; :" the-knen gh:n de: t :;=r ' '- :' fundien : de nn:ca::d by the ef eerweJ4*%

> he:: f:!! re-wevered : pn .:=; " thece-k+-four4imewhe4nitiaWekling prem= .

S== :::! den' , A :- LOCA p!w,4:yd:c;:n 52::, :=leated eguir ' % S=ie L:=' C li A : ::: !cw probability,-

The top head has a radius-to-height ratio of 1.728. This is not as shallow as most ellipsoidal or torispherical heads, which typically have a radius--to-height ratio of 2. The ratio was specifically selected to minimize the local stresses and buckling in the knuckle region due to internal pressure. As the ratio decreases, the magnitude of com-pressive stresses in the knuckle region decreases; for a radius-to-height ratio of 1.4 or smaller, there are no compressive stresses, so there is no potential for buckling.

Theoretical Buckling Capacity The top head was analyzed using the BOSOR-5 computer code (Reference 1). This code permits consideration of both large displacements and nonlinear material properties. It calculates shell stresses and checks stability at each load step. Yield cf the cylinder started at a pressure of 144 psig using elastic - perfectly plastic material properties, a yield stress of 60 ksi, and the von Mises yield criterion. Yield of the top of the crown started at an internal pressure of 146 psig. Yield of the knuckle region started at 152 psig. A theoretical plastic buckling pressure of 174 psig was determined. At this pressure, the maximum effective prebuckling strain was 0.23 percent in the knuckle region where buckling occurred and 2.5 percent at the crown. The maximum deflection at the crown was 15.9 inches.

Predicted Pressure Capacity The actual buckling capacity may be lower than the theoretical buckling capacity because of effects not included in the analysis such as imperfections and residual stresses. This is considered by the use of capacity reduction factors based upon a correlation of theory and experiment. The capacity reduction factor for the top head was evaluated based on comparisons of BOSOR-5 analyses against test results of ellipsoidal and torispherical heads. This evaluation is described in the following paragraphs and concludes that no reduction in capacity need be considered.

That is, a capacity reduction factor of 1.0 is appropriate.

The knuckle region of ellipsoidal and torispherical heads is subjected to meridional tension and circumferential compression. The meridional tension tends to stabilize the knuckle region and reduces its sensitivity to imperfection.

The radius-to-height ratio of 1.728 of the AP600 head results in a larger ratio of meridional tension to ,

circumferential compression than on shallower heads, further reducing the sensitivity to imperfection. I Welding Research Council Bulletin 267 (Reference 22) shows a comparison of B('SOR-5 predictions of buckling against the results of 20 tests of small-head models. These results are summarized in Table 4 of the reference and show ratios (capacity reduction factors) of actual buckling to the DOSOR-5 prediction with an average of 1.2. Only one of the 20 cases shows a capacity reduction factor less than 1.0.

Table 3.8.2-3 shows the key parameters, test results, and BOSOR-5 predictions for two large, fabricated 2:1 torispherical heads tested and reported in NUREG/CR-4926 (Reference 23). The theoretical plastic buckling pressure i

W Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 1 I $

1 i

predicted by BOSOR-5 represents initial buckling based on actual material properties, no initial buckling did not j cause failure for either of the tests, and test pressure continued to increase until rupture occurred in the spherical l cap. The collapse pressures were three to four times the initial buckling pressures, j

= Test IIcad 1 - The test result of 58 psig is 79 percent of the predicted theoretical plastic buckling pressure of 74 psig. Many of the buckles occurred directly on the meridional weld seams of the knuckle. The knuckle welds were noticeably flatter than the corresponding welds of Test head 2. ne as-built configuration extended inside the theoretical shape at some of the meridional weld seams and was most pronounced at the k> cation of the first observed buckle. Test head 1 exceeded the tolerances for formed heads specified for containment vessels in NE-4222.2 of ASME Section III, Subsection NE.

• Test IIend 2 he test result of 106 psiis 100 percent of the BOSOR-5 predicted theoretical plastic buckling pressure. For test head 2, the welds had no noticeable flat spots. There was a smooth transition between the sphere and knuckle sections. Test head 2 was well within the ASME Code,Section III allowable deviations.

The low-capacity reduction factor of 0.79 for test head 1 is attributed to excessive imperfections associated with the fabrication of relatively thin plate (0.196 inch). These imperfections were visible and were outside the tolerances permitted by the ASME Code. The results of test head I are therefore not considered applicable to the AP600. The results of test head 2 and of the small-scale models described in the Welding Research Council Bulletin support the application of a capacity reduction factor of 1.0.

The capacity of the AP600 head was also investigated using an approach similar to that permitted in ASME Code Case N284. This code case provides alternate rules for certain containment vessel geometries such as cylindrical shells. The section on ellipsoidal and torispherical heads will be included in a future revision of ASME Code Case N284. The theoretical elastic buckling pressure was calculated to be 536 psi using the linear elastic computer code BOSOR-4 (Reference 24). A reduction factor (def' m ed as the product of the capacity reduction factor and the plastic reduction factor) was established as 0.385 based on the lower bound curve of test results of 20 ellipsoidal and 28 torispherical tests specimens, which also include the two large, fabricated heads previously  ;

discussed. This resulted in a predicted buckling capacity of 206 psig. l The preceding paragraphs address incipient buckling, it is concluded that buckling would not occur prior to  !

reaching the pressure of 174 psig predicted in the BOSOR-5 analyses. Tests indicate that pressure can be signifi- l cantly increased prior to rupture after the formation of the initial buckles. However, the capacity of the top head is conservatively taken as the pressure corresponding to initial yield of the top head, which occurred at a pressure of 146 psig based on minimum specified material properties. Failure would occur at a higher pressure when local strains reach ultimate either close to a local buckie in the knuckle region or at the center of the crown. Large deflections of the crown region would be less significant than large deflections of the cylinder since there is more space above the top head than next to the cylinder.

The deterministic severe accident pressure capacity is taken as 60*rcent of critical buckling. His is consistent with the safety factor for Service Level C in ASME Code Case NJ and results in a containment head capacity of 104 psig.

220.9(R1)-4 W Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 1 . . . .

3.8.2.4.2.8 Summary of Containment Pressure Capacity The ultimate pressure capacity for containment function is expected to be associated with leakage caused by excessive radial deflection of the containment cylindrical shell. This radial deflection causes distress to the me-chanical penetrations, and leakage would be expected at the expansion bellows for the main steam and feedwater piping. Here is high confidence that this failure would not occur before stresses in the shell reach the minimum specified material yield. This is calculated to occur at a pressure of 144 psig at ambient temperature and 120 psig at 400'F. Failure would be more likely to occur at a pressure about 15 percent higher based on expected actual material properties.

The deterministic severe accident riressure that can be accommodated according to the ASME Service Level C stress intensity limits and using a factor of safety of 1.67 for buckling of the top head is determined by the '

capacity of the 16-foot-diameter equipment hatch cover. The maximum capacity of the hatch cover, calculated according to ASME Code Case N 284 Service Level C, is 96 psig at ambient temperature and 90 psig at 400'F.

I 3.8.6 References 1

22. D. Bushnell, " Elastic-Plastic Buckling of Internally Pressurized Ellipsoidal Pressure Vessel Heads," Welding l Research Council Bulletin 267, May 1981. l

23. J. G. Bennett, "An Assessment of Loss-of-Containment Potential Because of Knuckle Buckling for 4:1 Steel Containment Heads," NUREG/CR-4926, LA-10972-MS, April 1987. (This report also includes the Contractor's Report: " Buckling and Rupture Tests of Two Fabricated Torispherical Heads under Internal Pressure," by R. B. Grove, S. W. Peters, C. D. Miller, and M. F. Eder, C.B.I. Industries, Inc. Research Laboratory.)

24. D. Bushnell,

• Stress, Stability, and Vibration of Complex Branched Shells of Revolution: Analysis and User's Manual for BOSOR-4," LMSC-D243605, lockheed Missiles and Space, Palo Alto, Cal.,1972.

T Westinghouse 220.WR M

i I i

! NRC REQUEST FOR ADDITIONALINFORMATION l

> 1 1 .. . . . .

Response Revision 1 l Table 3.8.2-2 I Containment Vessel Pressure Capabilities l

Containmerit Element Pressure Capability at Ambient Temperature Deterministic Severe Minimum Specified 4 Accident Capacity (I) Yield (2)

^ SME S:.-!:: Ex! C lO j

j Cylinder 125 psig 144 psig 2

Ellipsoidal head 104 44-psig 146 psig

)

22-foot equipment hatch 117 psig 1% psig  !

16-foot equipment hatch  % psig 161 psig l Personnel airlocks(3) > 163 psig . >300 psig i

j (1) The buckling capacity of the ellipsoidal head is taken as 60 percent of the critical buckling pressure calculated 1 by the BOSOR-5 nonlinear analyses. Evaluations of the other elements are according to ASME Service level C and include use of Code Case N284.

i a

(2) He estimated maximum pressure capability is based on minimum specified material properties.

! J l (3) %e capacities of the personnel airlock are estimated from test results.

i i

i 1

1 i-3 s

d 220.9(R1)-6 I

W Westinghouse 4

i b

o r._ y.,. ,. -- ...

l l

NRC REQUEST FOR ADDITIONAL INFORMATION jE l

l l

l Question 420.15 l i l l Describe the design features of the graphic displays on the workstation. The description should include but not be limited to a comparison to the EPRI hi-hilS requirements (Section 7.1.1).

1 Response: l l

The scope of the M-MIS as defined in Section 1.1 of the ALWR URD Requirements, Chapter 10, is the same l l definition that Westinghouse uses to define its M-MIS. The ALWR Chapter 10 requirements pertaining to the 1 I

displays are incorporated into the design of the display system.

The displays at the operator workstation can be displayed on any of the available video display units at the l workstation. They consist of the following: l l

. Overview display that is currently active on the wall panel infonnation system.

Functional displays depicting a functional view of the plant, such as RCS temperature control, RCS pressure control, etc. These will use virtual meters and trends and other graphical images to 1 portray important parameter information.

Physical displays that are virtual P&lDs, depicting the physical status and alignment of equipment, and dymunic status / availability indication of supporting equipment. These displays use graphical images similar to those currently found on P&lDs, but enhanced to add dynamics.

Computerized procedure displays that have the dynamic plant infonnation to help determine the plant configuration and process conditions appropriate for the completion of a pmcedural step.

Point detail displays that allow the opemtor to view sensor and component data, i Alann support displays that pennit the operator to query the alann system and view chronological I listings. ahmn trigger logic, available messages, etc.

In addition, each workstation will have a set of soft control devices that have graphical depictions of panuneters being contmiled and the current and possible status of individual components.

The display system is window oriented. The operator uses a mouse, trackball, or simihtr device to point to display elements and as a mechanism for navigation. The displays are primarily graphical with alphanumeries where necessary. The exact number of displays in the system, how the operator will navigate among them, and how operations are canied out will be determined as a portion of the human factors engineering ITAAC commitment.

Between the workstations, there are system-level dedicated controls and the qualified display processing system (QDPS) with the Class lE display devices and the display information necessary to achieve and maintain a safe shutdown condition, as well as the resources necessary to support postaccident monitoring.

The sensor inputs to the QDPS come through either the QDPS remote input / output cabinets, the integrated protection cabinets or the protection logic cabinet and the ESFAC (all of which are part of the protection and safety monitoring system), and are distributed to the QDPS display pmcessors.

T Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION g.

The sensor inputs to the rest of the displ:!y system corne through either the IPC and ESFAC or the integrated control cabinets in the plant control system, to the monitor bus, and are distributed to the appropriate display processor.

SSAR Revision: NONE i

i l

1 1

l l

i 420.15-2 W Westinghouse

1 NRC REQUEST FOR ADDITIONAL INFORMATION l Question 420.16 l l

Describe the design features of the advanced alann system. The description should include but not be limited to a cornparison to the EPRI M-MIS requirements (Section 7.1.1).

1 1

Response: ,

I SS AR subsection 7.1.1 describes the I&C architecture for the plant. The mapping of the 1&C design to the alann system functions, described generally in Section 43 (Alanns) of Chapter 10 of the ALWR URD requirements, and the functions and features of the AP600 advanced alann system. described in SSAR subsection 18.9.2, follow:

• Inputs to the alann system are taken from the monitor bus (see SSAR figure 7.1-1).

. Inputs to the monitor bus are via appropriate paths identified in the same figure.

Typical infonnation used by the alarm system includes process variables and component statuses received from other equipment connected to the monitor bus.

The ALWR URD M-MIS requirements will be employed as design criteria for the AP600 advanced alarm system.

Particuhtr details of the design will be detennined by carrying out the design process described in the human factors

, engineering ITAAC. .

l SSAR Revision: NONE I l

1 1

W Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION b

! Question 420.25 Describe the reactor coolant hot leg and mld leg temperature measurement arrangement from the sensor to the integrated protection abinet. Ilow is spatial dependency of the RTDs that are mounted 120 degrees around the pipe compensated? Describe how the '1"8, Delta T, Overtemperature Delta T setpoint, and Overpower Delta T setpoint software is developed. What type of adjustment is required during plant operation? Are the time constants in these equations allowed to be changed by the operator? What procedure assures that the trip setpoints are properly maintained? (Scaions 7.1.2.8 and 7.2.1.1.3)

Response

Fast-response temperature detector installations are provided in the hot and cold legs of each reactor coolant loop.

. These consist of detectors with rapid temperature response characteristics installed in special thin-wall-design thermowells. These devices generate input signals to the integrated protection cabinets. 'Ihere are six detectors in

, each hot leg and two detectors in each cold leg. 'Ihe hot leg detectors are arranged in four groups of three fast-response RTDs spaced 120 degrees around the loop pipe. This arrangement produces a 2-out-of-4 logic for hot leg temperature on a plant-wi'le basis. The cold leg detectors are arranged to produce a 2-out-of-4 logic for cold leg

temperature on a per-steam-generator basis.

'lhe spatial dependency of the three hot leg RTDs is compensated for with manually input biases. Given the three filtered hot leg RTD measurements, Tuo73, j = 1,1 & .3 Biased hot leg temperatures are calculated using:

I go7,

=T uo7, - P,S,* (l) where: ,

l

. l uor, " biased hot leg RTD temperature, *F l T,=

yo measured and filtered hot leg RTD temperature, *F l S* = m nu lly input bias that corrects individual hot leg RTD measured value to the loop hot l 1

leg average, *F p, , currection factor for power level. See Equation 3 for calculation of P, . (Value of P, from previous cycle is used.)

420.2m W Westinghouse i

i l

l NRC REQUEST FOR ADDITIONAL INFORMATION ,

Z!!

Imp average hot leg temperature is calculated using: ,

Tyor, = [ "" A t

he correction factor is calculated:

T '

p* ,, Tuorf avo (3)

Al*

where:

Tu,, =

cold leg temperature, 'F AT* =

referen full power delta-T, 'F  ;

f i

ne T.,,, delta-T, overtemperature delta-T setpoint, and overpower delta-T setpoint software is developed using the process described in SSAR Reference 7.1.6.4 (WCAP-13392 NP, "AP600 Instrumentation and Control Ilardware and ,

Software Design, Verification, and Validation Process Report").

He constants and time constants in the overtemperature delta-T and overpower delta- T setpoint equations are ,

defined in Table 33.1 1 of Chapter 16 (rechnical Specifications) of the SSAR. The surveillance requirements of l the technical specifications ensure that the trip setpoint equations are properly maintained. During plant operation, adjustments may be made that maintain setpoints and time constants within technical specification limits. *nx:se adjustments would be made in accordance with plant technical specificatiors, surveillance procedures, and administrative controls. De procedures that ensure that the trip setpoints are properly maintained are the responsibility of the combined operating license holder.

SSAR Revision: NONE l

i:

l T Westinghouse 1

. . ,. . ~ . . , . . .. __ . . _ , , . - - - . --

P l  :

NRC REQUEST FOR ADDITIONAL INFORMATION )

n=n .l un -- 'I Question 420.40 :

Describe the 1&C system design for the Technical Support Center. (Section 1.2.1.5.3) '

)

l

Response

The mission and tasks of the AP600 technical support center are described in SSAR Subsection 18.8.2.1.1.2.5. The design and verification and validation of the TSC are discussed in SSAR Subsection 18.11.2. l The design of the TSC wu. 'e crfonned according to the M411S design process described in SSAR Section 18.8  ;

and is the responsibility of the combined license applicant.

The TSC will have the same set of operational displays on graphics workstations as on the opemtor's workstations .

in the main control area.~- The graphics workstations in the TSC are part of the data display and monitoring system -

(DDS) and are driven by the same plant data as the operator displays in the main control room and remote shutdown area. The TSC infonnation system will be capable of reliable data collection, storage, analysis, and display, as well as communication capability sufficient to determine site and regional status, determine changes in status, forecast - j status, and take appropriate. actions, in accordance with"the guidance in NUREG4r/37. No plant ' controls are available in the TSC. The TSC will have sufficient. communication equipment to support internal plant communications and communications with authorities outside the plant boundary.

i SSAR Revision: NONE l'

]

i l

l l

I 1

i 1

12 m W westinghouse i

.i-. ._...J. . .. . . . _ . , _ . , .- -

. . - . - -. .. ~- . - - . . . - - _. . .-. .

i 1  !

4 l j NRC REQUEST FOR ADDITIONAL INFORMATION ,

j - - - - - - - . .  ;

i

! ex- l i Question 420.47 -}

L j Sheet 3 of Figun 7.2-1 of the SSAR and some other sheets show manual bkick control functions (momentary blocki -l 3

or momentary reset). Where are these manual control switches located? 'If these controls are performed from the

operator workstations. describe the detailed control and status indication capabilities. '

1 1 7 4

1

. Response:

. The task analysis (described in SSAR subsection 18.8.2.1.2) will define where the controls are located and what l j detailed control and status indications are needed. The design process to develop the detailed control and status  !

j indication capabilities is described in SSAR Section 18.8. This task is the responsibility of the combined license i applicant.

SSAR Revision: NONE '!

! (

! I i.

4 3 +

2 i i

7 4

1 1

1 5

I i

1 1

a d

W-Westinghouse '

i j- :I s ,

p y-r--- - S - - -

, -57 m. -, ...%,., 6 , 3 ,, ,ww--- .- ,-39-w ym q 9 6.yri. .w<t

l NRC REQUEST FOR ADDITIONAL INFORMATION t Question 420.73 Describe the design of the transfer switch (s) that transfers the control capabilities from the main contml room to the remote shutdown workstation. The design should address all the interfaces with the protection and safety monitoring -

system and plant control system. Address the fire protection and human factors engineering aspects of the design.

Describe the design of the displays at the remote shutdown station. Do the displays remain available at the main control room when the control functions are transferred to the remote shutdown workstation? (Section 7.43)-

Response

The transfer switch function transfers control capability from the main control room to the remote shutdown workstation. %e transfer switch function is performed by a set of switches in the remote shutdown room. De ,

mntrols transferred include discrete controls associated with the integrated protection cabinets, discrete controls associated with the ESFACs, soft contmls and discrete mmponent controls for safety-related components, and soft ,

controls. De transfer switch fundion also isolates non-Class 1E functions from the main mntrol room.

Actuation of the transfer switches in the remote shutdown room issues signals that isolate the main control room functions and enable the controls on the remote sl:utdown workstation. De transfer switch set is in the same fire

! zone as the remote shutdown workstation. In the unlikely event that a failure of the transfer switch function transfers l control from the main control room to the remote shutdown room, operation will be moved to the remote shutdown l room. If the remote shutdown room is uninhabitable, control will be retumed to the main control room by de-energizicy the remote shutdown multiplexer cabinets in the instrumentation rooms.

De displays available at the remote shutdown workstation are a subset of the displays available at the main mntrol ,

room workstations. Qualified displays are available at both the remote shutdown workstation and the main control

• room workstations. Transfer of control to the remote shutdown room will not disable the displays in the main control room.

SSAR Revision: NONE l

l 420m T westinghouse f

NRC REQUEST FOR ADDITIONAL INFORMATION Question 420.91 N

i Clarify whether all ESF equipment trains are initiated by au four divisions of the ESFAS. The staff's current I understanding is that four divisions, each containing two gmups of ESF detection instrumentation, apply identical l output signals to two (Al & A2) identical ESF actuation subsystems replicated in four divisions of the ESFAC l cabinets. The two (Al & A2) ESFAS subsystems drive two " logic buses" per division, resulting in eight logic buses going (among other phtces) to the four protection logic cabinets (PLCs), where they are applied to two " functional logic processors" per protection logic cabinet. In each division, the logic buses appear to be separated - logic bus I applied to functional logic processor 1, and logic bus 2 to functional logic processor 2. The functional logic processors drive and sense ESF equipment through three field buses attached to various 2/3 votmg power interface l cards. Confinn or clarify the following (Section 7.3.1.1): j l

a. Divisional breakdown occurs at the ESFAC cabinets. Each ESFAC division drives a single I division of the PLC and can control only the equipment attached to that PLC dmston. I

b. The breakdown of the ESF equipment attached to each PLC division is unknown, but different l among divisions.

Provide the breakdown of the ESF equipment attached to the PLC divisions and exphdn the maintenance provisions and bypasses at this level. Asymmetry of available ESF equipment in certain maintenance configurations may make the reactor inore vulnerable to certain accident ceasequences.

Response

a. The ESFAC in each division drives a single division of logic cabinets and can control only the equipment attached to that division. The figures attached to the responses to Q420.11 and Q420.27 show this architecture.

b. Most of the ESF equipment attached to the protection logic cabinets is dual redundant. The valves in these redundant pairs are each assigned to one of the four independent divisions. Within the instrumentation and control architecture, the four divisions of safety-related cabinets are symmetrical and have identical capabilities. ESF equipment assignments to the logic cabinets are determined by logic cabinet loading and fire zone considerations.

The AP600 engineered safeguards systems are designed in accordance with the single-failure criteria and probabilistic risk assessment (PRA) objectives, with the assignment of electrical divisions in accordance with the design objectives The confirmation of the design pmcess is the failure modes and effects analysis and the PRA.

The response to Q420.51 addresses the maintenance provisions and bypasses used for surveillance testing in the protection and safety monitoring system, which includes logic cabinet testing. Because the automatic tester for the ESFAC and associated logic cabinets tests one-half of the redund:mt subsystems at a time, the redundant subsystems in the s une cabinets are available to respond to a plant event that occurs during the testing.

W_ WestinEhouse

L 5

1

f. .-

1 l

-l NRC REQUEST FOR ADDITIONAL INFORMATION

!iMii a__

i-

Attached to this response is a preliminary list of ESF valv'es and dampers showing electrical power' division - -

assignments.

SSAR Revision: NONE ,

f  ;

i 4 .,

i i

i '!

t t

i 3 i

, I 1

i 1

i ..i i .l l ,

i -!

i ,

. 1 i

i 1,

s 5

4 d

4 1

420.91-2 W

Westinghouse i

1 s

, + m- _.

4 1

! NRC REQUEST FOR ADDITIONAL INFORMATION

n=i!

Table for Q420.91 Valves and Dampers with Safety Division Power.

Sorted by System

! Power Tag No. Valve Description Division CAS PL V040 Containment isolation - ORC D

l. CCS PL V200 Containment isolation - inlet B i CCS PL V201 Containment isolation - irdet A j CCS PL V207 Containment isolation - outlet A

CCS PL V208 Containment isolation - outlet B  !

! CVS PL V001 RCS letdown stop valve A i CVS PL V002 RCS letdown stop valve C CVS PL V(M5 WLS letdown IRC isolation C l CVS PL V(M7 Letdown flow ORC isolation D

CVS PL V081 RCS charging stop valve C CVS PL V084 Aux PZR spray line isolation C.

l CVS PL V090 Makeup line cont isolation D l

CVS PL V091 Makeup line cont isolation A-

, CVS PL V092 11ydrogen addition cont isol D j CVS PL V136A Demin water sys isolation D

CVS PL V136B Demin water sys isolation B i CVS PL V171 PXS makeup line cont isol valve . A 1

PCS PL V001 A PCCWST isolation valve A

PCS PL V001B PCCWST isolation valve B 3 PCS PL V002A PCCWST isolation valve A

PCS PL V002B PCCWST isolation valve B i PSS PL V001 A liot leg sample isolation A PSS PL V001B Hot leg sample isolation B

PSS PL V002 Containment sump sample isol B PSS PL V008 Cont isolation - air sample line B i PSS PL V009 Cont isolation - air sample line D PSS PL V010A Cont isol - liquid sample line B 4

PSS PL V010B Cont isol - liquid sample line D PSS PL V0ll Cont isol - liquid sample line -A j

i 420.91-3 i T Westinghouse i

4 i

NiiO REQUEST FOR ADDITIONAt INFORMATION lM!!

u --

Table for Q420.91 Valves and Dampers with Safety Division Power Sorted by System Power Tag No. Valve Description Divison PSS PL V023 Cont isol - sample retum line A-PSS PL VC46 Cont isol - air sample line A PXS PL V002A CMT A CL inlet isolation D PXS PL V002B CMT B CL inlet isolation C PXS PL V003A CMT A CL inlet isolation B PXS PL V003B CMT B CL inlet isolation A PXS PL V005A CMT A PZR line isolation B PXS PL V005B CMT B PZR line isolation A PXS PL V014A CMT A discharge isolation D PXS PL V014B CMT B discharge isolation C PXS PL V015A CMT A discharge isolation B PXS PL V015B CMT B discharge isolation A PXS PL V021A Accumulator A N2 supply - D~

PXS PL V021B Accumulator B N2 supply A PXS PL V027A Accum A discharge isolation B PXS PL V027B Accum B discharge isolation C PXS PL V030A CMT A steam trap bypass isol D PXS PL V030B CMT B steam trap bypass isol C PXS PL V031A CMT A stemn tmp bypass isol B-PXS PL V031B CMT B stemn trap bypass isol A PXS PL V033A CMT A steam trap disch isol D PXS PL V033B CMT B steam trap disch isol C PXS PL VfM2 ORC Nitrogen supply cont isol D PXS PL V101 PRiiR HX inlet isolation C PXS PL V108A PRHR liX discharge isolation A PXS PL V108B PRHR HX discharge isolation B PXS PL Vil7A Recire sump A isolation B PXS PL VI17B Recirc sump B isolation A PXS PL VI18A Recirc sump A isolation D j PXS PL VI18B Recirc sump B isolation C j PXS PL V121 A IRWST inject A isol B i PXS PL V121B IRWST inject B isol C

!~ 420.91-4

W Westinghouse i

1 i

i

, -- ,- , . ,- .- -. .. - a

'l 1

l I

NRC REQUEST FOR ADDITIONAL INFORMATION -

Table for Q420.91 .

Valses and Dampers with Safety Division Power j Sorted by System

]

Power l Tag No. Valve Description Division - J PXS PL V130A IRWST gutter bypass A isol D PXS PL V130B IRWST gutter bypass B isol A PXS PL V301 A PH adjustment tank disch isol A PXS PL V301B PH adjustment tank disch isol B RCS PL V001 A ist stage ADS .A I RCS PL V001B ist stage ADS A i RCS PL V001C ist stage ADS B RCS PL V001D lst stage ADS B RCS PL V002A 2nd stage ADS C RCS PL V002B 2nd stage ADS C RCS PL V002C 2nd stage ADS D RCS PL V002D 2nd stage ADS D RCS PL V003A 3rd stage ADS _ A RCS PL V003B 3rd stage ADS A  !

RCS PL V003C 3rd stage ADS B RCS PL V003D 3rd stage ADS B RCS PL V004A 4th stage ADS A&C RCS PL V(XMB 4th stage ADS A&C RCS PL V004C 4th stage ADS B&D-RCS PL VO(MD 4th stage ADS B&D RCS PL V152 RCS head vent ADS valve B RCS PL V153 RCS head vent ADS valve C RNS PL V001 A RCS inner suction isolation B RNS PL V001B RCS inner suction isolation B RNS PL V002A RCS outer suction isolation D RNS PL V002B RCS outer suction isolation D RNS PL Voll RHR control / isolation valve A RNS PL V022 RHR pump suction hdr isolation A RNS PL V023 IRWST suction line isolation D RNS PL V024 IRWST discharge isolation D T westinghouse 420s ks

i c

NRC REQUEST FOR ADDITIONAL INFORMATION :

m ly u-Table for Q420.91 Vahes and Dampers with Safety Division Power Sorted by System Power Tag No. Valve Description Division SFS PL V034 Contaimnent isolation B ,

SFS PL V035 Containment isolation A SFS PL V038 Containment isolation A' SGS PL V027A PORV block valve B SGS PL V027B PORV block valve D SGS PL V036A Steam line ccmd drain isolation D SGS PL V036B Steam line cond drain isolation D SGS PL V040A Main steam line isolation B&D SGS PL VO40B Main steam line isolation B&D SGS PL V057A Main feedwater isolation B&D SGS PL V057B Main feedwater isolation B&D SGS PL V067A Startup feedwater isolation D SGS PL V067B Startup feedwater isolation D SGS PL V074A SG blowdown isolation D SGS PL V074B SG blowdown isolation B l' SGS PL V075A SG series blowdown isolation B i

SGS PL V075B SG series blowdown isolation D

! SGS PL V086A Steam line cond drain isolation B SGS PL V086B Steam line cond drain isolation B i SGS PL V233A Power operated relief valve D l SGS PL V233B Power operated relief valve B l SGS PL V240A MSIV bypass isolation valve B&D l SGS PL V240B MSIV bypass isolation valve B&D l SGS PL V250A Main feedwater control valve D l SGS PL V250B Main feedwater control valve D l SGS PL V255A Startup feedwater control valve B i SGS PL V255B Startup feedwater control valve B l

VBS MD D214 MCR envelope supply air isol A VBS MD D215 MCR envelope supply air isol C VBS MD D216 MCR envelope return air isol A VBS MD D217 MCR envelope return air isol C i

420.91-6 3 Westinghouse r

1 i

NRC REQUEST FOR ADDITIONAL INFORMATION I

Table for Q420.91 Valves and Dampers with Safety Division Power Sorted by System j l

Power l Tag No. Valve Description . Division VBS MD D220 MCR envel toilet exh air isol A VBS MD D221 MCR envel toilet exh air isol C ,

VES PL V005A Actuation valve A A VES PL V005B Actuation valve B B VFS PL V003A Supply air ORC isol valve A A VFS PL V003B Supply air ORC isol valve B A VFS PL V004A Supply air IRC isol valve A D VFS PL V004B Supply air IRC isol valve B D e VFS PL V009A Exhaust air IRC isol valve A D VFS PL V009B Exhaust air IRC isol valve B D VFS PL V010A Exhaust air ORC isol valve A A VPS PL V010B Exhaust air ORC isol valve B A VWS PL V058 Chilled water supply _ ORC isol D VWS PL V062 Chilled water supply IRC isol A VWS PL V082 Chilled water return IRC isol A VWS PL V086 Chilled water return ORC iso! D WLS PL V004 RCDT containment isolation IRC A WLS PL V006 RCDT containment isolation ORC D l WLS PL V055 Sump containment isolation IRC A WLS PL V057 Sump containment isolation ORC D WLS PL V067 RCDT gas containment isolation A WLS PL V068 RCDT gas containment isolation D t

420m T Westinghouse i

NRC REQUEST FOR ADDITIONAL INFORMATION E

Question 420.93 WCAP-12648,"AP600 Incore Instrumentation System Electromagnetic Interference Test Report," describes the test program that was conJucted to investigate EMI concerns in the proposed AP600 Incore Instrumentation System (IIS).

l Provide clarification on the test configuration, test results, and Westinghouse's conclusions to respond to the following concerns:

a. According to the Electric Power Research Instituted (EPRI) study, about 80 percent of EMI problenis are due to the conducted EMI generated within the facility. Only 20 percent comes from nullated interference. Westinghouse's test configuration is only modeled for radiated interference.

Provide justification for not considering the EMI effect from conducted EMI.

b. The test configuration should be close to the actual plant configuration. If configurations are different, then an analysis should be perfonned to address the factors alTecting the test results.

Describe the differences between the test configuration and the AP600 plant configuration, including the circuit grounding arntngement. For example, the FID assembly consists of a thimble l tube approximately 50 feet, but the test configuration used only 6 feet of Mineral Insulated (MI) cable. Is this a fair representation?

1

c. Justify not analping the effects of noise susceptibility of the FID signal ground as one of the reasons for interference.

l 1

d. Describe the location of the rod position indication detector coil and the CRDM power cable relative to the FID cables. What are the characteristics of these signals?

e. What are the conductivity and the permeability of the CRDM coil housing metal? What is the thickness of the housing metal?

f. At what ninge of frequencies is the FID signal most vulnerable?

g. What is the noise tolerance level of the FID and thernmcouple signals?

h. Describe the reasons for selecting the test monitoring equipment. What are the input characteristics of the monitoring device? What does 1 mv represent in Figures 7 through 15?

i. What is the reason for displaying test results in a time domain instead of a frequency domain?

Provide the test results in a frequency domain.

J. The actual design of the FID circuitry has low-pass filters to eliminate high frequency interference.

What is corner frequency of this filter? How effective is it against the EMI from the CRDM coil?

Response

420.93-1

3. Westinghouse

l l

I NRC REQUEST FOR ADDITIONAL INFORMATION l

h l The test prognun that Reference I reported was a proof of principle test to detennine if major noise problems would he present in the incore instrument design. The questions contained in this RAI will be addressed as part of equipment qualification. Since equipment qualification is beyond the scope of design certification and since the painf l

of principle test produced satisfactory results, no further testing will be perfonned as part of design certification.

l l Since the test reported in Reference I was perfonned, a 3N stainless steel radiation shield, shown in the attached figure, was added. This shield will provide additional EMI/RFI shielding for the fixed incore detector (FID).

The issues raised in the RAI that can be answered at this time are as follows:

a. Conducted EMI will be considered in the equipment qualification test.

b. The test configuration in the equipment qualification test will more closely duplicate the actual plant l configuration. The test mported in Reference I was a proof of principle test.

1

c. The noise susceptibility of the FID signal ground will be considered in the equipment qualification test.

d. The h> cation of the FID cables relative to the nxi position indicator coil and the control rod drive mechanism (CRDM) cable exit is shown in Figure 1 of Reference 1 and in the attached figure. The CRDM coil current wavefonn is shown in Figures 8 through 15 orReference 1. The nxi position indicator (RPI) cables are energized by 60-ID. ac power at a nominal 6 volts. The current in each RPI sensing coil is approximately 0.35 ampere.

e. The primary material used for the CRDM housing is ASTM A536 ductile cast iron. There are also 410 stainless steel bolts, a 304 stainless steel guide conduit, and a 304 stainless steel radiation shield tube, as shown in the attached figure. These materials were not chosen for specific electrical or magnetic properties.

Data to estimate the conductivity and penneability is available in the Standard llandbook for Electrical Engineers. The attached figure, "CRDM and FID Cross Section" provides thickness data.

f. The range of frequencies to which the FID is vulnerable will be addressed in the equipment qualification test. The FID signals will be heavily filtered since the detector response is inherently slow,

g. The noise tolerance of the FID and thern ocouple signals will be addressed in the equipment qualification test.

h. The test equipment was selected based on its suitability to simulate the plant electronic environment, energize the EMI souwes, and detect and measure the effects of EMI. The constant of proportionality between the actual signals and the displayed signals in Figures 7 through 15 can be readily detennined from the information provided in the figures. As an example,in Figure 9 a signal level of 0.25 microamp at the Jetector is proportional to 12.5 millivolts (mvolt) on the display. From this relationship a constant of proportionality of 0.02 microamp/ millivolt is calculated.

i. This was a limited test to determine levels of EMI coupling. No data was takea in the frequency domain.

420.93-2 3 Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION

f f@

l.

j. The corner frequency of the FID circuitry will be selected to be consistent with the response characteristics of the detector to reduce interference from EMI to an acceptable level.

References:

420.93 1 Ekeroth D., "AP6(K) Incore Instrumentation System Electromagnetic Interference Test Repot1,"

WCAP-12648, Rev.1 (Proprietary) and WCAP-13322 (Non-Proprietary), April 1992.

SSAR Revision: NONE J

w westingnouse

• • "~

(-

NRC REQUEST FOR ADDITIONAL INFORMATION i

Radiat SI Tube N

\ 1.643

\ \ s\ W2.750 Iron c (SS ,410)

Housing (ASTM A536)

Incore Instrument

(@ 0.385) 0.750 Incore Guide Conduit (SST 304) j CRDM and FID Cross Section

1. * '" ^

westinghouse I

l l

l

! NRC REQUEST FOR ADDITIONAL INFORMATION l

Question 420.94 In its response to Q420.5, Westinghouse states that a defense-in-depth analysis of the protection and safety monitoring system, as described in NUREG-0493, will be subtnitted upon completion. In parallel to the l Westinghouse analysis, the L.awrence Livermore National Laboratory (LLNL) performed a defense-in-depth and

! diversity assessment of the AP600 protection system (SS AR Sections 7.2 and 7.3) for the Nucle:u Regulatory Commission (NRC). A draft technical report documenting the assessment is attached with this request for additional mfonnation (RAl). Address the following concerns that are raised by the LLNL report:

a. The LLNL report is based on infonnation submitted by Westinghouse on the AP600 docket. Some assumptions were made for this assessment. Verify the validity of these assumptions (Section 3.6 and Figure 3 of the LLNL Report).

b. The potential vulnerabilities identified by the analysis are summarized in Section 5 of the LLNL Report. Address the proposed actions with respect to each of these vulnerabilities.

c. The Glotxd Trip Subsystem appears to be the most vulnerable subsystem for the reactor trip function. Provide detailed infonnation with appropriate justification for the design of the Global Trip Subsystem.

Response

The Lawrence Livermore National Laboratory (LLNL) defense-in-depth and diversity assessment is incomplete because it does not include the diverse actuation system (DAS) within its scope. The design of the diverse actuation system addresses any vulnerability of the plant control system (PLS) and the protection and safety monitoring system (PMS) to low-probability common-mode failures that would prevent proper operation of plant defense-in-depth systems and phmt safety systems. The DAS provides a diverse means of reactor shutdown, reactor coolant system inventory control, core decay heat removal initiation, containment cooling initiation, and containment isolation.

Exclusion of the DAS from the defense-in-depth and diversity assessment ignores the results of the probabilistic risk j assessment and the requirements of the ATWS rule (10 CFR 50.62).

I a-l. Comments on the assumptions in Section 3.6 are as follows:

l l

3.6.1.1 - The postulated simultaneous faihm: of deadman timers is a low-probability event. j 3.6.2.1- The primary trips listed in Tables 7.2-5 and 7.2-6 are based on the trip functions used in I the deterministic analyses presented in SSAR Chapter 15. The secondary trip functions l identified in Tables 7.2-5 and 7.2-6 are assumptions based on evaluations of expected sequence of events for the Chapter 15 transient an:dyses if a primary trip is postulated to be nonfunctional.

3.6.2.2- The information in the SSAR is correct. See the response to Q420.21.

420.94-1

%,v, Westinghouse

1 l l l

l l

l NRC REQUEST FOR ADDITIONAL INFORMATION l I

l 3.6.2.6- The postulated failure of the soft control station is a low-probability event. The response l to Q420.87 also applies to this postulated failure 1 l

3.6.5.4 - Figure 7.2-1. The flux doubling calculation block that refeis to Note 2 ("This circuit is control grade duplicate") is not correct. That note was climinated and the reference en the drawing should also have been eliminated. With respect to the assumption of boron l dilution bhick not being used m SSAR Chapter 15, this is incorrect. The automatic boron dilution bhick is assumed to function during the boron dilution transient analyzed in SS AR i subsection 15.4.6. l 3.6.6.2 and 3.6.6.4 - These assumptions do not specify which type of events, such as Condition II,111, or I IV, loss of cooktnt accident (LOCA), they apply to. I For conventional Westinghouse nuclear power pkints it has been demonstrated that a coolable geometry and j the integrity of the RCS pressure boundary can be maintained during transient (Condition 11) events without  !

a reactor trip if the turbine is tripped and emergency feedwater is started. Based on these past analyses the l ATWS rule was written (10 CFR 50.62). This nde specifies that a diverse automatic means of turbine trip and emergency feedwater actuation (i.e., AMSAC) be installed on pressurized water reactors.

For the AP600, the DAS provides an automatic function that trips the turbine and actuates the PRHR to provide decay heat removal. In response to Q440.26, a commitment was made to perform an AP600 ,

specific limited ATWS analysis to demonstrate that tripping the turbine and initiating PRHR will have l results comparable to those of past Westinghouse plants during an ATWS. Additionally, the DAS provides an alternate method for reactor trip by tripping the rod drive motor-generator sets.

There are several features in the control and ESF systems that will mitigate heatup transients, caused by reactivity increases or loss of heat sink, and cooldown transients initiated by feedwater malfunctions or rapid turbine loading, which result in excessive reactivity increases. These features include the following:

.Rai withdrawal blocks initiated by:

- Low margin to overtemperature delta-T trip

- Low margin to overpower delta-T trip

- Negative flux rate

- Rod drop

.The low margin to overtemperature delta-T (C-3) turbine runback signal

.The low margin to overpower delta-T (C-4) turbine runback signal

. Actuation of startup feedwater on low steam generator level

. Actuation of passive RHR on low steam generator level

. Low Tavg (C-16) interlock (stops turbine loading)

. Turbine trip on safeguards actuation ("S") sigmd 3.6.6.5 - The time assumed for operator actions should be event dependent.

420.94-2 W- WeStincrh00Se a

- - -- . . _ - - -. --. .- . . . . .- . _ -. . ~_

3 .-

4 ,

I ,

1 NRC REQUEST FOR ADDITIONAL INFORMATION -

j ,

a-2. Comments on figure 3 are as follows:

i The data links from the division B, C, and D integrated protection cabinets to quali5ed data processor A .

~

{ should be shown in the same manner as the data link from the division A integrated protection cabinet with

a data link I/O module receiving the signals from the other divisions.

1 Input signals to the Al ESF actuation subsystem and A2 ESF actuation subsystem come from both the ESF ,

group 1 subsystem and the ESF group 2 subsystem; not just the ESF group 1 subsystem as shown.

a- .

{ The table of IPC does not agree with the listing of reactor trips and ESF actuations in SSAR subsections

{ 7.1.2.2.1 and 7.1.2.2.6. (See assumption 3.6.2.2 of the LLNL report.)

1 i l h, c. The low-probability, potential vulnerabilities of the pmtection and safety monitoring system, which includes i

the global trip subsystem, are addressed by including the diverse actuation system, described in SSAR subsection

l. 7.7.1.11, in the AP600 instrumentation and control architecture.

F 1

it 4

J SSAR Revision: Figure 7.2-1 will be revised as follows:

l Remove note 2 on Figure 7.2-1, Sheet 3.

]

l '

i i

1 lJ I ,

a I

i k

T i

1 420.94-3 4

W Westinghouse 1

1

,,,m. , g , + -

_..~4~ . _ . . mm... a - - _ . . . ..m.. .m _-_ m mm--.mo - - s _ _ _

I

(

I .

l NRC REQUEST FOR ADDITIONAL INFORMATION H

l i

Question 420.95 The Technical Specification (TS) bases B 33.1 and B 33.2 described in Chapter 16 of the SSAR state that the basis l

of the setpoints is described in Chapters 6,7, and 15 of the SSAR. There is no single document to describe the  ;

setpoint methodology. Provide a single domment that includes all the protection systems setpoint methodology j similar to the Westinghouse setpoint methodology document for ay. rating plants. '

l Response.

1he standard setpoint methodology document includes equipment-specific details not required for design artification.

j A setpoint methodology document describing the details of the AP600 setpoint study will be provided during the i equipment procurement phase. 'lhis document will be similar to the numerous Westinghouse setpoint methodology l

documents that have been submitted for operating plants and wili be in the format the NRC is accustomed to receiving.1he protection systems setpoint methodology used for the AP600 is essentially the same as the standard Westinghouse methodology approved by the NRC for various operating plants, including several with digital systems. l 1his approach incorporates a statistical combination of error components with proper treatment of dependent and l i

independent terms. As with previous Westinghouse setpoint studies for digital protection systems, pmticular care ,

is taken to reflect the unique characteristics of the digital system.

J SSAR Revision: NONE )

l i

l I

42 usa T Westinghouse

NRC REQUEST FOR ADDITIONAL INFORMATION Round: 0 Question Set: 10/28/92 [ '[

l Question 420.96 Section 7.1.2.2.8 of the SSAR discusses the Automatic Tester Subsystem. Define the role of the Automatic Tester Subsystem with respect to the Technical Specification surveillance testing. Describe the interfaces between the control room workstations and the Automatic Tester during Technical Specification surveillance tests.

Response

The automatic tester subsystems providt4 i i the AP600 instrumentation and control architecture are used to perfonn a subset of required technical specification surveilkmce testing. The automatic tester subsystem in the integrated protection cabinet performs the channel operational test (COT) listed in SS AR subsection 16.1.1, " Definitions." The automatic tester subsystem in the ESFACs performs the actuation logic test listed in subsection 16.1.1. The testing is performed at the instrumentation and control cabinets, The automatic tester subsystems provide indications to the main control room that testing is being perfonned. Test signals from the division under test communicate to other instrumentation and control equipment and provide indications in the main control room that confm~ n operation of I the display and alann systems.

SSAR Revision: NONE 1 i

I l

. 420.96-1 W_

Westinghouse

l NRC REQUEST FOR ADDITIONALINFORMATION l

Question 420.99 As discussed in 0420.94, a failure in the Global TYip Subsystem would prevent a reactor trip. Ilowever, there is l no discussion on the Global Trip Subsystem in the Tedinical Specification Bases described in Chapter 16. Provide  ;

a discussion of the required actions to deal with the Gkhal Trip Subsystem Failures. (IS B 33.1 of Chapter 16)  !

i

Response

A single failure of one of the four redundant global trip subsystems in the protection and safety monitoring system will not prevent a reactor trip.

The gkhal trip subsystem is part of the reactor trip system instrumentation described in TS B 3.3.1 of SSAR Chapter

16. 'The actions required to deal with a global trip subsystem failure are covered by function 19, " Automatic Trip logic," conditions M and R, "One or two channel (s)/ division (s) inoperable," of Table 33.1-1 of SSAR Chapter 16.

SSAR Revision: NONE

'f l

l i

i 4

J 420.99-1

[ WB5tingh0US8

NRC REQUE.ST FOR ADDITIONAL INFORMATION Round:0 Question Set: 10/28/92 f

Question 420.100 Provide justification for indefinite bypass of one or two reactor trip system instrumentation channels. Include a description of the failure modes effects analysis (FMEA) and probabilistic risk assessment (PRA) studies that support the indefinite bypass. Identify the components that would be bypassed. Also, provide a listing of the engineered safety features affected by the trip bypass of sensors shared with reactor trip system. Provide an analysis of the effect on ESF system reliability. (TS 3.3.1 and TS 3.3.2 of Chapter 16)

Response

The operation of the reactor trip bypan logic is described in the responses to Q420.31, Q420.37, Q420.41, and Q420.89. The response to Q420.37 addresses the case of two channels in bypass. With one channel or division bypassed, the 2/4 logic reverts to 2/3 logic. With two channels or divisions bypassed, the 2/4 logic reverts to 1/2 logic. In either case, the single failure criterion is not violated and the plant is in a safe condition.

Reference 1 discusses the consequences of single-point failures. When single-point failures are detected, the failed channel is bypassed and the protection system reverts to a reduced logic level (2/4 to 2/3 or 2/3 to 1/2). Lnmediate repair is desirable, but not essential, for maintaining plant operation. The remaining channels maintain the plant's operational status. Sensor failure is discussed as item 35 of Table 2 in Reference 1. Board failure is discussed as the remainder of items in Table 2.

The PRA accounts for test and maintenance unavailabilities of the I&C system by including them in the random failure rates of the hardware.

Trip bypasses may be applied to individual reactor trip channels in the integmted protection cabinets. The individual reactor trip channel bypasses do not affect ESF functions in the integrated protection cabinets; the ESF subsystems are provided with separate ESF bypass capability. There is a global bypass that will bypass the group of reactor trip channels and ESF actuation channels in a single division's integrated protection cabinet set. When the global bypass  ;

is applied, the effect is the same as each reactor trip and ESF bypass being applied individually.

Upon failure of a sensor that is shared by the reactor trip system and ESF actuation system, individual bypasses will be applied to the specific reactor trip and ESF actuation outputs affected by the failed sensor. The application of the reactor trip bypasses and ESF actuation bypasses is shown on the proce s block diagrams.

The 2/4 logic used for ESF system level actuation is equivalent to the 2/4 reactor trip logic. This 2/4 logic is applied at the input of the ESFACs to signals generated in the intn; rated protection cabinets. The voted inputs are then combined to produce system-level ESF actuations. With one channel bypassed, the 2/4 logic reverts to 2/3 logic.

With two channels bypassed, the 2/4 logic reverts to 1/2 logic. In either case, the single failure criterion is not violated and the plant is in a safe condition.

W westingh0use

. ._ _ ._ _ __ . _ . . __ . _ _._w.._. - _ _ ._ , _._. . _,

i e

.1 l NRC REQUEST FOR ADDITIONAL INFORMATION -

Round: O '

iMA Question Set: 10/1/92 i n-  :

References:

i j 420.100-1 Morandini, S., " Advanced Passive Phant Protection System FMEA." WCAP-13594 (Proprietary) ,

j and WCAP-13662 (Non-Proprietary), April 1993 1

SSAR Revision: NONE a

3 I .

r i

i  !

i J  :

?

.i 1

1 1- -

I  !

I t i '

i 4

1 4

4 i

)

i 1

i j

4 i'

4

420.100-2

N W95tingh0USS e

4 i

i -

i

- - - - - , - - ---ww- w"-

9-m-% w

l I

NRC REQUEST FOR ADDITIONAL INFORMATION l

l l

Question 420.101 Provide the TS definition for failures that are attributed to software errors. Address the potential common mode failure aspects of such errors. Identify the appropriate LCOs for different categories of identified software errors based on the impact of the error on system (s) operability. (TS 3.3.1 and TS 3.3.2 of Chapter 16)

Response

i l

l No special technical specification distinction is made for instrumentation inoperabilities due to software errors. The surveillance tests specified verify the ability of the instsumentation systems to perform the safety functions required.

In addition to the surveillance tests, the system perfonus continuous hardware self-checking / diagnostics and provides the operator error messages, either fatal (charmel inoperable) or nonfatal. I The software is thoroughly tested during the verification and validation process. Any software errors that may remain after the verification and validation process are likely to be functionally insignificant. However,if the system ,

soltware fails (i.e., locks up), the channel / division output is put in the preferred mode (e.g., trip). Additionally, the l l potential for software or other failun's has been accommodated by the design of the RTS and ESFAS, which include l

sufficient redundancy and diversity to perfonn the required protection functions if a significant failure occurs (including software).

Sof tware error and potential common-mode failure operability detenninations will be made in accordance with the technical specification OPERABLE-OPERABILITY definition and the NRC guidance provided in Generic Letter 1 91-18. These opembility detenninations establish the extent of the instrumentation system inoperabilities. These determinations will be made on a case-by-case basis. LCO 3.0.2 requires compliance with the Requin:d Actions in the event any ch:umel/ division is found to be inopemble. (LCO 3.0.2 states, "Upon discovery of a failure to meet an LCO, the Required Actions of the associated Conditions shall be met.")

Since there are no predefined categories of software errors, there is not a separation of LCO requirements based on software error classification. LCOs 3.3.1 and 3.3.2 require the reactor trip and ESFAS functions to be operable in the specified modes.

SSAR Revision NONE l

l l

l l

W Westincrh0use o l

l

NRC REQUEST FOR ADDITIONAL INFORMATION Round: 0 Question Set: 10/28/92 l?%

Question 420.102  !

Provide the missing information in Table 3.3.4-1, " Remote Shutdown Workstation Instrumentation and Controls."

of Chapter 16.

l

Response

The contents of Table 3.3.4-1, " Remote Shutdown Workstation Instrumentation and Controls " in SSAR Chapter 16 will be determined by the man-machine interface design pmcess described in SSAR Chapter 18. This process is addressed by design ITAAC 4.1 " Human Factors Engineering." He integration of the remote shutdown room into the overall man-machine interface design is described in SSAR subsections 18.8.2.1.1.2.4 and 18.11,1.

The remote shutdown workstation is similar in design to the main control room workstations shown in Figure 18.9.1-1 and provides a subset of the functions provided on the main control room workstations SSAR Revision: NONE l l

1 l

l I

i a

4 420.102-1 W westinghouse

J-d NRC REQUEST FOR ADDITIONAL INFORMATION I

i Question 440.33 In its January 19, 1993 response to a question on the passive RHR heat exchanger tests dated July 21, 1992, Westinghouse states that '[t]he passive residual heat removal (PRHR) tests were performed as full-scale tests. As such, a scaling analysis was not performed." While the tubes used in the test represented the full length of the AP600 PRHR heat exchanger (HX) design at that time, a 3-tube array was used to represent a heat exchanger i composed of several hundred tubes. As such, the staff does not consider the test to be ' full-scale." In addition, since the PRHR test was conducted, the design of the PRHR HX has undergone numerous changes, including i configuration, placement in the IRWST, and number of tubes. Accordingly, provide an analysis demonstrating that a the results from the 3-tube tests can be applied to the current design of the PRHR HXs. The analysis should j consider (but not be limited to) tube flow rates /Reynolds numbers, pressure drops, conditions (temperatures, vapor l generation rates, flow distribution through the tube array) on the outside of the tubes, and flow dist:ibution in the i HX headers.

4 ll

Response

The PRHR heat exchanger test was designed to be a full-height, full-pressure, prototypic test of passive RHR heat exchanger tube geometry. Although the design of the heat exchanger has changed since the test program began, Westinghouse believes the important heat transfer mechanisms for the current PRHR heat exchanger were modeled i in the test program in such a way that the results remain valid. He test was designed to characterize the heat transfer performance of the PRHR heat exchanger tubes and, more specifically, to determine the applicable outside j surface boiling heat transfer correlation for the tubes when immersed in the IRWST. He boiling heat transfer o

) correlation was found to be dependent on the tube wall superheat and is similar to existing nucleate boiling correlations. For low values of wall superheat or wall-to-bulk-fluid temperature conditions, free convection heat transfer dominates. As the wall superheat increases, the free convection heat transfer merges with a fully developed j boiling curve. Since the PRHR tests were full-beight tests, the relationship of wall superheat (i.e., Twall-Tsat) to heat flux is representative of the actual PRHR heat exchanger.

The current heat exchanger is a so-called C-tube design, comprised of heat exchanger tubes with two horizontal

sections and one vertical section of tube. The average vertical heat exchanger tube is approximately the same l length as the tubes tested in the PRHR test. Therefore the buoyancy effects of the current heat exchanger will be j similar to those observed in the PRHR test. Regarding the horizontal tube sections, data from the literature l (Reference 1) have shown that the heat transfer through the horizontal tube bundle will be greater than that in the 1

vertical tube bundle. Herefore, the heat transfer correlation for the horizontal portions of the PRHR tubes was

{ assumed to the same as that of the venical tubes for events in which the minimum PRHR capacity is utilized. For events in which the maximum PRHR heat transfer correlation is needed, a conservatively high heat transfer correlation was applied to the heat exchanger. %is design approach bounds the uncertainty of the test data and

. penalizes the AP600 system response.

, Regarding the number of tubes employed in the PRHR test, the PRHR test utilized three vertical tubes spaced at the prototypic tube pitch. In addition, tests were performal in which the tubes were placed in a channel created j by a circular baffle, which severely limited the flow of water around the heat exchanger tubes. Plume tests were ggg 440.33-1

).

.-m g w. -- *'~MU w 4**-="PM'

i

, NRC REQUEST FOR ADDITIONALINFORMATION j

performed to determine the geometry of the superheated plume around the PRHR tubes to assist in determining an

~

optimum row to row pitch. A baffle was placed at various locations in front of the tubes to further restrict the flow l of water around the tubes. Finally, tests were conducted with three tubes in operation, two tubes in operation, and l J

only one tube in operation. AS reported in WCAP-12980, the results of these tests showed no difference in heat

transfer regardless of the number of tubes operating, and regardless of whether baffles were placed in front of or

, behind the tubes. Westinghouse concludes that reralts of the tests are applicable to the current PRHR configuration.

l - l j He following data compares the physical parameters of the PRHR test and the actual PRHR heat exchanger design. j i

i Parameter PRHR Heat Exchanger PRHR Heat Test l 1

[ Number of Tubes >>3 3 1

4 Tube OD/ID (in.) 0.75 / 0.62 0.75 / 0.62 l

Tube Material 304U316L Stainless Steel 304 Stainless Steel j Tube Pitch (in.) 1.5 1.5

.75 to side wall and baffle i

• i j Tube l_ength (avg.) Similar 216  ;

4

- vertical (in.)

Number of Rows of Tubes >>1 1  ;

} He following table presents a comparison of the test conditions and the actual conditions that the PRHR heat i exchanger will experience during accident mitigation, as calculated in the SSAR analyses. As this table shows,  !

the PRHR tests encompass the calculated AP600 plant conditions.

i i l j

i I

l i

440.33-2 T Westinghouse

-y v- -.,. - - - - - , - - -

~e

• i NRC REQUEST FOR ADDITIONAL INFORMATION

. = \

l l

l Tube Flow Rate Tube Reynold's Inlet Temp Pressure ,

(gpm/ tube) Number ( F) (psia)  !

i Min Max Min Max Min Max Min Max )

PRHR Test 0.3 9 13000 377000 250 650 500 2500 less of Normal Feedwater with offsite power 0.78 5.22 33000 219000 500 600 1700 2500 w/o offsite power 0.78 1.11 33000 47000 450 610 1700 2500 i Feedline Break 0.78 1.20 33000 50000 500 650 2200 2500 Main Steamline Break 0.34 3.56 14000 149000 250 600 300 2250 SG Tube Rupture 0.78 1.20 33000 50000 500 600 '1700 2250 1

Reganling the water in the IRWST, the analyses contained in the AP600 SSAR assume an initial temperature of l 120 F for events in which PRHR heat transfer performance is modeled conservatively low (degraded), and

]

700F for events in which PRHR heat transfer performance is modeled conservatively high (higher heat transfer).

For all events, the temperature in the IRWST will rise until saturation temperature is reached. In general, most l transients are over before saturation is reached in the IRWST. He test program conducted steady-state and l transient tests that were pseudo-steady state. He steady-state tests were conducted with the IRWST at {

saturation. The transient tests were conducted with the IRWST initial temperature at ambient conditions '

(typically 700-80 0F) and were used to develop heat transfer coefficients with subcooled water in the IRWST.

He tests also showed a stratified but very uniform heatup of the water in the IRWST and showed no significant bulk boiling of the water in the tank until the entire tank reached saturation.

In addition to the PRHR tests described in WCAP-12980 and WCAP-12666, there will be test data obtained on l a simulated PRHR in the full-pressure, full-height SPES-2 systems experiments. Rese tests will use up to three full- length tubes built in a C-tube configuration with the proper horizontal length to vertal length ratios, t hese tubes have been instrumented in the same fashion as the PRHR separate effects tests so that heat flux data can be compared between the two different facilities. %e AP600 low-pressure integral systems tests at Oregon State University (OSU) is a one-fourth scale test and utilizes a PRHR heat exchanger containing 88 C-tubes.

This exchanger is also instrumented in the same manner as the PRHR separate effects test so that the heat exchanger heat flux can be calculated from the test data and compared to the SPES-2 tests as well as the PRHR tests. There will be specific tests performed to measure the heat transfer performance of the PRHR beat exchanger. While the OSU tests are scaled, they will provide data on a larger heat exchanger bundle that has a similar configuration as the AP600.

l He heat transfer mechanisms modeled in the PRHR test and the current heat exchanger design are the same, so the separate-effects data remains valid. The additional data from the SPES-2 and OSU integral tests will  !

provide confirmatory data for the current PRHR configuration.

gg, 440.33-3 i L - - -.

I NRC REQUEST FOR ADDITIONAL INFORMATION l

References:

1. S.J.D. Van Stralen and W.M. Sluyter, ' Investigations on the Critical Heat Flux of Pure Uquids and Mixtures Under Various Conditions," International Journal of Heat Mass Transfer, Volume 12, pp.1353-1384, 1 % 9. 1 l

l l

SSAR Revision: NONE ,

l

)

i C

=

440.33-4 W M ngholise

. NRC REQUEST FOR ADDITIONALINFORMATION l L l l

Guestion 471.13 Section 12.3.1.1.1 of the SSAR states that the head closure system is designed to minimize the reactor head stud I tensioning time. Describe in more detail the operation of the system in tensioning and detensioning the head studs.

Include a breakdown of the estimated time and person-rem for each portion of this operation.

Response

The AP600 integrated head packsge (IIIP) design is substantially based on integrated head packages found on several l

Westinghouse operating PWRs. The major difference is the addition of top-mounted incore instrumentation (for the AP600 design), which has no impact on reactor head stud tensioning operations. Additional shielding is also builtinto the AP600 design to reduce radiation exposure to refueling personnel fr - 6e incore instrumentation and control rod drive mechanisms during refueling operations.

The AP600 IHP is designed to use the stud tensioning systems being used today on operating plants with integrated head package designs. The estimated working time and person-rem exposure for reactor vessel disassembly.and reassembly used in the AP600 ALARA evaluation are as follows: I I

Working Time Person-Rem i

• Detension/ Remove Studs 12 hrs 0.36 i a

• Install / Tension Studs 28 hrs 0.46 Estimated Total 40 hrs 0.82 f i

SSAR Revision: NONE  !

i t

471.13-1 1 W

Westinghouse  ;

l 1

I 1

l I

,-m . . . , _ , , . . - .. . _ . . , , _ _ _ . - . _ _ _ . , . . . ..,.,..,j

NRC REQUEST FOR ADDITIONAL INFORMATION

' ~

1:12:::!"

'Ah Ouestion 471.15 Section 12333.2 (I) of the SSAR states that atmospheric tanks that contain radioactive materials are vented to the building ventilation systems for filtration prior to release. List all the tanks that are vented to the building ventilation systems.

Response

Tank vent lines are not directly mnnected to the building ventilation ducts; rather, the tanks are vented locally to the room atmosphere, and the room atmosphere is in turn controlled by the building ventilation system.

'Ihe effluent holdup tanks in the liquid radwaste system are vented to their rooms through local llEPA filters. 'Ihese tanks reaive effluent afler it leaves the reactor coolant system and is processed through the chemical and volume control system demineralizers and filters and the liquid radwaste system degasifer. A small amount of radioactive gas is expected to evolve from this effluent after its receipt in the tank.

Other radioactive tanks vented directly to their rooms are the following:

Passive core cooling system In-containment refueling water storage tank Spent fuct cooling system Spent fuel pit

. Refueling cavity Liquid radwaste system

=

Containment sump Effluent monitor tanks (2 tanks)

Waste holdup tanks (2 tanks) e Waste monitor tanks (2 tanks)

• Detergent waste tank Detergent waste holdup tank

=

Chemiad waste tank SSAR Revision: NONE T Westingtiouse e sa

NRC REQUEST FOR ADDITIONALINFORMATION Response Revision 1 Question 720.54 The review of the AP600 PRA indicates that accident management strategies were limited to items such as cavity flooding and replenishment of the passive containment cooling water. In order to support the staff's review of the PRA and its implications, discuss the applicability and significance of each of the accident numagement strategies identified in Generic letter 88-20, Supplement 2 to the AP600 design. Specifically, identify any AP600 design i features that eliminate the need for a strategy, or facilitate implementation of a strategy. j l

Response (Ravision 1): I i

l Generic I,rter RR-20, Supplement 2, lists the following accident management strategies:

2.0 Strategies Related to insufficient Coolant 2.1 Reduce Containment Spray Flow to Conserve Water for Core Cooling 2.2 Early Detection / Isolation / Otherwise Mitigate Interfacing System LOCA 2.3 Refill RWST 2.4 Ensure Recirculation Switchover 2.5 Ensure Heat Removal Using Emergency Connections to Existing / Alt Water Supplies 3.0 Strategies Related to Unavailable Injection Systems 3.1 Extend ECCS Availability by Switching Pump Suction (BWR only) 3.2 Bypass ECCS Purg Protective Trips 3.3 Use Non-Safety Charging Pumps for Core Injection I 3.4 Use Hydro-Test Pump for RCP Seal Cooling

, 3.5 Use Condensate or Startup Feedwater Pumps to Feed SG 4.0 Strategies Related to less of Power 4.1 Conserve Battery Capacity by Shedding Non-Essential Power 4.2 Use Portable Battery Chargers to Charge Batteries 4.3 Emergency Replenishment of Air Supply 4.4 Emergency Bypass of Protective Trips for Diesel Generator 4.5 Emergency Crosstie of AC Power between Two Units 4.6 Use of Diesel Generator to Power Control Rod Drive Pump (BWR only) 4.7 Use Diesel-driven Fire Pump to inject Water into SG or Containment Spray 5.0 Strategies Related to less of Heat S'mk 5.1 Reoi n MSIV / Turbine Bypass Valves to Regain Heat Sink 6.0 Strategies Related to Imss of Heat Sink 6.1 Provide Additional Supply of Borated Water 6.2 Inject Additional Borated Water after Core Damage (BWR only)

W Westinghouse 20 m m

1

l i

i

, NRC REQUEST FOR ADDITIONALINFORMATION Responso Revision 1 d

He following is a discussion of each of the strategies that apply to PWRs:

i 2.1 Reduce Containment Spray Flow to Conserve Water for Core Cooling j nis strategy does not apply to the AP600 since it does not have a containment spray system.

i l 2.2 Early Detection / Isolation / Otherwise Mitigate Interfacing System LOCA 1

i Re aim of this strategy is to mitigate the effects of intersystem LOCAs outside containment through the j use of early detection and isolation.

! Discussion:

%e AP600 has incorporated additional features to reduce the chance of an interfacing systems LOCA as '

i compared to current PWRs. Rese features include a third valve in both the normal RHR system (RNS) j suction and the discharge lines and a higher design pressure of the RNS so that it will not fail if exposed  ;

to full RCS pressure. In addition, many high-pressure / low-pressure interfaces that exist in current plants  !

-i between the RCS and the ECCS pumps outside containment have been eliminated on the AP600 because it does not use ECCS pumps.  !

l

He core damage frequency for intersystem LOCAs outside containment is calculated to be less than IxE- l l 10/ year. His calculation includes credit for reclosing valves that have been inadvertently opened.

4

~

Conclusion:

i He improvements made to the normal residual heat removal system have reduced the importance of this j strategy. This strategy is modeled in the PRA to further reduce the probability of an intersystem LOCA

outside containment.

$ 2.3 Refill the RWST I

i The aim of this strategy is to provide additional water to the RWST in case recirculation is not available.

i I Discussion:

He AP600 greatly reduces the possibility that recirculation will not be available. Recirculation is provided j by two separate sumps with each sump containing redundant and diverse valves to allow water to recirculate. One of the valve types is a de motor-operated gate valve and the other is a swing-disk check valve. In addition, there are redundant and diverse means of creating recirculation flow, gravity-driven M

720.54(R1)-2 W

Westinghouse i

E 1

l NRC REQUEST FOR ADDITIONAL INFORMATION i

Response Revision 1 j flow through tha safety-related IRWST injection lines directly to the reactor vessel, and pumped flow through the nonsafety-related normal residual heat removal system to the reactor vessel.

l The AP600 PRA has identified that loss of recirculation in the longer term due to a slow loss of fluid caused by failure to isolate the containment to be important. Credit was taken for IRWST makeup in this cr.se. The normal source of makeup is from the chemical and volume control system. An additional l source ofIRWST makeup is available from the spent fuel pit cooling system. There are other makeup

.; features that were not modeled in the PRA; these features involve temporary connections to the spent fuel 4

pit cooling system and to the normal residual heat removal system. Rese connections provide for long-j' term makeup to the IRWST and to the RCS, respectively, from other plant water sources and from portable water supplies. See the response to Q 471.2.

h

Conclusion:

i ,

%e use of safety-related passive systems and nonsafety-related active systems provides redundant and

diverse ways of initiating and driving recirculation flow, which greatly reduces the potential for failure of recirculation. One situation was identified in the AP600 PRA where makeup to the IRWST would be i

beneficial, and a strategy was adopted to accomplish this makeup.

2.4 Ensure Recirculation Switchover

) He aim of this strategy is to ensure that a recirculation flow path exists for the ECCS during a LOCA

event by using operator actions to back up automatic switchover in case that it fails.

j Discussion:

i f As discussed in item 2.3, the AP600 employs redundant and diverse switchover valves as well as means 4

to drive the recirculation flow once a recirculation path has been opened. One of these paths includes check valves that do not require any external actuation (automatic or manual). He other paths include j MOVs that are automatically actuated on low 1RWST level. Hey can also be actuated manually by the operators.

l j

Conclusion:

i i This strategy is less important for the AP600 because it has both process-actuated (check valves) and l automatic remotely actuated (motor-operated valves) recirculation paths. His strategy is not modeled in j the AP600 PRA: however, it will be considered in the AP600 EOPs.

1 2.5 Ensure Heat Removal Using Emergency Connections to Existing / Alternate Water Supplies he aim of this strategy is to ensure an adequate long-term water supply to maintain reactor coolant inventory and to remove heat from the reactor and the contaimnent. He strategy is to use raw water from a

4 720.54(R1)-3 4

s g - , . . . . . ., . . ~ , , - - . _ . , , . _

1 i

NRC REQUEST FOR ADDITIONAL INFORMATION Responso Revision 1 4

i

! the service water system as makeup to the reactor or to the steam generators through temporary connections j in case higher-quality water supplies are not available.

4

! Discussion:

1 The AP600 passive safety-related systems have a major role in core damage prevention in the PRA.

j Provisions have been designed into the passive safety-related systems to allow for water makeup from j nonsafety-related plant water systems as well as temporary connections to other plant water systems or to j portable supplies. These connections provide makeup to the containment to maintain long-term core i cooling and to the passive containment cooling system to maintain containment cooling. These connections

] are further discussed in the response to Q 471.2.

l As shown in the response to Q 720.13, the active nonsafety-related systems are much less important to

risk. These active systems do have makeup connections from other plant water systems such as the

, demineralized water system. Adding additional connections to provide service water to reactor and SG l makeup systems would not be risk significant. Such connections increase the risk of adversely affecting

plant availability because of inadvertent use.

Conclusion:

1 1

l The additional redundancy and diversity provided by the safety-related passive systems make this strategy j much less risk significant for the AP600. A variation of this strategy has been adopted. Connections have

been provided in the AP600 to allow for temporary hookups to in-plant water sources or to portable water j supplies for long-term makeup to the containment and the passive containment cooling system.

3.2 Bypass ECCS Pump Protective Trips j 'Ibe aim of this strategy is to be able to manually bypass or to reset pump protective trips to prevent or j delay the loss of core cooling.

j Discussion:

i The AP600 passive safety-related systems do not use pumps, so this strategy is not applicable to them.

j Active nonsafety-related systems use pumps, so this strategy is potentially applicable to them.

As shown in the response to Q 720.13, the active nonsafety-related systems are much less risk important than the passive systems. Adding manual bypasses to pump protective interlocks would not be risk significant. In addition, such bypasses could adversely affect plant availability if they are improperly operated.

4 a

' 720.54(R1)-4 W-Westinghouse e

n J

i

, ..n.. , , , .- - .

NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 1 h kh 1

Conclusion:

Because of the reliability of the safety-related passive systems that do not utilize pumps, there is little i reliance on active systems and pumps. As a result this strategy is not risk significant for the AP600. l 3.3 Use Non-Safety Charging Pumps for Core Injection l l

He aim of this strategy is to supply water to the reactor by using nonsafety-related high-pressure pumps. j Discussion:

1 The AP600 chemical and volume control system makeup pumps are nonsafety-related pumps that can i perform this strategy. Rese pumps are included in the AP600 PRA in the very small LOCA event tree where they can protect the core independently from the passive systems. Their use in small LOCAs has not been modeled. .

i In addition, the normal residual heat removal system can provide lower pressure makeup to the reactor. l This has been modeled in the PRA in situations where ADS has been actuated and multiple failures have occurred such ti.at passive injection from the IRWST may not be possible.

Conclusion:

De AP600 design has incorporated this strategy, and it has been modeled in the PRA in the events where success is most likely. The AP600 EOPs will include this strategy.

1 3.4 Use Hydro-Test Pump for RCP Seal Cooling l

, This strategy does not apply to the AP600 because the AP600 reactor coolant pumps do not have seals.

l 3.5 Use Condensate or Startup Feedwater Pumps to Feed SG The aim of this strategy is to provide steam generator feedwater from nonsafety-related pumps such as the startup feedwater pumps or the condensate pumps.

Discussion:

The AP600 has nonsafety-related startup feedwater pumps that are modeled in the PRA. Rese pumps are started automatically by the control system, are automatically loaded on the nonsafety-related diesels, and take suction from the deaerating water storage tank and the condensate storage tant. The use of condensate pumps to provide steam generators makeup has not been modeled in the AP600 PRA.

W Westinghouse 720.sms

\

NRC REQUEST FOR ADDITIONALINFORMATION Responso Revision 1

Conclusion:

His strategy has been adopted in the AP600 using the startup feedwater. Considering the reliability of the passive systems and the adoption of this strategy on the startup feedwater, the extension of this strategy to the condensate would not be risk significant.

4.1 Conserve Battery Capacity By Shedding Nonessential Power The aim of this strategy is to conserve battery power for essentiel loads for as long as possible in the event of station blackout.

Discussion:

He AP600 has incorporated several design features that significantly increase battery life in the event of station blackout. Rese features include battedes to support safe plant conditions for station blackout durations of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The ESF actuation cabinets are loaded on separate batteries sized for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />; needed ESF functions are actuated before 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Most of the passive safety-related systems use fail-safe valves that actuate on loss of de pow er. The loss of de power would only cause the unavailability of ADS, containment pH adjustment, and less-risk-important containment isolation valves. Manual load shedding was not incorporated in order to simplify the operator response. One type of non-essential load shedding is provided. Some of the internal I&C abinet redundancy is only powered by non-battery-backed ac power, which reduces the drain on the batteries in a station blackout. Here is also a connection provided

o allow easy hookup of temporary electrical generators.

Conclusion:

The AP600 design incorporates several features that significantly increase the battery life in a station blackout. The use of temporary electrical generators to provide de power through temporary connections has not been modeled in the PRA at this time, but will be considered in the EOPs.

4.2 Use Portable Battery Chargers to Charge Batteries The aim of this strategy is to recharge batteries during a station blackout.

Discussion:

As discussed in item 4.1, the AP600 design incorporates several features to extend the battery life in a station blackout. Along with the long-life batteries and the separation of functions and batteries, the AP600 design incorporates connections to hook up small, temporary electrical generators.

720.54(R1)-6 W.-

WB5tingh0llSS

4 4

l NRC REQUEST FOR ADDITIONALINFORMATION I

Response Revision 1

Conclusion:

4 his strategy has been adopted in the AP600 although it has not been modeled in the PRA. Note that

because most of the AP600 plant passive safety-related systems use valves that actuate on loss of de power, a this strategy would be less risk significant than it is in current plants. See SSAR Subsection 8.3.2. This strategy will be incorporated into the EOPs.

l 4.3 Emergency Replenishment of Air Supply i

This strategy does not apply to the AP600 because there are no air-operated valves in the passive safety- l related systems or in the setive nonsafety-related systems that require air supply system to accomplish their j safety or risk-important operation.

4.4 Emergency Bypass of Protective Trips for Diesel-Generator ne aim of this strategy is to be able to manually bypass or to a e-' diesel-generator protective trips to l prevent or delay the loss of ac power. 3 l

Discussion. j He AP600 passive safety-related systems have a major role in core damage prevention in the PRA. %ese passive systems do not require ac power, so this strategy is not relevant to these systems.

As shown in the response to Q 720.13, the active nonsafety-related systems are much less risk important.

Dese nonsafety-related systems require ac power, which can be provided by offsite connections or by onsite sources such as the plant turbine generator or by the nonsafety-related diesel-generators. Capability of manually bypassing or resetting selected protective trips is provided. See SSAR Subsection 8.3.1 and Figure 8.3.1-1.

Conclusion:

Because of the low risk importance of the active nonsafety systems, which utilize ac power, this strategy has not been modeled in the PRA. The AP600 EOPs will consider use of the existing bypasses and resets of protective trips for the diesels.

4.5 Emergency Crosstic of AC Power between Two Units ne aim of this strategy is to provide an alternative source of ac power to help recover from a station blackout.

g 720.54(R1)-7

NRC REQUEST FOR ADDITIONAL INFORMATION Response Revision 1 Discussion:

he AP600 is being licensed as a single-unit plant and such crossties are not provided. In addition, the AP600 passive safety-related systems have a major role in core damage prevention in the PRA. Rese passive systems do not require ac power, so this strategy is not relevant.

As shown in the response to Q 720.13, the active nonsafety-related systems are much less risk important.

These nonsafety-related systems do require ac power, which can be provided by offsite connections or by onsite sources such as the plant turbine-generator or by the nonsafety-related diesel-generators.

Conclusion:

Because of the reliability of the passive systems and the relatively low risk importance of the active systems, which utilize ac power, this strategy is not risk significant for the AP600. l I

4.7 Use Diesel-driven Fire Pump to inject Water into SG or Containment Spray The aim of this strategy is to provide an alternative source of steam generator injection or containment spray,

]

1 I

l Discussion:

1 i

The AP600 does not have a containment spray system. However, the passive containment cooling system provides the ultimate heat sink and would be amenable to a similar strategy. The AP600 incorporates a j connection from the fire pumps to the passive containment cooling system. See P&ID Figure 6.2.2-1 in the SSAR.

He AP600 has nonsafety-related startup feedwater pumps that are modeled in the PRA. Rese pumps are started automatically by the control system, are automatically loaded on the nonsafety-related diesels, and take suction from the deaerating water storage tank and the condensate storage tank. Two safety-related passive features also provide core decay heat removal, the passive residual heat removal heat exchanger, and passive feed and bleed. Each of the passive features is redundant and diverse from the other.

Conclusion:

Pumping fire protection system water into the steam generators via the fire pumps would not be risk significant. It could adversely affect plant availability ifit were used inadvertently.

A 720.54(R1)-8 W Westinghouse a

NRC REQUEST FOR ADDITIONAL INFORMATION Responso Revision 1 5.1 Reopen MSIV / Turbine 13ypass Valves to Regain Heat Sink he aim of the strategy is to reopen the MSIV and turbine bypass valves in order to use the condenser as a heat sink to extend the water supply.

Discussion:

1 Tbc AP600 has nonsafety-related startup feedwater pumps that are modeled in the PRA. Rese pumps are l started automatically by the control system, are automatically loaded on the nonsafety-related diesels, and take suction from the deaerating water storage tank and the condensate storage tank. In addition, two i passive features also provide core decay heat removal, the passive tesidual heat removal heat exchanger I and passive feed and bleed. Each of the passive features is redundant and diverse from the other. I I

Conclusion:

l I

Making the condenser available increases the time of startup feedwater availability, which has no effect on the current AP600 PRA results. As a result, this strategy is not risk significant.

> 6.1 Provide Additional Supply of Borated Water he aim of this strategy is to ensure that there is a large supply of berated water to support long-term makeup to the reactor while maintaining adequate shutdown margin, 1

Discussion:

The chemical and volume control boric acid tank is a large, additional source of borated water. Here are l also means of batching more borated water for the boric acid tank.  !

Conclusion:

He AP600 does not have a sensitivity to loss of shutdown margin due to the large amount of borated water stored in the accumulators, core makeup tanks, IRWST, and the boric acid tank. There is capability to l make additional borated water in the CVS. This capability was not modeled in the PRA but will be considered in the EOPs.

SSAR Revision: NONE E Westinghouse 0.5mW J