ML20046A495

Forwards Comments Identifying Items Which Need to Be Addressed in Aug SSAR Amend & Documents Generated by PRA Task Force
ML20046A495
Person / Time
Site: 05200001
Issue date: 07/26/1993
From: Poslusny C
NRC
To: Fox J
GENERAL ELECTRIC CO.
References
NUDOCS 9307280196


Text

Docket 52-001

July 26, 1993

NOTE TO: Jack Fox

FROM: Chet Poslusny

I am providing two enclosures which I have received from the staff. is a set of comments from Plant Systems Branch which identifies items which need to be addressed in the August SSAR amendment. I think we will need to discuss them in a phone call. is a set of documents which were generated by a PRA task force. These will be useful in the ITAAC meeting being held this week and also include information related to the August amendment.


GENERAL COMMENT

1. There are no drawings in the SSAR or the ITAAC which clearly delineate the boundary between the two parts of the reactor building (secondary containment and the RB outside secondary containment). The Chapter 1 drawings, the fire drawings, and the Reactor Building ITAAC drawings should be modified to clearly identify this boundary.

6.2.1 - PRIMARY CONTAINMENT

1. GE needs to address the ABWR's compliance with Generic Letter 83-08, "Modification of Vacuum Breakers on Mark I Containments" (NEW)

9.1.3 - FUEL POOL COOLING

1. The FPC heat exchangers should not be listed under "ESSENTIAL" in Tables 9.2-4a and b. They should be listed under "NON-ESSENTIAL." (NEW)

9.1.5 - OVERHEAD HEAVY LOAD HANDLING

1. In an earlier phone call, we specifically discussed how handling heavy loads in the MST would not take out more than 1 division such that safety functions would be prevented. GE explained that a dropped load could take out both MSIVs in the MST but the redundant inboard MSIVs would provide adequate isolation capability. However, a dropped heavy load could take out both trains of feedwater thereby nullifying its ability to get water to the reactor (PRA insight). How does the design prevent this? (NEW)

2. Also, as it relates to SSAR Subsection 9.1.5.2.2.4, we didn't discuss how dropped heavy loads are prevented from damaging more than 1 division of a safety-related system on the refueling floor and in containment. (NEW)

3. Clarify that loads in radwaste and turbine buildings will not carry loads over safety-related equipment (NEW).

4. Does the wording in 9.1.5.2.2.4 apply to the SGTS? (NEW)

5. Once again, GE has undone an earlier correction. In Amendment 21, GE correctly modified F5 of Table 3.2-1 to refer to the refueling platform. This closed Open Item 9.1.5-3. However, in Amendment 27, the old, incorrect nomenclature (refueling machine) was put back in the table. As you recall, a similar incident happened with the reference to a proprietary missile generation study. These kinds of mistakes result in more work for the staff (since we can't assume that once a correction is made, it will not be undone) and GE, and results in unnecessary delay in completing our review. PLEASE BE MORE CAREFUL AND IMPLEMENT SOME TYPE OF QA ON THE SSAR!!!!!!! (NEW)

9.2.4 - POTABLE AND SANITARY WATER

1. The system should not be completely out of scope. Those portions within certified buildings should be in-scope while the remainder is out-of-scope (NEW).

9.2.5 - ULTIMATE HEAT SINK (NEW)

1. The SSAR must be modified to specifically address provisions for inspection of the system. This is not discussed in Subsection 9.2.5.1 or 9.2.5.10.

2. The SSAR must address the issue of isolating parts of the system such that the safety functions are not interrupted.

9.2.11 - REACTOR BUILDING COOLING WATER

1. A number of comments were provided to GE following the review of the ITAAC. They are listed below: (NEW)

a. 9.2.11.1.1 (1) is unclear. What is the heat removal capacity based on, the LOCA or shutdown at 4 hours? Also, the 20% margin for the heat exchangers should be discussed.

b. Text is missing between p. 9.2-3.1 and p. 9.2-4.

c. Provide discussion clarifying that nonsafety-related heat loads can be switched between divisions as long as it doesn't impact the division's heat removal capability.

d. Identify on Table 9.2-4 which RIP coolers are cooled on each division.

e. Identify CAM cooler (not just the CAM room cooler) and the HWH hot water heat exchanger in Table 9.2-4.

f. Discuss system response to a low surge tank standpipe level, including the response to combinations of low standpipe level and LOCA signals. 6/2/93 fax provides markups addressing this. They look good.

g. In the nonsafety-related portion of the system, there are 2 system cross-connections. These should be discussed.

h. Show RIP MG sets on ITAAC figure 2.11.3B.

i. Delete Note 4 from SSAR Table 9.2-4C

j. Table 9.2-4b doesn't identify rack coolers

k. Why are division A, B, and C RHR heat exchanger outlet sampling racks on one RCW division (div. B)? See Fig. 9.2-1, sheet 6.

l. What does "HSCR" stand for and why are both divisions of this on one RCW division (Fig. 9.2-1, sheet 9)?

m. What does "FDW" stand for (Fig. 9.2-1, sheet 9)?

n. Table 9.2-4c refers to EDG and RHR htx division B instead of C. 6/2/93 fax provides markups correcting this.

o. From Tables 9.2-4, it appears that the CUW htx doesn't transfer heat to the RCW system at shutdown conditions even though there is flow through the heat exchanger. Is this true?

p. Are the isolation valves that close on a low surge tank level (F074 and F082) powered from different electrical divisions?

q. Discuss in the SSAR the system response to a LOCA (should match ITAAC discussion).

r. Clarify that surge tank is shared by HECW and identify makeup water sources (MUWP and SPCU).

s. Identify how pneumatic valves fail on loss of power and loss of fluid.

t. Provide in Tier 2 the test and analysis method to be used to verify heat removal for ITAAC.

2. SSAR Tables 9.2-4 show the FCS room coolers being cooled by all 3 divisions of RCW even though there are only 2 divisions of FCS. According to the ITAAC tables for RCW, the RCS room coolers are cooled by RCW divisions B and C. I suspect that the ITAAC is correct. If so, SSAR Table 9.2-4a should be corrected. (NEW)

9.2.15 - REACTOR SERVICE WATER

1. Where will the response of the system to a high level in the control building be discussed? (NEW)

9.3.1 - COMPRESSED AIR SYSTEMS

1. Are the safety-related divisions of the HPIN system located in separate rooms? If so, at what level of the RB are these rooms located? (NEW)

2. In a conference call on 5/20/92, GE stated that soft valve seats are not required for the HPIN check valves as called for in IE Bulletin 80-01. We have not yet received this justification. (NEW)

3. What leak tests are performed on the ADS accumulator systems to ensure that a minimum capacity is available for minimum ADS valve actuations and duration? (NEW)

4. How are the ADS accumulators protected from failure during a seismic event. (NEW)

9.3.3 - EQUIPMENT AND FLOOR DRAINAGE SYSTEM

1. Clarify that the drain can withstand the effects associated with a pipe of components failure in the building compartments (NEW)

9.3.8 - RADIOACTIVE DRAIN TRANSFER

1. Include words in the SSAR stating that system can withstand pressures associated with subcompartment pressurization. (NEW)

9.4.5 - REACTOR BUILDING HVAC

1. Include statement that system can withstand pressures associated with pipe failures, fire, and smoke. Discuss damper setup. (NEW)

10.4.7 - CONDENSATE AND FEEDWATER

1. The DFSER mentioned a submittal made on 2/28/90 regarding feedwater flow control. This information needs to be in the SSAR. (NEW)

2. G1. 6 of amendment 27 has been deleted. Why? (NEW)


This package includes the following:

1. Important insights and assumptions in the ABWR PRA

   o Major insights and assumptions in the FSER. Current staff efforts may result in additional insights.

   o Judgement was exercised in assigning ITAACs that are related to these insights.

   o GE insights (submitted to the staff as important features identified by the ABWR PRA) constitute a subset of the staff insights.

2. Severe accident related ITAACs by SCSB/DSSA

3. List of major submittals to SPSB that are not incorporated in the SSAR

4. SPSB comments on

   a. GE submitted Road Map

   b. GE submitted: Important Features Identified by the ABWR PRA 6/2/93, Important Features Identified by the ABWR PRA 6/23/93, Insights from the ABWR Severe Accident Analysis 6/4/93

5. Comments from PRA/HRA (communicated to GE 7/15/93)

IMPORTANT INSIGHTS AND ASSUMPTIONS IN THE ABWR PRA

July 23, 1993

Plant-Wide Insights

1) The COL Applicant is to perform a seismic walkdown following the procedures of EPRI NP-6041, revision 1 to insure that the as-built plant matches the assumptions in the ABWR PRA-based seismic margins analysis and to assure that spatial systems interactions do not exist. Flooding interactions were evaluated in the internal flooding analysis in the ABWR PRA.

2) The integrity of divisions is a very important assumption in the ABWR PRA. The PRA assumes that no high pressure or high temperature piping lines penetrate walls or floors separating two different safety divisions. Piping penetrations are qualified to the same differential pressure requirements as the walls or floors they penetrate. [ITAAC 3.3 Piping DAC]

3) To prevent inadvertent spray or dripping from failing equipment, electric motors are all of drip proof design and motor control centers have NEMA Type 4 enclosures.

4) The fire analysis assumes that the routing of piping or cable trays during the detailed design phase will conform with the fire area divisional assignments documented in the fire hazard analysis.

5) Subsection 9A.5.5 under "Special Cases - Fire Separation for Divisional Electrical Systems" lists the only areas of the plant where there is equipment from more than one safety division in a fire or flood area. These should be the only areas where multiple divisions share the same fire/flood area.

Combustion Turbine Generator [ITAAC 2.12.11 Combustion Turbine Generator, ITAAC 2.12.13 EDG]

The combustion turbine generator (CTG), in conjunction with the ac-independent water addition (ACIWA) system, has significantly reduced the estimated frequency of core damage from station blackouts (the dominant contributor to core damage in most BWR PRAs).

In the ABWR SSAR, GE indicated that each of the emergency diesel generators (EDGs) and the CTG can be used to power any of the loads identified in the PRA success criteria by manually closing selected breakers. Even if offsite power is lost, the four onsite power sources can be used to power any safety or non-safety bus. This provides significant flexibility which helps reduce the risk from station blackout and selected bus power losses. Procedures must be prepared by the COL applicant to direct this manual transfer of an EDG to a non-safety bus.

An important assumption about the CTG is that no support systems are needed to start or run the CTG. The CTG starts automatically and safety grade loads are to be added manually.

The ABWR PRA assumes that maintenance on the CTG will only be performed when the plant is at power. This is based on GE's expectation that the CTG will need to be used during shutdown operations as a backup to the EDGs.

AC-Independent Water Addition System [ITAAC 2.4.1]

This system is one of the single most important systems in the ABWR from the point of view of prevention and mitigation of severe accidents, since the accidents that have traditionally been identified in BWR PRAs as being the most challenging are station blackout and transients with failure of various ECCS or cooling systems. This system also provides benefits for fires, internal floods, shutdown events, seismic events, and events where containment cooling is lost. It can provide water (as vessel makeup or drywell spray) from a seismic category I diesel-driven pump, a non-seismic ac motor-driven pump, or a fire truck.

Use of the system as a backup source of water to the drywell sprays is perhaps the single-most important feature for reducing the consequences of severe accidents in the ABWR. In this role the system serves to: (1) reduce containment overpressure and delay the time to actuation of COPS, (2) eliminate the potential for drywell overtemperature failure in those events in which debris may be dispersed to the upper drywell, and (3) mitigate the consequences of suppression pool bypass by condensing steam produced in the drywell.

The following are critical aspects of the system, as represented in the PRA:

1. two fire protection pumps -- one seismic category I diesel-driven pump (i.e., ac-independent), one non-seismic motor-driven pump,

2. connection provided outside of reactor building, which allows a firetruck to be used as a backup to the fire protection pumps

3. system piping and valves configured to allow fire protection water to be used for either vessel makeup or drywell spray, but not both simultaneously

4. all valves and controls needed for system operation can be accessed and manually operated in a straight-forward manner and can be operated successfully (including the environment the operator will be in) following an earthquake, internal flood, fire, or internal event.

5. check valves provided to prevent backflow from the reactor coolant system

6. orifices installed in the associated piping to restrict the injection rates to the vessel and drywell sprays.

7. seismic Category I water supply independent of the suppression pool and the condensate storage tank.

RCIC [ITAAC 2.4.4]

RCIC is ac-independent and provides reliable high pressure injection. This makes RCIC particularly important in preventing station blackout from leading to core damage. In addition RCIC is very important for mitigation of control room fires or other emergencies that require the evacuation of the control room. The following capabilities are important for RCIC:

1. RCIC needs to be able to operate for 8 hours following a station blackout (using steam and dc power) and the batteries at the end of 8 hours need to have sufficient power in them to allow for RCS depressurization by the ADS. RCIC pump and turbine are assumed in the PRA to be able to operate for at least eight hours without room coolers.

2. For control room fires, the capability for local operation of RCIC outside the control room is very important.

3. Sensitivity studies that increased SSC unavailabilities showed that an increase in RCIC unavailability would cause the greatest increase in estimated core damage frequency of any SSC. RCIC also was found to be the most sensitive system to increased outage time assumptions.

4. The suppression pool temperature up to which RCIC can operate is important for Class II sequences. The ABWR PRA assumes that RCIC can operate up to a suppression pool temperature of 170 °F.

Reactor Building [ITAAC 2.15.10]

A flood in the reactor building could fail ECCS equipment and other important equipment. The following are assumptions in the ABWR internal flooding analysis that limit the chances and increase the mitigation capabilities of the ABWR design:

1. The volume of the reactor building corridor on level B3F that surrounds the three ECCS divisions is sufficiently large to handle the biggest breaks that can occur (including water from both the CST and the suppression pool).

2. Suppression pool flooding in an ECCS room will reach equilibrium level below the ceiling of the ECCS room in which the flood occurred.

3. Floor drains direct potential flood waters to rooms where sumps and sump pumps are located. The drain system is sized to withstand the maximum flood rate from a break in the fire water system. Sizing of the drain system is to include provisions for plugging of some drains by debris.

4. Non-divisional drains will drain to the non-divisional sumps on appropriate floors.

5. Floor B1F of the reactor building has overfill lines on the non-divisional sumps outside secondary containment. If the sump pumps fail or the flow rate exceeds the sump pump capacity, the lines will direct water to the non-divisional corridor of the first floor (B3F) inside secondary containment.

6. A water seal is provided to maintain secondary containment integrity.

7. The ABWR PRA flooding analysis assumes that on the B3F level, all wall and ceiling penetrations are above the maximum water level of all potential floods. Doors communicating from the ECCS pump rooms to the corridor on the B3F level are water tight doors.

8. If a flood were to occur during shutdown, some of the ECCS rooms may be open for maintenance. ABWR procedures specify that one safety division will be maintained intact at all times during shutdown.

Similarly, a fire in the reactor building could damage important equipment. The smoke control system in secondary containment is important in helping to prevent the migration of smoke and hot gas layers from a faulted division to another. This is accomplished by pressurizing the surrounding areas so that the smoke will be contained. This capability and its adequacy should be confirmed.

Turbine Building [ITAAC 2.15.11]

Floods in the Turbine Building can propagate to other buildings that have safety related equipment in them. The following design features help to prevent the propagation of such floods:

1. Floor drains direct potential flood waters to rooms where sumps and sump pumps are located. The drain system is sized to withstand the maximum flood rate from a break in the fire water system. Sizing of the drain system is to include provisions for plugging of some drains by debris.

2. Non-divisional drains will drain to the non-divisional sumps on appropriate floors.

Control Building [ITAAC 2.15.12]

Flooding in the control room can lead to core damage. The following design features are important in preventing flooding in the control building:

1. The ABWR internal flooding analysis assumes that flooding of the control building from the UHS cannot be maintained by gravity alone. To limit the consequences of a RSW line break, the RSW system will be designed so that the UHS cannot drain into the Control Building by gravity.

2. To limit the consequences of a RSW line break, there is a maximum of 4000 meters of pipe (2000 each for supply and return) between the UHS and the RCW/RSW room, which can be discharged to the RCW/RSW room following RSW pump trip.

3. Floor drains direct potential flood waters to rooms where sumps and sump pumps are located. The drain system is sized to withstand the maximum flood rate from a break in the fire water system. Sizing of the drain system is to include provisions for plugging of some drains by debris.

4. Non-divisional drains will drain to the non-divisional sumps on appropriate floors.

Service Water Pump House [ITAAC 2.15.14, ITAAC 2.4.5]

Previous PRAs and reliability studies have shown that loss of service water can be an important contributor to core damage. The service water pump house, which is outside the ABWR certification scope, is a building that must be designed to remove the following concerns:

1. Prevent fires or internal floods from impairing multiple safety trains.

2. Prevent common cause failures such as intake blockage from debris from affecting multiple trains.

Circulating Water System [ITAAC 2.10.23]

Flooding from the circulating water system (an unlimited water supply) can lead to flooding of other buildings that do contain safety related equipment. The following design features help reduce the chances that the circulating water system break will cause core damage:

1. The circulating water system (CWS) has three pumps and each pump has an associated motor operated isolation valve. To limit the consequences of a circulating water system break in the Turbine Building, for cases where the heat sink is at an elevation higher than grade level of the turbine building, an additional isolation valve is installed in each line.

2. Internal floods are prevented/mitigated in part by automatic actions and operator actions. To prevent flooding of areas surrounding the condenser pit, there are to be water level sensors to alarm to the control room if the water level gets too high in the pit. Diverse sensors will trip the circulating water and turbine service water pumps and close isolation valves in both systems if the water reaches a higher level.

Reactor Service Water System [ITAAC 2.11.9]

A break in the Reactor Service Water (RSW) System can cause a flood in the Control Building that could lead to core damage. For this reason, an anti-siphon valve is installed in the RSW lines to prevent uncontrolled flooding of the Control Building should the RSW isolation valves fail to close on a RSW pipe break.

Reactor Water Cleanup System [ITAAC 2.6.1]

The Reactor Water Cleanup (CUW) System provides some benefit in the ABWR PRA by removing decay heat at high pressure. It would only be used in this mode if the containment cooling mode of the RHR system was disabled. The isolation valves in the RWCU system must be capable of isolating against a differential pressure equal to the operating pressure of the reactor coolant system in the event that there is a LOCA in the RWCU. The reliability of these isolation valves should match the reliability assumed in the ABWR PRA. Only temperature sensitive equipment should isolate on high water temperature.

Ultimate Heat Sink [ITAAC 4.1, ITAAC 2.11.8]

The ABWR PRA assumed that the service water system and the ultimate heat sink would work well in tandem to deliver adequate cooling to needed equipment. There was no detailed examination of these systems in the PRA since they are not in the Certification scope. The ultimate heat sink and the Service Water Pump house should be designed in such a manner so that common cause failure of service water is extremely low. A site-specific PRA must be developed by the COL applicant to show that there are no vulnerabilities (e.g., due to debris clogging of the intake, internal or external fires, external or internal floods) in the ultimate heat sink and the Service Water Pump House.

Remote Shutdown Panel [ITAAC 2.2.6]

1) The ABWR PRA fire analysis found that use of the remote shutdown panel is very important in mitigating fires in the control room. The design of the remote shutdown panel was enhanced by GE adding controls for a fourth SRV (three needed to depressurize, plus one for a single failure).

2) The ABWR decay heat removal reliability study found that operator actions making use of the remote shutdown panel were important during modes 3, 4, and 5.

Residual Heat Removal System [ITAAC 2.4.1]

The Residual Heat Removal (RHR) system is very important for the removal of decay heat during normal shutdown and in its ECCS function as low pressure core flooder. The following design features and assumptions are important for assuring the RHR system is capable of removing decay heat in various modes and for various accident and transients:

1. An important failure mode for beyond design bases earthquakes is the failure of the RHR heat exchanger in such a manner as to drain the suppression pool. This would potentially lead to core damage and would allow releases to enter the atmosphere unscrubbed. In the ABWR PRA-based seismic margins analysis, the RHR heat exchanger is assumed to have a HCLPF of 0.7g.

2. In modes 3, 4, and 5, the permissives and inhibits associated with the RHR Mode switch ensure that valve line ups are correct for all RHR functions, thereby preventing inadvertent diversion of water from the RPV.

3. The ABWR PRA and the DHR reliability study have shown that it is important for the RHR not to fail as an intersystem LOCA. The RHR system is designed to be able to withstand a short period of experiencing normal reactor system pressures without the piping reaching its ultimate capacity. The DHR reliability study indicated that RHR valve interlocks are important in preventing low pressure RHR piping from being inadvertently connected to systems at high pressure.

4. The ABWR DHR reliability study determined a number of configurations of equipment for modes 3, 4, and 5 such that the estimated core damage frequency from decay heat removal failure conservatively was less than 1 in a million per year. An important assumption in this study was that the three RHR trains would be configured as follows during modes 3, 4, and 5: One loop would be isolated, in standby, and operable with no equipment in maintenance; a second loop would be the operating decay heat removal loop; the third loop would be in maintenance.

5. Shutdown cooling piping connects to a nozzle in the RPV at an elevation that is above the top of the active fuel. This reduces the chances of uncovering the core by vessel drain down.

6. When in the shutdown cooling mode, some operating plants have experienced loss of decay heat removal on loss of power to logic circuits. For the ABWR design, the RHR system does not isolate on loss of logic power.

High Pressure Core Flood System [ITAAC 2.4.2]

One of the HPCF pumps can be operated independently of the essential multiplexing system. This feature is an important factor in reducing the chances of the plant going to core damage since this design should reduce the chance of a common cause failure disabling all ECCS pumps.

Three ECCS Trains [ITAAC 2.4.2, ITAAC 2.4.4]

The barrier between each of the three safety divisions in the ABWR is at a minimum a 3 hour fire barrier that also resists internal flood pressures. This design assumption significantly reduces the chance of an internal flood or fire propagating and causing core damage.

Piping Upgrades to Prevent ISLOCAs

In SECY 93-087 it was recommended that ALWR designers reduce the possibility of a loss of coolant accident outside of containment by designing all systems (to the extent practical) and subsystems connected to the reactor coolant system (RCS) to withstand full RCS pressure. Intersystem LOCAs are a concern because many releases associated with them are not contained, held up, or scrubbed, but rather are released directly to the environment. GE has modified the design of interfacing systems to the RCS to upgrade the piping to withstand full RCS pressure.

Lack of Recirculation Piping [ITAAC 2.1.3]

There are no large pipes (i.e., > 2 inches in diameter) that penetrate the ABWR vessel below the level of the core. This has virtually eliminated LOCAs as a severe accident concern for the ABWR.

Electrically Driven Control Rod Insertion

In many BWR PRAs, ATWS is a significant contributor to core damage frequency and risk. The diversity (electrically driven) of the fine motion control rod system is important in lowering the estimated core damage frequency for ATWS events for the ABWR.

Electrical Wiring Penetrations [ITAAC 2.12.10]

Wiring penetrations between divisions should be rated as three hour fire barriers and should be capable of preventing water/oil from an internal flood from migrating to another division.

DC Power Supply [ITAAC 2.12.12]

The ABWR PRA expects that loss of all dc power will lead to core damage. The ACIWA system is a low pressure system and ADS, which is needed for reactor depressurization, requires dc power to operate. The ABWR PRA assumes that failure of the batteries will not prevent the diesel generators from starting and loading, even in the event of an earthquake. The dc power supply should be well anchored and carefully designed to handle a design bases 0.3g earthquake.

The ABWR PRA-based seismic margins analysis assumed that the HCLPF of the dc power system (batteries and inverter) is 1.1g. If it is untrue that the EDGs can start and load without batteries, then the batteries are the only non-building SSC that could, by themselves, decrease the HCLPF of any accident sequence below 0.6g. This would occur if the HCLPF of the batteries were to fall below 0.6g.

The emergency batteries provide an important backup to the inverters for providing DC power. For this to be assured, the seismic failure modes of the inverters and their AC supply must not allow an electrical fault to be propagated to the DC busses. The reverse case is also true (the inverters provide backup should the batteries fail). For this to be assured, the diesels must be able to start and load without DC power from the batteries and the seismic failure modes of the batteries must not allow an electrical fault to be propagated to the DC busses.

Safety System Logic and Control

There are four divisions of self-tested safety system logic and control (SSLC) instrumentation (two-out-of-four logic). The ABWR PRA assumes that this will be a highly reliable configuration to actuate ESF core cooling and heat removal system as well as actuating the CRD scram system for defense against ATWS events. Assumptions about SSLC reliability and redundancy in the PRA substantially reduce the estimated core damage frequency. Off-line testing for faults not detected by the continuous self-test feature was judged to be important in the PRA analysis.

Fire Truck

The ACIWA makes use of a fire truck connection to provide water if the motor and diesel-driven pumps are unavailable. The PRA assumes the overall reliability of the fire truck is 0.99, even in seismic events. This would seem to imply that the fire truck would be onsite and housed in a building that would allow truck operation following a seismic event.

Reactor Pressure Vessel Isolation on Low Water Level

The ABWR shutdown reliability study indicated that the isolation of lines connected to the RPV on a low water level signal in modes 3, 4, and 5 prevents uncovering of the fuel for many potential RPV drain down events.

Suppression Pool Bypass

The suppression pool is an important containment feature for severe accident progression and fission product removal, since releases from the reactor vessel are either directly routed to the pool (e.g., transients with actuation of ADS) or pass through the pool via the drywell-wetwell connecting vents.

However, the suppression pool function can be compromised in the ABWR design in the following ways:

- a stuck open vacuum breaker, or excessive leakage of one or more vacuum breakers
- unisolated main steam line breaks
- rupture of the SRV discharge line(s) in the wetwell air space
- inadvertent opening and failure to close sample lines, drywell purge lines, and containment inerting lines
- unisolated LOCAs in the reactor water cleanup and RCIC systems

The following are critical to assuring a low risk from wetwell/drywell vacuum breaker bypass, as modelled in the PRA:

1. a low probability of vacuum breaker leakage (PRA assumes a leakage probability of 0.18 per demand on system)
2. a low probability that the vacuum breakers fail to close (PRA assumes a failure to close probability of about 0.0005 per demand per valve)
3. a high availability of drywell or wetwell sprays (and ACIWA as a backup) to condense steam which bypasses the suppression pool.
4. a position indication switch on each vacuum breaker valve that will indicate the valve to be open should the gap between the disk and seating surface exceed 0.9 cm. (A gap less than 0.9 cm is necessary to assure credit for aerosol plugging taken in the GE analysis.)
5. periodic confirmation by the operators that all vacuum breakers are closed. (This reduces the potential for suppression pool bypass by assuring that the plant is not operated with a stuck open vacuum breaker, and that pre-existing leakage paths will be limited to small flow areas.)
6. placement and shielding of the vacuum breakers such that pool swell associated with COPS actuation will not impact operation of the valves

The following are critical to assuring a low risk from unisolated main steam line breaks:

1. two air-operated, spring close, failed closed isolation valves in each line
2. automatic MSIV actuation by redundant solenoids through two-out-of-four logic
3. backup isolation capability from the turbine bypass valve

The following are critical to assuring a low risk from rupture of the SRV discharge lines, particularly in seismic events:

1. discharge lines are designed and fabricated to Quality Group C requirements
2. welds in the airspace region of the wetwell are non-destructively examined to the requirements of ASME Section III, Class 2
3. discharge lines are capable of accommodating seismic events at an acceleration level of 0.6g with a high confidence that there is a low probability of failure (HCLPF)

The following is critical to assuring a low risk from suppression pool bypass via the sample, drywell purge, and containment inerting lines:

1. lines will be locked closed during power operation, and under administrative control

The following are critical to assuring low risk from LOCAs outside containment:

1. redundant and seismically-qualified CUW system isolation valves, qualified to close under postulated break conditions
2. blowout panels in the RCIC and RWCU divisional areas which prevent overpressurization and impacts on equipment in adjacent areas and other divisions
3. reliable seating of redundant feedwater, SLC, and ECCS discharge check valves

Lower Drywell Design

The design of the ABWR lower drywell/reactor cavity is such that there is a low probability that the cavity will be flooded at the time of reactor vessel failure, but a high probability that the cavity will be flooded subsequent to vessel failure.

A dry cavity at the time of vessel failure reduces the potential for large ex-vessel steam explosions, whereas the subsequent flooding of the cavity helps minimize the impact of core concrete interactions.

The following ABWR design features are important to assuring a dry cavity at the time of vessel failure:

1. lack of any direct pathways by which water from the upper drywell (e.g., from drywell sprays) can drain to the lower drywell, other than by overflow of the suppression pool,
2. negligible probability of premature or spurious actuation of the passive flooder valves at temperatures less than 500 F or under differential pressures associated with reactor blowdown and pool hydrodynamic loads, and
3. a capability to accommodate approximately 4300 cubic meters of water in the suppression pool before the pool overflows into the lower drywell.

The following features are important to assuring reactor pedestal and containment integrity for beyond 24 hours following reactor vessel failure, and to rendering CCI-induced containment failure a relatively insignificant contributor to risk:

4. a 1.7m thick reactor pedestal capable of withstanding approximately 1.55m of erosion from CCI without loss of structural integrity,
5. the use of basaltic concrete in the floor of the lower drywell, which minimizes the production of non-condensible gases, and
6. a sump shield to prevent core debris from entering the lower drywell sump.
7. the lower drywell flooder system.

Note: The lower drywell flooder system in the ABWR provides a passive means of adding water to the lower drywell following reactor vessel breach. This water would cover the core debris, thereby enhancing debris coolability, cooling the drywell, and providing fission product scrubbing.

The passive flooder system is a backup to other means of lower drywell water addition in the ABWR, including: (1) continued water addition through the breached reactor vessel, (2) suppression pool overflow as a result of water addition from water sources outside containment, and (3) ingress of suppression pool water after the core debris has penetrated the wetwell-drywell connecting vents.

PRA-based sensitivity studies indicate that the incremental risk reduction offered by the passive flooder system is minimal. This is because of credit taken in the ABWR for continued water addition using the ACIWA mode of RHR.

Containment Ultimate Pressure Capacity

The ultimate pressure capacity of the ABWR containment is limited by the drywell head, whose failure mode is plastic yield of the torispherical dome.

Subsequent to the original SSAR submittal, GE increased the pressure capability of the drywell head from 100 psig to 134 psig, and increased the COPS setpoint from the original value of 80 psig to the final value of 90 psig. The strengthening of the drywell head increases the ability of the containment to withstand rapid pressurization events, such as direct containment heating, without loss of structural integrity, and provides additional margin between the COPS setpoint and the drywell failure pressure, thereby reducing the potential for drywell failure prior to COPS actuation.

Containment Overpressure Protection System (COPS)

[ITAAC 2.14.6]

COPS is part of the atmospheric control system in the ABWR, and consists of a pair of rupture disks installed in a 10-inch diameter line which connects the wetwell airspace to the stack. COPS provides for a scrubbed release path in the event that containment pressure cannot be maintained below the structural limit of the containment. Without this system, late containment overpressure failures would be expected to occur in the drywell, resulting in unscrubbed releases. COPS provides a significant benefit by reducing the source terms for late releases, and minimizing the potential for containment-failure-induced loss of core cooling (e.g., in Class II sequences). The following are important features of the system, as modelled in the PRA:

1. rupture disk actuation at 90 psig +/- 5%
2. minimum flow area (after actuation) equivalent to 8" diameter
3. piping (and disk) designed to flow steam at a rate equivalent to 2% reactor power, and accommodate peak pressure loads associated with system actuation
4. no normally-closed or automatic isolation valves in vent path
5. two normally-open, fail-open isolation valves in the vent path, manually operated from the control room, with key-lock switches
6. capability of related isolation valves to close against full vent pressure

Containment Inerting System

Because the ABWR containment will be inerted during power operation, hydrogen combustion is not considered to be an important containment challenge, and was not modelled in the PRA.

To assure the validity of this treatment, strict controls must be placed on the period of time that the reactor can be operated with the containment de-inerted.

Direct Containment Heating (DCH)

DCH is the only severe accident phenomenon that represents a significant challenge to containment integrity (5% probability of containment failure given reactor vessel failure at high pressure).

The impact of DCH is "controlled" in ABWR by reducing the frequency of high pressure reactor vessel failure using ADS (30% of vessel failures).

The following aspects of ADS should be assured by ITAAC and RAP:

1. reliability/availability consistent with Level 1 PRA assumptions
2. no dependency on ac-power
3. availability of sufficient DC power to actuate in a long term station blackout (following loss of RCIC due to battery depletion)

There are no specific ABWR containment design features to deal with DCH loads other than the general arrangement of the drywell and wetwell, and connecting vents, which provide for a series of 90-degree bends that debris must traverse in order to reach the upper drywell.

Important Human Actions

Human actions with high risk impact for the ABWR were identified based on the PRA and supporting analyses. Section 19D.7 of the SSAR includes a listing of these actions, classified into three categories corresponding to the COL-actions necessary to assure the validity of the PRA treatment of the action: (1) critical tasks, (2) maintenance items, and (3) COL procedures and planning.

1. The items identified as "critical tasks" in 19D.7, as well as actions to recover emergency diesels, have the greatest impact on core damage frequency and risk for the ABWR. Accordingly:

- these actions are to be addressed by the COL-applicant as part of the detailed design of human-system interfaces

- the following will be provided for each action:

1. clear unambiguous indication of conditions requiring the action
2. the operator must have the capability to perform the action in a straightforward manner
3. the operator must have clear written operating procedures regarding the actions to be taken
4. the operator must have thorough training in the conditions requiring the action.

2. The probability of miscalibrating single and multiple sensors was assigned very low values on the basis that the COL-applicant would incorporate a special procedure governing calibration activities. At a minimum, the COL-applicant's maintenance procedures for sensor calibration should require that whenever a sensor is found to be out-of-tolerance, before the sensor is recalibrated, the calibration instrument is first checked or an alternate instrument is used to confirm the condition.

3. For items identified as "COL Procedures and Planning" items, the COL-applicant is to develop procedures to assure that these actions can be effectively implemented.

Importance/Uncertainty Analyses

Examination of the top ten events contributing to uncertainties in the estimate of the ABWR core damage frequency (CDF) revealed that nine of these events were identified by importance analyses as leading contributors to CDF.

The highest contributor to uncertainties in the CDF as well as the CDF estimate was RCIC test and maintenance.

The remaining top contributors to uncertainties (and CDF) are listed in SSAR Table 19D.10-5.

These items constitute an important consideration in RAP.


s:\sevaccch\GEITAAC 7/21/93

Severe Accident Related ITAACs

ITAACS FROM SECY-90-016 / SECY-93-087 ISSUES (Responsible Branch)

Anticipated Transient Without Scram SRXB (Thomas)

- Provide diverse scram systems
  Hydraulic and electric run-in - ITAAC 2.2.2, 2.2.7, 2.2.8
  Automatic SLCS - ITAAC 2.2.4
  Recirculation pump trip - ITAAC 2.2.8

Station Blackout EELB (Thatcher), SPLB (Burton)

- Provide an alternate ac power source of diverse design capable of powering at least one complete set of normal shutdown loads
  Alternate ac combustion turbine - ITAAC 2.12.11, 2.12.13

Fire Protection SPLB (Holmes)

- Ensure that safe shutdown can be achieved assuming that all equipment in any one fire area will be rendered inoperable by fire and re-entry is not possible
  ITAAC 2.15.10, 2.15.12

- Provide independent alternative shutdown capability
  ITAAC 2.2.6

- Provide fire protection for redundant shutdown systems such that one shutdown division will be free of fire damage
  ITAAC 2.15.6,

- Ensure that smoke, hot gases, or the fire suppressant will not migrate into other fire areas to the extent that they could adversely affect safe shutdown capabilities
  ITAAC 2.15.5c, 2.15.6

Intersystem LOCA SRXB (Thomas)

- Design systems and subsystems connected to the RCS to withstand full RCS pressure
  ITAAC 2.4.1, 2.4.2, 2.4.4, 2.2.2, 2.2.4, 2.6.1

- Provide capability for leak testing of pressure isolation valves
  ITAAC ?

- Provide valve position indication
  ITAAC ?

- Provide high pressure alarms
  ITAAC ?

Hydrogen Control SCSB (Monninger)

- Accommodate 100% metal-water reaction
  No ITAAC needed

- Preclude uniform H2 Conc. from exceeding 10%.
  No ITAAC needed

- Provide containment-wide H2 control
  Inert containment - ITAAC 2.14.6 (revised) 1
  "The AC System provides an inert atmosphere within the primary containment during plant operation. This system prevents the combustion of hydrogen following a severe accident."

Core-Concrete Interaction SCSB (Monninger)

- Provide reactor cavity floor space to enhance debris spreading
  Lower Drywell Floor Area - ITAAC 2.14.1 (added) 2
  "To mitigate the consequences of an ex-vessel severe accident, the lower drywell floor space contains minimal floor obstructions therefore enhancing core debris spreading following an ex-vessel severe accident."

- Provide a means to flood the reactor cavity to assist in the cooling process
  Lower Drywell Flooder - ITAAC 2.14.1 (revised) 3
  "Flooder valves are located in this area to flood the lower drywell to assist in the cooling process of ex-vessel core debris."

  Firewater Addition System - ITAAC 2.4.1 (ok), 2.15.6 (revised)
  2.4.1 "Division C of the RHR System also functions in an AC independent water addition mode. This mode provides a means of injecting emergency makeup water to the reactor by cross connecting the Reactor Building Fire Protection (FP) System header to the RHR System just outside the containment. This makes it independent of the normal safety-related AC power distribution network. This mode is accomplished by opening two in-series valves on the cross-connection piping just upstream of the tie-in to the normal RHR piping. This is accomplished by local manual action at the valves. Fire Protection System water can be directed to either the RPV or the drywell spray sparger by local manual opening of the Division C RHR injection valve or the two Division C drywell spray valves."
  4 2.15.6 "A fire water supply connection to the Residual Heat Removal System piping is provided from the portion of the FPS used for Reactor and Control Buildings to provide an ac independent water addition system to the RHR system for reactor vessel injection or containment sprays for prevention and mitigation of severe accidents."

- Protect the containment liner and other structural members with concrete
  Sacrificial Concrete - ITAAC 2.14.1 (revised) 5
  "Corium protection fill is provided on the lower drywell floor to protect the containment liner and other structural members from core debris following an ex-vessel severe accident."

  Pedestal Thickness - ITAAC 2.14.1 (revised) 6
  "The pedestal is designed, such that corium induced ablation following an ex-vessel severe accident, will not result in structural failure."

  Sump Doghouse - ITAAC 2.14.1 (added) 7
  "The containment lower drywell sumps ensure that core debris collected within them following an ex-vessel severe accident do not lead to melt-through of the containment liner."

- Ensure that the environmental conditions resulting from CCI do not exceed Service Level C for approximately 24 hours
  Concrete reduces production gases - ITAAC 2.14.1 (added) 8
  "The corium protection fill limits the production of non-condensible gases due to corium induced ablation following an ex-vessel severe accident."

High-Pressure Core Melt Ejection SCSB (Monninger)

- Provide a reliable depressurization system
  Automatic Depressurization System - ITAAC 2.1.2 (revised) 9
  "(7) To provide a reliable depressurization system to prevent high pressure core melt ejection following an in-vessel core melt scenario."

- Provide cavity design features to decrease the amount of ejected core debris that reaches the upper containment
  Containment Design - ITAAC 2.14.1 (added) 10
  "The containment design provides an indirect path from the lower drywell to the upper drywell decreasing the amount of ejected core debris that would reach the upper drywell in a HPME scenario."

Containment Performance SCSB (Monninger)

- CCFP 0.1
  No ITAAC needed

- Deterministic Service Level C
  No ITAAC needed

ABWR Containment Vent Design SCSB

- Prevent overpressure failure
  COPS - ITAAC 2.14.6 (faxed to GE 6/28/93)

Equipment Survivability SCSB

- Features provided only for severe-accident mitigation need not be subject to the EQ, QA, and redundancy/diversity requirements

- Mitigation features must be designed to provide reasonable assurance that they will operate in the severe-accident environment for which they are intended and over the time span for which they are needed
  ITAACs needed
  Flooder Valves
  COPS
  ADS
  DW to WW vacuum breakers

OTHER SEVERE ACCIDENT RELATED ITAACS

Ex-Vessel Steam Explosion

- Provide a solid reactor vessel skirt
  ITAAC 2.14.1 (added) 11
  "The reactor vessel skirt is solid with no penetrations that would allow water to migrate from the upper drywell to the lower drywell to participate in an ex-vessel steam explosion."

Suppression Pool Bypass

- Provide limit switches on the vacuum breakers
  No ITAAC needed (enveloped by design bases)
  Design bases ITAAC needed

AREAS OF THE ABWR PRA (CHAPTER 19) NOT YET IN THE SSAR

July 23, 1993

- seismic margins analysis
- resolution of low pressure venting during severe accidents
- resolution of Class II sequences and the ability of the ECCS pumps to pump hot water for sequences where containment cooling has been lost.

Section 19D.7 of the SSAR, Human Error Prediction, is going to have significant revisions to Amendment 30.

This is based on 6/30/93 telecon between Palla and Fredericks (GE).

GE has yet to complete response to issues raised in March 11, 1993 RAI.

- detailed description of final design of ACIWA

- detailed description of final design of wetwell spray

- inconsistencies between EPGs and PRA beyond those documented in July 20, 1993 letter.


COMMENTS ON ABWR ROAD MAP AND GE'S LIST OF IMPORTANT FEATURES FOR THE ABWR

Road Maps (PRA Road Maps 5/21/93)

o Does not provide information on whether area is covered by RAP, Interface Item, COL Action Item, Technical Specifications, EOPs, administrative procedures, other SSAR sections, or where explicitly discussed in Section 19.

o Road map needs to be much more specific and detailed as to the characterization of aspects of each insight to be included in the ITAAC, RAP, etc. For example, concerning the EDGs on page 4, just stating EDGs is not sufficient. Should also note that the ability of the EDGs to start and load without batteries is assumed in the ABWR seismic margins analysis and is an important assumption. For fires the proper operation of the smoke control system in secondary containment and other important buildings should be tested by an ITAAC.

o Road map needs to differentiate between Tier 1 and Tier 2 material and to identify when material needs to be in Tier 2, but not in SSAR sections other than Section 19.

Important Features (Important Features Identified by the ABWR PRA 6/2/93, 6/23/93)

o GE has captured the most important safety insights, but not all that need to be captured. The individual features specified often need to be expanded for them to be useful for inclusion in Tier 1 or Tier 2. For example, on page 3 and 4 it states that "all needed valves can be accessed and operated manually" in the ACIWA system. It does not differentiate under which circumstances, such as internal floods, fires, LOCAs, transients, shutdown, etc., which of these valves will need to be accessed.

o The staff is in the process of systematically reviewing the SSAR Chapter 19 for additional important features that may have been missed by GE. The staff is expanding on the insights already ascertained.

Severe Accidents (Insights from the ABWR Severe Accident Analysis 6/4/93)

o The staff reviewed the submittal and found it to be acceptable, with a few minor comments which have already been provided to GE.

Comments from PRA/HRA Regarding Table 3.1 Human Factors Engineering

1. Modify the Tier 2 description to indicate that the HFE design team results shall incorporate advice from PRA/HRA experts, which will be available to the team, as necessary.

2. Add to the Allocation of Function Implementation Plan, "(d) risk significant human actions identified in the PRA." after "... allocation of functions to personnel, system elements, and personnel system combinations shall reflect:..."

3. Add to the Task Analysis Implementation Plan at the Tier 1 level, the Tier 2 words regarding that the identified "critical Tasks" shall include human actions which are identified through the PRA and PRA sensitivity analyses after "... the analysis shall be used to identify which tasks are critical to safety."

4. Add to HF Verification and Validation at the Tier 2 level, "that the final control room design has not introduced any human engineering deficiencies which would either significantly increase the error rates for human actions modelled in the PRA/HRA, or the potential for additional, risk-significant errors not modelled in the PRA/HRA."