ML20059L968
ML20059L968 | |
Person / Time | |
---|---|
Site: | 05200001 |
Issue date: | 11/09/1993 |
From: | Boyce T Office of Nuclear Reactor Regulation |
To: | Marriott P GENERAL ELECTRIC CO. |
References | |
NUDOCS 9311180038 | |
Text
{{#Wiki_filter:November 9, 1993

Docket No. 52-001

Mr. Patrick W. Marriott, Manager
Licensing & Consulting Services
GE Nuclear Energy
175 Curtner Avenue
San Jose, California 95125
Dear Mr. Marriott:
SUBJECT: COMMENTS ON GE NUCLEAR ENERGY (GE) ADVANCED BOILING WATER REACTOR (ABWR) CERTIFIED DESIGN MATERIAL

Enclosed are staff comments on the GE ABWR Tier 1 certified design material dated August 31, 1993, revision 1 to the Tier 1 material submitted in a GE letter of September 17, 1993, and additional information contained in GE letters of September 30 and October 20, 1993. The staff's comments also reflect comments on the Tier 2 supporting information contained in Amendment 32 to the standard safety analysis report.

Sincerely,

Original signed by

Thomas H. Boyce, Project Manager
Standardization Project Directorate
Associate Directorate for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation
Enclosure: As stated

cc w/enclosure: See next page

DISTRIBUTION:
Docket File; PDST R/F; TMurley/FMiraglia; DCrutchfield; PDR; PShea; JNWilson; DTang; CPoslusny; SNinh; RBorchardt; TBoyce; WTravers; RJones, 8E23; AThadani, 8E2; GThomas, 8E23; TBoyce; JMoore, 15B18; TGody, Jr., 17G21; BHardin, RES; LShao, RES; AVietti-Cook; WRussell, 12G18; JO'Brien, RES; CMcCracken, BD1; JLyons, 801; RPerch, 8E2; GBagchi, 7H15; DTerao, 7H15; MChiramal, BH7; DEckenrode, 10D24; REmch, 10D4; CGoodman, 10D24; GMizuno, 15B18; MFinkelstein, 15B18; TPolich, 9A1; DThatcher, 7E4; TCollins, 8E23; MRubin, 10E7; CBerlinger, 7E2; RGramm, 9A1; AThadani, 8E2; BBoger, 10H1; FCongel, 10E2; JWiggins, 7025; ACRS (11) (w/o encl.)

OFC: LA:PDST:ADAR; PM:PDST:ADAR; PDST:ADAR; D:PDST:ADAR
NAME: PShea; TBoyce:tz; JNWilson; RBorchardt
DATE: 11/ /93; 11/ /93; 11/ /93; 11/ /93

OFFICIAL RECORD COPY: ABWRLTR.THB

9311180038 931109 PDR ADOCK 0520 1
Mr. Patrick W. Marriott
General Electric Company
Docket No. 52-001

cc:

Mr. Joseph Quirk
GE Nuclear Energy
General Electric Company
175 Curtner Avenue, Mail Code 782
San Jose, California 95125

Mr. Raymond Ng
1776 Eye Street, N.W.
Suite 300
Washington, D.C. 20086

Mr. L. Gifford, Program Manager
Regulatory Programs
GE Nuclear Energy
12300 Twinbrook Parkway
Suite 315
Rockville, Maryland 20852

Safety and Licensing
AECL Technologies
9210 Corporate Boulevard
Suite 410
Rockville, Maryland 20850

Director, Criteria & Standards Division
Office of Radiation Programs
U.S. Environmental Protection Agency
401 M Street, S.W.
Washington, D.C. 20460

Mr. Sterling Franks
U.S. Department of Energy
NE-42
Washington, D.C. 20585

Marcus A. Rowden, Esq.
Fried, Frank, Harris, Shriver & Jacobson
1001 Pennsylvania Avenue, N.W.
Suite 800
Washington, D.C. 20004

Jay M. Gutierrez, Esq.
Newman & Holtzinger, P.C.
1615 L Street, N.W.
Suite 1000
Washington, D.C. 20036

Mr. Steve Goldberg
Budget Examiner
725 17th Street, N.W.
Room 8002
Washington, D.C. 20503

Mr. Frank A. Ross
U.S. Department of Energy, NE-42
Office of LWR Safety and Technology
19901 Germantown Road
Germantown, Maryland 20874
PROJECTS COMMENTS

1. Section 1.2, General Provisions. In subparagraph (2), the first sentence should read "...a combination of lyng tests and analyses..."

2. The staff will provide the Commission's guidance on the GE request to use Japanese metric units in a separate letter.

3. Standard safety analysis report (SSAR) Table 2.0-1, the site parameter for tornado missile spectra should match the site parameter listed in Section 5.0 of the Tier 1 material. The standard review plan (SRP) is not the correct reference.

4. Attached to this letter is a staff update of agreements reached on PRA insights during the July 27 through 29 ITAAC Team Review at GE, as documented in a meeting summary of August 10, 1993. The update indicates staff suggestions as to where the probabilistic risk assessment (PRA) insights could be dispositioned in both the Tier 1 certified design material and the SSAR. The staff notes that important insights of PRA are already contained in Table 19.2-1 of the SSAR, and important insights of PRA are already contained in Tables 19.8-1 through 19.8-7 of the SSAR. Further, important insights for the reliability assurance program are already contained in Appendices K and Q to Chapter 19 of the SSAR. These sections of the SSAR are suggested to reflect the staff's update. The staff considers this reconciliation to constitute the bulk of the Tier 1 and Tier 2 "roadmaps" for PRA and severe accident insights, as documented in the NRC letter to GE of August 26, 1993, discussing the format and content of the design control document.

Enclosure
REACTOR SYSTEMS TASK GROUP COMMENTS ON INSPECTIONS, TESTS, ANALYSES, AND ACCEPTANCE CRITERIA (ITAAC) AND AMENDMENT 32

The following are comments on the GE ITAAC submittal of August 31, 1993, standard safety analysis report (SSAR) Amendment 32, and GE's letters of September 30 and October 20, 1993.

1. Reactor core isolation cooling (RCIC) ITAAC Table 2.4.4, item number 3k refers to an analysis to verify that the RCIC system can operate for a period of at least 2 hours during station blackout (SBO). What changes have been made to the RCIC system or its supporting systems that resulted in a reduction in RCIC capability from 8 hours to 2 hours?

2. The following road map comments (Ref: NRC letter to GE dated July 9, 1993, comments number 4, 10, and 13) were not addressed during the ITAAC team review conducted July 27 through 29, 1993.

(a) Road map page 19, Table 5. Turbine bypass capacity is not verified through ITAAC. It is the position of the staff that this should be included in ITAAC as a specified value since the bypass capacity is included in transient analyses.

(b) Road map page 42, Table 10. It is the position of the staff that the anticipated transient without scram (ATWS) dome pressure time constant and the ATWS logic time delay presented in this table should be verified by ITAAC. Please update the appropriate ITAAC.

(c) Road map page 45, Table 15. The startup range neutron monitoring system (SRNM) not downscale analytical delay time specified in this table is not verified by the specified ITAAC. This should be included in the ITAAC.

3. GE submitted the latest roadmaps in a letter dated September 30, 1993. The probabilistic risk assessment (PRA) roadmap is not included in the submittal. Confirm that the PRA road maps will be included in the SSAR.

4. SSAR 14.3, Amendment 32 - Methodology for determining the contents of the design certification material. 14.3.1 Criteria, item number 1 - Add Part 52 to NRC's regulations in addition to Part 50.
RAD PROTECTION TASK GROUP COMMENTS

1. Page 12.3-22: sub-section 12.3.3.1(2) should reference the DAC Table 3.2(b). Suggest revising the penultimate sentence in this sub-section to state, "DAC Table 3.2(b) requires the COL Applicant to perform calculations for the expected airborne radionuclide concentrations to verify the adequacy of the ventilation system during the inspections, tests, analyses, and acceptance criteria (ITAAC) stage of plant construction."

2. The criterion for the minimum EAB distance in the site parameters lists for both Tier 1 (Section 5.0) and Tier 2 (Table 2.0-1) should be "300 meters from vital areas." Also, an explanation of the basis for this number should be included in the security section of the SSAR.
SEVERE ACCIDENT COMMENTS

1. In the GE letter of October 20, 1993, GE proposed to add an inspections, tests, analyses, and acceptance criteria (ITAAC) to Section 2.14.1, Primary Containment System, to verify the wetwell-drywell vacuum breaker. The proposed ITAAC is acceptable if the words "An analysis report exists which concludes that..." are deleted from the acceptance criteria column.

2. Section 2.14.1, Primary Containment System. The Tier 1 information on the corium shield structure around the containment sump should be modified to only include a configuration check, and the sizing and material should not be included. The ITAAC should be modified to confirm the existence of the structure on a high level and the detailed design information should only be included in the SSAR. This discussion reflects the agreements reached in the October 14, 1993 senior management meeting.

3. The following comments pertain to a GE letter of September 30, 1993, discussing cross referencing material for the GE ABWR.

a. Containment Pressure/Temperature Response Roadmap (Table 2) - GE should consider deleting the roadmap reference to the diameter of the horizontal vents, as this value is not mentioned in the ITAAC.

b. USIs/GSIs Roadmap (Table 9) - We have review responsibility for the following items: A-7, A-8, A-39, A-48, B-10, and C-10. The roadmap is acceptable for these items.

c. TMI Issues Roadmap (Table 10) - The indicated ITAACs for II.B.8 are correct. However, the issue of equipment survivability is still being evaluated, and we do not have enough information to determine whether changes to the ITAAC are necessary in this area.

4. The following comment pertains to a GE letter of November 3, 1993, discussing cross referencing material for the GE ABWR.

Table 19.8 comments below:

Wetwell compartment volume should indicate 9585 instead of 585
Floor area > 79 m² is verified in ITAAC 2.14.1
Suppression Pool Mass is verified in 2.14.1
ELECTRICAL ENGINEERING (EELB) COMMENTS

GE has provided acceptable draft responses to all EELB inspections, tests, analyses, and acceptance criteria (ITAAC) comments.

I&C TASK GROUP COMMENTS

GE has provided acceptable draft responses to all I&C ITAAC comments.

HUMAN FACTORS (HHFB) TASK GROUP COMMENTS

GE has provided acceptable draft responses to all HHFB ITAAC comments.
STRUCTURAL TASK GROUP COMMENTS

Include the following new statement in the Tier 1 Piping Design Description (Chapter 3.3): "Structures, systems, and components that shall be required to be functional during and following an SSE shall be protected against the effects of spraying, flooding, pressure, and temperature due to postulated pipe breaks and cracks in seismic Category I and NNS piping systems."
PLANT SYSTEMS TASK GROUP COMMENTS

2.10.2 - CONDENSATE AND FEEDWATER

Standard safety analysis report (SSAR) Figure 10.4-7 should reflect instrumentation and its corresponding locations as shown in inspections, tests, analyses, and acceptance criteria (ITAAC) Figure 2.10.2a.

2.10.7 - MAIN TURBINE

The Design Description of ITAAC 2.10.7 should add "IVs" on page 2.10.7-2 for the "Actions for Protective Action."

2.11.13 - HIGH PRESSURE NITROGEN GAS SUPPLY SYSTEM

ITAAC 2.11.13 (HPIN) states that if a low pressure condition is sensed in the safety-related portions of the system, the isolation valves which separate the safety-related and nonsafety-related portions close and the supply valve from the safety-related nitrogen bottles opens. In addition, if a low pressure condition is sensed in the nonsafety-related portion of the system, the isolation valves close. However, neither the SSAR nor the ITAAC state that the supply valves to the nitrogen bottles open in this case (which they should). GE should clarify this in both the SSAR and the ITAAC.

2.11.23 - POTABLE AND SANITARY WATER

Modify SSAR Figure 9.2-9 to include the discharge from the nonradioactive drain system. This connection is downstream of the hypocontact tank in the figure.

2.15.5 - HEATING, VENTILATION, AND AIR CONDITIONING (HVAC) SYSTEMS

1. SSAR Sections 6.4.2.1 and 6.4.2.4 should be revised to state that the positive pressure is maintained with respect to the surrounding spaces.

2. Revise SSAR Sections 6.5.1.1.2 and 6.5.1.3.1 to state that the negative pressurization is maintained relative to the surrounding spaces.

3. Revise SSAR Sections 9.4.1.1.3, 9.4.1.1.4, and 9.4.1.1.6 to state that the positive pressurization is maintained relative to the surrounding spaces.

4. Revise SSAR Section 9.4.1.2.6 to state that tests will be performed at a test facility to verify that the control room habitability (CRHA) HVAC system fire dampers with fusible links close under anticipated air flow conditions.

5. Revise SSAR Section 9.4.1.1.4, stating that the unfiltered inleakage is controlled by the use of "All welded black steel ducts except galvanized steel used for outdoor air intake and exhaust."

6. Reconcile the differences between ITAAC Figures 2.15.5b, 2.15.5c and 2.15.5d and SSAR Section 9.4.1.2.3 and SSAR Figures 9.4-1 Sheets 3, 4, and 5 concerning the descriptions of the areas served.

7. Revise SSAR Section 9.4.1.2.6 to state that the test will be performed at a test facility to verify that the CRHA HVAC system fire dampers with fusible links in HVAC ductwork are capable of closing under anticipated air flow conditions.

8. Revise Design Description in ITAAC Section 2.15.5 the turbine building (T/B) HVAC system to state "T/B lube oil area exhaust system with two fans."

9. Section 9.4.5.1.1.2 should replace the words "outside atmosphere" by the words "surrounding spaces" in relation to the negative pressure of the secondary containment. ITAAC Table 2.15.5 should also be corrected to use the words "surrounding spaces."

10. SSAR Section 9.4.5.1 should state that fire dampers with fusible links in the HVAC ductwork are capable of closing under anticipated air flow conditions (ITAAC items).

11. The system capability to maintain the rooms other than the DG engine rooms below 40 °C identified in the ITAAC should be included in the SSAR section.

12. SSAR should state that the system has fire dampers with fusible links in the HVAC ductwork which are capable of closing under anticipated air flow conditions (ITAAC information).

13. Like the ITAAC, SSAR should identify 2 HVAC systems: technical support center (TSC) HVAC system and controlled area HVAC system. Staff prefers Section 11.5.2.2.4 language, i.e., "controlled area HVAC system." (ITAAC which says that one of the service building HVAC system is service building HVAC system should be corrected.)

14. SSAR Section 9.4.8 should include the following ITAAC information:

a. High radiation mode of operation for the TSC HVAC system.

b. Location of both the HVAC systems (ITAAC should identify the location of the controlled area HVAC system).

c. Supply fan and air cleanup unit (ACU) for the controlled area HVAC system.

d. Toxic gas protection for applicable COL applicants (GE should provide COL license information).

e. Provision of.' recirculation fans for the TSC HVAC system.

15. Both the ITAAC and Section 9.4.8.1.2 should state that the TSC and clean areas are maintained at a positive pressure with respect to surrounding spaces.
LIST OF IMPORTANT SAFETY INSIGHTS

Plant-Wide Insights

1) The COL Applicant is to perform a seismic walkdown following the procedures of EPRI NP-6041 to insure that the as-built plant matches the assumptions in the ABWR PRA-based seismic margins analysis and to assure that spatial systems interactions do not exist. [ITAAC ]

2) The integrity of divisions is a very important assumption in the ABWR PRA. The PRA assumes that no high pressure or high temperature piping lines penetrate walls or floors separating two different safety divisions. Piping penetrations are qualified to the same differential pressure requirements as the walls or floors they penetrate. [ITAAC ]

3) To prevent inadvertent spray or dripping from failing equipment, electric motors are all of drip proof design and motor control centers have NEMA Type 4 enclosures. [Tier 2 SSAR Section ]

4) The fire analysis assures that the routing of piping or cable trays during the detailed design phase will conform with the fire area divisional assignments documented in the fire hazard analysis. [ITAAC ]
5) Subsection 9A.5.5 under "Special Cases - Fire Separation for Divisional Electrical Systems" lists the only areas of the plant where there is equipment from more than one safety division in a fire area. These should be the only areas where multiple divisions share the same fire area. [ITAAC ]

Combustion Turbine Generator

The combustion turbine generator (CTG), in conjunction with the ac-independent water addition (ACIWA) system, have significantly reduced the estimated frequency of core damage from station blackouts (the dominant contributor to core damage in most BWR PRAs). In the ABWR SSAR, GE indicated that each of the emergency diesel generators (EDGs) and the CTG can be used to power any of the loads identified in the PRA success criteria by manually closing selected breakers (note: EDGs cannot power feedwater pumps). Even if offsite power is lost, the four onsite power sources can be used to power any safety or non-safety bus. This provides significant flexibility which helps reduce the risk from station blackout and selected bus power losses. Procedures must be prepared by the COL applicant to direct this manual transfer of an EDG to a non-safety bus. [COL Action Item ]

An important assumption about the CTG is that no plant support systems are needed to start or run the CTG. The CTG starts automatically and safety grade loads are to be added manually. [ITAAC ]

AC-Independent Water Addition System

This system is one of the single most important systems in the ABWR from the point of view of prevention and mitigation of severe accidents, since the accidents that have traditionally been identified in BWR PRAs as being the most challenging are station blackout and transients with failure of various ECCS or cooling systems. This system also provides benefits for fires, internal floods, shutdown events, seismic events, and events where containment cooling is lost. It can provide water (as vessel makeup or drywell spray) from a seismic category I diesel-driven pump or a fire truck. The use of the system as a backup source of water to the drywell sprays is perhaps the single-most important feature for reducing the consequences of severe accidents in the ABWR. In this role the system serves to: (1) reduce containment overpressure and delay the time to actuation of COPS, (2) eliminate the potential for drywell overtemperature failure in those events in which debris may be dispersed to the upper drywell, and (3) mitigate the consequences of suppression pool bypass by condensing steam produced in the drywell.

The following are important aspects of the system, as represented in the PRA:

1. a fire protection pump -- seismic category I, diesel-driven pump (i.e., ac-independent) [ITAAC ]

2. connection provided outside of reactor building, which allows a fire truck to be used as a backup to the fire protection pumps [ITAAC 2.4.1]

3. system piping and valves configured to allow fire protection water to be used for either vessel makeup or drywell spray, but not both simultaneously [ITAAC 2.4.1]

4. all valves and controls needed for system operation can be accessed and manually operated in a straight-forward manner and can be operated successfully (including the environment the operator will be in) following an earthquake, internal flood, fire, or internal event [ITAAC ]

5. check valves provided to prevent backflow from the reactor coolant system [ITAAC ]

6. orifices installed in the associated piping to restrict the injection rates to the vessel and drywell sprays [ ]

7. water supply independent of the suppression pool and the condensate storage tank [ITAAC 2.15.6]

RCIC is ac-independent and provides reliable high pressure injection. This makes RCIC particularly important in preventing station blackout from leading to core damage. In addition RCIC is very important for mitigation of control room fires or other emergencies that require the evacuation of the control room. The following capabilities are important for RCIC:

1. RCIC needs to be able to operate for 8 hours following a station blackout (using steam and dc power) and the batteries at the end of 8 hours need to have sufficient power in them to allow for RCS depressurization by the ADS. RCIC pump and turbine are assumed in the PRA to be able to operate for at least eight hours without room coolers. [COL Action Item ]

2. For control room fires, the capability for local operation of RCIC outside the control room is very important. [ITAAC (capability to perform)] [COL Action Item (existence of procedures)]
3. Sensitivity studies that increased SSC unavailabilities showed that an increase in RCIC unavailability would cause the greatest increase in estimated core damage frequency of any SSC. RCIC also was found to be the most sensitive system to increased outage time assumptions. [COL Action Item to be included in RAP]

4. The suppression pool temperature up to which RCIC can operate is important for Class II sequences. The ABWR PRA assumes that RCIC can operate up to a suppression pool temperature of 76.7 °C (170 °F). [ITAAC ]

Reactor Building Cooling Water (RCW)/Reactor Service Water (RSW)

The RCW and RSW systems are each designed with two parallel loops in each division. Each loop is capable of removing all component heat loads associated with the operation of the ECCS pumps. The parallel loops within each division substantially reduce the estimated core damage frequency. [ITAAC ]

Automatic Standby Liquid Control System (SLCS) and Recirculation Pump Trip

The ABWR has a reliable and diverse scram system with both hydraulic and electric run-in capabilities to reduce the probability of an ATWS. SLCS and recirculation pump trip provide backup reactor shutdown capability. Automatic initiation of SLCS avoids the potential for operator error associated with manual SLCS initiation. [ITAAC ]
RIP Design and Maintenance

Every shutdown, a selected number of RIPs must be maintained. Maintenance on the secondary RIP seals requires removal of the motor, impeller and shaft, and the temporary bottom cover. The plug on the impeller shaft nozzle is the only protection against a major leak. If the operator were to remove the plug when the bottom cover was removed, the RPV would drain and recovery is improbable. GE has proposed that a new design of the plug be identified that will not allow plug removal with the bottom cover off. A design that solves this problem already exists overseas. [ITAAC or Interface Item]
Reactor Building

A flood in the reactor building could fail ECCS equipment and other important equipment. The following are assumptions in the ABWR internal flooding analysis that limit the chances and increase the mitigation capabilities of the ABWR design:

1. The volume of the reactor building corridor on level B3F that surrounds the three ECCS divisions is sufficiently large to handle the biggest break that can occur (water from the suppression pool). [ITAAC ]

2. Suppression pool flooding in an ECCS room will reach equilibrium level below the ceiling of the ECCS room in which the flood occurred. [ITAAC ]

3. Floor drains direct potential flood waters to rooms where sumps and sump pumps are located. The drain system is sized to withstand the maximum flood rate from a break in the fire water system. Sizing of the drain system is to include provisions for plugging of some drains by debris. [ITAAC ]

4. Non-divisional drains will drain to the non-divisional sumps on appropriate floors. [ITAAC ]

5. Floor B1F of the reactor building has overfill lines on the non-divisional sumps outside secondary containment. If the sump pumps fail or the flow rate exceeds the sump pump capacity, the lines will direct water to the non-divisional corridor of the first floor (B3F) inside secondary containment. [ITAAC ]

6. A water seal in the overfill line is provided to maintain secondary containment integrity. [ITAAC ]

7. The ABWR PRA flooding analysis assumes that on the B3F level, all wall and ceiling penetrations are above the maximum water level of all potential floods. Doors communicating from the ECCS pump rooms to the corridor on the B3F level are water tight doors. [ITAAC ]

8. If a flood were to occur during shutdown, some of the ECCS rooms may be open for maintenance. ABWR procedures specify that one safety division will be maintained intact at all times during shutdown. [COL Action Item 19.9.11(10)]

Similarly, a fire in the reactor building could damage important equipment. The smoke control system in secondary containment is important in helping to prevent the migration of smoke and hot gas layers from a faulted division to another. This is accomplished by pressurizing the surrounding areas so that the smoke will be contained. This capability and its adequacy should be confirmed. [ITAAC ]

Control Building

Flooding in the control room can lead to core damage. The following design features are important in preventing flooding in the control building:

1. The ABWR internal flooding analysis assumes that flooding of the control building from the UHS cannot be maintained by gravity alone. To limit the consequences of a RSW line break, the RSW system will be designed so that the UHS cannot drain into the Control Building by gravity. [Interface Requirement ]

2. To limit the consequences of a RSW line break, there is a maximum of 4000 meters of pipe (2000 each for supply and return) between the UHS and the RCW/RSW room, which can be discharged to the RCW/RSW room following RSW pump trip. [Interface Requirement ]

3. Floor drains direct potential flood waters to rooms where sumps and sump pumps are located. The drain system is sized to withstand the maximum flood rate from a break in the fire water system. Sizing of the drain system is to include provisions for plugging of some drains by debris. [Interface Requirement ]

Service Water Pump House

Previous PRAs and reliability studies have shown that loss of service water can be an important contributor to core damage. The service water pump house, which is outside the ABWR certification scope, is a building that must be designed to remove the following concerns:

1. Prevent fires or internal floods from impairing multiple safety trains. [ITAAC ]

2. Prevent common cause failures such as intake blockage from debris from affecting multiple trains. [ITAAC 2.11.9]

Circulating Water System

Flooding from the circulating water system (an unlimited water supply) can lead to flooding of other buildings that do contain safety related equipment. The following design features help reduce the chances that a circulating water system break will cause core damage:

1. The circulating water system (CWS) has three pumps and each pump has an associated motor operated isolation valve. To limit the consequences of a circulating water system break in the Turbine Building, for cases where the heat sink is at an elevation higher than grade level of the turbine building, an additional isolation valve is installed in each line. [ITAAC ]
2. Internal floods are prevented/mitigated in part by automatic actions and operator actions. To prevent flooding of areas surrounding the condenser pit, there are to be water level sensors (two-out-of-four logic) to alarm to the control room if the water level gets too high in the pit and trip the circulating water and turbine service water pumps and close isolation valves in both systems. [ITAAC ]

Turbine Service Water System

Flooding from the turbine service water system (an unlimited water supply) can lead to flooding of other buildings that do contain safety related equipment. The following design features help reduce the chances that a turbine service water system break will cause core damage:

1. The turbine service water system (TSW) has two pumps and each pump has an associated motor operated isolation valve. To limit the consequences of a turbine service water system break in the Turbine Building, for cases where the heat sink is at an elevation higher than grade level of the turbine building, an additional isolation valve is installed in each line. [ITAAC ]

2. Internal floods are prevented/mitigated in part by automatic actions and operator actions. To prevent flooding of areas surrounding the condenser pit, there are to be water level sensors (two-out-of-four logic) to alarm to the control room if the water level gets too high in the pit and trip the turbine service water and circulating water pumps and close isolation valves in both systems. [ITAAC ]

Reactor Service Water System

Flooding from the Reactor Service Water (RSW) system (an unlimited water supply) can lead to core damage. The following design features help reduce the chances that a RSW system break will cause core damage:

1. A break in the RSW system can cause a flood in the Control Building that could lead to core damage. For this reason, an anti-siphon capability is installed in the RSW lines to prevent uncontrolled flooding of the Control Building should the RSW isolation valves fail to close on a RSW pipe break. [ITAAC ]

2. Water level sensors will be installed in the reactor building cooling water (RCW)/reactor service water (RSW) rooms in the control building. These sensors are used to alert the operators to flooding in the rooms and send signals to trip RSW pumps and close isolation valves in the affected system. The high and low level sensors are diverse from one another and each set is arranged in a two-out-of-four logic. [ITAAC 2.11.9]

Reactor Water Cleanup System

The Reactor Water Cleanup (CUW) System provides some benefit in the ABWR PRA by removing decay heat at high pressure. It would only be used in this mode if the containment cooling mode of the RHR system was disabled. [Tier 2, SSAR Section ]

The isolation valves in the RWCU system must be capable of isolating against a differential pressure equal to the operating pressure of the reactor coolant system in the event that there is a LOCA in the RWCU. [ITAAC ] The reliability of these isolation valves should match the reliability assumed in the ABWR PRA. [COL Action Item to include in RAP]

Temperature sensitive equipment in the reactor water cleanup system should be able to remain functional or should be isolated when the CUW system is used as a decay heat removal path at high temperatures. Temperature sensitive equipment such as the resin beds is to be isolated automatically on high water temperature or manually by operator action. The entire CUW system is not to isolate on high temperature of the incoming water. [COL Action Item ]

Ultimate Heat Sink

The ABWR PRA assumed that the service water system and the ultimate heat sink would work well in tandem to deliver adequate cooling to needed equipment. There was no detailed examination of these systems in the PRA since they are not in the Certification scope. The ultimate heat sink and the Service Water Pump House should be designed in such a manner so that common cause failure of service water is extremely low. A site-specific PRA must be developed by the COL applicant to show that there are no vulnerabilities (e.g., due to debris clogging of the intake, internal or external fires, external or internal floods) in the ultimate heat sink and the Service Water Pump House. [Interface Item] [COL Action Item ]

Remote Shutdown Panel

1) The ABWR PRA fire analysis found that use of the remote shutdown panel is very important in mitigating fires in the control room. The design of the remote shutdown panel was enhanced by GE adding controls for a fourth SRV (three needed to depressurize, plus one for a single failure). [ITAAC ]

2) The ABWR decay heat removal reliability study found that operator actions making use of the remote shutdown panel were important during modes 3, 4, and 5. [COL Action Item (procedures)]

Residual Heat Removal System

The Residual Heat Removal (RHR) system is very important for the removal of decay heat during normal shutdown and in its ECCS function as low pressure core flooder. The following design features and assumptions are important for assuring the RHR system is capable of removing decay heat in various modes and for various accident and transients:

1. An important failure mode for beyond design bases earthquakes is the failure of the RHR heat exchanger in such a manner as to drain the suppression pool. In the ABWR PRA-based seismic margins analysis, the RHR heat exchanger is assumed to have a HCLPF of 0.7. [COL Action item to be added to DRAP to check seismic capacity of equipment]

2. In modes 3, 4, and 5, the permissives and inhibits associated with the RHR Mode switch ensure that valve line ups are correct for most RHR functions, thereby helping to prevent inadvertent diversion of water from the RPV. [ITAAC ]

3. The ABWR PRA and the DHR reliability study have shown that it is important for the RHR not to fail as an intersystem LOCA. The RHR system has the capability to withstand normal reactor system pressures without the piping reaching its ultimate capacity. The DHR reliability study indicated that RHR valve interlocks are important in preventing low pressure RHR piping from being inadvertently connected to systems at high pressure. [ITAAC ]

4. The ABWR DHR reliability study determined a number of configurations of equipment for modes 3, 4, and 5 such that the estimated core damage frequency from decay heat removal failure conservatively was less than 1 in a million per year. An important assumption in this study was that the three RHR trains would be configured as follows during modes 3, 4, and 5: One loop would be isolated, in standby, and operable with no equipment in maintenance; a second loop would be the operating decay heat removal loop; the third loop would be in maintenance. [COL Action Item ]

5. Shutdown cooling piping connects to a nozzle in the RPV at an elevation that is above the top of the active fuel. This reduces the chances of uncovering the core by vessel drain down. [ITAAC ]

High Pressure Core Flood System

(1) HPCF pump B can be operated independently of the essential multiplexing system. This feature is an important factor in reducing the chances of the plant going to core damage since this design should reduce the chance of a common cause failure disabling all ECCS pumps. [ITAAC ]

(2) The HPCF pumps will be able to pump water as hot as 171 °C (340 °F). [ITAAC ]

Three ECCS Trains

The barrier between each of the three safety divisions in the ABWR is at a minimum a 3 hour fire barrier that also resists internal flood pressures. This design assumption significantly reduces the chance of an internal flood or fire propagating and causing core damage. [ITAAC ]

Piping Upgrades to Prevent ISLOCA

In SECY 93-087 it was recommended that ALWR designers reduce the possibility of a loss of coolant accident outside of containment by confirming that all systems (to the extent practical) and subsystems connected to the reactor coolant system (RCS) can withstand full RCS pressure. Intersystem LOCAs are a concern because many releases associated with them are not contained, held up, or scrubbed, but rather are released directly to the environment. GE has assured that the interfacing systems to the RCS can withstand full RCS pressure. [ITAAC ]

Lack of Recirculation Piping

There are no large pipes (i.e., > 2 inches in diameter) that penetrate the ABWR vessel below the level of the core. This has virtually eliminated LOCAs as a severe accident concern for the ABWR. [Tier 2, SSAR Section ]

Electrically Driven Control Rod Insertion

In many BWR PRAs, ATWS is a significant contributor to core damage frequency and risk. The diversity (electrically driven) of the fine motion control rod system is important in lowering the estimated core damage frequency for ATWS events for the ABWR. [ITAAC ]

Electrical Wiring Penetrations

Wiring penetrations between divisions should be rated as three hour fire barriers and should be capable of preventing water/oil from an internal flood from migrating to another division. [ITAAC ]

DC Power Supply

The ABWR PRA expects that loss of all dc power will lead to core damage. In the ABWR design, seismically induced failure of dc power cable trays or the batteries themselves will prevent the emergency diesel generators from starting and loading. Dc power cable trays and the emergency batteries are the only non-building SSCs that could, by themselves, decrease the HCLPF of any accident sequence below 0.5. This would occur if the HCLPF of the dc power cable trays or the batteries were to fall below 0.5g. The dc cable trays and power supplies should be well anchored and carefully designed to handle a design bases 0.3g earthquake. The ABWR PRA-based seismic margins analysis assumed that the HCLPF of the dc cable trays was 0.7g and the HCLPF of the dc power system (batteries and rectifier) is 1.1g [COL Action Item ].

The emergency batteries provide an important backup to the inverters for providing DC power. For this to be assured, the seismic failure modes of the inverters and their AC supply must not allow an electrical fault to be propagated to the DC busses. The reverse case is also true (the inverters provide backup should the batteries fail). For this to be assured, the seismic failure modes of the batteries must not allow an electrical fault to be propagated to the DC busses. [ITAAC ]

Safety System Logic and Control

There are four divisions of self-tested safety system logic and control (SSLC) instrumentation (two-out-of-four logic). The ABWR PRA assumes that this will be a highly reliable configuration to actuate ESF core cooling and heat removal system as well as actuating the CRD scram system for defense against ATWS events. Assumptions about SSLC reliability and redundancy in the PRA substantially reduce the estimated core damage frequency. [COL Action item to be added to DRAP] Off-line testing for faults not detected by the continuous self-test feature was judged to be important in the PRA analysis [COL Action item to be included in RAP].

Fire Truck

The ACIWA makes use of a fire truck connection to provide water if the motor and diesel-driven pumps are unavailable. The PRA assumes the reliability of the fire truck is 0.99. [COL Action item to include fire truck reliability in DRAP]

Reactor Pressure Vessel Isolation on Low Water Level

The ABWR shutdown reliability study indicated that the isolation of lines connected to the RPV on a low water level signal in modes 3, 4, and 5 prevents uncovering of the fuel for many potential RPV drain down events. [ITAAC ]

Operator Check That Watertight Doors Are Dogged

The internal flooding analysis assumes that all watertight doors are closed and dogged to prevent floods from propagating from one area to another. The watertight doors are alarmed to alert the control room operator that a watertight door is open, but will not alarm to indicate that a door is not dogged. To guard against a door being left undogged, operators should check the doors every shift to assure that they are closed and dogged. [COL Action Item ]

Suppression Pool Bypass

The suppression pool is an important containment feature for severe accident progression and fission product removal, since releases from the reactor vessel are either directly routed to the pool (e.g., transients with actuation of ADS) or pass through the pool via the drywell-wetwell connecting vents. However, the suppression pool function can be compromised in the ABWR design in the following ways:

- a single failure of a wetwell/drywell vacuum breaker (i.e., a stuck open vacuum breaker), or by excessive leakage of one or more vacuum breakers
- unisolated main steam line breaks
- rupture of the SRV discharge line(s) in the wetwell air space
- inadvertent opening and failure to close sample lines, drywell purge lines, and containment inerting lines
- unisolated LOCAs in the reactor water cleanup and RCIC systems

The following are important to assuring a low risk from wetwell/drywell vacuum breaker bypass, as modelled in the PRA and are to be included in DRAP:

1. a low probability of vacuum breaker leakage (PRA assumes a leakage probability of 0.18 per demand on system)

2. a low probability that the vacuum breakers fail to close (PRA assumes a failure to close probability of about 0.0005 per demand per valve)

3. a high availability of drywell or wetwell sprays (and ACIWA as a backup) to condense steam which bypasses the suppression pool.

4. a position indication switch on each vacuum breaker valve that will indicate the valve to be open should the gap between the disk and seating surface exceed 0.9 cm. (A gap less than 0.9 cm is necessary to assure credit for aerosol plugging taken in the GE analysis.) [ITAAC ]

5. placement and shielding of the vacuum breakers such that pool swell associated with COPS actuation will not impact operation of the valves. [ITAAC ]

In addition, it is important to assure that the vacuum breakers are closed. To achieve this control room alarms will be installed to indicate if all the vacuum breakers are closed. (This reduces the potential for suppression pool bypass by assuring that the plant is not operated with a stuck open vacuum breaker, and that pre-existing leakage paths will be limited to small flow areas.) [ITAAC ]

The following are important to assuring a low risk from unisolated main steam line breaks:

1. two air-operated, spring close, failed closed isolation valves in each line [ITAAC ].

2. automatic MSIV actuation by redundant solenoids through two-out-of-four logic [ITAAC ]

The following are important to assuring a low risk from rupture of the SRV discharge lines, particularly in seismic events:

1. discharge lines are designed and fabricated to Quality Group C requirements [ITAAC ].

2. welds in the airspace region of the wetwell are non-destructively examined to the requirements of ASME Section III, Class 2 [ITAAC ]

3. discharge lines are capable of accommodating seismic events at an acceleration level of 0.6g with a high confidence that there is a low probability of failure (HCLPF) [COL Action item to add to DRAP].

The following is important to assuring a low risk from suppression pool bypass via the sample, drywell purge, and containment inerting lines:

1. lines will be sealed closed during power operation, and under administrative control [COL Action Item ]

The following are important to assuring low risk from LOCAs outside containment:

1. redundant and seismically-qualified CUW system isolation valves, qualified to close under postulated break conditions [ITAAC ]

2. blowout panels in the RCIC and RWCU divisional areas which prevent overpressurization and impacts on equipment in adjacent areas and other divisions [ITAAC ]

3. reliable seating of redundant feedwater, SLC, and ECCS discharge check valves [ITAAC ] [COL Action item to add to DRAP]

Lower Drywell Design

The design of the ABWR lower drywell/reactor cavity is such that there is a low probability that the cavity will be flooded at the time of reactor vessel failure, but a high probability that the cavity will be flooded subsequent to vessel failure. A dry cavity at the time of vessel failure reduces the potential for large ex-vessel steam explosions, whereas the subsequent flooding of the cavity helps minimize the impact of core concrete interactions.

The following ABWR design features are important to assuring a dry cavity at the time of vessel failure:

1. lack of any direct pathways by which water from the upper drywell (e.g., from drywell sprays) can drain to the lower drywell, other than by overflow of the suppression pool, [ITAAC ]

2. negligible probability of premature or spurious actuation of the passive flooder valves at temperature less than 500 °F or under differential pressures associated with reactor blowdown and pool hydrodynamic loads [ITAAC on flooder configuration] [COL Action Item to be added to RAP], and

3. a capability to accommodate approximately 2.0 E+6 kg of water in the suppression pool before the pool overflows into the lower drywell. [configuration ITAAC ].

The following features are important to assuring reactor pedestal and containment integrity for beyond 24 hours following reactor vessel failure, and to rendering CCI-induced containment failure a relatively insignificant contributor to risk. [configuration ITAAC ]

4. a 1.7m thick reactor pedestal capable of withstanding approximately 1.55m of erosion from CCI without loss of structural integrity [ITAAC ],

5. the use of basaltic concrete in the floor of the lower drywell, which minimizes the production of non-condensible gases [ITAAC ],

6. a sump shield to prevent core debris from entering the lower drywell sump [ITAAC ], and

7. the lower drywell flooder system [ITAAC ]

Note: The lower drywell flooder system in the ABWR provides a passive means of adding water to the lower drywell following reactor vessel breach. This water would cover the core debris, thereby enhancing debris coolability, cooling the drywell, and providing fission product scrubbing. The passive flooder system is a backup to other means of lower drywell water addition in the ABWR, including: (1) continued water addition through the breached reactor vessel and (2) suppression pool overflow as a result of water addition from water sources outside containment. PRA-based sensitivity studies indicate that the incremental risk reduction offered by the passive flooder system is minimal. This is because of credit taken in the ABWR for continued water addition using the ACIWA mode of RHR.

Containment Ultimate Pressure Capacity

The ultimate pressure capacity of the ABWR containment is limited by the drywell head, whose failure mode is plastic yield of the torispherical dome. Subsequent to the original SSAR submittal, GE increased the ultimate pressure capability of the drywell head from 100 psig to 134 psig, and increased the COPS setpoint from the original value of 80 psig to the final value of 90 psig. The strengthening of the drywell head increases the ability of the containment to withstand rapid pressurization events, such as direct containment heating, without loss of structural integrity, and provides additional margin between the COPS setpoint and the drywell failure pressure, thereby reducing the potential for drywell failure prior to COPS actuation. The drywell head is the limiting component in the containment pressure boundary during slow overpressure events. [Tier 2, SSAR Section ]

Containment Overpressure Protection System

COPS is part of the atmospheric control system in the ABWR, and consists of a pair of rupture disks installed in a 10-inch diameter line which connects the wetwell airspace to the stack. COPS provides for a scrubbed release path in the event that containment pressure cannot be maintained below the structural limit of the containment. Without this system, late containment overpressure failures would be expected to occur in the drywell, resulting in unscrubbed releases. COPS provides a significant benefit by reducing the source terms for late releases, and minimizing the potential for containment-failure-induced loss of core cooling (e.g., in Class II sequences). The following are important features of the system, as modelled in the PRA:

1. rupture disk actuation at 90 psig +/- 5% [Tier 2, SSAR Section ]

2. piping (and disk) designed to flow steam at a rate equivalent to 2% reactor power, and accommodate peak pressure loads associated with system actuation [ITAAC ]

3. no normally-closed or automatic isolation valves in vent path [Tier 2, SSAR Section ]

4. two normally-open, fail-open isolation valves in the vent path, manually operated from the control room, with key-lock switches [Tier 2, SSAR Section ]

5. capability of related isolation valves to close against full vent pressure [Tier 2, SSAR Section ].

Containment Inerting System

Because the ABWR containment will be inerted during power operation [ITAAC ], hydrogen combustion is not considered to be an important containment challenge, and was not modelled in the PRA. To assure the validity of this treatment, strict controls must be placed on the period of time that the reactor can be operated with the containment de-inerted [Technical Specifications ].

Direct Containment Heating (DCH)

DCH is the only severe accident phenomenon that represents a significant challenge to containment integrity (5% probability of containment failure given reactor vessel failure at high pressure). The impact of DCH is "controlled" in ABWR by reducing the frequency of high pressure reactor vessel failure using ADS (30% of vessel failures). The following aspects of ADS should be assured by ITAAC and RAP:

1. reliability/availability consistent with Level 1 PRA assumptions (DRAP),

2. no dependency on ac-power [ITAAC ]

3. availability of sufficient DC power to actuate ADS in a long term station blackout (following loss of RCIC due to battery depletion) [Tier 2, SSAR Section ] [COL Action to add to DRAP]

There are no specific ABWR containment design features to deal with DCH loads other than the general arrangement of the drywell and wetwell, and connecting vents, which provide for a series of 90-degree bends that debris must traverse in order to reach the upper drywell. [configuration ITAAC ]

Important Human Actions

Human actions with high risk impact for the ABWR were identified based on the PRA and supporting analyses. Section 19D.7 of the SSAR includes a listing of these actions, classified into three categories corresponding to the COL-actions necessary to assure the validity of the PRA treatment of the action: (1) critical tasks, (2) maintenance items, and (3) COL procedures and planning.

1. The items identified as "critical tasks" in 19D.7, as well as actions to recover emergency diesels, have the greatest impact on core damage frequency and risk for the ABWR. Accordingly:

- these actions are to be addressed by the COL-applicant as part of the detailed design of human-system interfaces
- the following will be provided for each action:
  1. clear unambiguous indication of conditions requiring the action
  2. the operator must have the capability to perform the action in a straight forward manner
  3. the operator must have clear written operating procedures regarding the actions to be taken
  4. the operator must have thorough training in the conditions requiring the action.

[COL Action Item ]

2. The probability of miscalibrating single and multiple sensors was assigned very low values on the basis that the COL-applicant would incorporate a special procedure governing calibration activities. At a minimum, the COL-applicant's maintenance procedures for sensor calibration should require that whenever a sensor is found to be out-of-tolerance, before the sensor is recalibrated, the calibration instrument is first checked or an alternate instrument is used to confirm the condition. [COL Action item RAP]

3. For items identified as "COL Procedures and Planning" items, the COL-applicant is to develop procedures to assure that these actions can be effectively implemented. [COL Action Item ]

Importance/Uncertainty Analyses

Examination of the top ten events contributing to uncertainties in the estimate of the ABWR core damage frequency (CDF) revealed that nine of these events were identified by importance analyses as leading contributors to CDF. The highest contributor to uncertainties in the CDF as well as the CDF estimate was RCIC test and maintenance. The remaining top contributors to uncertainties (and CDF) are listed in SSAR Table 19D.10-5. [COL Action Item ]

STRUCTURAL TASK GROUP COMMENTS

Validation of Plant High Confidence Low Probability of Failure (HCLPF)

As part of the inspections, tests, analyses, and acceptance criteria (ITAAC) process, the combined license (COL) applicant will be required to verify that key assumptions for systems, structures, and components (SSCs) considered in the seismic margins assessment (SMA) are valid under the as-built plant conditions. This verification process consists of steps as described below, and is modeled after the EPRI and NRC SMA process. The analysis consists of five steps.

Step 1 - Preparation for Plant Walkdown
Step 2 - Plant Logic Model Validation Walkdown
Step 3 - Assessment of As-Built SSC HCLPF Values
Step 4 - SSC HCLPF Validation Plant Walkdown
Step 5 - Plant Damage State and Plant Level HCLPF Verification

Those steps are discussed in detail in the remainder of this section.

Step 1 - Preparation for Plant Walkdown: The SMA presented in Section ??? of this SSAR contains seismic logic models for the plant. These models include all of the seismic-induced failures that were considered necessary to be evaluated as part of the SMA. These failures, and the associated HCLPF values are listed in Table ??? (SSAR Table ). The validation review must consider, as a minimum, all of the failures shown in this table. In preparing for the plant walkdown, all appropriate information regarding these failures should be gathered. These would include, but not necessarily be limited to:

- piping & instrumentation drawings,
- electrical one-line diagrams,
- plant arrangement drawings,
- detailed design drawings,
- procurement specifications,
- construction drawings (especially those concentrating on seismic detailing and load paths),
- quality assurance records,
- seismic analysis used for defining floor response spectra,
- floor spectra used as required response spectra by vendors,
- engineering analyses of seismic performance (especially for representative seismic anchorages), and
- equipment qualification data/material test data.

Step 2 - Plant Logic Model Validation Walkdown: The walkdown will concentrate on the identification of potential systems interactions that could impact the performance of the front-line and support SSCs included in the models. Certainly, the original model included the most significant systems interactions (e.g., collapse of major buildings). However, it is necessary to assure that no other interactions exist in the as-built plant that were not
included in the model. The walkdown should include a thorough examination of the SSCs included in the SMA, including piping runs, cable trays, etc. During the walkdown process, the team should identify the presence of any SSCs whose failure could impact the performance of the SSCs in the SMA. These could include such things as:

- non-load bearing walls adjacent to SMA SSCs
- non-safety components above or adjacent to SMA SSCs
- hard surfaces within deflection range of SMA SSCs
- flooding/deluge sources in the vicinity of SMA SSCs

All such potential interactions should be identified, along with the failure mode that could impact the performance of the SMA SSCs. These are new failure modes based on as-built plant conditions.

This must be done for 100 percent of the SSCs included in the event and fault tree models. Limiting this process to only one or two potential success paths (as done in the EPRI SMA) is not acceptable for the PRA-based margins approach required for the ABWR design certification. These new failure modes should be added as basic events on the SMA fault/event trees as appropriate and be added to the list of SMA SSCs. In addition, the design information specified in Step 1 should be assembled for these new failures. Note that all future reference to SMA SSCs is intended to refer to the expanded list, including the newly added system interactions.

Step 3 - Assessment of As-Built SSC HCLPF Values: Each SMA SSC was analyzed by either the CDFM or FA approach in the SSAR to determine the actual HCLPF value. For each SMA SSC, a compilation of the design characteristics that control the HCLPF value should be prepared. These design characteristics can be one of two things: either they directly contribute to the dominant failure mode(s) or to failure modes that are close to being dominant.

The dominant failure mode(s) is defined as the failure mode(s), from the list of all potential failure modes that will cause the SSC to be unable to perform its safety function, whose HCLPF value is the lowest (or equal to the lowest). Thus, the reduction of the HCLPF value of this failure mode would result in a corresponding reduction in the HCLPF of the SSC. This being the case, the design characteristics that would be compiled would include all of the specific design conditions that directly contribute to the dominant SSC failure mode(s). Another way to express this is that any change in any one of these design conditions that results in a reduction in seismic capacity will directly cause a reduction in the SSC HCLPF value.

In addition, they would also include all such conditions that directly contribute to SSC failure mode(s), if any, that could become the dominant failure mode if it were to have a "somewhat" lower HCLPF value. For the purpose of this review, we will define "somewhat" as about a 10 percent to 20 percent HCLPF reduction. Thus, these failure modes are those whose calculated HCLPF value is only on the order of 10 percent to 20 percent higher than the dominant failure mode.

The characteristics that would be identified could include such things as:

- size, type and number of anchor bolts,
- size, type and orientation of support members,
- distance between rigid pipe supports (allowance for differential motion),
- distance between components.

The specification of these characteristics should be quite definitive (i.e., numerical where possible).

Step 4 - SSC HCLPF Validation Plant Walkdown: Final validation that the as-built plant has the design characteristics required to meet the calculated HCLPF values is required. This should take the form of a final plant walkdown of the SMA SSCs. As a product of Step 3, a compilation of key design characteristics (those that control or could control the HCLPF value of the SMA SSCs) was prepared. The plant walkdown is intended to verify that these design characteristics exist in the plant. Each SSC should be inspected and the as-built condition compared with the key design characteristics.

It is not required to perform a detailed walkdown inspection of 100 percent of the SSCs, a 100-percent "walk by" is sufficient. The "walk by" is intended to assure that there is a reasonable basis for the assumption that the HCLPF of broad classes of SSC are essentially the same (i.e., that the SSCs are of similar design and manufacture and are similarly anchored). For each group of SSCs for which this condition of similarity can reasonably be established by the "walk by" it will then be necessary to select one representative SSC from each group to be subjected to a more rigorous inspection. This inspection will be conducted in such a manner as to demonstrate that the representative SSC is in full conformance with the assumed design characteristics compiled in Step 4.

It is understood that it will not always be possible to visually determine the existence of all the key characteristics, since some of them may be embedded within walls or in other inaccessible places. In such cases, it will be acceptable to use the construction QA records as adequate demonstration that the as-built SSC has the design characteristics required. In all cases, the result of the validation should be fully documented.

Step 5 - Plant Damage State and Plant Level HCLPF Calculations: The final step in the process is to determine HCLPF values for each event sequence, each plant damage state and for the overall plant. This should be done using the min-max approach and reported in the same form as in the SMA in this SSAR.}}
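
The Step 3 screening and the Step 5 roll-up can be worked through as follows. This is an added illustration, not part of the staff's letter or the SSAR. It assumes the usual min-max convention (an OR of failures takes the lowest HCLPF, an AND takes the highest). The sequences, damage states, failure modes and the pump value are constructed; only the 0.7g cable tray, 1.1g battery and 0.7 RHR heat exchanger values come from the letter.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    hclpf_g: float  # HCLPF capacity of this failure mode, in g


def controlling_modes(modes, margin=0.20):
    """Step 3: return (SSC HCLPF, dominant mode names, near-dominant names).

    The SSC HCLPF is the lowest failure-mode HCLPF. Near-dominant modes lie
    no more than `margin` above it (the letter uses about 10 to 20 percent).
    """
    lowest = min(m.hclpf_g for m in modes)
    dominant = [m.name for m in modes if m.hclpf_g == lowest]
    near = [m.name for m in modes
            if lowest < m.hclpf_g <= lowest * (1.0 + margin)]
    return lowest, dominant, near


def hclpf(node, ssc):
    """Min-max evaluation of a logic tree.

    A node is an SSC name, or a tuple (gate, children) with gate "OR"
    (any child failing is enough: weakest link governs, take the minimum)
    or "AND" (all children must fail: strongest governs, take the maximum).
    """
    if isinstance(node, str):
        return ssc[node]
    gate, children = node
    values = [hclpf(child, ssc) for child in children]
    if not values:
        raise ValueError("gate with no inputs")
    if gate == "OR":
        return min(values)
    if gate == "AND":
        return max(values)
    raise ValueError(f"unknown gate {gate!r}")


def rollup(sequences, damage_states, ssc):
    """Step 5: HCLPF per event sequence, per plant damage state, and plant."""
    per_sequence = {name: hclpf(tree, ssc) for name, tree in sequences.items()}
    per_state = {state: min(per_sequence[name] for name in names)
                 for state, names in damage_states.items()}
    return per_sequence, per_state, min(per_state.values())


# Constructed failure modes for the dc cable trays. Only the resulting
# 0.7g SSC value is the one assumed in the seismic margins analysis.
TRAY_MODES_DESIGN = [
    FailureMode("anchorage", 0.70),
    FailureMode("support member", 0.80),
    FailureMode("tray-to-tray impact", 1.30),
]
# Constructed walkdown finding: weaker anchorage than the design assumed.
TRAY_MODES_AS_BUILT = [
    FailureMode("anchorage", 0.45),
    FailureMode("support member", 0.80),
    FailureMode("tray-to-tray impact", 1.30),
]


def ssc_table(tray_modes):
    """SSC HCLPF table; the tray value is derived from its failure modes."""
    return {
        "dc_cable_trays": controlling_modes(tray_modes)[0],
        "dc_batteries": 1.1,         # from the letter
        "rhr_heat_exchanger": 0.7,   # from the letter
        "hypothetical_pump": 0.9,    # constructed
    }


# Constructed logic, not the SSAR model. Loss of all dc power is treated as
# leading to core damage on its own, as the letter states.
SEQUENCES = {
    "loss_of_dc": ("OR", ["dc_cable_trays", "dc_batteries"]),
    "loss_of_heat_removal": ("AND", ["rhr_heat_exchanger",
                                     "hypothetical_pump"]),
}
DAMAGE_STATES = {"PDS-1": ["loss_of_dc"], "PDS-2": ["loss_of_heat_removal"]}


if __name__ == "__main__":
    for label, modes in (("design", TRAY_MODES_DESIGN),
                         ("as-built", TRAY_MODES_AS_BUILT)):
        value, dominant, near = controlling_modes(modes)
        seqs, states, plant = rollup(SEQUENCES, DAMAGE_STATES,
                                     ssc_table(modes))
        print(f"{label}: trays {value}g, dominant {dominant}, near {near}")
        print(f"  sequences {seqs}, states {states}, plant {plant}g")
```

With the constructed as-built anchorage value, the cable trays alone pull the plant-level result below 0.5g, which is the situation the DC Power Supply comment warns about.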