ML20056D956
| ML20056D956 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 07/19/1993 |
| From: | Kenyon T Office of Nuclear Reactor Regulation |
| To: | Liparulo N WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| References | |
| NUDOCS 9308190072 | |
| Download: ML20056D956 (41) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
July 19, 1993

Docket No. 52-003

Mr. Nicholas J. Liparulo
Nuclear Safety and Regulatory Activities
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, Pennsylvania 15230
Dear Mr. Liparulo:
SUBJECT: REQUEST FOR ADDITIONAL INFORMATION (RAI) ON THE AP600

As a result of its review of the June 1992 application for design certification of the AP600, the staff has determined that it needs additional information in order to complete its review. The additional information is needed in the area of probabilistic risk assessment (PRA) (Q720.59-Q720.260).* These questions cover the Level 1, Level 2, Level 3, external events, and shutdown portions of the PRA submittal. Enclosed are the staff's questions.
Please respond to this request within 90 days of the date of receipt of this letter.
The staff notes that there are several requests for additional information for which responses have not been received that are critical to the staff's understanding of the PRA results. These issues concern the use of the Modular Accident Analysis Program (MAAP) code for determining success criteria and how the results of the MAAP code compare to best estimate thermal-hydraulic codes like RELAP, the need for Westinghouse to perform uncertainty and additional sensitivity analyses, and the need for updated source term and offsite consequence analyses.
In previous responses, Westinghouse indicated that this information would be provided by the following dates:
| Number | Westinghouse Proposed Submittal Date |
|---|---|
| 720.11 | February 1993 |
| 720.12 | Additional Sensitivity Studies, June 1993 |
| 720.12 | Uncertainty Analysis, May 1993 |
| 720.52 | June 1993 |
| 720.53 | June 1993 |

* The numbers in parentheses designate the tracking numbers assigned to the questions.
Because these responses are still outstanding, we have not reiterated these questions in the enclosed package.
You have requested that portions of the information submitted in the June 1992 application for design certification be exempt from mandatory public disclosure. While the staff has not completed its review of your request in accordance with the requirements of 10 CFR 2.790, that portion of the submitted information is being withheld from public disclosure pending the staff's final determination.
The staff concludes that this RAI does not contain those portions of the information for which exemption is sought. However, the staff will withhold this letter from public disclosure for 30 calendar days from the date of this letter to allow Westinghouse the opportunity to verify the staff's conclusions.
If, after that time, you do not request that all or portions of the information in the enclosures be withheld from public disclosure in accordance with 10 CFR 2.790, this letter will be placed in the Nuclear Regulatory Commission's Public Document Room.
This RAI affects nine or fewer respondents, and therefore is not subject to review by the Office of Management and Budget under P.L.96-511.
If you have any questions regarding this matter, you can contact me at (301) 504-1120.
Sincerely,

(Original signed by)

Thomas J. Kenyon, Project Manager
Standardization Project Directorate Associate Director for Advanced Reactors and License Renewal Office of Nuclear Reactor Regulation
Enclosure: As stated

cc w/ enclosure: See next page

DISTRIBUTION:
Central File, PDST R/F, TMurley/FMiraglia, DCrutchfield, PDR, RBorchardt, TEssig, TKenyon, RHasselberg, TGody, Jr. (EDO), JMoore (15B18), MSiemien (15B18), PShea, MPohida (10E4), RPallo (10E4), AEl-Bassioni (10E4), ACRS (11) w/o encl

| OFC: | LA:PDST:ADAR | PM:PDST:ADAR | PM:PDST:ADAR | (A)SC:PDST:ADAR |
|---|---|---|---|---|
| NAME: | PShea | TKenyon | RHasselberg | TEssig |
| DATE: | 07/ /93 | 07/ /93 | 07/ /93 | 07/ /93 |

OFFICIAL RECORD COPY
DOCUMENT NAME: SCSB.RAI
Mr. Nicholas J. Liparulo
Westinghouse Electric Corporation
Docket No. 52-003
AP600

cc:

Mr. B. A. McIntyre
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
P.O. Box 355
Pittsburgh, Pennsylvania 15230

Mr. John C. Butler
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Box 355
Pittsburgh, Pennsylvania 15230

Mr. M. D. Beaumont
Nuclear and Advanced Technology Division
Westinghouse Electric Corporation
One Montrose Metro
11921 Rockville Pike, Suite 350
Rockville, Maryland 20852

Mr. Sterling Franks
U.S. Department of Energy
NE-42
Washington, D.C. 20585

Mr. S. M. Modro
EG&G Idaho, Inc.
Post Office Box 1625
Idaho Falls, Idaho 83415

Mr. Steve Goldberg
Budget Examiner
725 17th Street, N.W.
Room 8002
Washington, D.C. 20503

Mr. Frank A. Ross
U.S. Department of Energy, NE-42
Office of LWR Safety and Technology
19901 Germantown Road
Germantown, Maryland 20874
REQUEST FOR ADDITIONAL INFORMATION ON THE WESTINGHOUSE AP600 DESIGN PROBABILISTIC RISK ASSESSMENT
General 720.59 All RAI responses, except those that involve clarification, must be incorporated into the probabilistic risk assessment (PRA) to ensure a complete final design certification package.
Provide the corrected PRA pages containing the RAI responses.
In addition, confirm that the Appendices listed in your response to Q720.57 identify all of the differences between the AP600 PRA and the AP600 SSAR.
720.60 The staff anticipates that the PRA may need to be re-quantified due to issues identified during its review.
Incorporate changes to the PRA that result from the staff's review into the sensitivity studies, uncertainty analyses, and final PRA quantification.
720.61 Justify the applicability of any data extracted out of operating plant data bases, including the data base in the EPRI ALWR Utility Requirements Document for passive plants.
720.62 Westinghouse has evaluated the following external events: seismic, internal floods, and fire.
For site specific hazards such as external floods and hurricanes, the staff recommends that Westinghouse perform a bounding analysis. When a particular site is chosen, its characteristics will be compared to those assumed in the bounding analysis to ensure that the site is enveloped. See SECY 087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light Water Reactor Designs," for further discussion of the subject.
Level 1 PRA
720.63 In Q720.3, the staff asked Westinghouse to describe how adverse failure modes from the new features were incorporated into the PRA.
Westinghouse responded by stating a search was completed and potential errors of commission are described in the PRA (Section DI).
Describe the process by which these adverse failure modes were identified and integrated into the PRA (provide examples).
The staff also maintains that adverse interactions do not only involve errors of commission, but also thermal-hydraulic and other systems interactions.
By adverse failure modes, the staff means systems interactions that (a) could introduce new initiating events, (b) could fail multiple safety systems, or (c) could motivate the operator to take wrong actions.
For example, a leak may short multiple cabinets from the Protection and Safety Monitoring System and initiate a plant trip, or maintenance error could fail multiple boards.
In addition, develop and submit guidance that will be used by the combined operating license (COL) holder to conduct additional systematic searches so that additional failure modes can be identified following construction.
720.64 In Q720.13, the staff requested system importances.
In Westinghouse's response, the staff notes that system importances for the following systems were missing: (a) the instrumentation and control (I&C) systems, (b) the plant's ac and dc power systems, and (c) the plant's support systems (component cooling water, plant air systems, etc.).
Evaluate importances for these systems and discuss the complete list of system importances in the PRA results section.
720.65 In Q720.6, the staff requested a summary of sequences in which recovery actions were credited.
Based on staff review of Table 720.6-1 of Westinghouse's response, the staff notes that some of the diagnostic probabilities appeared low compared to the THERP screening diagnosis values.
If the THERP nominal diagnosis values were used, a supporting task analysis should have been performed. Therefore, provide an example task analysis for the following diagnostic and procedural based errors that supports the use of the nominal diagnosis values that were assigned:
RHN-MAN01, LPM-MAN01, LPM-MAN02, LPM-MAN03, LPM-MAN04, ADN-MAN01, CMV-MAN01, PRN-MAN03, CVN-MAN00, DUMP-MAN01, CIB-MAN01, PRN-MAN02, and ATW-MAN03. These particular operator actions were identified as being potentially risk significant from importance analyses that the staff has independently performed.
720.66 In Q720.6, the staff requested a summary of sequences in which recovery actions were credited.
In response, Westinghouse provided Table 720.6-1, which contained recovery actions for the dominant sequences and their associated performance shaping factors (9 of the 67 recovery actions were described). This table did not clearly describe what systems were being actuated, the availability of DAS, DIS, or PMS, the availability of alarms, etc., for each of the recovery actions.
Expand Table D-1 in the PRA (which includes all human error probabilities) to include:
a. the type of alarms and instrumentation (e.g., hot leg level) that would be available to the operator when he must perform these recovery actions,
b. whether DAS, PMS, or DIS is available,
c. the time available to perform the recovery action,
d. the stress level,
e. whether procedures are long or short,
f. whether a checker is available, and
g. the location of the action.
This information is critical for the staff to understand the importance of operator actions during a severe accident and the validity of the human reliability analysis that was performed.
720.67 During the staff's review of the response to Q720.6, the staff noted that many HEP actions reported in Table D-1 were not used in cutset quantification or were not used in the AP600 data base. In the response to Q720.6, Westinghouse stated that the ATWS recovery action ATW-MAN03 was not credited due to the short time for recovery, but this action does appear in the fault trees and sequence cutsets.
Explain whether ATWS recovery actions ATW-MAN01 and ATW-MAN04 were credited in the PRA. These possible discrepancies should be addressed in Table D-1.
720.68 During the staff's review of the response to Q720.6, the staff identified that the following human errors are reported in Appendix D, but have not been used in the AP600 data base: CIP-MAN05, CVS-DIL, RHN-MANDIV, PC-MAN01, PC-MAN02, PSA-MAN01, CIA-MAN01, and SGA-MAN01.
Explain these possible discrepancies and correct Table D-1 accordingly.
720.69 During the staff's review of the response to Q720.6, the staff identified that the following human errors are found in the AP600 data base and reported in Appendix D, but were not used in cutset quantification: ADN-REC01, CCB-MAN01, CCN-MAN02, CIL-MAN05, CIP-REC01, CMNOREC01, IWNO-MAN00, LPM-MAN05, LPM-REC01, PC-MAN01, PRN-MAN02S, REN-MAN03, RHN-MAN02, RHN-MAN03, SFN-MAN00, VLN-PAN01, and 20N-MAN02.
Explain these possible discrepancies and correct Table D-1 accordingly.
720.70 In Q720.4, Westinghouse was asked to identify areas of the AP600 design that the PRA indicated were important to reducing or maintaining risk, and should be addressed in the ITAACs. Describe how PRA insights were used to develop the ITAACs, DAC, and D-RAP.
Include examples. Provide cross references in the PRA between the D-RAP, Technical Specifications, and ITAAC requirements for test and maintenance unavailabilities assumed for all systems, and assumed system availability goals (e.g., DAS and DIS).
For example, the PRA assumed the unavailability of DAS to be 9.0E-3.
The staff found no unavailability goal for DAS during its review of the D-RAP.
720.71 In Q720.8, the staff asked Westinghouse to describe what systems are necessary to bring the reactor to cold shutdown conditions and to a static condition of 400 degrees. The passive systems are designed to not need operator intervention for 72 hours, and to be able to achieve a safe state. Westinghouse responded that if the success criteria in Table 7-4 of the PRA are met, then stable shutdown conditions are typically established in less than one hour.
Westinghouse also responded that stable shutdown conditions are maintained in the long term by the continued operation of the available systems that satisfy the success criteria. Define what operator or system responses are required to keep these conditions for 72 hours per initiating event group (as defined in Table 7-4), once the safe stable conditions (as defined in Table 7-4 of the PRA) are reached. For each of the initiating event groups, define how the plant can be brought to cold shutdown once the safe stable conditions (as defined in Table 7-4 of the PRA) are met.
720.72 In Q720.8, the staff asked Westinghouse to define the mission time that was used in the PRA and to justify the magnitude. Westinghouse responded that a mission time of 24 hours was used because stable plant conditions are achieved within the 24 hour mission time.
Therefore, the results of the PRA do not suggest that the mission time should be extended. However, the staff identified some sequences with an impaired containment (i.e., endstate 2 sequences) that can result in a loss of inventory and may result in core damage after 24 hours.
For example, in the large LOCA event tree, a large LOCA is postulated to occur with a pre-existing containment opening that results in core damage in about thirty hours.
Identify such sequences and justify the use of a 24 hour mission time for them.
720.73 In Q720.12, the staff requested that Westinghouse perform an uncertainty analysis. The analysis has not been submitted yet. The staff acknowledges that distributions will be computed for the frequency of core damage for (a) each plant damage state, (b) each initiating event group, and (c) the total core damage frequency from internal events in accordance with the Westinghouse response. When the uncertainty analysis is performed, provide the staff with the probability density distribution for the total CDF for (a) safety-rated systems only and (b) all systems.
Level 1 PRA Quantification
720.74 The staff notes that the event trees' endstate 2 sequences were not quantified (see WCAP-12699). These endstate 2 sequences result in core damage with an impaired containment. Quantify these sequences and include the results in the PRA or justify why quantification of these endstates is not necessary.
In addition, describe how the probability of containment bypass was estimated (referred to as Po in the PRA). Revise the CDF and dominant sequences, as necessary.
720.75 The staff notes that the containment bypass fault trees, CIC and CID, were not used. These fault trees were developed for an impaired containment.
Explain why these fault trees were not quantified or used.
720.76 In Appendix C.4, considerations were given for the CVS and Startup Feedwater System to provide coolant injection to the IRWST in the event of an impaired or leaking containment. However, following its review of the event trees, the staff noted that these items were not considered in the containment performance assessments. Discuss the importance of these two systems for impaired containment sequences and discuss why these systems were excluded from the event trees.
720.77 In most cases, the staff's requantification of the AP600 fault trees using IRRAS correlated very well with Westinghouse's quantification of the AP600 fault trees. However, the staff has noted problems with the fault tree linking process. The review indicates that missing cutsets, extra cutsets, and missing or additional basic events may exist. The systems most affected appear to be (a) large system fault trees that were quantified by breaking the tree into subtrees and (b) fault trees that contained a large number of linked support systems.
The fault tree most affected appears to be ADS.
Provide the following information:
a. references that support the benchmarking of ULINK,
b. procedures by which the fault trees were linked and then benchmarked (example: events DIS and CCX-DAS do not appear in CE.WLK cutsets even though they should appear; the ADS.WLK linked fault tree is missing about 10 events and includes two common cause failures not found in the system hierarchy: CCX SA and CCX-19-YA), and
c. an assessment of the potential for these linking problems to alter the system and sequence importance assessments and the bottom line CDF numbers.
Revise the CDF and dominant sequences, as necessary.
720.78 In January 1993, Westinghouse transmitted corrected values for basic events that were incorrectly assigned multiple failure probabilities.
Correct and re-quantify the PRA results using the correct basic event values.
720.79 Justify why a numerical value was substituted in the fault tree linking process for the system cutsets of fault tree AC2AB.
Discuss what effect that incorporating these cutsets would have on the total core damage frequency. Correct and re-quantify the PRA, as appropriate.
720.80 Justify why the fault trees were quantified with so many different truncation cutoff limits. The fault trees have combinations of cutset size limits from 2 to 6 and probability limits from 1 x 10^-4 to 1 x 10^-2. Justify and evaluate the influence of these truncation limits on sequence cutsets and sequence frequency.
Determine whether these truncation procedures can result in the omission of any single-order cutsets.
In particular, the following fault trees seem to have significant truncation problems: (a) ADA, (b) ADIA, (c) RECIRC, (d) ADAL, and (e) ADM.
Missing cutsets and additional cutsets were found in these fault tree files.
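The following Python example is added here to illustrate the truncation concern raised in 720.77 and 720.80; it is not part of the RAI, the Westinghouse PRA, or any NRC code. It generates the minimal cutsets of a small constructed fault tree, applies a cutset-size limit and a probability cutoff of the kind the fault trees were quantified with, and reports any single-order cutset the cutoff discards. The gate names, basic event names and probabilities are hypothetical.

```python
"""Minimal cutsets with size/probability truncation (added example, 720.77/720.80).

Not from the RAI, the AP600 PRA or any NRC code. Tree, events and
probabilities are constructed for illustration.
"""
from itertools import product
from math import prod

# Constructed fault tree: gate name -> (gate type, children). Any name that
# is not a gate is a basic event. Hypothetical, not an AP600 system.
TREE = {
    "TOP": ("OR", ["SINGLE", "REDUNDANT"]),
    "REDUNDANT": ("AND", ["TRAIN_A", "TRAIN_B"]),
    "TRAIN_A": ("OR", ["PUMP_A", "SUPPORT"]),
    "TRAIN_B": ("OR", ["PUMP_B", "SUPPORT"]),
}
# Constructed basic event probabilities (hypothetical values).
PROB = {"SINGLE": 2.0e-5, "PUMP_A": 3.0e-3, "PUMP_B": 3.0e-3, "SUPPORT": 1.0e-4}


def minimize(sets):
    """Keep only minimal cutsets: drop any set that contains another set."""
    return {s for s in sets if not any(o < s for o in sets)}


def cutsets(gate):
    """Minimal cutsets of `gate` as a set of frozensets of basic events."""
    if gate not in TREE:
        return {frozenset([gate])}
    kind, children = TREE[gate]
    child_sets = [cutsets(c) for c in children]
    if kind == "OR":                     # union of the children's cutsets
        combined = set().union(*child_sets)
    else:                                # AND: merge one cutset from each child
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimize(combined)


def cs_prob(cs):
    """Cutset probability, basic events treated as independent."""
    return prod(PROB[e] for e in cs)


def truncate(sets, max_size, prob_cutoff):
    """Apply the two truncation limits 720.80 asks about."""
    return {cs for cs in sets if len(cs) <= max_size and cs_prob(cs) >= prob_cutoff}


def top_prob(sets):
    """Rare-event approximation: sum of cutset probabilities."""
    return sum(cs_prob(cs) for cs in sets)


def dropped_singles(max_size, prob_cutoff):
    """Single-order cutsets that the truncation limits would discard."""
    full = cutsets("TOP")
    lost = full - truncate(full, max_size, prob_cutoff)
    return sorted(next(iter(cs)) for cs in lost if len(cs) == 1)


def truncated_top_prob(max_size, prob_cutoff):
    """Top event probability after truncation; compare with top_prob(cutsets("TOP"))."""
    return top_prob(truncate(cutsets("TOP"), max_size, prob_cutoff))


if __name__ == "__main__":
    full = cutsets("TOP")
    print("minimal cutsets:", [sorted(cs) for cs in full], "top =", top_prob(full))
    for cutoff in (1e-5, 5e-5):
        print(f"cutoff {cutoff:g}: dropped single-order {dropped_singles(6, cutoff)}, "
              f"top = {truncated_top_prob(6, cutoff):.3e}")
```

With the constructed tree, a probability cutoff of 1e-5 keeps all three minimal cutsets, while a cutoff of 5e-5 discards the single-order cutset SINGLE (probability 2e-5) together with the two-element cutset, so the truncated top event probability falls from 1.29e-4 to 1.0e-4. A probability cutoff therefore has to be set relative to the smallest basic event probability that matters to the result, not only to cutset size, which is the check the question asks Westinghouse to make for the listed fault trees.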
. 720.81 Past PRAs have revealed that containment bypass sequences tend to dominate risk. Yet for the AP600 design, the PRA states on page 7-3 that large breaks outside containment are precluded by design.
However, no supporting documentation or references were supplied.
i Discuss the technical basis for this argument and the design aspects of the AP600 that preclude large breaks outside of the containment.
720.82 The AP600 PRA documentation did not discuss how the design features of the AP600 mitigate containment bypass due to ruptured steam generator tubes. This item is of interest to the staff because the Commission is considering implementing design requirements aimed at reducing or eliminating containment bypass due to steam generator tube rupture events.
Provide a summary of the AP600 design features that mitigate the amount of containment bypass leakage from single or multiple steam generator tube ruptures.
720.83 Common cause failures were omitted in certain parts of the PRA due to consideration of management procedures and QA practices. Discuss and justify the details and considerations that were given to design diversification, manufacturing QA, and plant management practices that limit common cause failures in the AP600 design. Westinghouse should also reference where these design details, QA practices, and plant management practices will be included in ITAACs, DACs, Technical Specifications, or Administrative Controls (whichever is applicable) and include these references in the PRA.
Since common cause failures appear to be dominating the AP600 risk profile, identify which common cause failures were deleted from the PRA due to these details.
720.84 Discuss the capability of the AP600 plant to be brought to cold shutdown condition following operation of the passive containment cooling system and the potential equipment failures caused by the adverse containment environment.
720.85 Describe the process that was used to identify (a) low-frequency accident initiators leading to core damage that could significantly challenge prevention and/or mitigation equipment and (b) low-frequency initiating events with very high consequences (multiple initiators, multiple steam generator tube ruptures, etc.).
720.86 Justify using MGL common cause factors that differ from those recommended by EPRI in the Utility Requirements Document (Volume 3, Revision III, 5/92) for the gravity injection check valves. The gravity injection check valves were identified as being important in achieving the reported core damage frequency estimates based on the importance analyses. The values selected by ENEL and Westinghouse result in a common cause failure rate for the gravity injection check valves that is a factor of 10 lower than would be calculated using the EPRI values.
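To make the comparison requested in 720.86 concrete, the following Python example, added here and not drawn from the RAI, the EPRI Utility Requirements Document or the AP600 PRA, implements the Multiple Greek Letter (MGL) relation for a common cause component group and shows how a change in the beta/gamma/delta factors moves the probability that all four gravity injection check valves fail together. The factor values and the per-component total failure probability Q_T are hypothetical stand-ins chosen only so that the two sets differ by a factor of 10; they are not the EPRI or ENEL/Westinghouse values, which the letter does not quote.

```python
"""MGL common cause quantification (added example for 720.86).

Not from the RAI or the AP600 PRA. All numeric values below are hypothetical.
"""
from math import comb


def mgl_probabilities(q_t, factors):
    """Return {k: Q_k}, k = 1..m, for a common cause group of m components.

    q_t     : total failure probability of one component (independent + CCF)
    factors : MGL factors (beta, gamma, delta, ...), length m - 1

    Standard MGL relation (NUREG/CR-4780 form), with rho_1 = 1, rho_2 = beta,
    rho_3 = gamma, ..., rho_(m+1) = 0:
        Q_k = (1 / C(m-1, k-1)) * rho_1 * ... * rho_k * (1 - rho_(k+1)) * Q_T
    Q_k is the probability of one specific set of k components failing from a
    shared cause (k = 1 is the independent failure of a single component).
    """
    m = len(factors) + 1
    rho = [1.0, *factors, 0.0]          # rho[i] holds rho_(i+1)
    q = {}
    for k in range(1, m + 1):
        shared = 1.0
        for i in range(k):              # rho_1 * ... * rho_k
            shared *= rho[i]
        q[k] = shared * (1.0 - rho[k]) * q_t / comb(m - 1, k - 1)
    return q


def per_component_total(q_t, factors):
    """Consistency identity: sum_k C(m-1, k-1) * Q_k must equal Q_T."""
    m = len(factors) + 1
    q = mgl_probabilities(q_t, factors)
    return sum(comb(m - 1, k - 1) * q[k] for k in range(1, m + 1))


def all_fail_prob(q_t, factors):
    """Probability that every component in the group fails together (Q_m)."""
    return mgl_probabilities(q_t, factors)[len(factors) + 1]


def all_fail_ratio(q_t, factors_a, factors_b):
    """Q_m under parameter set A divided by Q_m under parameter set B."""
    return all_fail_prob(q_t, factors_a) / all_fail_prob(q_t, factors_b)


# Hypothetical stand-ins for a 4-valve group; NOT the EPRI URD or
# ENEL/Westinghouse values, which the RAI does not quote.
Q_T = 1.0e-3
FACTORS_A = (0.10, 0.50, 0.50)   # beta, gamma, delta
FACTORS_B = (0.05, 0.25, 0.20)

if __name__ == "__main__":
    for label, f in (("set A", FACTORS_A), ("set B", FACTORS_B)):
        print(label, {k: f"{v:.3e}" for k, v in mgl_probabilities(Q_T, f).items()})
    print("ratio of all-four-fail probabilities:",
          all_fail_ratio(Q_T, FACTORS_A, FACTORS_B))
```

The `per_component_total` check is the identity any MGL parameter set must satisfy: summing C(m-1, k-1) x Q_k over k recovers Q_T, so a reviewer can confirm that a submitted table of Q_k values is internally consistent before arguing about the choice of factors. With the stand-in values, the all-four-fail probability is 2.5e-5 under set A and 2.5e-6 under set B, the factor of 10 the question refers to.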
720.87 The staff notes that spurious operation of the ADS contributes more than fifty percent of the Large Break LOCA initiating event frequency. This frequency was computed to be 4.95E-6 based on quantification of the ADS system fault trees. The design value for ADS spurious operation as specified in Revision 1 to WCAP-13202 was assumed to be once in every six hundred years, which is a factor of thirty five higher than the value listed above.
Explain this discrepancy and correct the PRA, as appropriate.
720.88 Justify the pipe rupture frequency that was used to develop the LOCA initiating event frequencies.
If the pipe rupture frequencies from the EPRI ALWR Utility Requirements Document are used for the sequence frequencies associated with passive RHR tube ruptures, small and very small LOCAs would increase by a factor of five.
720.89 In Appendix C, the PRA states that PMS card failure could lead to inadvertent ADS actuation. Describe how this failure was incorporated into the LOCA initiating event frequencies.
720.90 It appears that the very small LOCA frequency did not account for leaking valves, flanges, and seals.
Explain this possible discrepancy.
720.91 Software common cause failure for all cards fails automatic actuation of the CMTs and ADS. Thus, this event was identified as being an important risk contributor from the risk achievement analyses. The basic event probability for common cause software error is described to be 1.1 x 10^-4 in Appendix E.
Provide the basis for and the validation of this probability.
In particular, explain the basis for the factors given in the equation that was used to generate this value.
720.92 Describe how the data bases that were used to develop the. failure probability for the PRHR heat exchanger tubes were qualified for the AP600 design.
720.93 The fault trees in the AP600 PRA were modularized. Describe the procedures that were used to prevent overlooking of system dependencies during fault tree modularization.
720.94 Appendix F indicated that the common cause failure of the logic cards and boards during the 84-hour and monthly testing dominated the risk achievement importance measures and increased the core damage frequency by large factors. These failures appear to largely affect ADS operation. However, the ADS system importance did not reflect these values. Describe in detail the test and/or maintenance errors for the I&C systems that are required to cause these common cause failures.
Describe what frontline systems are affected and how they are affected by these errors.
For each of the postulated 84-hour and monthly testing failures, describe whether other potential I&C failures could occur and what their likelihood is.
720.95 Common cause failures of pressurizer level transmitters and CMT level signals dominate the risk achievement importance analyses.
In particular, common cause failure of the pressurizer level transmitters fails automatic and manual actuation of ADS and CMTs. What is the source of the data that was used to quantify the common cause failures and how was this data qualified to be applicable for the AP600 design? Describe any differences between the system model for water level indication used in the PRA and that used in the design.
720.96 The AP600 was designed such that the station blackout events contribute minimally to the AP600 risk profile. Describe how the generic EPRI data on battery failure and common mode failure was qualified to be applicable for AP600 design.
720.97 The staff notes that the passive containment cooling sumps use both MOVs and gravity check valves for injection while IRWST injection uses only gravity check valves. With the uncertainty over the performance of gravity check valves at low pressure differentials, explain why the parallel IRWST injection path is isolated with gravity check valves and not MOVs. Describe what risk reduction considerations were used in the selection of valves for these parallel injection paths.
720.98 Explain why the NRHR was not considered to mitigate Large Break LOCAs and Safety Injection Line breaks.
If the operator should not use the NRHR following Large Break LOCAs and Safety Injection Line breaks, what procedures would prevent the operator from actuating NRHR, and what would the consequences be if the operator inadvertently actuates NRHR?
Discuss and describe these procedures. What is the likelihood that the operator will fail to follow procedures? Include this HEP in Table D-1.
720.99 As reported in Appendix B, approximately eighty five percent of the small break LOCAs occur in or through the pressurizer instrumentation lines.
Explain how the CMTs and ADS would manually and automatically actuate, given a break in the pressurizer instrumentation lines.
It is the staff's understanding that the CMTs and ADS require the pressurizer level transmitters for manual and automatic actuation.
The staff suspects that the pressurizer level transmitters would give inaccurate readings.
In addition, explain how the instrumentation and the S-signals would respond to this event, and whether the instrumentation is environmentally qualified.
720.100 The AP600 design makes use of natural circulation as a passive process to ensure safety. The staff wants to determine the extent to which the digital I&C systems have been verified for the range of natural circulation flow conditions expected during operation.
Describe how the digital protection system's software is being validated for expected natural circulation conditions under accident and non-accident conditions.
720.101 Describe what would happen if the passive RHR was inadvertently actuated during full power operation. This event could occur following a loss of air or dc power. Describe how the plant would respond and how the operators would respond during such an event.
720.102 Provide the reliability of the monitor bus and discuss how failures of the monitor bus could fail DAS, DIS, or PMS.
If the monitor bus and its subcomponents are shared between DAS, DIS, or PMS, describe how failure of the monitor bus and its sub-components were incorporated in the PRA.
In addition, describe what actions are required to restore or to re-configure the monitor bus, if the monitor bus fails.
720.103 The staff notes in Appendix C that the Protection & Safety Monitoring System is heat sensitive. Appendix C states that 120°F is the maximum temperature allowed for card operation, and loss of HVAC for 24 hours does not result in the cards exceeding 120°F. How has the availability of the HVAC system been incorporated into the availability goals for the Protection and Safety Monitoring System and the Plant Control System? How would the PMS system respond if HVAC was lost for 24 hours after a severe accident?
720.104 From a review of the design documentation, it appears that instruments and signals from the same source are used for both process control and safety control. The interface is isolated by devices meeting IEEE standards in order that feedback from non-safety related equipment does not affect safety related functions. How were common cause failures modeled in the PRA to take into consideration the potential for process control interference on the operability of the safety rated systems? Are there situations in which malfunctioning process control equipment can induce improper or inaccurate safety instrumentation signals? What considerations have been given to identifying these types of conditions in the design review process? Were the common cause techniques utilized in the PRA used to assist in the identification of these non-safety system feedback effects on the DAS and DIS systems?
720.105 Summarize how the common cause failures of the microprocessor components were determined. These CCFs were assigned small values in the data base, but no discussion was found describing their calculation in Appendix C20, as indicated per the guidelines of WCAP-12699.
720.106 The peak cladding temperature appears to be the sole criterion for establishing the adequacy of core cooling in the AP600 PRA. Justify this criterion. The staff is concerned that, because the peak cladding temperature that was selected exceeds the clad ballooning temperature, the success of passive core cooling under small differential pressures would be affected.
720.107 For reactivity accidents, the EPRI Requirements Document assumes core damage if the axial peak radial average energy exceeds 280 cal/gram.
Justify why peak cladding temperature was used as the acceptance criterion for reactivity accidents.
720.108 The staff notes in the MAAP calculations for the Level 1 success criteria that multiple steam generator tube ruptures result in core damage for some equipment configurations.
Evaluate the sensitivity of core damage frequency to variations in the assumed frequency of multiple steam generator tube ruptures.
In addition, assess the change in multiple steam generator tube rupture frequency due to anticipated steam generator tube plugging and allowable steam generator tube leakage.
720.109 The MAAP acceptance criteria calculations indicate periods of core uncovery for break sizes in the range between 10 and 4 inches.
Provide a table that includes (a) the peak cladding temperature, (b) the peak steam temperature, (c) the amount of core uncovered, (d) the time to core reflooding, given a core uncovery, and (e) the calculational code used, for each success path credited for each initiating event group in Table 7-4 of the PRA.
720.110 Discuss the influence of the ADS valve's discharge coefficient on the acceptance criteria for the medium to very small LOCAs.
720.111 Provide a listing of the references which were used to indicate the quality of the data benchmarking for the ADS critical flow models that were used in the MAAP code to determine the success criteria.
720.112 Summarize the mechanisms that were considered for common cause failure of the gravity injection check valves. Describe the external events that may influence their operation and discuss LOCA and/or ADS force induced failure (water hammer, etc.) of the gravity check valves.
720.113 Describe the impact of containment pressure on the Level 1 ADS success criteria. Discuss how increasing the containment back pressure impacts (a) gravity draining of the IRWST coolant into the vessel, (b) sizing of the 4th stage ADS valves, and (c) the 4th stage ADS valve's mode change performance.
720.114 According to available AP600 design drawings, the 4th stage ADS valves are piston air-operated valves that fail as is. These valves require power from one of the plant's dc power busses and air supplied by the compressed air system. Describe the failures considered for the 4th stage ADS valves' backup compressed air system and how these failures were included in the ADS system fault tree.
720.115 Two systems are used to provide containment air filtration: a containment purge system and a mini-purge system. The mini-purge system operates during reactor operation. In order for the mini-purge system to function, ac power must be available. Appendix C21 discusses issues related to containment isolation. However, this mini-purge system did not appear to have been considered in the PRA (see Table C21-1A). Only the two trains of the containment purge system (identified as VFS trains A&B) were included in the PRA assessment. Describe the impact of failing to isolate the mini-purge system on the containment bypass sequences and the total CDF.
720.116 The Spent Fuel Pit Cooling System (SFPC), a non-safety related system, provides filtration and cleanup for the water in the IRWST during normal operation and the transfer of water between the refueling water cavity and the IRWST during refueling operations.
The staff suspects that this system could present a potential containment bypass path during an accident. This system was alluded to in the PRA, but did not appear to be modeled. Describe the impact of failing to isolate this system on the containment bypass sequences.
Level 1 PRA - Human Error Contribution to Risk
720.117 Describe how AP600 HRA insights have been used to improve the design of the AP600 facility. The items of interest include operating procedures, man-machine interfaces, instrumentation, and the digital control systems.
720.118 How were the HEPs modified to account for the role of the operator as a monitor and decision maker rather than performing actions directed by procedures? Describe how the HEPs were modified to reflect that the AP600 design uses advanced digital technology.
720.119 The staff is concerned that inadvertent draining of the IRWST through the MOVs downstream of the sump screens during power operation could potentially induce vessel damage. Discuss the risk significance of this action and what steps have been taken by Westinghouse to ensure that the likelihood of inadvertent draining is minimized.
720.120 The AP600 PRA and the EPRI ALWR Requirements Document indicate that credit was given to reducing the risk from a LOCA due to leak-before-break considerations. However, it is not clear how the AP600's leak detection system was used in these assessments. Describe how the acoustic leak detection system and other leak detection systems were used in estimating the LOCA HEPs.
720.121 The staff notes that some containment isolation valves may require manual closure to maintain containment integrity. For example, during a loss of offsite power, the mini-purge lines are opened and these lines represent a potential containment bypass path if left open. However, operator actions like these were not modeled or discussed in the PRA. Provide a list of valves and their associated systems that require manual containment closure for each initiating event group. In addition, discuss how these operator actions were incorporated into the PRA and include these HEP actions in Table D-1.
720.122 The staff believes that diverse instrumentation readings could occur during natural circulation conditions (example: passive RHR operation with an intact RCS with 2-phase flow) that could resemble a LOCA. Conditions resembling a LOCA could occur when the plant is cooled quickly (e.g., startup feedwater is recovered) and voids collapse, dropping pressurizer level. The staff is concerned that the operator would actuate the ADS even though it might not be necessary. Can this scenario or other scenarios motivate the operator to inadvertently actuate ADS? How were these actions included in the LOCA frequency calculations? What are the human error probabilities and associated performance shaping factors? How were they computed and incorporated in the PRA?
720.123 It is the staff's understanding that manual and automatic actuation of the CMTs and ADS depend on pressurizer level transmitters and RCS hot leg transmitters (pressure transducers). These sensors are sensitive to flow rate and coolant flow patterns. Describe how the operator would respond should the instruments give erroneous readings (example: erroneous indications of a LOCA) (see Q720.122 for a related concern). Is other vessel level indication available to the operator? Summarize how these issues were considered in the PRA and in selecting the present location of the level instrumentation.
720.124 The staff notes that full height vessel level indication was not provided for the operators, similar to the full height level indication available in current BWRs. If the core was partially uncovered (level dropped below the RCS hot leg transmitters), the operators would have no indication of what the reactor vessel level was. Explain how core recovery using the NRHR could be credited without full height vessel level indication (see Q720.123 for a related concern). Explain what cues the operator would have to actuate NRHR in this situation. This information should be included in Table D-1.
720.125 In Appendix C20, Westinghouse states that failure of the Protection Logic Cabinets in the PMS and PLCS systems fails automatic actuation and manual actuation of the non-safety related systems. Explain how operator recovery for these non-safety related systems was credited (and whether DAS or DIS is operable).
720.126 The PRA mentioned that shutdown workstations are used should loss of the main control room's function occur. Is containment system isolation provided at these workstations for those systems that require manual isolation in the event of core damage?
720.127 The staff is concerned about the effect of multiple steam generator tube ruptures on reactivity margins. The AP600 PRA indicated that boron dilution was not a concern for a single tube rupture event. However, if a multiple tube rupture occurred and the ADS was inadvertently operated, the staff is concerned that inventory from the secondary could induce a reactivity event. Provide the sequence of events and human actions that could lead to reactor vessel boron dilution during a multiple steam generator tube rupture event, and their likelihood of occurrence.
720.128 The PRA states that when the RCPs are not functioning (following a transient or small LOCA), the pressurizer sprays are inoperable. In these situations, the operator would use CVS to provide makeup for the pressurizer auxiliary sprays. The staff is concerned that actuation of the CVS under these conditions would change the HEPs for operator recovery following the LOCA or transient. The staff is also concerned that the actuation of the CVS could induce common cause software/hardware failures of PMS since actuation of the CVS seems to initiate testing of the communication and alarm server boards. These common cause testing failures that dominate the risk achievement importance analyses could occur following the postulated transient or small LOCA. Describe how actuation of the CVS following a transient or small LOCA influences operator recovery and common cause software/hardware failures of PMS and DAS.
720.129 Provide the hot leg temperature set points used for manual ADS and cavity flooding operations. Include temperature differentials and the expected rates of temperature increase between the set points for manual actuation of ADS and cavity flooding.
720.130 Following a severe accident (after 72 hours), the AP600 SSAR states that the operator must initiate coolant makeup to the containment to account for leakage. Describe each possible path for the coolant makeup including (a) the valves that the operator would actuate to provide makeup, (b) the cues that would prompt the operator to initiate coolant makeup, and (c) how these HEPs were incorporated into the PRA. Include these HEPs in Table D-1.
720.131 Provide the definition of a closed system as it pertains to containment isolation penetration. Describe what operator actions are required to maintain these systems (including safety and non-safety systems) closed following an initiating event.
Insights: Uncertainty and Sensitivity Analysis
720.132 Section 8 of the PRA states that the postulated failure of all non-safety related systems resulted in a factor of thirty increase in core damage frequency for internal events. For this case, common cause failure of all logic components was assumed, but manual actuation of reactor trip and the passive RHR system is considered to be available. The PRA does not clearly state for each safety system whether manual and automatic actuation was affected. For this sensitivity study case, describe in detail what safety systems are considered to be available and whether automatic and/or manual actuation is available for each safety system. In addition, for this sensitivity study case, list all the non-safety related systems (frontline and support) that were considered to be unavailable. Section 8.3.1.2 of the PRA should include this information.
720.133 The AP600 PRA indicates a high degree of reliance on software to manage accidents. The importance of human actions on accident mitigation was not fully documented in the PRA. In order for the staff to fully understand the relative importance of human actions vs. reliance on software, perform sensitivity studies that assume no operator actions in 72 hours for each of the three sensitivity cases described in Section 8 of the PRA. These cases include the base case, credit for safety-related systems assuming that the DAS and DIS are available, and credit for safety-related systems assuming that the DAS and DIS have failed.
720.134 The staff notes in Section 7 of the PRA that MAAP 4 was used to provide the LOCA success criteria. The operation of the PRHR heat exchanger and/or the gravity flow of coolant to the core under some postulated LOCA conditions is a complex two-phase flow process. Mechanistic flow models in the past have not provided predictable results for the low pressure conditions present in an AP600 LOCA. Stratified and countercurrent flow, along with the presence of noncondensible gases, make the calculations difficult. There is no evidence in the open literature that the MAAP code provides a predictive and reliable tool to evaluate the success criteria of the PRHR or gravity flow from the IRWST under low pressure conditions. Describe the sensitivity and independent validation studies performed to determine these success criteria.
720.135 The sensitivity studies of Section 8 and Appendix F of the PRA indicate that the LOOP CDF is strongly influenced by the non-safety-related systems' performance. The relative change in CDF is about three orders of magnitude. For this sequence, provide the contribution to the CDF for each of the non-safety-related systems.
720.136 The sensitivity studies of Section 8 and Appendix F of the PRA indicate that the PRHR tube rupture sequence's CDF is strongly influenced by the non-safety-related systems' performance. The relative change in CDF is about two orders of magnitude. For this sequence, provide the contribution to the CDF for each of the non-safety-related systems.
External Events
Fire
720.137 Provide the following information regarding the fire analysis in Appendix I of the PRA:
a. Submit the fire barrier drawings and general arrangement drawings used in the AP600 fire analysis. These drawings should indicate the boundaries for each fire barrier and fire zone and whether each boundary is a 1 hour or 3 hour rated fire structure.
b. Provide a table that lists the combustibles and transient combustibles anticipated for each fire barrier and fire zone. Appendix I should identify where these combustible loadings are referenced in ITAACs or RAP.
c. Clarify whether the 3-hour-rated fire structures constitute the boundary of each fire area. If any fire area is not completely surrounded (including walls, floors, and ceilings) by a 3-hour-rated fire structure, identify the fire barrier and the enclosed equipment.
d. Discuss and justify why fire propagation between fire barriers is not considered to be credible for each fire barrier not completely surrounded by 3-hour-rated fire structures.
e. Define what is a "safe stable state" as referenced in the fire PRA. Include (1) the containment status, (2) the timing upon which this steady state is achieved in the containment and primary system, (3) the systems that were included in the fire analysis that can achieve these conditions, and (4) the possible equipment failures resulting from operation of the passive containment cooling system.
f. Propose an appropriate probabilistic screening criterion by which each fire area in the AP600 design that contains equipment that can be used to mitigate any Level 1 internal events initiator can be eliminated from further analysis. Submit the probabilistic screening analyses that were used to determine the fire areas that require further quantification and those fire areas that could be eliminated.
g. Provide a step-by-step quantification of a fire area that could not be screened out from further analysis and resulted in fire core damage sequences.
720.138 Justify why plant components, such as check valves, tanks, pipes, etc., will not be affected by a fire in a manner that could disrupt natural circulation or passive core cooling system operation.
720.139 Provide detailed justification for all partitioning of the fire frequencies according to combustible loading for a fire area.
720.140 For each fire area, explain in detail how the fire initiating event frequency, the detection probability, and the suppression probability were factored into the fire area initiating event frequency.
720.141 For each fire area, if any equipment is assumed to be undamaged by a fire occurring within the fire area, identify the equipment and justify why it is not damaged by smoke, heat, or fire suppressants.
720.142 Define what is meant by a "significant fire" and discuss what effect the "loss of the monitoring or control of plant operation functions" has on the frontline systems, PMS, DAS, and DIS (see Section I.2.2.1 of the PRA).
720.143 The staff does not consider twenty feet of separation to represent a fire barrier (see SECY-90-016, "Evolutionary Light Water Reactor Certification Issues and Their Relationship to Current Regulatory Requirements;" SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to the Evolutionary and Advanced Light-Water Reactor Designs;" and the June 26, 1990 staff requirements memorandum). In general, a bounding but very useful assumption is to assume that any fire in a fire area fails all equipment in that fire area instantaneously. Did Westinghouse use this separation criterion in its fire analysis? If so, justify its use.
720.144 Justify why offsite power could not be lost during a fire plus plant trip. Smoke and combustion products exhausted to the outside air could affect offsite power transmission.
720.145 Provide the analysis that screened the following initiators from further consideration and quantification in the fire analysis: (a) loss of offsite power, (b) MSIV closures, (c) opening of ADS valves, (d) opening of the secondary side's safety relief valves, (e) station blackout, and (f) ATWS. Discuss the AP600 design features that preclude these initiators from being credible that are referenced in Section I.2.2.2 of the PRA.
720.146 Section I.2.2.3 of the PRA states that the fire analysis only considers what is modeled in the internal events PRA.
Discuss the completeness of the modeling of the AP600 PRA and why this assumption is acceptable for fires.
720.147 Identify all fire areas that contain two or more safety- or non-safety-related divisions (including electrical, fiber optic, or mechanical equipment) or equipment shared by two or more safety- or non-safety-related divisions. If an individual fire area contains two or more safety- or non-safety-related divisions, identify all the equipment in that fire area.
720.148 Explain what the phrase "cable routing is defined by division only" means in Section I.2.2.3.1 of the PRA.
720.149 Describe how fire affects the Protection & Safety Monitoring System, the Plant Control System, and the Diverse Actuation System.
Discuss how the logic cards would be affected by high temperatures, smoke, fire suppressant gases, and liquids.
720.150 Discuss the assumptions that were used in the modeling of common cause instrumentation failures resulting from a fire in the compartments in which the safety signals are demultiplexed from the fiber optic cables.
720.151 A postulated fire in the main control room was screened from further analysis due to the availability of the remote shutdown workstations. However, the staff notes that in order for the remote shutdown workstations to function, they must be energized from the main control room. Discuss the ability of the operations crew to energize the remote shutdown workstation from the control room during a control room fire.
720.152 Fire propagation in many sequences is limited by 3-hour-rated fire structures. For each fire area, describe the expected burn times of fires in these regions and how the fire will be suppressed. For those fires whose burn time exceeds 3 hours, describe the effects of fire propagation between fire areas.
720.153 The analysis associated with fires at shutdown was based solely on a fire disabling the NRHR system. From the staff's review, it appears that the quantification of event tree CSL (LOCA during hot/cold shutdown) needs to be re-evaluated. Reassess the shutdown fire risk analysis to include the effects of the re-evaluation of the CSL and CSLD event trees.
720.154 Provide the analysis that evaluates the potential for fire induced boron dilution events during shutdown operations.
720.155 The PRA indicates that combustion events in the battery compartments were not addressed. Justify why combustion events could be screened out and describe the design features or plant practices that have been credited in the PRA to protect against hydrogen combustion events in the battery compartments. Westinghouse should reference in Appendix I where these design features or plant practices are addressed in ITAACs or DACs (whichever is applicable).
720.156 Loss of service water was not considered to be an initiator assuming a postulated fire in the pump house. The fire analysis did not appear to consider the effects of fire on the power service to the pump house. Assess the risk associated with a fire induced loss of power to the service water pumps and its influence on the core damage frequency.
720.157 Provide a more detailed analysis of fire at shutdown. Westinghouse should provide an analysis that considers operator error, maintenance, open doors between divisions, added combustible material, etc. Westinghouse should quantitatively address the effect of a fire in one division and random failures / maintenance unavailabilities in the other.
Seismic
720.158 Provide a detailed description of the methodology used in performing the PRA-based seismic margins analysis. This description is particularly important because there are limited examples of the practical implementation of this methodology.
720.159 Provide the following information in Appendix H of the PRA in order for the staff to identify (a) the systems, structures, and components (SSCs) that should be added to the reliability assurance program, (b) the human errors that should be added to the COL applicant's training program, and (c) the key equipment that should be added to ITAAC:
a. The seismic cutsets were based on the 100 dominant core damage sequences from the sensitivity study that credited safety-related systems only. Of these 100 dominant sequences, only the LOCA and loss of offsite power sequences were evaluated using HCLPF values. This method is unacceptable because the most limiting seismic sequences may not appear in the first 100 sequences. Also, the Westinghouse seismic analysis did not consider ATWS sequences. In addition to an ATWS, consider other seismic initiators (e.g., steam line breaks) that could result in a different plant response than just the loss of offsite power and LOCAs. For each seismically induced transient/LOCA/ATWS, Westinghouse should use a systematic approach (like event trees) to identify sequences leading to core damage, and submit this analysis. This approach should account for random failures and human errors, as well as seismically induced failures. This analysis should ensure that sub-criticality, vessel inventory, core, and containment cooling are maintained, and that their HCLPF values are assessed.
b. For each of the seismic core damage cutsets, in addition to the seismic only combinations, report combinations of seismic and random failures/human errors. These cutsets should appear in Table H-2 as
(cutset element, HCLPF g) * (random probability or human error probability)
Report only the seismic/random/human error combinations where the random or human contribution is 0.001 or greater. Seismic/random/human error combinations that result in the same HCLPF as the seismic only combination are considered to be "non-minimal" and do not need to be reported.
c. Provide a list of SSCs (including frontline systems, support systems, and special components like tanks and heat exchangers) modeled in the seismic margins analysis. This list should include the associated HCLPF for each SSC. Indicate the method and the data base that were used to estimate the SSC HCLPFs.
720.160 The Westinghouse seismic margins analysis appears to have incorrectly used the seismic margins MIN / MAX approach.
In the MIN / MAX approach, a sequence HCLPF is equal to the lowest HCLPF of the contributing cutsets, and the HCLPF of each cutset is the highest HCLPF of any cutset element. Address this concern.
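The MIN/MAX rule of Q720.160 and the Table H-2 reporting screen of Q720.159(b) (0.001 threshold on the random/human contribution, non-minimal combinations dropped, and the twice-SSE screen of Q720.162) applied to one constructed sequence, as an added example in Python; this is not Westinghouse's analysis or code, and every cutset name, HCLPF value, probability and the SSE value below is constructed.

```python
"""Seismic-margins bookkeeping: MIN/MAX sequence HCLPF, Table H-2 row
screening, and the 2 x SSE check.  Added example with constructed data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cutset:
    cid: str
    # seismic cutset elements as (component, HCLPF in g); constructed values
    elements: List[Tuple[str, float]]
    # probability of the random failure / human error paired with the
    # seismic elements; None marks a seismic-only cutset
    random_prob: Optional[float] = None
    random_name: str = ""

    def hclpf(self) -> float:
        # MAX step of MIN/MAX: every element of the cutset must fail, so the
        # cutset holds up to the capacity of its strongest element
        return max(h for _, h in self.elements)

    def seismic_only(self) -> bool:
        return self.random_prob is None


def sequence_hclpf(cutsets: List[Cutset]) -> float:
    # MIN step of MIN/MAX: any single cutset failing fails the sequence,
    # so the sequence is only as strong as its weakest cutset
    return min(c.hclpf() for c in cutsets)


def table_h2_rows(cutsets: List[Cutset], threshold: float = 0.001):
    """Rows to report per Q720.159(b) as (cutset id, HCLPF, random/human
    probability).  Seismic-only cutsets are always reported.  A mixed cutset
    is reported only if its random/human contribution is at least
    `threshold` and it is minimal, i.e. it lowers the HCLPF below the
    seismic-only value for the sequence."""
    seismic = [c for c in cutsets if c.seismic_only()]
    base = sequence_hclpf(seismic) if seismic else float("inf")
    rows = []
    for c in cutsets:
        if c.seismic_only():
            rows.append((c.cid, c.hclpf(), None))
            continue
        if c.random_prob < threshold:
            continue  # screened: random/human contribution below 0.001
        if c.hclpf() >= base:
            # non-minimal: same HCLPF as the seismic-only combination.  The
            # RAI names only the equal case; a higher value cannot lower the
            # sequence HCLPF either, so this example drops it too (assumption).
            continue
        rows.append((c.cid, c.hclpf(), c.random_prob))
    return rows


def reported_sequence_hclpf(cutsets: List[Cutset]) -> float:
    """Sequence HCLPF over the cutsets that survive the Table H-2 screen."""
    return min(h for _, h, _ in table_h2_rows(cutsets))


def below_twice_sse(cutsets: List[Cutset], sse_g: float) -> List[str]:
    """Ids of cutsets whose HCLPF is below 2 x SSE (the Q720.162 screen)."""
    return [c.cid for c in cutsets if c.hclpf() < 2 * sse_g]


# Constructed sample: one core damage sequence with five cutsets.
SAMPLE = [
    Cutset("S1", [("IRWST tank", 0.5)]),
    Cutset("S2", [("CMT", 0.8), ("ADS stage-4 valve", 0.6)]),
    Cutset("M1", [("DAS cabinet", 0.4)], 0.01, "operator fails manual ADS"),
    Cutset("M2", [("battery rack", 0.3)], 0.0005, "standby diesel fails"),
    Cutset("M3", [("IRWST tank", 0.5)], 0.05, "operator fails PRHR"),
]
SSE_G = 0.3  # constructed placeholder, not the AP600 design-basis SSE

if __name__ == "__main__":
    seismic_only = [c for c in SAMPLE if c.seismic_only()]
    print("seismic-only sequence HCLPF:", sequence_hclpf(seismic_only))
    for cid, h, p in table_h2_rows(SAMPLE):
        print(f"  Table H-2 row: ({cid}, {h} g) * {p}")
    print("reported sequence HCLPF:", reported_sequence_hclpf(SAMPLE))
    print("cutsets below 2 x SSE:", below_twice_sse(SAMPLE, SSE_G))
```

In the sample, M2 is screened by the 0.001 threshold and M3 is dropped as non-minimal (its 0.5 g equals the seismic-only sequence HCLPF), while M1 is reported because its 0.4 g lowers the sequence HCLPF.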
720.161 List all equipment credited in the seismic analysis that is not housed in a seismic category I structure.
720.162 For each seismic core damage cutset (including seismic only combinations and seismic/random/human error combinations) whose HCLPF capacity is less than twice the Safe Shutdown Earthquake (SSE), identify any active and passive systems and components, and operator errors that are important for containment isolation whose failures would lead to a release. Report these active and passive system failures and operator errors if the HCLPF values are below twice the SSE.
720.163 Address the effect of having some non-seismic category I equipment available following a seismic event, including "sensitivity" evaluations and assumptions.
720.164 Discuss the effect of a seismic event on relays, including the possibility of relay chatter.
720.165 Provide guidance to be used by the COL applicant to perform a seismic walkdown of the as-built plant to search for vulnerabilities and confirm that the plant corresponds to the assumptions in the AP600 seismic analysis. The walkdown guidance provided in EPRI NP-6041 is acceptable. The seismic analysis should reference where this commitment is identified in ITAACs.
720.166 Discuss seismic / random failure / operator error combinations identified in Q720.156 and Q720.159 that result in core damage with a potential containment bypass / isolation failure less than twice the SSE.
720.167 Provide an estimate of the HCLPF values for equipment required to bring the AP600 to a cold shutdown state after the occurrence of a SSE.
Internal Floods
720.168 Provide the following information in Appendix I:
a. Submit the plant drawings that were used in the AP600 flood analysis. These drawings should indicate the boundaries for each flooding area or room that contains any equipment or components that are used in reaching a safe, stable state (safety equipment). If a flood in a specific area or room could spread to a flooding area that does contain safety equipment, then these rooms should be indicated on the drawings.
b. Define what is a "safe stable state" as referenced in the fire PRA. Include (1) the containment status, (2) the timing on which this steady state is achieved in the containment and primary system, (3) the systems that were included in the flood analysis that can achieve these conditions, and (4) possible equipment failures resulting from operation of the passive containment cooling system.
c. List the equipment or components that are used in reaching the safe, stable state (safety equipment) for each flooding area or room identified in part a. above.
d. Define what constitutes the boundaries for each flooding area or room identified in part a. above. Clarify whether each boundary is a fire barrier, a fire door, a water tight door, etc. In addition, clarify whether the fire or water tight doors are alarmed when physically opened and the redundancy of drains (if some become plugged).
e. Provide the event trees (or fault trees, etc.) for each flooding area that was quantified in part a. These trees should start with the flooding initiating event and consider (at each node) (1) successful detection of the flood, (2) successful mitigation of the flood, and (3) the conditional probability of reaching safe shutdown given the equipment that survived the flood.
720.169 Describe the component locations for the passive containment coolant makeup system.
In addition, describe the potential flood locations and the potential system outage effects if this system were inadvertently drained through the charging line(s).
720.170 In-containment flooding was not assessed in the PRA because it does not affect the ability of the reactor to be shut down. However, significant internal containment flooding can result in a turbine trip, reactor scram, and other system initiations. Provide the analysis that addressed the influence internal containment flooding has on the Level 1 initiating event frequencies. Discuss the influence of containment flooding on ATWS events.
720.171 Flooding is not modeled during power operation in the NRHR pump rooms. The staff notes in the PRA that this system can experience pump seal failure if the system is overpressurized during operation.
Discuss the potential for NRHR as a flood source and describe the potential for flood propagation.
720.172 The staff is concerned with the potential for containment bypass as a result of flood water. Discuss the potential for MOV and AOV interlock failure and inadvertent NRHR pressure isolation valve failure as a result of flooding.
720.173 The assessment of the flooding scenarios indicates that rupture of an NRHR line results in significant flooding. It was indicated in the PRA that this scenario would be developed; however, it was not provided (see Sections I.1.2.4.2 and I.1.2.3.1.2). Discuss the effects of a rupture of an NRHR line during shutdown on the shutdown core damage frequency and include the effects of IRWST water.
Shutdown Analysis
720.174 Based on the staff's review of previous shutdown PRAs, the staff concludes that using Technical Specification modes to define the shutdown plant operational states that need to be evaluated is not adequate. The shutdown analysis needs to consider the changes in vessel level, reactor coolant system integrity, decay heat, and unusual valve lineups, etc., that occur within modes during shutdown operation. For example, the staff notes that refueling (Mode 6 as defined in the SSAR) was not included in the shutdown PRA. Typically, during refueling, vessel level must be reduced below the vessel flange to remove the vessel head. Due to the reduced vessel level, the time to core boiling has not typically been much different than at reduced inventory conditions. Westinghouse should consider these plant operational states within their shutdown analysis, or provide quantitative justification for their exclusion.
720.175 Shutdown risk is very outage specific, and depends on the various shutdown plant configurations combined with the various maintenance activities. Previous shutdown PRAs have identified outage maintenance as a key contributor to shutdown risk. The impact of outage maintenance was not included in the shutdown PRA, nor were the support system initiators. For example, successful mitigation of a loss of decay heat removal and LOCAs during shutdown requires normal RHR, passive RHR, RCS depressurization, and gravity injection. However, maintenance and surveillance testing on these systems and their support systems (such as dc power) were not included in the shutdown analysis. Identify the assumed system unavailabilities that reflect outage maintenance and surveillance testing, and provide references in the shutdown PRA to the applicable ITAACs, RAP, Technical Specifications, etc. that ensure that these availabilities will be met. In addition, Westinghouse should consider support system initiators that could initiate a loss of normal RHR and/or loss of the passive core cooling systems, and address this in the analysis.
720.176 Hot standby was not modeled in the PRA because the plant response to a loss of core cooling during hot standby is the same as full power operation. Westinghouse assumed that all of the safety-related and non-safety-related systems and actuation signals (both automatic and manual) are available. These assumptions are not valid if these systems are taken out for maintenance during hot standby. Therefore, Westinghouse should reference in the shutdown analysis where the applicable ITAACs, Technical Specifications, or RAP define that the maintenance unavailabilities assumed for all systems at full power are the same for hot standby.
720.177 Previous PWR shutdown PRAs have identified that operator error during reduced inventory operations (as defined by Generic Letter 88-20) dominates PWR shutdown risk. Sections F.4.3.1 and F.4.5.2 of the shutdown PRA state that only manual actuation is provided for core makeup during reduced inventory conditions using gravity injection. However, review of the gravity injection fault tree (IW2A) found that credit was taken for manual actuation and automatic actuation of gravity injection using the non-safety-related DAS. Explain this apparent discrepancy and correct the appropriate sections in Appendix F or fault tree IW2A. In addition, include the manual actuation failure of gravity injection, IWN-MAN 00, in Table D-1 (see Q720.62).
720.178 Previous shutdown PRAs have identified reduced inventory operations as a dominant contributor to shutdown risk. To assist the staff in determining whether the risk of overdraining the vessel during reduced inventory conditions is negligible, provide the following information in the shutdown PRA: (a) the low hot leg level setpoint, (b) the highest hot leg level setpoint at which cavitation of the normal residual heat removal pumps can occur, (c) the low-low hot leg level set point, (d) the shortest time it takes to drain vessel level from the low hot leg level set point to the highest normal residual heat removal pump cavitation setpoint, (e) the reference in ITAACs and/or DACs (whichever is applicable) that verifies that the hot leg level instrumentation has been tested for adverse reduced inventory conditions (such as core boiling and a completely drained hot leg, etc.), (f) the reference in the RAP or Technical Specifications that will ensure that the hot leg level instrumentation will be operable during Mode 5, and (g) a quantitative basis for excluding overdraining events.
720.179 Since gravity injection is a success path for every shutdown initiator occurring at hot shutdown, cold shutdown, and reduced inventory operations, describe when the gravity injection check valves and the MOV block valves will be tested and maintained. The staff is also concerned about what actions will be performed to minimize the collection of debris in the IRWST. When will the IRWST be inspected for debris collection?
720.180 The AP600 makes use of two independent hot leg level instruments to measure vessel water level during shutdown midloop conditions. Describe how the common cause failure modeling of the level instruments was estimated.
720.181 Clarify whether the low hot leg level signal, used to monitor and control the reactor vessel water level during draindown, is also part of the safety-related Protection and Safety Monitoring System or the safety-related Plant Control System.
720.182 In Section F.4.3.2 of the PRA, it states that, with the exception of refueling when personnel/equipment hatches can be open, containment integrity is maintained, and that only the containment penetrations of operating systems are open. Identify each open penetration and specify whether the penetration is closed automatically through an actuation signal, or the operator must close the penetration manually or remotely following a shutdown initiator.
720.183 In the shutdown analysis, provide references stating where the applicable ITAACs, Technical Specifications, or RAP define that the equipment and personnel hatch will not be opened until the plant reaches Mode 6 (see Q720.182).
720.184 Describe when the depressurization valves are placed in the open position in Section F.4.4.2 of the shutdown PRA. For example: is it before draindown or during the draindown? Also, describe the status of the depressurization valves (whether the valves are blocked open, etc.).
720.185 The staff notes that, in event tree CSND (loss of decay heat removal during shutdown following failure of passive RHR), successful CMT operation is not required for successful depressurization and gravity injection. Successful CMT operation is also not required for LOCAs during shutdown (event tree CSL). However, in both event trees, successful CMT operation was always questioned. Clarify whether the event tree endstates in which the CMTs fail are correct.
720.186 Event tree CSL (LOCAs at hot/cold shutdown conditions) considered two initiating events: the operator opening valve V024, and the rupture of the Normal RHR pipe. The initiating event frequency for the Normal RHR pipe rupture was based on the EPRI generic failure rate data. The human error probability for opening valve V024 was estimated as 2.6x10'. Since this human error probability is extremely low, provide the justification for this low value.
720.187 Provide justification as to why mid-loop conditions with water level at the hot leg center line are assumed to have negligible impact due to the short duration of midloop operation (8 hours) (see Section F.4.5.2 of the shutdown PRA). For the Drained Maintenance tree, the staff concludes that assuming that the vessel water inventory is at the vessel flange is not conservative because the vessel level must be dropped to midloop conditions to install the nozzle dams. Provide the hot leg level at which the nozzle dams are installed, and the time for heatup and boil-off of the vessel water inventory, given this level.
720.188 In event tree CSL (LOCA during hot/cold shutdown), the Normal RHR LOCA frequency is taken to be 8.6 x 10' per year. However, in event tree CSLD (LOCA during drained maintenance), the Normal RHR LOCA frequency is taken to be 4.5 x 10' per year. The Normal RHR piping rupture frequency appears to be different between the two event trees. Discuss the differences between these two Normal RHR initiating rupture event frequencies.
720.189 For the shutdown event trees, define shutdown endstate LP and include this definition in the shutdown analysis.
720.190 The shutdown event tree CSND (Loss of Decay Heat Removal During Shutdown) appears to have end state sequence numbering problems or is missing several sequences. Provide these sequences and/or correct the end state numbering for this event tree.
720.191 Discuss the frequency of an interfacing system LOCA occurring through the nitrogen and water fill connections to the CMTs and accumulators following maintenance actions during shutdown and startup operations. The staff notes that interfacing systems LOCAs were not evaluated to be important in the PRA.
720.192 Provide a discussion in the shutdown PRA detailing how the' shutdown source term was estimated.
720.193 State in the shutdown PRA whether both Normal RHR pumps are normally operating during hot shutdown, cold shutdown, and reduced inventory conditions.
720.194 The staff found that operator recovery of the Normal RHR system was not included in fault tree RNC2 during a loss of decay heat removal during hot shutdown, cold shutdown, and midloop operation. The staff believes that, given a loss of Normal RHR, the operators would try to recover Normal RHR before actuating the passive core cooling system. Describe (in the shutdown PRA): (a) the expected operator actions to immediately recover core cooling given a loss of Normal RHR during shutdown (including inadvertent closure of the suction valves, loss of one operating pump, etc.), (b) the type of available instrumentation that characterizes Normal RHR status (e.g., discharge flow, etc.), (c) long term decay heat removal options including availability of IRWST and Passive RHR, (d) recovery actions for a loss of reactor coolant inventory (including loss of IRWST coolant), and (e) operator actions to prevent primary system over-pressurization.
720.195 A review of the shutdown CET indicates a large fraction of the shutdown sequences have been grouped into the OK endstate. During the staff's review of the supplied documentation, it was not able to determine the reasons for these results.
Provide the reasons for these results.
720.196 Section F.4.4.1.2 of the PRA states that, at cold shutdown, if a total loss of Normal RHR occurs and the pressure is not satisfactorily relieved through the one Normal RHR relief valve, a pipe failure in the Normal RHR system could occur. The staff is concerned that gravity injection would automatically actuate, and a containment bypass sequence could occur. A second bypass sequence could also occur as a result of a stuck open relief valve. These scenarios were not considered in the event trees. Discuss these scenarios in detail in the PRA, provide the time that the operator has to respond before the IRWST is drained into the auxiliary building, and describe possible recovery actions. Determine the core damage frequency resulting from these scenarios and assess the offsite consequences due to containment bypass.
720.197 In Appendix F of the PRA, discuss how the plant is brought to cold shutdown from full power. In addition, discuss briefly how refueling is conducted. This discussion should include the systems that can be used and the reliability of the systems involved. This discussion should also include how the AP600 design is protected from low temperature overpressure events and how that protection is performed. During shutdown, low temperature overpressure protection appears to depend on a single safety valve, V021, in the Normal RHR system.
720.198 Discuss the process that was used to search for test and maintenance errors that could cause shutdown initiators or loss of support systems (such as dc power). In addition, describe how these errors were incorporated into the PRA. Provide a list of the test and maintenance errors and the corresponding human error probabilities.
720.199 In the assessment of the boron dilution events, the probability of a MOV inadvertently opening was taken to be 2.5x10. This value was taken from the EPRI generic data base. Assess the likelihood that the MOVs will be inadvertently opened due to test and maintenance activities during shutdown.
720.200 The rupture probability of the Normal RHR piping is based only on generic data and does not include potential overpressurization events that can rupture this piping with the Normal RHR system operating. Provide an evaluation of the Normal RHR LOCA frequency that considers: (a) the low temperature over-pressurization initiating event during shutdown, (b) relief valve V021 sticking, and (c) Normal RHR pump seal failures.
720.201 Describe the risk-based considerations that have been given to disabling the Normal RHR automatic suction and isolation valve signals when the reactor head has been removed during shutdown.
Level 2 and 3 PRA

Containment Pressure/Temperature Capacity

720.202 The response to Q720.24 provides the estimated containment ultimate pressure capacity, but does not provide the probability distribution function. Furthermore, this information is only provided for ambient temperature and 400°F. The results of MAAP calculations reported in Appendices L and N of the PRA indicate that gas temperatures in certain regions of the containment exceed 500K for short periods of time (e.g., in the steam generator and upper compartment during several hydrogen burn sensitivity calculations, and in the steam generator compartment during sensitivity case "DRY"). In this regard, provide the following:
a. the maximum expected containment shell temperature that would encompass all severe accidents. This value should reflect the potential for localized heating due to such phenomena as diffusion flames, and failure of the passive containment cooling system.
b. the conditional containment failure probability distribution function for the AP600 containment (probability of failure as a function of containment pressure) for temperatures representative of severe accidents. As a minimum, specify the conditional containment failure probability values for: (1) pressures of 70 psig, 90 psig, 120 psig, and the pressure corresponding to ultimate capacity, and (2) temperatures of 400K and the maximum containment shell temperature.
720.203 Discuss the development of the containment failure probability distribution. Specifically address: (a) the contributions to uncertainty from uncertainties in material properties and modeling, and (b) whether/how the allowable corrosion of the containment vessel over the 60-year plant design life has been reflected in the estimate of ultimate pressure capacity (a corrosion allowance is not identified in responses to Q252.22 through Q252.28).
720.204 Identify and discuss the potential containment failure locations (including major penetrations) and their respective likelihoods for steel shell temperatures representative of severe accidents. Discuss whether the relative ranking of potential failure locations changes over the range of temperatures expected for severe accidents.
720.205 Provide an assessment of the potential for containment leakage at elevated temperatures and pressures. Include an estimate of the expected leakage areas as a function of pressure and temperature, as applicable.
720.206 Provide Westinghouse's estimate of the containment pressure that would result in stresses in the main feed and steam line containment penetration bellows in excess of ASME Service Level C stresses. Provide this pressure for the range of containment temperatures expected during severe accidents.
720.207 An inconsistency exists between the AP600 plant description document (WCAP-13202) and the PRA. The PRA indicates that the containment is more leak tight and thus more effective in retaining fission products than current reactors. However, it is argued in WCAP-13202 (page 1-11) that in order to make leak testing more efficient, the containment will have a slightly higher leak rate than current reactors. Clarify this apparent discrepancy. In addition, describe any risk basis for the selection of the containment leakage rate.
720.208 Describe the capabilities of the AP600 reactor cavity and structures to sustain the impulse loading associated with rapid pressurization events, such as ex-vessel steam explosions, without loss of structural integrity.
Treatment of Uncertainties

720.209 Based on information discussed in a February 23, 1993 letter, and provided in the PRA, the response to Q720.51, and WCAP-13388, the staff is unable to conclude that certain severe accident phenomena/events cannot lead to failure of the AP600 containment.
These phenomena / events include hydrogen deflagration and detonation, direct containment heating, rapid steam generation and steam explosions (both in-vessel and ex-vessel), temperature-induced steam generator tube rupture, reactor vessel failure given a flooded reactor cavity, and ex-vessel core debris coolability.
In order to provide a defensible and scrutable basis for establishing the risk significance of these phenomena for the AP600, provide the following:
a. a systematic treatment of uncertainties in each of these phenomena/events, and any other phenomena/events which could have a significant impact on AP600 containment performance. This should include identification of major contributors to uncertainty, quantification of each of these contributing factors considering the current state of knowledge, and propagation of these uncertainties. The result of this assessment should be a probability distribution which describes the expected range of outcomes for each issue (e.g., a range of pressure rise for direct containment heating), and the associated degrees of belief,
b. modified CETs which include treatment of each phenomenon, as well as representation of the full range of issue outcomes, and
c. justification for the quantification of these events in the CETs.
Use probabilistic tools, such as decomposition event trees or an approach similar to that described in NUREG/CR-5423, to treat the uncertainties in each of these phenomena/events.
720.210 Provide an importance analysis for the Level 2 PRA to identify important contributors to AP600 containment performance. This assessment should be similar to importance analyses typically performed as part of the Level 1 PRA (to identify important contributors to core damage frequency), but would focus on containment features, containment challenges, and operator actions which contribute to containment performance (containment integrity as well as containment failure frequency). As part of the response, provide separate lists of features, challenges, and actions ranked in terms of their importance in (a) limiting containment stresses below ASME Service Level C in the first 24 hours, (b) preventing uncontrolled fission product release after 24 hours, and (c) limiting the CCFP to less than 10% for all time periods after core damage.
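Two of the quantities these questions turn on, the common cause failure treatment of the redundant hot leg level instruments asked about in Q720.180 and the importance measures asked for in Q720.210, can be seen at work on a very small fault tree. The following is an added illustration and is not part of this letter or of the Westinghouse PRA: the top event, the basic events, the minimal cut sets and every probability in it are constructed for the example and are not AP600 data. It splits each level instrument's failure probability into an independent part and a shared beta-factor term, quantifies the top event from its minimal cut sets (rare-event sum and the min-cut upper bound), and ranks the basic events by Fussell-Vesely importance, risk achievement worth and risk reduction worth, the same measures an importance analysis of a CET would report for containment features, challenges and operator actions.

```python
"""Minimal cut set quantification with a beta-factor common cause term and
Fussell-Vesely / risk achievement worth / risk reduction worth importance.

Added illustration only: the top event, basic events, cut sets and all
probabilities are constructed for this example and are not AP600 PRA data.
"""
from math import prod


def beta_factor_split(q_total, beta):
    """Beta-factor CCF model for a redundant group: each member's total
    failure probability q_total is split into an independent part
    (1 - beta) * q_total and a common cause part beta * q_total that fails
    the whole group at once."""
    return (1.0 - beta) * q_total, beta * q_total


def build_model(beta=0.1):
    """Toy fault tree: failure to actuate gravity injection at midloop.
    Returns (minimal cut sets, basic event probabilities). The numbers are
    placeholders chosen for illustration (assumption, not plant data)."""
    q_ind, q_ccf = beta_factor_split(1.0e-2, beta)  # two hot leg level instruments
    probs = {
        "LVL1": q_ind,        # level instrument 1 fails independently
        "LVL2": q_ind,        # level instrument 2 fails independently
        "LVL_CCF": q_ccf,     # both instruments fail from a common cause
        "OPER_MAN": 5.0e-3,   # operator fails to actuate manually
        "DAS_AUTO": 1.0e-2,   # DAS automatic actuation fails
        "CV_A": 1.0e-3,       # check valve train A fails to open
        "CV_B": 1.0e-3,       # check valve train B fails to open
    }
    cut_sets = [
        frozenset({"LVL_CCF"}),               # no level indication at all
        frozenset({"LVL1", "LVL2"}),          # both instruments fail independently
        frozenset({"OPER_MAN", "DAS_AUTO"}),  # both actuation paths fail
        frozenset({"CV_A", "CV_B"}),          # both injection trains fail to open
    ]
    return cut_sets, probs


def cut_set_prob(cut_set, probs):
    return prod(probs[e] for e in cut_set)


def top_event_prob(cut_sets, probs):
    """Rare-event approximation: sum of the minimal cut set probabilities."""
    return sum(cut_set_prob(cs, probs) for cs in cut_sets)


def min_cut_upper_bound(cut_sets, probs):
    """Min-cut upper bound, 1 - prod(1 - P(cs)); tighter than the plain sum."""
    return 1.0 - prod(1.0 - cut_set_prob(cs, probs) for cs in cut_sets)


def fussell_vesely(cut_sets, probs, event):
    """Fraction of the top event probability carried by cut sets containing event."""
    total = top_event_prob(cut_sets, probs)
    return sum(cut_set_prob(cs, probs) for cs in cut_sets if event in cs) / total


def risk_achievement_worth(cut_sets, probs, event):
    """Factor by which the top event rises if the event is assumed failed (p = 1)."""
    base = top_event_prob(cut_sets, probs)
    return top_event_prob(cut_sets, {**probs, event: 1.0}) / base


def risk_reduction_worth(cut_sets, probs, event):
    """Factor by which the top event falls if the event is made perfect (p = 0)."""
    base = top_event_prob(cut_sets, probs)
    return base / top_event_prob(cut_sets, {**probs, event: 0.0})


def ranked_importance(cut_sets, probs):
    """(event, FV, RAW, RRW) rows sorted by Fussell-Vesely, highest first."""
    events = sorted({e for cs in cut_sets for e in cs})
    rows = [
        (e,
         fussell_vesely(cut_sets, probs, e),
         risk_achievement_worth(cut_sets, probs, e),
         risk_reduction_worth(cut_sets, probs, e))
        for e in events
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Same tree with and without the common cause term: the redundant
    # instruments look about seven times better when beta is ignored.
    for beta in (0.0, 0.1):
        cut_sets, probs = build_model(beta)
        print(f"beta = {beta}: P(top) = {top_event_prob(cut_sets, probs):.3e} "
              f"(min-cut upper bound {min_cut_upper_bound(cut_sets, probs):.3e})")
        for event, fv, raw, rrw in ranked_importance(cut_sets, probs):
            print(f"  {event:9s} FV = {fv:.3f}  RAW = {raw:6.2f}  RRW = {rrw:6.2f}")
```

With beta = 0.1 the single common cause event carries most of the top event probability and tops the ranking; with beta = 0 the two "independent" instruments look an order of magnitude more reliable. That sensitivity is exactly why Q720.180 asks how the common cause term was estimated rather than whether two instruments are provided, and the FV/RAW/RRW columns are the form in which the ranked lists requested in Q720.210 are normally presented.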
720.211 A MAAP 3.0B code familiarization effort was recently completed by the NRC Office of Research. As part of this effort, a contractor report was developed by Brookhaven National Laboratory documenting the results of the review ("MAAP 3.0B Code Evaluation, Final Report", J. Valente and J. Yang, October 1992). This report provides a number of recommendations on the use of the code, including recommendations for base case parameter values and expanded sensitivity analyses beyond those called for in the EPRI (Gabor, Kenton & Associates) guidance document, "Recommended Sensitivity Analyses for an Individual Plant Examination Using MAAP 3.0B". Although the focus of the EPRI guidance document and the BNL review was on the use of the MAAP 3.0B code in support of Individual Plant Examinations, the staff believes that many of the recommendations in the EPRI guidance document and the BNL review are relevant to the use of the MAAP 4.0 code in support of the AP600 review. Accordingly, provide the following information regarding the use of the MAAP 4.0 code:
a. an itemized listing of each of the recommendations in the above EPRI guidance document, an assessment of its relevance to the MAAP 4.0 code, and a discussion of how this recommendation was addressed for the AP600 PRA application (this information should provide a more complete accounting of the EPRI recommendations than provided in response to Q720.50),
b. an itemized listing of each of the recommendations in the BNL review document, an assessment of its relevance to the MAAP 4.0 code, and a discussion of how this recommendation was addressed for the AP600 PRA application, and
c. results of any additional analyses recommended in the above documents and not included in the original PRA submittal.
Recriticality

720.212 Provide an assessment of the potential for recriticality accidents in the AP600 design in the event that the core is re-flooded by the IRWST coolant after the control rods have melted, but before the core begins to relocate.
Include in this response an estimate of the time window in which the core would be vulnerable, and the fraction of the core that would be vulnerable (the latter as a function time).
720.213 Provide an estimate of the core exit temperature that would be indicative of the onset of control rod melting, and discuss whether any specific actions would or should be taken by operators in response to these indications as part of accident management.
Core Melt Arrest by Ex-Vessel Flooding

720.214 The CETs take full credit for the ability of reactor cavity flooding to retain the melt in-vessel. Based on review of WCAP-13388 and related heat transfer analyses by various investigators, the staff concludes that there are considerable uncertainties in the prediction of heat transfer from the debris to the surrounding water, and insufficient evidence to take complete credit for core retention in-vessel due to cavity flooding. Accordingly, submit modified CETs that represent (e.g., with a top event) the potential for vessel failure in a flooded cavity. The techniques described by the Finnish in assessing the potential for reactor vessel failure of the VVER-440 flooded cavities may provide a basis for selection of the vessel failure probabilities for these conditions.
720.215 Summarize the sequences that require the operator to anticipate the need for cavity flooding, i.e., sequences in which flooding would not occur prior to vessel failure without operator action.
720.216 The response to Q720.21 provided only an example of criteria that might form the basis for operator actions to flood the reactor cavity. Provide more specific information regarding the procedures and criteria for actuation of the reactor cavity flooding system. As part of the response, specify the setpoints for alarms or decision points (e.g., hydrogen concentration values or core exit temperatures), or describe how these will be established. Also, provide an estimate of the time available to actuate this system for each accident class/sequence in which it is credited in the PRA.
720.217 Recent work by Kastenberg, et al., for operating reactors indicates the reactor vessel will fail in the flooded cavity configuration shortly after the water in the reactor cavity becomes saturated. Provide the time required to submerge the vessel, and the time required to reach coolant saturation conditions in each of the flooded cavity scenarios analyzed for the PRA.
720.218 For the case identified as "CR", provide the temperature history of the reactor vessel outside wall and the coolant temperature in the reactor cavity while the cavity is flooding up to contain the molten corium in-vessel.
720.219 Provide the details of the reactor vessel insulation system for the AP600. Describe the assessment of the ability of cavity water to penetrate this insulation and cool the reactor vessel.
Identify any ITAAC or COL-action items to confirm that the insulation system in the as-built plant is consistent with the assumptions in this heat transfer analysis.
Temperature-Induced SGTR

720.220 Transient events are of interest to the staff in that they constitute a large fraction of the initiating events for the AP600. Steam line breaks upstream of the MSIVs are of particular interest because they have the potential to bypass the containment in the event of a coincident steam generator tube rupture (SGTR). A review of WCAP-13388 indicates that, in several sequences, the steam generator (S/G) tube temperature exceeded 1000K. According to MAAP calculations, these temperatures can be expected to occur in sequences with reactor cavity flooding and long term retention of corium in-vessel. Temperatures of this magnitude create the potential for multiple S/G tube ruptures due to creep rupture.
However, based on the staff's review, the potential for temperature-induced SGTR does not appear to have been fully quantified in the PRA. The staff notes that while creep rupture of the hot leg may be predicted to occur somewhat earlier than creep rupture of the steam generator tubes, there is considerable uncertainty regarding the occurrence and timing of creep rupture, both in the hot leg and S/G tubes. These uncertainties are compounded by the significant differences in piping sizes, materials, and temperature histories for the hot leg and S/G tubes, as well as the possibility of small pre-existing leakage in the S/Gs, that could alter the calculated temperature histories. In view of these uncertainties, the staff considers it quite possible that a temperature-induced SGTR occurs prior to creep rupture of the hot leg. In this regard, provide the following:
a. an assessment of the potential for temperature-induced SGTR events in conjunction with breaks upstream of the MSIVs, considering the uncertainties associated with creep rupture. As part of the response, provide an estimate of the probability of a temperature-induced SGTR based on an assessment of the intersection of the creep-rupture uncertainty distribution for each potential break location,
b. a separate CET that further develops and quantifies core damage events in conjunction with SGTR (Accident Class VI), including those that result from molten pools contained in-vessel,
c. an assessment of the influence of multiple S/G tube ruptures on the quantification of the CET for the flooded-cavity accident sequences considered in the PRA, and
d. an assessment of the impact that pre-existing S/G tube leakage, on the order of the maximum allowed by Technical Specifications, would have on the probability of temperature-induced SGTR.
720.221 An AP600 demonstration calculation using SCDAP/RELAP5 has been completed by the NRC Office of Research. This calculation was performed for the steam generator tube rupture sequence modeled in the AP600 PRA. One of the major differences observed is that the MAAP calculations do not predict the occurrence of creep rupture of the steam generator tubes prior to creep rupture of the hot leg. In order to better understand the capabilities of the MAAP code to predict the timing and location of creep rupture failure, provide the following information:
a. a description of how the Miller-Larson creep-rupture model is implemented in the MAAP calculations, including a description of the model (e.g., from the MAAP manual) and related input and output parameters,
b. a comparison of MAAP calculations with available creep rupture data, and
c. the pressure and temperature history in the hot leg and steam generator tubes during the "SGTR" sequence.
720.222 Transient sequences such as loss of feedwater can result in core damage at high RCS pressure, thereby leading to creep rupture of the hot leg or steam generator tubes. The MAAP calculations indicate that creep rupture would occur in the hot leg prior to the steam generator. However, the margins appear to be small.
In this regard, provide an estimate of the margins between creep rupture of the hot leg and the steam generator tubes for the sensitivity case titled "LFW1" (i.e., a characterization of how close the steam generators are to creep rupture failure relative to the hot leg).
720.223 Briefly summarize the considerations that were given to the potential for temperature-induced SGTR in establishing technical specification requirements that limit through-wall cracks in the steam generator tubes. Describe what these limits are for the AP600 steam generators.
720.224 For each of the sequences described in Appendix L of the PRA, provide the following:
a. the predicted S/G tube temperature history and peak temperatures (where not already reported),
b. a summary of the plant system availability, e.g., a table showing failed and available systems in each sequence, and
c. a comparison of the sequences analyzed in the Level 2 portion of the PRA with the dominant sequences in the Level 1 analysis, based on system availabilities/failures developed in item b. above. The purpose of this comparison is to show that dominant sequences in the Level 1 analysis are encompassed by the calculations performed in the Level 2 analysis.
720.225 It is the staff's understanding that MAAP does not model heat transfer from the hot leg piping to a surrounding water pool (in the event that the piping becomes submerged). As such, the MAAP calculations may overstate the likelihood of hot leg creep rupture in those cases where the piping is covered by water. In order to assess the significance of this concern, provide the following information:
a. a description of how heat transfer from reactor coolant system piping is treated in the MAAP code,
b. a table showing the time of hot leg submergence and time of hot leg creep rupture for each sequence in which creep rupture is credited, and
c. an assessment of the impact that a more rigorous treatment of heat losses from the RCS piping would have on the probability of creep rupture of the hot leg as well as steam generator tubes.
Additional Bypass Paths

720.226 According to the PRA, the spent fuel pool cooling systems can be used to add coolant to the containment volume. Provide a description of how and when the spent fuel pool cooling system would be used to add coolant to the containment and vessel during a core damage event. As part of the response, discuss the potential for bypass as a result of these actions, and identify any provisions provided in the design (such as additional check valves) to prevent bypass. Justify why the CET did not take into consideration the containment bypass potential for this system.
720.227 Provide an assessment of the potential for containment bypass through the reactor cavity cooling system, given high reactor cavity temperatures (e.g., in excess of 1400K). Identify and discuss any measures taken to reduce or eliminate this system as a containment bypass path in the event that the heat exchanger's tubes are ruptured or failed due to molten corium attack or from the effects of FCIs.
720.228 Discuss the considerations that were given to the potential for containment bypass as a result of hydrogen-combustion-induced failure of the IRWST, including failure of connected piping systems such as fill lines. Justify not treating this as a potential containment bypass mechanism in the Level 2 analysis.
High Pressure Vessel Failure

720.229 Provide an assessment of resulting peak pressure loads in the AP600 reactor cavity given the following conditions:
(a) high pressure melt ejection into a dry reactor cavity, (b) high pressure melt ejection into a flooded cavity, without coincident ex-vessel steam explosion, and (c) high pressure melt ejection into a flooded cavity, with coincident ex-vessel steam explosion. This assessment should either be bounding in nature, or, alternatively, consider the full range of uncertainty in related processes and parameters, in which case a range of credible pressures and associated degrees of belief should be provided.
720.230 The sensitivity case entitled "CC" in Appendix L of the PRA results in a 68 psia pressure rise in the containment at the time of reactor vessel failure.
Provide the following information related to this case:
(a) the quench time, (b) the amount of core material contributing to peak pressurization, (c) the initial and final quenched corium temperature, (d) the amount of steam generated for a unit mass of corium quenched, (e) the initial coolant temperature in the cavity, (f) the hole size selected for the vessel failure location, and (g) the peak containment shell temperature predicted as a result of this transient temperature excursion.
720.231 The lack of penetrations in the AP600 reactor vessel lower head could result in a relatively higher incidence of creep-rupture failure of the reactor vessel (in contrast to local failure in connected piping), and an increased frequency of the "rocket" containment failure mode. This failure mode was treated in NUREG-1150, but was not considered for the AP600. Although Westinghouse believes the probability of high pressure vessel failure for the AP600 design is negligible, this view is based in part on full credit for creep rupture as a mechanism for precluding high pressure failures. The staff view is that creep rupture is not assured, and that high pressure vessel failure can occur in some fraction of the core damage sequences. In this regard, provide an assessment of the significance of the "rocket" containment failure mode for the AP600 risk profile. As part of this response, provide an assessment of the impact that creep rupture failure of the reactor vessel lower head would have on (a) motion of the reactor vessel and/or failure of the vessel restraints, (b) the possibility of direct failure of the containment or piping penetrations, and (c) the conditional containment failure probability.
FCIs

720.232 Provide an assessment of peak pressures that could result from re-flooding the reactor vessel when the vessel contains a molten debris bed. This should include the contribution from in-vessel hydrogen production, rapid steam generation, and in-vessel steam explosion. This assessment should either be bounding in nature, or, alternatively, consider the full range of uncertainty in related processes and parameters, in which case a range of credible pressures and associated degrees of belief should be provided.
720.233 In view of the fine debris fragmentation typically associated with ex-vessel steam explosions, and the reliance on low differential pressures for maintaining containment cooling in the AP600 design, provide an assessment of the potential for finely fragmented debris to effectively block the IRWST and containment sump recirculation line.
Hydrogen Combustion
720.234 An AP600 demonstration calculation using SCDAP/RELAP5 has been completed by the NRC Office of Research. This calculation was performed for the steam generator tube rupture sequence modelled in the AP600 PRA. One of the differences noted is that the quantity of hydrogen produced in-vessel in the MAAP calculation is about one-half that predicted in the staff's calculation. In order to better understand the capabilities of the MAAP 4.0 code to predict hydrogen production, provide the following information:
a. a description of the differences between the MAAP 4.0 and 3.0B hydrogen generation model,
b. major input assumptions that influence hydrogen production, including one-sided versus two-sided oxidation, cladding relocation parameters, and core blockage parameters, and
c. a comparison of the MAAP 4.0 hydrogen production benchmark calculations with the CORA experiments that had a heatup rate of around 0.3*K.
720.235 Sequences in which the core degrades at high pressure can result in either creep rupture of the hot leg / surge line or failure of the S/G tubes. Once depressurization begins, the accumulator and CMT coolant is injected into the vessel. This coolant injection into the core's degraded geometry results in significant hydrogen generation. Identify operator actions that might be taken in response to this event, and provide an assessment (e.g., sensitivity analyses) of the impact of these actions on hydrogen production.
720.236 It has been noted that in some sequences, automatic ADS operation can result in localized hydrogen concentrations (in and above the IRWST) above 10%. Because these concentrations could lead to large deflagrations and potentially local detonations, measures to prevent such an accumulation of hydrogen warrant consideration. In this regard, identify and discuss any measures that might be taken to prevent the IRWST hydrogen concentration from exceeding 10% (such as early operator actions to depressurize the RCS), and the desirability of these measures.
720.237 The response to Q720.20 provided only a general discussion of criteria that might form the basis for operator actions to activate the hydrogen control system. Provide more specific information regarding the procedures and criteria for actuation of the hydrogen ignition system. As part of this response, specify the set points for alarms or decision points (e.g., hydrogen concentration values), or describe how these will be established. Also, provide an estimate of the time available to actuate this system for each accident class in which it would be used.
720.238 It is argued in the PRA documentation that igniter-induced hydrogen detonation is prevented due to high steam concentrations in those cases in which high hydrogen concentrations are predicted to occur in and above the IRWST volume. It is the staff's view that, even though directly initiated detonations may be precluded in a source compartment, deflagration-to-detonation transition (DDT) in that compartment or adjacent compartments is still possible, and should be considered in the PRA unless ruled out on the basis of a more systematic analysis. In this regard, provide additional justification for excluding DDT from consideration in the PRA. This should be based on a systematic assessment of representative sequences with regard to (a) time windows in which detonable mixtures are predicted to exist, (b) the compartments in which the detonable mixtures occur (this may require a more finely nodalized model in the vicinity of the source), and (c) the local effects within these compartments that influence the probability of detonation (including geometric confinement and local temperature).
720.239 Discuss the effect that hydrogen-related failure of the IRWST would have on the containment's passive heat removal performance.
720.240 Provide an assessment of the impact of the hydrogen igniters in limiting the peak pressurization predicted for the base case (BCI).
Core Debris Coolability
720.241 The CETs take full credit for the ability of reactor cavity flooding to prevent molten core concrete attack. Based on review of the results of recent experimental programs, the staff concludes that core debris quenching by overlying water pools is not assured. For example, the MACE experiments indicate a reduction in the amount of erosion but not concrete erosion termination. Accordingly, submit modified CETs that represent the potential for continued CCI in the presence of a flooded reactor cavity. The uncertainties associated with the major parameters governing CCI should be considered and encompassed in establishing and quantifying this CET.
720.242 In view of the significant uncertainties regarding the coolability of ex-vessel core debris by overlying water pools, provide an assessment of the extent of axial and radial ablation of concrete when key parameters governing CCI are varied over their maximum credible ranges singly, and in combination (the WCAP report referenced in response to Q720.28 is considered an inadequate basis for precluding continued CCI). As part of this assessment consider the impact of variations in the following parameters: (a) mass of participating core debris, (b) composition of debris, (c) initial debris superheat, (d) concrete composition / type, (e) timing of water / mass addition (debris into water; water on debris), (f) upward heat flux, and (g) axial to radial ablation ratio.
720.243 Provide a discussion of the recent EPRI MACE experiments and how these tests support Westinghouse's modeling of CCI in the presence of an overlying water pool.
720.244 The distance between the reactor vessel bottom head and the floor of the reactor cavity is about four feet. In view of this short distance, justify why concrete ablation by a jet of molten core debris exiting the reactor vessel is not explicitly considered in the containment analysis. As part of this response provide an assessment of the jet fragmentation / breakup and cooling that would occur before the jet reaches the reactor cavity floor.
720.245 For the case in Appendix L entitled "DRY", provide the peak containment steel shell temperature and the corresponding containment pressure.
Long-term Containment Cooling
720.246 Provide a listing of the major sequences in which the containment fails due to loss of passive containment cooling.
720.247 In response to Q720.23, Westinghouse indicated that natural convection cooling is sufficient to prevent containment failure. In view of this, provide an assessment of the impact of the system on the AP600 risk profile. This might be addressed via sensitivity analyses using the modified CETs. Also, describe the trade-offs that were considered between the containment design pressure and design leak rates, and the need for the passive cooling system.
720.248 An accident management procedure is called out in the PRA that can be used to prevent containment overpressure failure as a result of non-condensible gas generation. Provide a discussion of the options available to permit containment venting. Discuss how these procedures and systems would be utilized to prevent containment failure.
Source Terms
720.249 The representative sequence used to establish the source term for each release class was selected based on consideration of the contribution of the various sequences to core damage frequency. An alternative, and more defensible, approach is to select the representative sequence based on consideration of the sequence contribution to risk rather than core damage frequency. Identify the most risk significant sequences within each release class, and provide an estimate of the source terms for these sequences. For each release class, justify that the source term used to represent the release class adequately represents all of the sequences assigned to the release class.
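The following is an added worked illustration of the distinction drawn in 720.249; it is not part of the NRC letter or of the AP600 PRA, and every sequence name, release class, frequency and consequence value in it is constructed for the example. It shows that choosing each release class's representative by frequency alone can pick a sequence whose source term badly under-represents the class's total risk (frequency times consequence), whereas choosing by risk contribution picks the sequence that dominates the class risk and yields a conservative class estimate.

```python
"""Representative-sequence selection: by core damage frequency vs. by risk.

Illustrative only. Sequence ids, release classes, frequencies and
consequences below are constructed values, not AP600 PRA results.
"""
from collections import defaultdict

# (sequence id, release class, frequency per reactor-year, consequence in
# arbitrary dose units). Constructed sample data.
SEQUENCES = [
    ("SEQ-A", "RC-1", 4.0e-7, 1.0),   # most frequent in RC-1, small release
    ("SEQ-B", "RC-1", 1.0e-7, 50.0),  # rare but large release: dominates risk
    ("SEQ-C", "RC-1", 2.0e-7, 2.0),
    ("SEQ-D", "RC-2", 3.0e-8, 10.0),
    ("SEQ-E", "RC-2", 5.0e-8, 4.0),
]


def group_by_class(seqs):
    """Bin sequences by release class."""
    groups = defaultdict(list)
    for seq in seqs:
        groups[seq[1]].append(seq)
    return dict(groups)


def representative_by_frequency(seqs):
    """Per class, the sequence with the largest frequency (CDF-based choice)."""
    return {rc: max(group, key=lambda s: s[2])[0]
            for rc, group in group_by_class(seqs).items()}


def representative_by_risk(seqs):
    """Per class, the sequence with the largest frequency x consequence."""
    return {rc: max(group, key=lambda s: s[2] * s[3])[0]
            for rc, group in group_by_class(seqs).items()}


def true_class_risk(seqs):
    """Per class, the sum of frequency x consequence over all its sequences."""
    return {rc: sum(s[2] * s[3] for s in group)
            for rc, group in group_by_class(seqs).items()}


def class_risk_using_representative(seqs, chooser):
    """Per class, the risk estimate obtained when the representative's
    consequence is applied to the whole class frequency, i.e. the effect of
    using one representative source term for every sequence in the class."""
    by_id = {s[0]: s for s in seqs}
    estimate = {}
    for rc, group in group_by_class(seqs).items():
        rep = by_id[chooser(seqs)[rc]]
        class_freq = sum(s[2] for s in group)
        estimate[rc] = class_freq * rep[3]
    return estimate


def underestimation_ratio(seqs, chooser):
    """Per class, estimated risk divided by true risk; values below 1 mean the
    chosen representative under-represents the class."""
    est = class_risk_using_representative(seqs, chooser)
    true = true_class_risk(seqs)
    return {rc: est[rc] / true[rc] for rc in true}


if __name__ == "__main__":
    for name, chooser in (("frequency", representative_by_frequency),
                          ("risk", representative_by_risk)):
        print(f"selection by {name}: {chooser(SEQUENCES)}")
        print(f"  estimated/true class risk: {underestimation_ratio(SEQUENCES, chooser)}")
```

With the constructed data, the frequency-based choice for RC-1 is SEQ-A, and applying its small source term to the whole class recovers only about 12% of the class's true risk; the risk-based choice is SEQ-B, whose source term applied to the class overstates the class risk by a factor of about six, which is the conservative direction when one sequence must stand in for the whole class.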
720.250 The fission product release fractions in the AP600 are significantly lower than expected by the staff. In this regard, for each release class, identify and discuss the impact of those MAAP models and input assumptions that Westinghouse believes have the greatest influence on fission product release estimates.
720.251 NUREG-1150 and supporting technical documents include an assessment of the range of uncertainty associated with fission product releases for various release classes for PWRs and BWRs. Although this information was developed on a plant-specific basis, it can be applied to the AP600 design on an approximate basis. In this regard, provide a comparison of the AP600 source terms (point estimates) for each release class with the range of releases estimated in NUREG-1150 for the closest matching plant and release class. Discuss the reasons for any major differences.
720.252 Provide clarification as to how the transfer of condensed steam from the containment shell and structures to the sump is handled in the MAAP 4.0 calculations which establish source terms for each release class. In particular, discuss whether the condensate is assumed to drip off and form a "rain", and whether any credit is taken for fission product removal by this rain. If credit is taken, justify this treatment in view of the results of scale tests, which the staff understands do not show the formation of this rain.
720.253 For each of the sequences presented in Appendix L of the PRA, provide a summary of the following: (a) expected vessel failure times, (b) the time to containment failure, and (c) the time required to release the bulk of the noble gases to the environment.
720.254 One of the Commission's containment performance goals is to prevent uncontrolled radionuclide release to the environment for time periods in excess of 24 hours. The PRA does not provide sufficient information in this regard. In order for the staff to conclude on the adequacy of the AP600 design in preventing long-term releases, identify and discuss the actions that would be required to prevent or mitigate uncontrolled fission product release due to (a) long-term non-condensible gas generation, (b) impaired decay heat removal capacity resulting from a depleted coolant inventory (due to leakage of steam from containment), and (c) late containment bypass (temperature-induced SGTR) resulting from long-term retention of molten fuel pools within the reactor vessel.
720.255 Identify specific procedures and equipment that would be required to perform the actions identified in response to Q720.253, and any corresponding COL-action items, including actions that the COL-applicant should address in its accident management program (such as procedures that the COL-applicant would need to develop).
Offsite Consequences
720.256 Provide a list of major sequences in which the dominant containment challenge occurs outside of the 24 hour mission time selected for the PRA analysis.
720.257 In order for the staff to characterize the impact of severe accident phenomena and related assumptions on the AP600 risk profile, provide an assessment of the impact of major assumptions in the Level 2 analysis on offsite consequences (site boundary EDE dose). This can be done via sensitivity analyses using modified CETs which include explicit treatment of the major severe accident phenomena. As a minimum, address the impact of assumptions in the following areas: (a) core melt arrest by reactor cavity flooding, (b) temperature-induced SGTR, (c) direct containment heating, (d) hydrogen deflagration / detonation, and (e) ex-vessel core debris coolability.
720.258 The AP600 PRA selected the "CI" release category to model the risk associated with shutdown containment bypass sequences. The LWR shutdown risk studies (NUREG-1449) indicate a much higher whole body dose than predicted by this ALWR calculation. Justify the present treatment or provide an alternative containment bypass source term for the shutdown risk assessment.
720.259 A review of the shutdown CET indicates that a large fraction of the shutdown sequences have been grouped into the endstate identified as "OK". Based on review of the supplied documentation, the staff is unable to determine the rationale for this classification. Accordingly, provide additional details regarding the binning process and criteria used.
Severe Accident Mitigation Design Alternatives
720.260 Provide a capital cost estimate for implementing the following accident-management-related items: (a) emergency trip bypass for NRHR and CVCS pumps, (b) emergency access to allow external charging of the plant's DC batteries, (c) emergency bypass of MSIV closure signals, (d) emergency trip bypass of the diesel generators, (e) emergency access to allow external charging of the plant's air systems, and (f) emergency containment penetration bypass to provide alternate sources of coolant injection to containment.