ML20045D777

Forwards Markups Reflecting Minor Mods Resulting from NRC Review & Internal Verification of SSAR Sections 19.7 Through 19.13. Matl Will Be Reflected in Amend 31
ML20045D777
Person / Time
Site: 05200001
Issue date: 06/24/1993
From: Fox J
GENERAL ELECTRIC CO.
To: Poslusny C
Office of Nuclear Reactor Regulation
References
NUDOCS 9306300044


Text

GE Nuclear Energy

General Electric Company
175 Curtner Avenue, San Jose, CA 95125

June 24, 1993

Docket No. STN 52-001

Chet Poslusny, Senior Project Manager
Standardization Project Directorate
Associate Directorate for Advanced Reactors and License Renewal
Office of the Nuclear Reactor Regulation

Subject: Submittal Supporting Accelerated ABWR Schedule - Markups of SSAR Sections 19.7 through 19.13

Dear Chet:

The attached markups (less 19.8 which was transmitted June 23, 1993) are provided to reflect minor modifications resulting from Staff review and internal verification. This material will be reflected in Amendment 31.

Please provide copies of this transmittal to D. Scaletti, J. Moninger, G. Kelly, and R. Palla.

Sincerely,

Jack Fox
Advanced Reactor Programs

cc: Alan Beard (GE)
Jack Duncan (GE)
Norman Fletcher (DOE)

9306300044 930624 PDR ADOCK 05200001 A PDR

23A6100 Rev. 0 ABWR Standard Safety Analysis Report

19.7 PRA as a Design Tool

In addition to its use as a measurement tool to assess the degree to which PRA related goals were satisfied as summarized in Section 19.6, the PRA was used to substantially influence the design. During the course of the review of this PRA, the NRC requested that the way in which operating experience was factored into the design and the ways in which the PRA influenced the design be described. This description is provided here.

19.7.1 ABWR Design and Operating Experience

The design of the ABWR covered a period of about 12 years, from 1978 to 1990. The worldwide experience of several companies including ABB-Atom, Hitachi, Toshiba, ANM and GE was used to establish the original design. During the design process, methods were employed to ensure that operating experience was factored into the design. These are summarized in Subsection 1.8.3, particularly Table 1.8-22.

In addition to the general design process noted above, three specific design improvements compared to earlier designs were introduced which provide benefits from a PRA perspective:

(1) The plant is designed for a safe shutdown earthquake (SSE) of 0.3g. Most operating BWRs have an SSE of 0.2g or less. Thus, the ability to withstand earthquakes is improved. Very large margins are expected at low seismic sites.

(2) The elimination of recirculation piping has substantially reduced the potential for LOCAs, particularly large LOCAs.

(3) The use of three separated ECCS divisions provides the benefits shown in the internal events analysis. In addition, this separation reduces ABWR vulnerability to fires and floods.

19.7.2 Early PRA Studies

PRAs were used extensively in the early design effort for making design decisions. This has resulted in millions of dollars of cost savings without compromising the plant safety.

Several key studies are summarized here.

(1) Core Cooling Systems

A core cooling system optimization study was performed. This study enabled the core cooling and heat removal functions to be combined and the total number of ECCS divisions to be reduced from 4 to 3, resulting in significant cost savings.

A RCIC reliability study was performed. This study enabled the elimination of one high pressure core cooling system by upgrading the RCIC system reliability.

A risk comparison study was performed. This compared the core damage frequency for BWR/4, 5, and 6 plants with the ABWR and identified the importance of modifying the ADS logic to initiate on low water level. This change improved the ABWR safety significantly for transient event sequences.

(2) Reactivity Control

Studies of ABWR scram system reliability and scram system unavailability with alternate rod insertion enabled the incorporation of a less expensive ATWS mitigation system in place of an alternate system proposed for an earlier design. This change also results in significant cost savings.

(3) Instrumentation Studies

An ABWR instrument reduction study and reliability assessment enabled the elimination of 60% of the sensor instrumentation in the reactor safety systems without impacting plant safety. Other studies performed have identified significant cost reductions in the ABWR multiplexing systems and other instrumentation systems.

(4) Control Rod Drive Improvements

The early ABWR ATWS design was based on utilizing the capabilities of the new fine motion control rod drives (FMCRD) to meet the intent of USNRC ATWS Rule 10CFR50.62 for improvement of hydraulic scram reliability.

Adoption of the FMCRDs provided improved scram reliability by elimination of the scram discharge volume, which is a potential common mode failure point for current BWRs using the locking piston-type CRDs. The scram reliability goals were met without use of the Alternate Rod Insertion (ARI) valves specified in 10CFR50.62. However, subsequent PRA studies showed that adoption of the ARI valves in the design would provide a further substantial reduction in the probability of ATWS. Since the cost of adding the ARI valves to the design at that time was minor, it was decided that their incorporation into the design was appropriate.

The FMCRD brake mechanism is provided to prevent a rod ejection in the event of a break of the scram insert line. As a result of PRA studies, the design was changed from the centrifugal-type brake used in the early design to the current electro-mechanical-type brake. The PRA studies indicated that the brake design had to be fully testable on an annual basis to meet the goals for rod ejection frequency. It was determined that the electro-mechanical brake design was easier to test, and would not have any impact on the plant outage critical path.

(5) RIP Trip Study

The reliability of RIP power supply was evaluated. The probability of simultaneous trip of all RIPs was calculated. The objective of this study was to assure that the probability of an all RIP trip event is low enough to classify such an event as an accident. The study resulted in a 4-bus configuration for the RIP power supply. In addition, motor generator sets were adopted to prevent an all RIP trip event from occurring following a loss of AC power.

19.7.3 PRA Studies During the Certification Effort

As part of the ABWR certification effort, the PRA was further used to improve the design. This effort was first reported in the 1991 Probabilistic Safety Assessment and Management Conference. An AC-independent water addition system and a combustion turbine generator were added to reduce the probability of core damage. A lower drywell flooder and a containment over pressure protection system were added to mitigate the effects of core damage in the unlikely event that such damage should occur. The studies which led to these and other improvements are summarized here.

(1) Initial Probabilistic Risk Assessment

The initial PRA effort for ABWR Certification indicated that the ABWR had abundant means of preventing severe accidents and mitigating their consequences and that the goals (Section 19.6) could be satisfied. However, key insights gained from this effort led to the selection of additional features as described in the following paragraphs.

The core damage frequency from internal events was determined to be about one event per million reactor years of operation. Although this result was very favorable, the core damage frequency was dominated by station blackout. A simple, "AC-independent water addition system" was added to the design. The cost impact is quite small since only a few small lines and manually operated valves are added. A combustion turbine generator, required by the Electric Power Research Institute Advanced Light Water Reactor Requirements Program, was also added to the design. These features virtually eliminate station blackout as a contributor to core damage, decreasing the frequency by an order of magnitude.

In other evaluations, it was determined that if molten core material were present in the lower drywell, it would ablate the reactor vessel pedestal in the region of the wetwell/drywell vents, allowing suppression pool water to enter the lower drywell. This would quench the corium and terminate core-concrete interaction, non-condensable gas generation and drywell atmosphere heatup; all favorable effects which lessen the potential to fail the containment function. However, it did not seem prudent to take favorable credit for a rather uncertain process. Earlier conceptual studies had identified the concept of a "passive drywell flooder" which could be relied on with much greater certainty to produce the desired favorable effects. Since this was a low cost system (several pipes and thermally activated valves) it was added to the ABWR design.

The drywell head was found to be the most probable failure location should the containment be pressurized to a point well above the design pressure. If such an unlikely failure were to occur, fission products could be released without the benefit of suppression pool scrubbing. Fission product retention in BWR suppression pools has been found to be very beneficial in reducing the amount of fission products released from the containment. Even before specific numerical calculations had been performed, the potential benefits of a device that would relieve containment pressure through the suppression pool were apparent. Therefore, a containment overpressure relief feature was added to the design to accomplish this function.

Examination of dominant severe accident sequences indicated several areas in which the Emergency Procedure Guidelines could be improved for the ABWR. Prevention of accidents can be improved in seismic initiated loss of offsite power events by instructing the operator to manually operate heat removal system valves if transformer loss has made power operation of those valves impossible. Accident mitigation can be improved for the ABWR accident sequences in which corium has penetrated the reactor vessel by filling the drywell with water to the level of the bottom of the reactor vessel, rather than to the top of the active fuel as done for earlier BWRs.

(2) Feature Descriptions and Resulting Benefits

As a result of the studies summarized above, four new features were added to the design to enhance the plant's performance under severe accident conditions. The added features are described in the following paragraphs.

(a) AC-Independent Water Addition

Two fire protection system pumps are provided on the ABWR: one pump is powered by AC power, the other is driven directly by a diesel engine. A fire truck can provide a backup water source. One of the fire protection standpipes is cross-connected to the RHR injection line to the reactor vessel through normally closed, manually operated valves. From this line, fire protection water can be directed to the reactor vessel after the reactor vessel has been depressurized. Fire protection water can also be directed to the drywell spray header to reduce upper drywell pressure and temperature. Should drywell head failure occur (an extremely unlikely event especially given the containment overpressure protection feature discussed below), use of drywell spray also reduces the release of volatile fission products from the containment.

(b) Combustion Turbine Generator

A combustion turbine generator (CTG) starts automatically. It is automatically loaded with selected investment protection loads. Safety-grade loads can be added manually. This provides diverse power if none of the three safety-grade diesel generators are available.

The CTG is a standby onsite non-safety power source to feed permanent loads during loss-of-offsite power events. It is not seismically qualified. The unit also provides an alternate AC power source in case of a station blackout event.

The CTG is designed to supply standby power to the three turbine building (non-Class 1E) 6.9 kV buses which carry the plant investment protection loads. The CTG automatically starts on detection of a 30% voltage drop on the 6.9 kV bus. The 6.9 kV bus is tripped and the CTG sequentially assumes the loads.

CTG failure will not affect safe shutdown of the plant. The unit is not required for safety but is provided to assist in mitigating the consequences of a station blackout event. However, the plant can cope with a station blackout without the CTG.

The CTG can supply power to nuclear safety-related equipment if there is complete failure of the emergency diesel generators and all offsite power. Under this condition, the CTG can provide emergency backup power through manually-actuated Class-1E breakers in the same manner as the offsite power sources. This provides a diverse source of onsite AC power.

(c) Lower Drywell Flooder

The lower drywell flooder allows water from the suppression pool to enter the lower drywell during severe accidents where core melting and subsequent vessel failure occur. Several pipes run from the vertical pedestal vents into the lower drywell. Each pipe contains a fusible plug valve connected by a flange to the end of the pipe that extends into the lower drywell. In the unlikely event that molten corium flows to the lower drywell floor and is not covered with water, the lower drywell atmosphere will rapidly heat up. The fusible plug valves open when the drywell atmosphere (and subsequently the fusible plug valve) temperature reaches 260°C. The fusible plug valve is mounted in the vertical position, with the fusible metal facing downward, to facilitate the opening of the valve when the fusible metal melting temperature is reached. When the fusible plug valves open, suppression pool water will be supplied through pipes to the lower drywell to quench the corium, cover the corium, and remove corium decay heat. The result will be a reduced interaction between corium and drywell floor concrete which in turn will reduce drywell temperature and pressure from noncondensable gas generation. There will be less chance of overpressurizing the containment and causing radionuclide leakage to the atmosphere. The lower drywell flooder is a passive injection system. No operator action is required.

(d) Containment Overpressure Protection System

If an accident occurs which increases containment pressure to a point where containment integrity is threatened, the pressure will be relieved to the atmosphere by a line connecting the wetwell to the plant stack. Providing a relief path from the wetwell vapor space precludes an uncontrolled containment failure. Directing the flow to the stack provides a monitored, elevated release. The relief line, designed for 150 psig, contains a rupture disk which opens at a pressure above the design pressure but below the Service Level capability of the containment. If overpressure occurs, the rupture disk will open and pressure is relieved in a manner that forces escaping fission products to pass through the suppression pool. Relieving pressure from the wetwell, as opposed to the drywell, takes advantage of the fission product scrubbing provided by the suppression pool. After the containment pressure has been reduced and normal containment heat removal capability has been regained, the operator can close two normally open air-operated valves in the relief path to reestablish containment integrity. Initiation of the pressure relief system is totally passive. No power is required for initiation or operation of the pressure relief function.

(e) Seismic Capability of Added Features

After the above added design features were further developed, additional PRA studies were performed focusing on seismically initiated events. The combustion turbine generator is not seismically qualified so no credit was taken for its operation in the analysis. The other three features have relatively high seismic capacities. Most of the AC-independent water addition system is seismic Category I and has three pumping sources: AC-driven pump, direct diesel-driven pump, and a fire truck. The balance of the system consists of pipes and manually operated valves which have relatively high seismic capacity compared to many components in conventional safety systems. The lower drywell flooder is virtually invulnerable to a seismically induced failure (pipes and valves whose likely failure mode would probably introduce water to the lower drywell). The overpressure protection system is seismic Category I, and a seismically-induced failure is not likely to prevent the relief function provided by the rupture disks.

(3) Emergency Procedure Guideline Improvements

Emergency Procedure Guidelines (EPGs) were improved in several areas. Two examples are described here.

(a) Accident Prevention

In a high fraction of seismically initiated station blackout sequences, diesel generators are available to supply power to pumps in the heat removal system but lower voltage power necessary for operation of MOVs may not be available because of transformer failure. The transformer seismic capacity is less than that of the EDGs. However, the necessary valves can be operated manually and this capability will be reflected in the detailed procedures to be developed from the EPGs.

(b) Accident Mitigation

EPGs developed for earlier BWRs call for the operator to fill the containment to the level of the top of the active fuel if the reactor vessel water level cannot be determined or cannot be maintained above the top of the active fuel. For an ABWR plant which has undergone a severe accident, this strategy can be improved. Filling the containment to a lower level than the TAF is appropriate for two reasons. First, noncondensable gases in the containment are compressed to a lesser degree and containment pressure is reduced compared to the earlier strategy. Second, filling the containment to a lower level avoids flooding the containment overpressure protection system and the potential for subsequent damage to system piping if the rupture disk setpoint pressure is reached. Therefore, the operator is directed to fill the containment to the level of the bottom of the reactor vessel. In the very long term, for post accident recovery and cleanup operations, it would probably be necessary to increase containment water level to an elevation above the top of the active fuel.

In the process of preparing the PRA, human actions were summarized and sensitivity studies were performed. An overview of this process is provided in Section 19.11.

(4) Further Improvements

Subsequent to the above described improvements, several other improvements were identified and incorporated into the design.

The pressure capability of the drywell head was improved to increase the containment pressure capability. Basaltic concrete was added to the lower drywell to reduce the potential for noncondensable gas generation which could result if core damage occurs.

As a result of the fire PRA studies (Appendix 19M) the capability for operation of automatic depressurization valves from the remote shutdown panel was improved.

Based on studies of the potential effects of failures in Safety System Logic and Control, surveillance testing of microprocessor-based controllers was increased in frequency to quarterly to improve the ability to detect failures which are not detected by the continuous self-test feature.

As a result of the internal flood PRA studies, several improvements or additional design detail were developed to reduce the potential for internal flooding to pose a significant threat. These additional features, which are shown in Table 19R.6-2, include the following: condenser bay water level sensors to terminate serious flooding in the turbine building; control building floor water level sensors to terminate major potential flooding sources; a limitation on the reactor service water (RSW) pipe length to the first RSW isolation valve to limit the water volume which could be drained into the control building following isolation of an RSW break; and additional floor [illegible] and doors in the reactor building to prevent floods from having significant impact.

Consideration of severe accident phenomena indicated the ability to cool the core debris in the lower drywell could be compromised if a significant debris mass were to enter the containment sumps. If the core debris were not quenched, continued core-concrete interaction with its resultant noncondensable gas generation could cause pressurization even with successful containment heat removal. To prevent this possibility, a protective barrier around the sumps was added to the design. This barrier prevents the ingress of molten debris into the containment sumps in the event of a severe accident while allowing water to enter the sumps during normal operation. Several of the key safety functions, previously performed manually, were automated.

(5) Summary

Probabilistic Risk Assessment studies conducted for the Advanced Boiling Water Reactor during the certification effort provided valuable insights to plant performance under transient and accident conditions. Although the studies indicated that the established safety goals could be satisfied, an AC-independent water addition system and a combustion turbine generator were added to the design to substantially reduce the probability of a sequence of events which leads to core damage. To reduce the potential consequences of a core damage event, should one occur, a passive means of flooding the drywell with water and a passive containment over pressure relief system were added to the design. EPGs were also improved to further enhance the capability to prevent accidents from occurring and to mitigate subsequent consequences.

The studies discussed above were conducted by examining the plant design and operation from many different perspectives and thus are judged to constitute a thorough search for design and procedure "vulnerabilities." No prescriptive attempt was made to define the term vulnerabilities in this context, it being judged the better approach to give engineers experienced in many disciplines a wide latitude in identifying potential weaknesses and then dealing with each issue as it was raised case by case.

19.7.4 Conduct of the PRA Evaluations

The PRA was conducted in accordance with the Key Assumption and Groundrules developed under the Advanced Light Water Reactor Program. This document was developed with input from many individuals experienced in PRA.

PRA models consisted of fault trees and event trees as described in the "PRA Procedures Guide" NUREG/CR-2300. Detailed plant models included plant systems and equipment and dependencies arising from common cause failure, human error and support system failure, thus enabling potential vulnerabilities to be identified.

19.7.5 Evaluation of Potential Design Improvements

PRA techniques were used in the evaluation of whether there are additional potential design modifications which would be cost-beneficial to implement (Appendix 19P) and in the technical support of the evaluation of Severe Accident Mitigation Design Alternatives (SAMDA) for compliance with the National Environmental Protection Act (NEPA). Evaluations used the PRA event trees as a guide for estimating conservative benefits from a variety of potential modifications.

19.8 PRA Input to ITAAC

(This section intentionally omitted.)

19.9 COL License Information

A review was conducted to determine actions which will be completed by the COL applicant. This section represents the results of that review.

19.9.1 Event Specific Procedure for Unisolated CUW Line Break

An unisolated reactor water cleanup system (CUW) line break, although very unlikely to occur (Subsection 19E.2.3.3), could lead to reactor building flooding and eventual depletion of ECCS water sources if the break could not be isolated. Attempting to control RPV water level in the normal range could lead to a continuous coolant outflow through the break since the CUW suction nozzle and the RPV drain line connection to the suction line are below the normal RPV water level.

Since this is a very specific event, it was judged inappropriate to complicate the symptom-based Emergency Procedure Guidelines (EPGs) with actions to mitigate the event. An event-specific procedure will be developed by the COL applicant using the following guidance:

(1) If a CUW break or leak occurs (as indicated by room sump levels, high flow, temperature indication, radiation level) and successful automatic or manual isolation does not occur (as indicated by lack of closed indication on at least one of the two CUW isolation valves or lack of zero flow indication), the following actions should be taken.

(2) Scram and depressurize the RPV if these actions have not occurred automatically. Attempt to close the CUW isolation valves from the main control room. Close the RPV drain line globe valve from the main control room. Control RPV water level in accordance with the EPGs if at least one of the CUW isolation valves is closed. The level should be controlled between the top of the active fuel and 15 inches above the top of the active fuel if drain line closure is not successful. (The RPV drain line connects to the CUW suction line at this elevation.) If drain line closure was successful, control water level between the top of the fuel and 5 feet above the top of the fuel. (The CUW suction line is about 6 feet above the top of the fuel.) Use the temperature compensated fuel zone and wide range water level indication and pumps which can be throttled (CRD, RHR, condensate pumps).

(3) When practical, enter the CUW room and/or the containment and effect the necessary repairs.

19.9.2 Confirmation of CUW Operation Beyond Design Bases

The CUW can be used to remove decay heat under accident conditions by bypassing the regenerative heat exchanger as noted in Section 156. This causes the nonregenerative heat exchanger to remove additional heat. However, this could lead to exceeding the design temperature limits of the CUW nonregenerative heat exchanger and some portions of the piping of the CUW and the reactor building cooling water (RCW) systems.

When the design of the CUW and RCW systems (including piping and support structures) is completed, the COL applicant must confirm that if the CUW is operating in the heat removal mode, the following areas will remain functional while operating outside their design basis temperature values:

(1) The CUW nonregenerative heat exchanger

(2) The CUW piping downstream of the regenerative heat exchanger

(3) The RCW piping downstream of the nonregenerative heat exchanger

(4) The feedwater piping downstream of CUW injection

(5) Piping supports for the above piping

19.9.3 Event Specific Procedures for Severe External Flooding

Internal flooding is addressed in Appendix 19R. The site selection process will take into account the worst case predicted flood. Then grade level and flood control methods (e.g., site grading) will be determined based on this predicted flood level. The grade level floor will be 0.3 meters above this predicted flood level. Therefore, external flooding should not be a major concern for the ABWR. To further reduce the susceptibility of external floods, plant and site specific procedures will be developed by the COL applicant for severe external flooding using the following guidelines:

(1) Check [illegible] the [illegible] door between the turbine and service buildings is closed.

(2) Sandbag the external doors to the following:

(a) Reactor building

(b) Control building

(c) Service building

(d) Pump house at the ultimate heat sink

(e) Diesel generator fuel oil transfer [illegible]

When the CUW is used to remove decay heat by bypassing the regenerative heat exchanger, steps should also be taken to prevent boiling in the shell side of the nonregenerative heat exchanger (NRHX) by increasing the reactor building closed cooling water (RBCCW) flow through the NRHX. To accomplish this, the plant emergency procedures should consider the following steps:

(1) Terminate RBCCW flow to the RHR heat exchangers

(2) Bypass the hot water heat exchanger in the RBCCW line

(3) Bypass the flow control valve which controls RBCCW flow through the NRHX

(f) Radwaste building

(3) Plug the diesel generator room floor drains to prevent backflow.

(4) Shut the plant down.

(5) Use power from the diesel generators or CTG if offsite power is lost.

Underground passages between buildings would not be affected because they are required to be watertight.

19.9.4 Confirmation of Seismic Capacities Beyond the Plant Design Bases

The seismic analysis assumed seismic capacities for some equipment for which information was not available. It is expected that these capacities can be achieved, but confirmation must be deferred to the COL applicant when sufficient design detail is available. The actions specified in Section 19H.5 will be taken by the COL applicant.

19.9.5 Plant Walkdowns

A plant walkdown to seek seismic vulnerabilities will be conducted by the COL applicant in accordance with EPRI NP-6041 as noted in Section 19H.5.

Similar walkdowns will be conducted by the COL applicant for internal fire and flooding events.

19.9.6 Confirmation of Loss of AC Power Event

The COL applicant will confirm the frequency estimate for the loss of AC power event (Subsection 19D.3.1.2.4). This review will address site-specific parameters (as indicated in the staff's licensing review basis document), such as specific causes (e.g., a severe storm) of the loss of power, and their impact on a timely recovery of AC power.

19.9.7 Procedures and Training for Use of AC Independent Water Addition System

Specific, detailed procedures will be developed by the COL applicant for use of the AC-independent water addition system (including use of the fire truck) to provide vessel injection and drywell spray. Training will be included in the COL applicant's crew training program.


19.9.8 Actions to Avoid Common Cause Failures in the Essential Multiplexing System (EMUX)

To reduce the potential for significant EMUX common cause failures (see Subsection 19N.4.12), the COL applicant will take the following actions:

(1) To eliminate remote multiplexing unit (RMU) miscalibration as a credible source of EMUX common cause failure, administrative procedures will be established to perform cross-channel checking of RMU outputs at the main control room safety system logic and control instrumentation, as a final check point of RMU calibration work.

(2) To prevent any unidentified EMUX faults/failure modes (e.g., an undetected software fault) from propagating to other EMUX divisions, the plant operating procedures will include the appropriate detailed procedures necessary to assure that the ABWR plant operations are maintained in compliance with the governing Technical Specifications during the periods of divisional EMUX failure. This will assure that such unidentified faults are effectively eliminated as a credible source of EMUX common cause failure.

These procedures will also include the appropriate symptom-based operator actions to assure that adequate core cooling is maintained in the hypothetical event of an entire EMUX system failure.

19.9.9 Actions to Mitigate Station Blackout Events

It was necessary to make several assumptions in the assessment of plant performance under station blackout conditions as noted in Subsection 19E.2.1.2. The following actions will be taken by the COL applicant to confirm these assumptions:

(1) Confirm that the minimum condensate storage tank volume is 570 cubic meters.

(2) Develop battery loading profiles to define appropriate load shedding during station blackout to ensure that RCIC can be operated for at least 8 hours. It is expected that compliance with COL license information item 8.3.4.16 will satisfy this need.

(3) Perform analyses to confirm that RCIC room temperature will not exceed equipment design temperature without room cooling for at least 8 hours.

(4) Perform analyses to confirm that control room temperature will not exceed equipment design temperature for at least 8 hours without room cooling.


(3) To eliminate maintenance/test errors as a credible source of EMUX common-cause failure, administrative procedures will be established which will not permit the same technician to work on multiple divisions of the EMUX.


(5) Develop procedures for the emergency replenishment of gas supply for safety-related, pneumatically operated components. A discussion of the types of actions which could be taken is in Subsection 19E.2.1.2.2.2(2)(b).

19.9.10 Actions to Reduce Risk of Internal Flooding

In the unlikely event of significant flooding from internal sources (addressed in Appendix 19R) such as the ultimate heat sink, suppression pool, condensate storage tank, or fire water system, actions will be completed by the COL applicant to ensure that the following can be performed to mitigate flooding in the turbine, control, and reactor buildings:

(1) Training on isolation of potential flooding sources.

(2) Maintenance of pump trip and valve isolation capability of potential unlimited flood sources should be controlled to assure that flood mitigation capability exists at all times. If pump trip and valve isolation capability is unavailable, procedures to monitor applicable piping lines for leakage must be implemented and replacement/repair of failed components must be completed as soon as possible or other mitigative features must be implemented.

(3) Sizing of floor drains must be adequate to accommodate all potential flood rates. In sizing the floor drains, the following considerations must be addressed:

(a) The maximum volume and flow rate of potential flood sources on each floor must be calculated based on ANSI/ANS 58.2, Design Basis For Protection Of Light Water Nuclear Power Plants Against The Effects Of Postulated Pipe Rupture.

(b) The floor drain sizing must be able to drain the highest flow rate in that area without allowing flood buildup to reach installed equipment (i.e., less than one foot) and also prevent accumulation in one area flowing to another area containing equipment from a different train or division.

(c) The size and number of floor drains should address the probability of some drains becoming clogged with debris.

(4) Procedures for maintenance of watertight integrity of buildings and rooms especially during shutdown conditions.

(5) Procedure to ensure that if flooding occurs in an ECCS divisional room that the watertight door to the affected room will not be opened until watertight integrity of the remaining ECCS rooms is assured.


(6) Complete a site specific analysis for potential flood sources and required mitigation features.

19.9.11 Actions to Avoid Loss of Decay Heat Removal and Minimize Shutdown Risk

To reduce the potential for losing shutdown decay heat removal capability (addressed in Appendix 19Q), procedures will be prepared by the COL applicant for the following:

(1) Recovery of failed operating RHR system

(2) Rapid implementation of standby RHR systems if the initially operating RHR system cannot be restored

(3) Ensuring that instrumentation associated with the following functions is kept available if the system is not in maintenance:

- RPV isolation valve
- HPCF
- LPFL
- RPV water level, pressure, and temperature
- RHR system alarms
- EDG
- Refueling interlocks
- Flood detection and valve/pump trip circuits

(4) Use of alternate means of decay heat removal using nonsafety grade equipment such as reactor water cleanup, fuel pool cooling, or the main condenser

(5) Use of alternate means for inventory control using nonsafety grade equipment such as AC-independent water addition, CRD pump, and main feedwater and condensate

(6) Recovery from loss of offsite power

(7) Boiling as a means of decay heat removal in Mode 5 with the RPV head removed including available makeup sources


(8) Conducting suppression pool maintenance, especially as it relates to reduced availability of ECCS suction sources

(9) Fire/flood watches during periods of degraded safety division physical integrity

(10) Ensuring that at least one division of safety equipment is not in maintenance and its physical barriers are intact if [illegible]

(11) Fire fighting during shutdown

(12) Use of remote shutdown panel while the plant is shutdown

To reduce other risks during shutdown, procedures will be prepared by the COL applicant for the following:

(1) Firefighting with part of the fire protection system in maintenance

(2) Outage planning using guidance from NUMARC-91-01

(3) Use of freeze seals and RIP and CRD replacement

19.9.12 Procedures for Operation of RCIC from Outside the Control Room

In the PRA fire analysis (Subsection 19M.6.2) credit is taken for operation of RCIC from outside the control room. The COL applicant will develop procedures and conduct training for such RCIC operation.

The procedure should be developed along the following lines:

(1) Station operation personnel and provide communication for operation of the RCIC suction valves (CST suction and suppression pool suction), RCIC turbine trip and throttle valve, RCIC turbine steam admission valve, outboard steam isolation valve, RPV injection valve, turbine speed control panel, and the Remote Shutdown System.

(2) If the RCIC steam isolation valves are closed, open these valves from their MCCs. If necessary, disconnect power to the outboard steamline isolation valve and open it using the valve's manual handwheel.

(3) Disconnect or de-energize all control signals to and from the turbine.

(4) Close the turbine t+ valve.


(5) Disconnect power to the motor-operated suction valve (CST or suppression pool, as required), steam admission valve, and manually open these valves using their handwheels.

(6) Use a portable speed sensing instrument to monitor turbine speed.

(7) Manually manipulate the trip and throttle valve and manually open the RPV injection valve using their handwheels. Maximize injection flow by manipulating the trip and throttle valve and operate the turbine below the overspeed trip value. If the turbine trips on overspeed, reset the trip and throttle valve, and manipulate this valve to operate the turbine.

(8) Monitor RPV water level at the Remote Shutdown System. Maintain RPV water level between Level 3 (low level) and Level 8 (high level).

19.9.13 ECCS Test and Surveillance Interval

The test and surveillance intervals assumed in the PRA are documented in 19D.6-1 through 19D.6-[illegible]. The COL applicant will develop a plan and implement procedures for identifying significant departures from these assumptions.

19.9.14 Accident Management

As noted in Section 19.11, the human actions for which credit has been taken in this PRA have been compiled (Section 19D.7) and checked against the emergency procedure guidelines. Some of these are judged to be sufficiently important to warrant separate COL action items in this section (see Subsections 19.9.1, 19.9.7, 19.9.lg). All of the human actions identified should be reviewed by the COL applicant so that detailed procedures can be developed and the appropriate training conducted.

Directions and guidance for operation of the containment overpressure system (COPS) shutoff valves should be developed. Appropriate care should be taken in the development of these procedures to ensure that the recovery of containment heat removal or containment sprays do not induce late containment structural failure. If a suppression pool water level of at least one meter above the top of the top horizontal connecting vent can be maintained following COPS operation, the COL applicant may wish to consider leaving the shutoff valves open until after recovery of Containment Heat Removal since the fission product release will be dominated by the initial noble gas release. In addition, the procedure for closure of the shutoff valves should include steps for the re-introduction of nitrogen into the containment. In developing accident mitigation strategies, the COL applicant may wish to examine the potential benefits of drywell spray operation if the containment fails in the drywell. Source term calculations, such as the one in 19E.2.2.8, indicate the release to the atmosphere may be substantially decreased by initiating drywell sprays after fission product release begins.


For human actions which are taken that rely on instrumentation which may be operating outside of the qualification range, the expected performance of the instrumentation should be determined and additional guidance provided to the operator if needed.

Accident management strategies should consider the potential for recriticality during the recovery. Recriticality could occur either as a result of boron dilution in an ATWS event or as a result of control blade relocation during the recovery of a badly damaged core. A possible strategy could be a caution for the operators and/or technical support staff to monitor the power level (perhaps indirectly via the rate of containment pressurization) and enter ATWS procedures as necessary.

19.9.15 Manual Operating of MOVs

As noted in Subsection 19.7.3(3)(a), manual operation of MOVs can be used to improve the availability of decay heat removal. The COL applicant will implement procedures for such an operation.


19.10 Design and Reliability Assumptions and Insights Related to Systems Outside of ABWR Design Certification

The systems for which credit was taken which are outside of the ABWR design certification are those portions of the reactor service water (RSW) system outside of the control building including the safety related ultimate heat sink (UHS), the power cycle heat sink, parts of the offsite power system, and the fire truck which supplies the AC independent water addition system.

19.10.1 Reactor Service Water (RSW) System and Safety-Related Ultimate Heat Sink (UHS) Assumptions

The configurations of the RSW system and UHS as defined by ABWR system drawings and design performance specifications provided the bases for PRA fault tree modeling and evaluation. The total heat removal capacity of these configurations is sufficient to remove heat loads associated with emergency shutdown and post-LOCA core and containment cooling.

The design features and capacities of the RSW system are such that any one division can provide sufficient cooling capacity to remove decay heat provided that two RSW pumps, two reactor building cooling water (RCW) pumps, and three RCW heat exchangers in that division are in operation. In addition, one RCW and one RSW pump, and two RCW heat exchangers provide sufficient cooling capacity to support the core cooling (injection) function for ECCS equipment in a division. These assumptions were made in both internal event and seismic analyses. Developing a plan and implementing procedures for validating these capabilities are COL interface items.

Those portions of the RSW System that are outside of the control building are not in the ABWR scope and are described as interface requirements. Outside the control building, the pumps, strainers, valves, instruments, and controls are located in the UHS pump house. Piping connects those portions of the RSW system in the UHS pump house and the control building. Though not part of the certified design, these components are modeled in the Level 1 PRA based on RSW system drawings and specifications. Modeling is presented in Figure 19D.6-14 and component reliability assumptions are documented in Table 19D.6-6. These out of scope portions of the RSW system were modeled as an integral part of the RCW/RSW fault tree for each division.

Reliability of the RCW/RSW system in each division was calculated to be 0.9997 in successfully supporting the ECCS injection function (single train success) and 0.991 in successfully supporting the heat removal function (two train success criterion).

[illegible] RSW isolation valve at the discharge of each pump [illegible] automatically close on a high water level ([illegible] meter) in the control building RSW/RCW rooms. In addition, anti-siphon [illegible] to ensure that RSW flow will stop when the RSW pumps are tripped and the isolation valves remain open. The reliability assumptions for RSW system components are contained in 19R.6.5.

19.10.2 Reactor Service Water (RSW) System and Safety-Related Ultimate Heat Sink (UHS) Insights

The design features and capabilities of the RSW System and UHS contribute to the reliability of decay heat removal and ECCS injection. If a transient is initiated by an internal event or a seismic event while the plant is at power, loss of heat removal is one potential threat which must be considered.

While the plant is shutdown and the containment is open, shutdown cooling and/or fuel pool cooling provides decay heat removal. Insights from the shutdown risk study in Appendix 19Q indicate that there are multiple means of removing decay heat during shutdown. Even if all decay heat removal systems fail, the core can be kept covered by injecting water into the reactor vessel using any of several systems and allowing the water in the RPV to boil. Appendix 19Q provides guidelines on what systems may be maintained during shutdown while still maintaining an acceptably low risk due to loss of the operating decay heat removal system.

The configuration and capabilities of the RSW System and UHS also contribute to the reliability of emergency core cooling system performance by removing heat from the Reactor Building Cooling Water (RCW) System as described in the preceding section. In the event of an RSW line leak in the control building RSW/RCW room, floor water level detectors alert the operator, trip the RSW pumps and close the isolation valves in the affected division. Insights from the flooding probabilistic risk assessment indicate that either the pump trip or isolation valve closure features (either automatically or due to operator action) must be successful in terminating the flood in order to reduce the risk from control building flooding. For pump tripping alone to result in termination of the flood, anti-siphon valve(s) should be included in the RSW system design.

The design of the RSW pump house must ensure that no more than one division of RSW will be affected by a break in a RSW line.

19.10.3 Power Cycle Heat Sink Assumptions

These assumptions are noted in Table 19D.4-2. They relate to the ability to recover the heat sink given that it has been lost.

19.10.4 Power Cycle Heat Sink Insights

The circulating water pumps are tripped in the event of a turbine building flood. This trip is expected to be sufficiently reliable to assure a negligibly small addition to the inadvertent plant trip frequency. Beyond this observation, no special attention to the power cycle heat sink is needed from a PRA perspective.

19.10.5 Offsite Power Assumptions

These assumptions are noted in Subsection 19D.3.1.2.4. A value of 0.1 loss of offsite power events per year was assumed, representing a 90% confidence value. Credit is also taken for offsite power recovery and diesel generator recovery, based on operating experience. Most of these assumptions are more reflective of the offsite power grid than equipment at the plant. However, Subsection 8.2.3, paragraph (4) is an interface requirement to analyze the site specific incoming power line configuration relative to the PRA assumption. Switchyard equipment inspections are included in the PRA input to the reliability assurance program (Appendix 19K).

19.10.6 Offsite Power Insights

The ABWR has three separate safety-grade divisions of ECCS including one division with an RCIC which does not require AC power. The ABWR also has a combustion turbine generator that can supply AC power to the ECC systems in the event of a loss of offsite power and failure of all three diesel generators. Finally, the AC-independent water addition system can be used to maintain core cooling. Therefore, the results of the internal event and seismic event evaluations are not particularly sensitive to assumptions about offsite power.

19.10.7 Fire Truck Assumption

The fire truck provides a backup water source for the AC-independent water addition system. As noted in Subsection [illegible], overall reliability for fire water injection was taken as [illegible] for transients. This reliability is controlled by operator error rather than equipment availability. It is judged that the following reliability targets (availability on demand), if satisfied, will support the injection function assumed in the PRA:

fire truck: 0.9

diesel driven fire water pump: 0.9

These values should be achieved if the actions noted in the PRA input to reliability assurance (Appendix 19K) are included in the reliability assurance program.

19.10.8 Fire Truck Insights

The AC-independent water addition system was added to the original ABWR design to provide a diverse and seismically rugged means of adding water to the reactor vessel and spraying the drywell. Because of its importance, it is included in the PRA input to the reliability assurance program (Appendix 19K), and its use should be included in the applicant's training program. The latter is included as an action item in Section [illegible].

19.11 Human Action Overview

Several functions, previously performed manually, were automated to reduce the dependence on human actions. In addition, other studies were performed to provide an improved understanding of human actions in the PRA.

Sensitivity studies of the core damage frequency resulting from the level 1 analysis were conducted (Section 19D.7). From this study, four human actions after accident initiation were found to be the most important. They are actions taken to provide water injection to the reactor vessel if the several automatic injection features fail to accomplish this function.

In addition, the PRA was reviewed to compile a list of human actions which were assumed in other parts of the analysis (Section 19D.7). From this list and the above mentioned sensitivity studies, actions were identified which should be given consideration as being "CRITICAL TASKS" as defined by the human factors evaluation Design Acceptance Criteria, as noted in Section 18E.2. These human factors are listed and discussed in Section 19D.7.

The human actions lists were also reviewed to ensure consistency with the ABWR emergency procedure guidelines (Appendix 18A). This review is documented in Appendix 18F. Some of the actions are not appropriate for inclusion in the symptom based emergency procedure guidelines. These are included in the COL applicant action item list in Section 19 COL License Information.


19.12 Input to the Reliability Assurance Program

The major results of the PRA were reviewed to determine the reliability and maintenance actions that should be considered by the COL applicant throughout the life of the plant. This review is documented in Appendix 19K.

The Level 1 analysis results were reviewed by examining two importance measures ("Fussell-Vesely" and "Risk Achievement Worth"). Individual systems and components were identified as being most important (Table 19K-1).

The balance of the PRA was reviewed (Sections 19K.4 through 19K.10) to determine other important features not addressed in the Level 1 analysis.

The most important features thus identified were finally reviewed to determine appropriate maintenance and surveillance actions (Section 19K.11).


19.13 Summary of Insights Gained from the PRA

The PRA was conducted with several objectives in mind:

(1) To ensure that the PRA-related goals in the ABWR Licensing Review Bases established in 1987 were satisfied.

(2) To review and improve the design capability for potential weaknesses or relative vulnerabilities, notwithstanding the achievement of the Licensing Review Bases goals.

(3) To identify the most important aspects of the design and its operation so that particular attention can be placed on these aspects during certification, detailed design and plant operation.

(4) To provide additional basic studies which were not anticipated when the Licensing Review Bases was established.

(5) To provide uncertainty/sensitivity studies of key results.

The objectives were achieved as noted in the following subsections.

19.13.1 Licensing Review Bases Goals

These goals were established to ensure that an appropriate balance between accident prevention and accident mitigation is achieved by ABWR. The goals (Table 19.6-1 provides a summary) focus on prevention (core damage frequency less than [illegible] per year), mitigation (avoiding containment failure from several potential threats) and offsite consequences (as measured by offsite doses, consequences, conditional containment failure probability, and the Safety Goal Policy Statement).

Measurement against these goals and the features which are important in achieving the goals are discussed in detail in Section 19.6. The goals are satisfied, indicating a very robust design with an excellent balance between accident prevention and mitigation features.

19.13.2 The Search for Vulnerabilities

As noted in detail in Section 19.7, the PRA process was used extensively to improve the design, even though it could be argued that satisfying the goals of Section 19.6 was sufficient. Improvements were made in many areas, including for example: the automation of several accident prevention functions, the addition of a combustion turbine generator to improve power supply diversity, the addition of an AC-independent water addition system to improve accident prevention and mitigation, and the addition of two passive accident mitigation features (the lower drywell flooder and the containment overpressure protection system) which substantially address uncertainties associated with severe accident progression. Procedural improvements were also identified. Many other examples are cited in Section 19.7 to illustrate the manner in which PRA techniques were used throughout the design process to improve the design.

19.13.3 The Most Important Aspects of the Design

The ABWR design and its operation was reviewed to determine the features and operator actions which are most important from a PRA perspective. Applying additional focus in these aspects can provide confidence that ABWR operation will be as accident resistant as characterized by the PRA.

The potential for human error was reviewed extensively (Section 19.11) to ensure that "CRITICAL TASKS" were identified for the human factors Design Acceptance Criteria and to ensure that human actions are covered by the emergency procedures guidelines or other, more specific procedures.

The PRA results were reviewed to determine which surveillance and maintenance activities are most important with respect to assuring that PRA assumptions will be valid throughout plant life (Section 19.12).

19.13.4 Additional Studies

Several additional studies which were not anticipated in the original Licensing Review Bases were conducted to further review the robustness of the ABWR design.

The potential for internal fires to lead to core damage is studied in Appendix 19M. The basic ABWR features of separating the three safety divisions into individual fire zones and the ability to control key systems from outside the control room are the major reasons that very low core damage frequencies are calculated.

Internal flooding is investigated in detail from both a deterministic and probabilistic perspective in Appendix 19R. Divisional and building separation along with other key flooding mitigation features are identified which lead to the conclusion that there is a very small threat posed by internal flooding. General guidelines for addressing the potential for severe external flooding are provided in Section 9.9.3.

A seismic analysis (Appendix 19I) was conducted to assess the potential for seismic events beyond the design basis to lead to core damage. It was determined that there is high confidence in a low failure probability, even at ground accelerations approximately two times the plant seismic design basis. Key components and their seismic capacities are identified so that the COL applicant can review the design capability against those assumed in this margins analysis.

An assessment of the potential for core damage to result from ABWR operations while shutdown is documented in Appendix 19Q. Potential precursor events are reviewed for their applicability to ABWR and several ABWR features are noted which reduce the risk from activities conducted while shutdown. A decay heat removal reliability study is conducted to provide input to the COL applicant as to which complements of decay heat removal and water addition systems could be kept available while shutdown to reduce the risk of core damage resulting from the loss of an operating RHR system.

19.13.5 Uncertainty and Sensitivity Studies

Following quantification of the level 1 PRA, a data uncertainty study was performed (Section 19D.10). The level 1 results show a mean core damage frequency of about 1.5E-7 events per year. Thus the effect of data uncertainty is relatively minor. The most important contribution to the uncertainty is RCIC maintenance activity. This activity is addressed in the PRA input to reliability assurance (Appendix 19K).

A comparison of the level 1 quantified results to those for Grand Gulf was also developed to document the major reasons for reductions in the frequency of the various accident classes (Section 19D.11). The sensitivity of the results to equipment outage times and surveillance intervals was also considered (Section 19D.9). The contribution of human errors was compared to the contribution from an operating plant and found to be substantially lower.

Uncertainties associated with severe accident progression were examined in detail through the use of containment event trees supplemented by decomposition event trees. The latter were used to study the potential for different outcomes of various severe accident events. The results show that the ABWR design is very robust. Analysis of phenomena such as direct containment heating were performed which indicate that the probability of occurrence with significant magnitude to fail the containment is very small. The design is not sensitive to assumptions affecting debris coolability due to [illegible] pedestal design. The studies also demonstrated that the features of the ABWR design substantially reduced the uncertainty associated with many severe accident phenomena. In many areas, these studies were conducted in greater depth than studies with similar objectives reported in NUREG-1150 and its supporting documents. In addition, the basis for the judgments made is described in detail.

19.13.6 Systems and Effects Not Modeled in the PRA

19.13.6.1 Equipment Aging

Aging or other deterioration of cables, pipes, walls and structures is not directly addressed in the analysis or in the RAP. It is expected that routine maintenance and inspection of equipment for in-service inspection requirements and plant walkdowns will identify deterioration of cables, pipes, walls and support structures to the extent that such deterioration would reduce the safety of the plant. It is assumed that detection of any deterioration of this equipment will lead to prompt corrective action to return the equipment to its as-designed condition.

19.13.6.2 Plant Control System and Control Room

The plant control system and control room are not directly modeled in the PRA, although the RPS and other risk significant systems are modeled. The control system impact on safety will be primarily through the potential to cause transients as initiating events. The ABWR control system is expected to be more reliable than control systems of operating BWRs, because of additional redundancy and frequent self-checking of control circuits and components. Therefore, it should not be a significant contributor to plant transients.

The control room is being designed with human factors considerations, so the ability of operators to take proper corrective action in abnormal situations will be greater than that in operating plants. The analyses have considered conservative values for operator actions, so the enhanced control room design is not expected to negatively impact plant safety and does not have to be explicitly modeled in the PRA.

19.13.6.3 Equipment Lubrication Systems

Equipment lubrication by active subsystems, including lube oil pumps, has been reviewed with regard to the possibility that several different loops or divisions of safety related equipment could be simultaneously disabled by a single failure. The lube oil pumps within a given division of a safety related system, such as in the RHR system, are powered by the same electrical division that powers the pumps. Thus, loss of one electrical division would only disable one division of the RHR system or another multi-division system. It is judged that detailed modeling of lubrication systems is not necessary, since the failure rate for a given equipment item includes the failure of its lubricating system.
