ML20076E305
| ML20076E305 | |
| Person / Time | |
|---|---|
| Issue date: | 05/31/1983 |
| From: | Edison G Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| NUREG-0999, NUREG-999, NUDOCS 8306010018 | |
NUREG-0999
Sizewell B - Analysis of British Application of U.S. PWR Technology
U.S. Nuclear Regulatory Commission
Office of Nuclear Reactor Regulation
G. E. Edison, Project Manager
NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:
1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The NRC/GPO Sales Program, U.S. Nuclear Regulatory Commission, Washington, DC 20555
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are available free upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
GPO Printed copy price: $5.50
Manuscript Completed: April 1983
Date Published: May 1983
G. E. Edison, Project Manager
Division of Licensing
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
ABSTRACT
This report provides information on the staff's evaluation of major design differences and issues developed by the British in their application (Sizewell "B") of U.S. PWR technology.
One design change, the addition of steam-driven charging pumps, was assessed to have a relatively high value compared to the other changes.
However, the assessment is based on a number of assumptions for which inadequate data exist to make an unqualified judgment.
Other changes to the U.S. design (as typified by the SNUPPS design) were found to have relatively low or moderate safety benefits for U.S. application.
SUMMARY
In its Pre-Construction Safety Report for the Sizewell B plant, the British Central Electricity Generating Board (CEGB) made a number of design changes to the basic U.S. PWR (SNUPPS) design, which they had earlier selected as a basis for developing a more detailed design.
The NRC staff selected those changes which appear to be most significant and assessed their safety benefit as applied to a U.S. PWR.
The most significant changes for preventing a core melt accident, and the staff's assessment of them, are summarized in Table A.
One feature, the addition of steam-driven charging pumps, was assessed to have a relatively high value compared to the other changes.
However, the assessment is based on a number of assumptions for which inadequate data exist to make an unqualified judgment.
The attraction of the steam-driven charging pumps is that they can provide cooling water to the Reactor Coolant Pump seals thereby preventing a reactor coolant pump seal LOCA, even when the component cooling water system is unavailable, or when all ac power is lost (station blackout).
Three of the design changes were assessed to have a relatively moderate safety benefit.
These are (1) the addition of a fast-acting Emergency Boration System to protect against ATWS; (2) the addition of a turbine-driven Auxiliary Feedwater train (for a total of four trains) to add reliability to the Auxiliary Feedwater system, which protects against loss of main feedwater transients and station blackout; and (3) the addition of two diesel generators (for a total of four) to protect against a loss of onsite emergency ac power.
Other changes to the SNUPPS design were assessed to have a relatively low safety benefit for U.S. application.
In addition to the design changes which protect against the occurrence of core melt accidents, the staff assessed the safety benefits of design changes to the containment (larger primary containment, addition of a secondary containment, additional pumps for containment fan coolers). While some reduction in risk is seen to result from the changes, it does not appear to be a major safety benefit in U.S. applications.
TABLE A
Safety Significance of Each Design Change If That Change Alone Were Made to the SNUPPS Plant

| Design Change | Safety Significance |
|---|---|
| Addition of steam-driven charging pumps | High\* |
| Upgraded isolation between Reactor Coolant System and RHR | Low |
| Improved ECCS system | Low |
| Addition of Emergency Boration System | Moderate |
| Addition of Backup Reactor Protection System | Low |
| Four segregated AFWS pumps | Low to Moderate\*\* |
| CCW, ESW, dry cooling towers | Not quantified; see text, not expected to be high |
| Four segregated 100% diesel generators | Moderate |

\* This relative value is predicated on the assumption that reactor coolant pump (RCP) seals will fail after about one-half hour without seal injection flow and component cooling water flow to the thermal barrier; this assumption is consistent with assumptions made by the French (see Ref. 2), and the assumption made in the Zion and Indian Point Probabilistic Safety Studies, but further analysis may show this assumption to be conservative.
Also, further study would be needed to determine if the operator could take actions to rectify some faults in the component cooling water system or provide other means for RCP seal cooling prior to seal failure.
Delayed seal failure would also affect the frequency of core melt for loss of all ac electric power.
Westinghouse has presented test results and analysis (Ref. 3) from which they conclude that the mean time to failure for the reactor coolant pump seals, under conditions of loss of seal cooling, is considerably greater than 30 minutes and the probability of significant seal leakage after a one hour period without seal cooling is small.
The staff is currently evaluating the Westinghouse analysis; appropriate revision of the estimate of the safety benefit of the steam-driven charging pumps will be made after the staff evaluation is complete.
If the staff evaluation confirms the Westinghouse analyses, the safety benefit of this design modification would not be characterized as "High."

\*\* If bleed and feed is not a viable option, then moderate reduction in core melt frequency may be achieved with the addition of a fourth train.
TABLE OF CONTENTS

Abstract
Summary
Introduction
I. Major CEGB Changes to the SNUPPS Design
    MC-1 Use of a secondary containment
    MC-2 ECCS modifications
        a. Two segregated steam-driven emergency charging pumps with separate water supply and not used for SI
        b. Upgraded isolation between RCS and RHR
        c. Four 100% HPIS pumps with larger capacity and lower shutoff head
        d. Larger (50%) SI accumulators
        e. Four 100% RHR pumps, two for LPSI, two for CSS with automatic switchover
    MC-3 Two additional cooling water pumps for containment fan coolers
    MC-4 Emergency boration system
    MC-5 Increased containment diameter and lower design pressure
    MC-6 Backup reactor protection system
    MC-7 Increased equipment redundancy
        a. Four segregated 100% AFW pumps (two electric, two steam)
        b. Four 100% CCW and ESW pumps (also emergency dry cooling towers)
        c. Four segregated 100% diesels
    MC-8 Vessel and piping manufacture and inspection
    MC-9 Layout and ALARA changes
    MC-10 Redesigned control room
II. Open Issues in the NII Review
    OI-1 External hazards - man-made events, earthquakes, and fires
    OI-2 Fuel clad ballooning
    OI-3 SG tube integrity and multiple SG tube failures
    OI-4 Integrated and secondary protection system reliability
    OI-5 Scope of safety analysis
III. NII Confirmatory Issues
    CI-1 Human factors analysis
    CI-2 Quality Assurance
    CI-3 Reactor pressure vessel and reactor coolant system failure incredibility
    CI-4 Seismic classification and applicability of construction codes and standards
    CI-5 Extension of approval for non-remote sites
    CI-6 ALARA strategy and occupational exposure
References
INTRODUCTION

Purpose

The objective of this effort is to perform an NRC review of the major issues raised by the British in their application of PWR technology and of the design changes that resulted from this application.
Background
The Central Electricity Generating Board (CEGB) of Great Britain recently applied to its Secretary of State for Energy for approval to build a nuclear power station at Sizewell in Suffolk, England.
The Nuclear Installations Inspectorate (NII) is in the process of reviewing this application.
The Sizewell B reactor, which will be the first British nuclear power station to employ a PWR design, will be similar to the Westinghouse SNUPPS reactor design.
However, CEGB has incorporated into the design of the Sizewell B plant several safety-related systems that differ significantly from SNUPPS and other U.S. PWRs.
Further, NII has identified certain areas where they are dissatisfied with the application or where they require further information.
Accordingly, the NRC staff decided to perform a review of the Sizewell B design differences from U.S. PWRs (as typified by SNUPPS) so that the differences between the U.S. and British PWR reactor practice and acceptance criteria are identified and the basis for their adoption understood.
Scope of Review and Limitations of Analysis

The Sizewell B design reports were reviewed by the staff and design changes from the U.S. PWR (SNUPPS) design were identified.
The Sizewell reports that were reviewed included:
(a) the Pre-Construction Safety Report (April 1982),
(b) the Reference Design Report,
(c) the CEGB Statement of Case (July 1982),
(d) the NII report entitled "Safety Assessment Principles for Nuclear Power Reactors" (April, 1979),
(e) the NII report entitled "A Review by HM Nuclear Installations Inspectorate of the Pre-Construction Safety Report" (1982).
In addition the staff reviewed the National Radiological Protection Board report entitled "An Assessment of the Radiological Consequences of Releases from Degraded Core Accidents for the Sizewell PWR" (July 1982) and the Sizewell B Probabilistic Safety Study (WCAP-9991, Rev. 1, undated).
The CEGB informed the NRC staff that the latter two reports (the NRPB report and WCAP-9991) are not part of their application for a license for Sizewell B.
The changes to the basic Westinghouse PWR design were made on the basis of CEGB and NII safety principles and criteria.
The basis for the NII review is the CEGB Pre-Construction Safety Report (PCSR).
CEGB has informed the staff that the work in WCAP-9991 has not been adequately checked and confirmed by CEGB, and it is possible that in due course some modification may be required.
There are differences in the faults considered, the assumptions made, the data and parameters used, and the methodology, compared with the PCSR work.
CEGB further notes that the WCAP-9991 work was undertaken to provide source terms and probabilities for the Degraded Core Analysis work which illustrates the likelihood and consequences of large scale accidents.
The major design changes (from U.S. PWRs) made by CEGB were identified for further evaluation.
These are listed in the Table of Contents of this report and are designated throughout the report as MC-1, MC-2, etc. The NII findings of most interest to the NRC staff are also listed in the Table of Contents as Open Issues (OI-1, ...) or Confirmatory Issues (CI-1, ...) and were evaluated by the staff.
The evaluation of each major change or issue is presented in the text in the following standard format.
Description (A detailed technical description of the design change or issue.)
SNUPPS Description (A description of the equivalent design or position taken in U.S. PWR applications as typified by SNUPPS.)
U.S. Acceptance Criteria (The basis on which the equivalent U.S. PWR feature was found acceptable.)
Analysis (An analysis of the safety benefits the CEGB change was intended to achieve, or of the safety concerns underlying the NII open issue.)
The staff evaluation included deterministic analysis and a probabilistic approach. These resulted in a staff judgment of high, moderate, or low for the safety benefits of each major design change (see Summary).
The reader is cautioned that the probabilistic numerical estimates of core melt probability have large uncertainties and should not be used for absolute value estimates.
Rather the quantitative estimates were used to give insights on the relative importance of various design changes.
Each major design change was evaluated as though it were the only change being made to a U.S. PWR at a typical U.S. site.
The benefits gained from each change are not additive.
For example, the safety benefit of adding diesel generators is less if one adds steam-driven charging pumps than if the steam-driven pumps are not added.
The validity of the probabilistic estimates depends on the assumptions made in the analysis.
The data used in the Sizewell Probabilistic Safety Study (WCAP-9991) were assumed to be valid for the most part.
However, large uncertainties are expected to exist in such things as the timing and magnitude of seal failures, ability to take corrective actions, the probability of LOCAs, the probability of common cause failures and human error.
The reductions in core melt probability are predicated on the validity of assumptions regarding test and maintenance unavailability described in the Sizewell Probabilistic Safety Study.
I. MAJOR CEGB CHANGES TO THE SNUPPS DESIGN

MC-1: USE OF A SECONDARY CONTAINMENT

Description

The SNUPPS design does not employ a secondary containment, while the Sizewell design does.
The Sizewell secondary containment consists of the auxiliary building (as in a SNUPPS plant), the enclosure building, and the emergency exhaust system.
The auxiliary building is a structural steel and reinforced concrete structure which encloses the area of the primary containment wall containing the majority of the primary containment penetrations.
The enclosure building, a steel framed structure with metal siding, encloses the primary containment above ground level, including the containment dome.
The emergency exhaust system would be initiated following a LOCA to control and process the small leakage from the primary containment.
In meetings with CEGB, they indicated that the purpose of the secondary containment is to reduce offsite radiological consequences from all releases occurring within the primary containment.
At low wind speeds, when leakage through the secondary containment will be negligible, it is planned to show a reduction in releases to the environment of about an order of magnitude (apart from noble gases).
At high wind speeds, when leakage from the secondary containment may be relatively high, the additional dispersion offsets the effect of leakage.
The CEGB also noted that the secondary containment is required for public safety and is effective in certain design basis faults, e.g. RCCA ejection, in reducing ground deposition effects.
It assists in all accidents involving leakage from the primary containment, except those in which the primary containment is actually breached.
SNUPPS Description

The SNUPPS primary containment and associated system have been designed with adequate margin.
SNUPPS plant siting considerations do not require a secondary containment.
U.S. Acceptance Criteria

Although SNUPPS has no secondary containment, such a design feature is possible.
For a U.S. reactor having a secondary containment, the following design areas would be addressed:
1. The pressure and temperature response of the secondary containment to a loss-of-coolant accident within the primary containment.
2. The effect of openings in the secondary containment on the capability of the depressurization and filtration system to accomplish its design objective of establishing a negative pressure in a prescribed time.
3. The pressure and temperature response of the annular region between the primary and secondary containment to a high energy line rupture within the secondary containment.
4. The functional design criteria applied to guard pipes surrounding high energy lines within the secondary containment.
5. The primary containment leakage paths that bypass the secondary containment.
6. The design provisions for periodic leakage testing of secondary containment bypass leakage paths.
7. The pressure response of the secondary containment resulting from inadvertent depressurization of the primary containment when there is vacuum relief from the secondary containment.
8. The acceptability of the mass and energy release data used in the analysis of the secondary containment pressure response to postulated high energy line breaks.

Because the Sizewell secondary containment is only intended to provide additional margin for fission product retention and control (i.e., no direct credit is taken for its functional performance in mitigating offsite radiological consequences), the design would not have to meet all of the U.S. acceptance criteria prescribed by 10 CFR 50 and the General Design Criteria.
However, for the Sizewell plant, it seems prudent to address the above Items 3, 4 and 8 to ensure that the pressure response of any high energy line break inside the secondary containment would not exceed the primary containment design external differential pressure, which is 3.5 psi for the Sizewell containment design, or to preclude the need for high energy line break considerations in the secondary containment.
Analysis

The function of the secondary containment is to process any outleakage from the primary containment that may occur under design basis accident conditions; its intended function does not include protection against beyond-design-basis accidents (such as a degraded core). The Sizewell plant will be provided with a secondary containment in anticipation of future siting of similar plants near higher population centers.
The Sizewell secondary containment, if properly designed, would function to further reduce any activity release to the atmosphere following an accident.
If functioning properly, the reduction in the activity release could be more than an order of magnitude for all isotopes except noble gases.
However, in the Sizewell containment design evaluation, no credit has been taken at this time by the British for dose reduction capability of the secondary containment.
Therefore, the Sizewell secondary containment appears not to be a design feature required for public safety, and need only be viewed as providing additional margin for accident mitigation.
MC-2: ECCS MODIFICATIONS

In meetings with the CEGB, the staff noted that many of the safeguard systems in the Sizewell 'B' design are based on four sets of components, e.g. there are four diesel generators and four high head safety injection pumps.
The reasons for making this choice were broadly described by CEGB as presented in the following four paragraphs.
The CEGB Design Safety Guidelines set very stringent targets on the reliability to be achieved by the safeguard systems.
These are such as to demand substantial redundancy of safeguard plant, and for the more probable faults and fault sequences they demand diversity of plant as well.
The reason for the diversity requirements is that addition of more and more sets of redundant equipment results in diminishing returns due to the risk of common mode failures in that plant, recognized by the Design Safety Guidelines cut off rules with respect to the reliability which may be claimed of redundant systems.
In optimizing the safeguard plant equipment to meet the Design Safety Guideline targets, if it had been possible to ignore the design problems of matching pipework and electrical distribution systems with four primary circuit coolant loops, in some instances three sets of redundant plant would have been appropriate.
In general, two sets would not have been sufficient.
However, taking into account the problem of matching into four loops, the most economical system was generally found to be four sets of redundant plant.
In some cases it was sufficient to provide four virtually identical sets, e.g. the diesel generators and the high head safety injection pumps; in other cases it was found most appropriate to provide diversity, e.g. the auxiliary feed pump system and the charging pump system where provision for total loss of ac power had to be made in order to meet the reliability targets.
In the case of the RHR and spray pumps, it was found that an economical compromise could be made in which four pumps of identical design could be used to supply both systems, with arrangements for any pump to serve either system.
One of the benefits associated with this arrangement is that in the event of a major accident such as a LOCA requiring longer term use of the RHR system, any of the four pumps could be used thereby reducing the potential problems of pump failure and urgent repair action in difficult and hostile conditions.
It should be noted that an important factor in the CEGB Design Guidelines is the requirement where reasonably practicable that there should be sufficient redundancy of plant to permit on-line maintenance of safeguards equipment.
This was a substantial factor leading to the choice of four trains of much of the safeguards equipment.
The CEGB further noted that in general, with four sets of equipment it is possible to remain safe with one set under maintenance, one set to fail and still have a comparatively reliable system of plant available for operation.

(a) Steam Driven Emergency Charging Pumps

Description

The Sizewell design has an Emergency Charging System (ECS) having two steam-driven positive displacement charging pumps with a maximum operating pressure of 3100 psig.
This system complements the normal CVCS charging system which has two motor-driven centrifugal charging pumps (maximum operating pressure of about 2500 psig).
Both systems are designed to provide seal injection to the Reactor Coolant Pumps (RCPs), provide normal shutdown boration capability, and provide normal Reactor Coolant System (RCS) makeup.
CVCS is isolated upon receipt of a safety injection signal, but ECS is initiated to provide seal injection while taking suction from its independent dedicated source of borated water.
The Emergency Charging System operates when the normal CVCS is unavailable for any reason, and during (1) ECS testing, (2) cold hydrotesting of the RCS, and (3) low RCP seal flow or pressure.
It can be used to pressurize the RCS for hydrotest purposes, and can function following a total loss of all onsite and offsite ac power, drawing its power for system control and operation from dc battery sources.
SNUPPS Description

The SNUPPS normal CVCS charging system has two centrifugal charging pumps and one positive displacement pump.
The pumps have performance characteristics similar to the respective pumps in the Sizewell design.
The charging functions of these pumps are similar to those of the Sizewell design pumps except that the SNUPPS pumps require ac power from either the offsite source or from the station diesel generators, and therefore will not function following a total loss of all offsite and onsite ac power.
Unlike the Sizewell design, SNUPPS uses the two centrifugal charging pumps as high head safety injection pumps upon receipt of a safety injection signal.
U.S. Acceptance Criteria

U.S. criteria do not identify a safety requirement for the charging pumps while in a normal full power operating mode.
The criteria do, however, require the capability from the control room to achieve and maintain a cold shutdown condition (temperature less than 200°F and subcritical) for normal operating conditions with the complications of using only offsite power or using only onsite power, using only seismically (SSE) qualified equipment, and in spite of a single failure.
Feasible operator actions outside the control room are permitted to remedy single failures.
This requirement entails two functions (boration and makeup) normally performed by the charging pumps.
In the review of the SNUPPS design, a "safety grade" path from the RWST through the centrifugal charging pumps to the RCS was identified to provide the required boration and makeup capability.
In the SNUPPS design, the centrifugal charging pumps are also part of the ECCS and inject water drawn from the RWST to the RCS upon receipt of a safety injection signal.
Design criteria for the ECCS are contained in 10 CFR 50, Appendix A.
The SNUPPS ECCS design has been shown to meet the applicable design criteria (e.g., seismic, power supplies, environmental, etc.) and to perform its safety function despite a single failure.
Performance criteria for the ECCS are governed principally by two events: Loss of Coolant Accidents (LOCAs) and Steam Line Breaks.
Specifically, for the LOCA, these criteria are:
1) the calculated (using an approved 10 CFR 50, Appendix K model) maximum fuel cladding temperature does not exceed 2200°F,
2) the calculated total local cladding oxidation does not exceed 17% of the total cladding thickness before oxidation,
3) the calculated total core-wide hydrogen generation does not exceed 1% of the hypothetical amount that would be generated if all fuel cladding were to react,
4) the calculated resultant core geometry remains amenable to cooling, and
5) long-term cooling is maintained.
For large and intermediate sized breaks in which the RCS depressurizes to operating levels for lower pressure higher capacity ECCS equipment (HPI pumps, LPIs, Cold Leg Accumulators), the ECCS function of the charging pumps has been shown by LOCA analyses to be unnecessary for satisfying the above criteria.
For smaller breaks (about 2 to 3 inches) in which the pressure remains above the HPI shutoff head, analyses show that the charging pumps provide sufficient makeup to relieve the necessity of decreasing the RCS pressure via PORVs, Pressurizer Spray, or Steam Generator heat removal.
For Steamline Break, the criterion is that the calculated amount of fuel failure shall not exceed that which produces acceptable dose.
As part of the ECCS, the charging pump function in a steamline break scenario is to provide sufficient boration to keep core power levels acceptably low (as governed by resultant fuel failures).
Steamline break analyses for SNUPPS show that although the core returns to critical, the ECCS (with charging pumps contributing) provides sufficient boration to limit criticality and fuel failure.
The charging pumps at SNUPPS have been shown to be capable of satisfying makeup and boration functions for non-accident emergency shutdown situations such as fires and control room uninhabitability.
Analysis

The CEGB has introduced three principal changes to the original SNUPPS charging system design:
1) addition of an extra positive displacement pump,
2) provision for the two positive displacement pumps to be steam driven instead of motor driven (to operate with loss of all onsite and offsite ac power) to form an "Emergency Charging System," and
3) upon receipt of a safety injection signal, isolation of all normal charging system functions and initiation of the ECS to provide seal injection for the RCP.

The reasons stated for these changes are:
1) and 2) "The required reliability is achieved by using a diverse power source for backup (positive displacement) pumps."
3) "Charging pumps can be omitted from ECCS because of increased capacity of high head (safety injection) pumps. Deletion also reduces the chance of overpressurization of the primary circuit while at low temperature."

Of the above reasons, the stated basis for omitting the charging pumps from the ECCS could be expanded into a more precise statement of the basis; that is, for very small breaks (less than three inches) in which the charging pumps would be required to provide makeup, in the Sizewell design, the steam generators (and auxiliary feedwater) complement the ECCS in energy removal and depressurization to operating pressures for the ECCS; for larger breaks, charging pumps are not required.
In regard to this topic, Sizewell is analogous to Indian Point 2 which also does not take credit for charging pumps to mitigate LOCAs.
The risk reduction from the use of steam-driven charging pumps arises primarily because reactor coolant pump seal cooling can be maintained even with failure of component cooling water (CCW) and even when all offsite and onsite ac electric power is lost.
Without pump seal cooling, the reactor coolant pump seals are expected to eventually fail, leading to a small LOCA.
At a SNUPPS plant, the loss of component cooling water is expected to fail the charging pumps, which require component cooling water for the charging pump lube oil coolers.
Reactor coolant pump seal injection flow and component cooling water to the pump thermal barrier heat exchangers are also lost, with consequential degradation and ultimate failure of the reactor coolant pump seals.
The resulting small LOCA cannot be mitigated because both the high-head safety injection pumps and the charging pumps will fail without component cooling water.
In the Sizewell Probabilistic Safety Study (WCAP-9991), the probability of loss of component cooling water is taken as 10^-5 per reactor trip for most trips (the probability of loss of CCW function, given a reactor trip, is higher for the small fraction of trips in which AC power is not available to all emergency buses, or for a medium or large LOCA, or for a main steam line break).
In the absence of definitive data, the staff assumed the same probability for a SNUPPS plant.
The WCAP-9991 analysis also assumed 13 reactor trips per year for the Sizewell plant (mostly direct reactor trips, turbine trips, or loss of main feedwater trips). Although there are indications this number averages around 10 trips/year at U.S. plants, the staff assumed the same trip frequency (13/yr) for a SNUPPS plant.
With these assumptions, the frequency of loss of component cooling water at a SNUPPS plant is given by:
| Event | Event frequency or probability |
|---|---|
| Plant trip | 13/yr |
| Loss of CCW | 10^-5/trip |
| Sequence frequency | 1 x 10^-4/yr |
The WCAP-9991 analysis assumes the reactor coolant pump seals will fail (with a leak of 300 gpm per pump) within one-half hour, without seal injection flow and component cooling water flow to the thermal barrier.
With this assumption, the loss of component cooling water at a SNUPPS plant leads to a core melt sequence with probability 1 x 10^-4/ry, assuming a low probability of recovery of component cooling water within the one-half hour period.
This assumption that the reactor coolant pump seals will fail within a half hour was also made in the Indian Point and Zion Probabilistic Safety Studies.
A similar assumption (failure of the seals in about an hour) was made by the French (See Ref. 2) in their analysis of the Fessenheim reactor.
However, further analysis may show this assumption to be conservative.
Moreover, the frequency of loss-of-component cooling water may be conservative by an order of magnitude, since a single pipe break will not fail the CCW system.
If so, this sequence has a probability of 1 x 10^-5/ry.
Westinghouse has presented test results and analysis (Ref. 3) from which they conclude that the mean time to failure for the reactor coolant pump seals, under conditions of loss of seal cooling water (i.e., loss of seal injection flow and CCW flow), is much greater than 30 minutes.
According to the Westinghouse analysis, after a period of one hour without pump seal cooling, the probability of pump seal leak rate of 100 gpm is 7 x 10^-2, and of 1200 gpm is 4 x 10^-3. The probability of a given size leak is expected to increase linearly with time for the first few hours.
The staff is currently evaluating the information Westinghouse has presented and will appropriately revise the estimate of the reduction in core melt probability due to the addition of steam-driven charging pumps when this analysis is complete.
At Sizewell, the above sequence additionally requires failure of the steam-driven emergency charging pumps.
According to the Sizewell Probabilistic Safety Study, these pumps have a failure probability of about 2 x 10^-3 per demand.
Thus, at Sizewell, the frequency of core melt due to loss of component cooling water would be estimated to be a factor of 2 x 10^-3 lower than above, or about 2 x 10^-7 per reactor year. Of course all of the same assumptions must be made to achieve this estimate.
The event which is partially mitigated by the steam-driven charging pumps is the total loss of offsite and onsite ac electric power to the plant (Station Blackout).
For a SNUPPS plant, loss of all ac power will cause loss of component cooling water flow and loss of reactor coolant pump seal injection flow, resulting in a small LOCA which cannot be mitigated.
For a SNUPPS plant with two diesel generators, the unavailability of the onsite electric power system is estimated to be about 2 x 10^-3/demand (see Accident Precursor Study, NUREG/CR-2497, Table C.1).
(The Zion Probabilistic Safety Study gave a mean probability of 3 x 10^-3/demand for failure of power at emergency buses 148 and 149 given loss of offsite power.) Because of the reactor coolant pump seal failure, station blackout for a sufficiently long period of time is likely to cause a core-melt accident. The probability of such an accident is estimated to be about 6 x 10^-5/ry as follows.
First, it is assumed that an interval of about 2 hours without ac power will result in core melt.
The probability of losing offsite power without restoration for more than 2 hours is estimated to be 0.034/yr at an average U.S. site (see Ref. 1).
This is then multiplied by the failure probability of the two diesel generators, at a probability of 2 x 10^-3/demand, and the probability of non-recovery of any diesel generator which is assumed to be 0.8.
At Sizewell the steam-turbine-driven charging pumps would mitigate this sequence, reducing its probability by a factor of about 2 x 10^-3.
The frequency of station blackout is assumed to be less at Sizewell than at a U.S. SNUPPS plant for two reasons:
(1) the frequency of momentary loss of offsite power (at least, as assumed in WCAP-9991 and in the Pre-Construction Safety Report) is less (about 0.035/yr instead of 0.1/yr), and, (2) the failure probability of the diesel generators is expected to be less at Sizewell than at SNUPPS because there are four diesel generators instead of two. The Sizewell Probabilistic Safety Study (WCAP-9991) assigns an unavailability of 10^-4/demand to the onsite ac system based on common mode failure of the diesel generators.
Thus, the frequency of station blackout at Sizewell, as calculated in WCAP-9991, is about 3.5 x 10^-2/yr x 10^-4 = 3.5 x 10^-6/yr instead of about 2 x 10^-4/yr at a U.S. SNUPPS plant.
However, because of the steam-turbine-driven charging pumps, extended station blackout does not lead directly to core melt at Sizewell.
In summary, the steam-turbine-driven charging pumps, if added to a SNUPPS plant at an average site in the U.S., would reduce the core melt probability by an amount ranging from 7 x 10^-5 to 2 x 10^-4/year, subject to the many assumptions already noted, and depending on whether the frequency of loss of component cooling water at Sizewell is conservative by an order of magnitude.
In addition, other uncertainties may exist which have not been identified.
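The range quoted in the summary can be reproduced from the figures given above. The following Python sketch is an added example, not part of the NRC report; the function and constant names are hypothetical, and every numeric input is a value quoted in this section.

```python
"""Added example: where the 7 x 10^-5 to 2 x 10^-4 per year range comes from."""
from math import prod

# Inputs quoted in the section above
TRIPS_PER_YEAR = 13              # WCAP-9991 trip frequency, also assumed for SNUPPS
P_LOSS_OF_CCW_PER_TRIP = 1e-5    # loss of component cooling water, per trip
LOOP_OVER_2H_PER_YEAR = 0.034    # offsite power lost > 2 hours, average U.S. site
P_BOTH_DIESELS_FAIL = 2e-3       # onsite ac unavailability per demand, two diesels
P_NO_DIESEL_RECOVERY = 0.8       # non-recovery of any diesel generator
P_STEAM_PUMPS_FAIL = 2e-3        # steam-driven charging pumps, failure per demand


def sequence_frequency(initiator_per_year, *conditional_probabilities):
    """Frequency of a sequence: initiating event times each conditional failure."""
    return initiator_per_year * prod(conditional_probabilities)


def loss_of_ccw_frequency(conservatism_factor=1.0):
    """Loss-of-CCW core melt sequence at SNUPPS (seal LOCA assumed unmitigated).

    conservatism_factor=10 models the case where the CCW loss probability
    is conservative by an order of magnitude.
    """
    return sequence_frequency(TRIPS_PER_YEAR,
                              P_LOSS_OF_CCW_PER_TRIP / conservatism_factor)


def station_blackout_frequency():
    """Station blackout lasting long enough to cause core melt at SNUPPS.

    The three quoted factors multiply to 5.4e-5/yr, which the text quotes
    as about 6 x 10^-5.
    """
    return sequence_frequency(LOOP_OVER_2H_PER_YEAR,
                              P_BOTH_DIESELS_FAIL,
                              P_NO_DIESEL_RECOVERY)


def core_melt_reduction(ccw_conservatism_factor=1.0):
    """Core melt frequency removed by adding steam-driven charging pumps."""
    unmitigated = (loss_of_ccw_frequency(ccw_conservatism_factor)
                   + station_blackout_frequency())
    # With the pumps installed, each sequence also needs the pumps to fail.
    residual = unmitigated * P_STEAM_PUMPS_FAIL
    return unmitigated - residual


def one_sig_fig(value):
    """Round to one significant figure, as the report does."""
    return float(f"{value:.0e}")


if __name__ == "__main__":
    for factor in (1.0, 10.0):
        reduction = core_melt_reduction(factor)
        print(f"CCW conservatism x{factor:>4}: reduction = {reduction:.2e}/yr "
              f"(about {one_sig_fig(reduction):.0e})")
```

The upper end of the range is the sum of both sequences at face value; the lower end is almost entirely the station blackout sequence, because the loss-of-CCW term drops by a factor of ten.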
(b) Upgraded Isolation Between RCS and RHR
Description
This includes "extension of the high pressure piping on the RHR suction lines to the outside containment isolation valves, to reduce the probability of a LOCA outside containment."
("High pressure" piping implies 2500 psi, austenitic stainless steel, Nuclear ASME B&PV Code, Section III, Class 1; "other" implies 600 psi, austenitic stainless steel, Nuclear ASME B&PV Code, Section III, Class 2.)
SNUPPS Description
"High Pressure" piping extends to the second isolation valve (inside containment); piping outside of that is "other" piping, per description above.
U.S. Acceptance Criteria
Piping outside the second isolation valve is not part of the "pressure boundary," because more than one failure is required to allow this piping to be exposed to primary system pressure during normal operation. As such, this piping is classified by Regulatory Guide 1.26 within Quality Group B, including systems or portions of systems important to safety that are designed for (1) reactor shutdown or (2) residual heat removal.
Analysis
The Sizewell design feature introduces a factor of conservatism proportional to the reliability of the third isolation valve (outside containment) in the reduction of the risk due to LOCA outside of containment.
In a SNUPPS plant, there are two motor-operated valves in series in the Residual Heat Removal (RHR) System suction path from a hot leg to the RHR pump.
There are two such suction paths, one for each RHR pump.
If there is simultaneous failure in the open mode (or disc rupture) of both valves in either suction path, a LOCA can be expected outside containment, and possibly can lead to core melt.
At Sizewell, however, there are three motor-operated valves in series, so that the probability of this failure sequence is less. The first valve in series cannot fail open (i.e., fail to close) after refueling, because it would be detected.
The only pertinent failure mode for this valve is disc rupture.
The failure probabilities calculated for Sizewell in WCAP-9991 for a motor-operated valve for the failure modes of rupture and failing open are:
P (rupture) = 1.17 x 10^-4 (Sizewell value based on yearly test interval)
P (disc fails open) = 1.38 x 10^-4 (Sizewell value)
At Sizewell, rupture of the first valve disc followed by common mode failure (probability of 1 x 10^-5) of the other two valves is the dominant mode of failure for this path. Since there are two suction paths, one obtains
2 x 1.17 x 10^-4 x 1 x 10^-5 ≈ 2 x 10^-9/yr
for core melt due to failure of the valves in RHR suction paths.
At a SNUPPS plant, neglecting common mode failure and assuming the failure rates from Sizewell, one would obtain:
2 x 1.17 x 10^-4 (1.17 x 10^-4 + 1.38 x 10^-4) = 6 x 10^-8/yr
There is, however, the possibility of common mode failure of the two valves - e.g., on rupture of the first valve disc, a slug of water may fail the second valve.
This introduces an uncertainty in the estimate.
Moreover, uncertainty in the valve failure probabilities also adds to this uncertainty.
To illustrate the effects of this latter uncertainty, we note that the variance of the probability of disc rupture is 8.3 x 10^-8, and the variance of a valve disc failing open is 3 x 10^-7, as given in the Zion Probabilistic Safety Study, p. 1.3-77.
If both the probability of disc rupture and the probability of a valve failing open are increased by one standard deviation, then the probability of disc rupture becomes 4 x 10^-4, and the probability of disc failing open becomes 6.9 x 10^-4. The failure of either of the two RHR suction paths becomes:
2 x (4 x 10^-4) (4 x 10^-4 + 6.9 x 10^-4) = 9 x 10^-7/ry.
If only the disc rupture probability is increased, one obtains:
2 x (4 x 10^-4) (4 x 10^-4 + 1.4 x 10^-4) = 4 x 10^-7/ry.
Thus, the benefit appears to be the reduction in uncertainty.
The central estimate of the probability of core melt in the SNUPPS design, due to failure of either of the two RHR suction paths, is 6 x 10^-8/ry, but it is uncertain, both because of the uncertainties in the valve failure rates and because of the possibility of common mode failure.
In addition, one notes that this core melt sequence is one which bypasses containment, so that it is a relatively high release type of sequence.
CEGB has noted that they have reservations about the totality of the data base for analyses of the above type.
They also have noted that provision of 3 valves enables some improved diversity of safety interlocks to be engineered to prevent inadvertent opening of valves when pressures in the RCS are high.
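The valve arithmetic in this analysis, including the one-standard-deviation sensitivity cases, can be carried through directly. The following Python sketch is an added example, not part of the NRC report; the function names are hypothetical, and the probabilities and variances are the values quoted above from WCAP-9991 and the Zion Probabilistic Safety Study.

```python
"""Added example: RHR suction-path failure frequency, two valves vs three."""
import math

# Values quoted in the analysis above
P_RUPTURE = 1.17e-4        # P(disc rupture), yearly test interval
P_FAIL_OPEN = 1.38e-4      # P(disc fails open)
P_COMMON_MODE = 1e-5       # common mode failure of valves 2 and 3 at Sizewell
VAR_RUPTURE = 8.3e-8       # variance of P(disc rupture), Zion PSS
VAR_FAIL_OPEN = 3e-7       # variance of P(disc fails open), Zion PSS
SUCTION_PATHS = 2          # one path per RHR pump


def two_valve_path_frequency(p_rupture, p_fail_open, paths=SUCTION_PATHS):
    """SNUPPS arrangement, common mode failure neglected.

    The first valve disc ruptures and the second valve either ruptures
    or has failed open; either path failing gives a LOCA outside containment.
    """
    return paths * p_rupture * (p_rupture + p_fail_open)


def three_valve_path_frequency(p_rupture, p_common_mode=P_COMMON_MODE,
                               paths=SUCTION_PATHS):
    """Sizewell arrangement: first disc ruptures, then the other two valves
    fail together by common mode (the dominant mode for this path)."""
    return paths * p_rupture * p_common_mode


def plus_one_sigma(mean, variance):
    """Shift a failure probability upward by one standard deviation."""
    return mean + math.sqrt(variance)


def one_sig_fig(value):
    """Round to one significant figure, as the report does."""
    return float(f"{value:.0e}")


def sensitivity_cases():
    """Central estimate and the two sensitivity cases worked in the text."""
    rupture_hi = plus_one_sigma(P_RUPTURE, VAR_RUPTURE)
    fail_open_hi = plus_one_sigma(P_FAIL_OPEN, VAR_FAIL_OPEN)
    return {
        "central": two_valve_path_frequency(P_RUPTURE, P_FAIL_OPEN),
        "rupture +1 sigma": two_valve_path_frequency(rupture_hi, P_FAIL_OPEN),
        "both +1 sigma": two_valve_path_frequency(rupture_hi, fail_open_hi),
        "sizewell three-valve": three_valve_path_frequency(P_RUPTURE),
    }


if __name__ == "__main__":
    for name, frequency in sensitivity_cases().items():
        print(f"{name:22s} {frequency:.2e}/yr (about {one_sig_fig(frequency):.0e})")
```

The two-valve result moves by more than a factor of ten across the cases because the rupture probability enters twice, while the three-valve result depends only on the first disc rupture and the assumed common mode probability.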
(c) Four 100% HPIS Pumps with Larger Capacity and Lower Shutoff Head
Description
The Sizewell design features four high pressure injection pumps, each powered from a separate emergency power train.
The four HPIS pumps at Sizewell each have a separate flow path to the reactor vessel, whereas in the SNUPPS design the delivery is manifolded using piping headers.
These pumps characteristically have a lower shutoff head (about 1800 psi) and higher maximum flowrate (about 1600 gpm) than the SNUPPS charging ECCS pumps (about 2500 psi, 550 gpm).
The capacity of three Sizewell HPI pumps is roughly equivalent to that of one LPI and can substitute for LPI if LPI is delegated another backup function in a LOCA scenario.
All four pumps can take suction from the ECCS sump during the long-term recirculation mode.
SNUPPS Description
SNUPPS ECCS high pressure injection features two HPI pumps and two centrifugal charging pumps.
The HPI pumps are roughly equivalent to Sizewell pumps (about 1500 psi) but with lower capacity (about 650 gpm).
These pumps are powered by two emergency power trains (one charging pump and one HPI pump each) and must be "piggy-backed" to the discharge of the LPI in the recirculation mode since the design does not provide for direct suction from the sump.
U.S. Acceptance Criteria
The SNUPPS design has been shown to meet the requirements of the General Design Criteria of 10 CFR 50, Appendix A, and the performance criteria of 10 CFR 50.46(b) (see earlier discussion under item 2(a), steam-driven emergency charging pumps) for a full spectrum of LOCAs and steamline break events.
Analysis
The stated reasons for providing four safety injection pumps instead of two are:
"Four pumps are provided to improve the reliability of safety injection.
Increased pump capacity reduces peak clad temperatures and makes core uncovery less probable in the event of a small LOCA."
As discussed earlier under item 2(a), steam-driven emergency charging pumps, there is a range of very small breaks (and isolable breaks) for which steam generator heat removal (using auxiliary feedwater) may be necessary regardless of the number of safety injection pumps available.
There is also a range of intermediate and large size breaks for which neither safety injection pumps nor charging pumps are given credit in licensing analyses.
In these cases, the added capacity would not prove to be a substantive benefit.
However, for a certain range of break sizes, and for events in which no low pressure injection pumps inject (either because of pump failure or because of valve alignment), the increased "reliability" may prove of benefit.
In addition, for certain small to intermediate breaks, the higher delivery flow should be of benefit in reducing peak clad temperature.
The stated reason for the feature of all safety injection pumps taking direct suction from the containment sump is "... approach simplifies arrangement of equipment and improves reliability."
In its analysis the staff also focused on how the ECCS design changes affect the LOCA core melt contributions at Sizewell B and SNUPPS.
The noted differences in emergency core cooling system (ECCS) designs between Sizewell B and SNUPPS result in each design having different ECCS success criteria for loss-of-coolant accident (LOCA) mitigation.
Table I compares ECCS success criteria.
The relevant accident sequences are those in which the emergency core cooling systems fail, given the availability of component cooling water.
ECCS success criteria vary according to the size of the LOCA (see Table I).
The LOCA success criteria reflect the fact that one accumulator and one HHSI pump (and possibly one LHSI pump) will feed the loop in which the break occurs and are therefore not as effective as the other pump trains.
TABLE I ECCS INJECTION COOLING SUCCESS CRITERIA
| | SNUPPS | SIZEWELL B |
|---|---|---|
| Large Break LOCA | 1 out of 2 LHSI pump trains and 3 out of 3 accumulators | 2 out of 3 accumulators plus: (a) 2 out of 2 LHSI pump trains or (b) 1 LHSI pump train plus 1 out of 3 HHSI pump trains or (c) 3 out of 3 HHSI pump trains |
| Medium Break LOCA | 1 out of 2 LHSI pump trains and 1 out of 2 HHSI pumps and 1 out of 2 centrifugal charging pumps | 1 out of 3 HHSI pump trains plus 2 out of 3 accumulators |
| Small Break LOCA | 1 out of 2 HHSI pump trains, or 1 out of 2 centrifugal charging pumps | 1 out of 3 HHSI pump trains |

The staff estimates the medium LOCA core melt frequency for Sizewell B design-change-affected sequences to be 1 x 10^-7/ry.
For the SNUPPS design, a medium break LOCA core melt frequency of 3 x 10^-7/ry is estimated for the ECCS-design-affected sequences. There is little difference between the unavailability of the SNUPPS and Sizewell B mitigation ECC systems for a medium break LOCA.
For Sizewell, the small break LOCA core melt frequency is estimated to be 1 x 10^-7/ry for sequences in which ECCS design changes affect the outcome.
For SNUPPS the same small break LOCA frequency of 1 x 10^-7/ry is estimated for the ECCS design-affected sequences.
The small break LOCA frequency used in WCAP-9991 (9.4 x 10^-4/yr) appears to be somewhat lower than that currently used in U.S. risk assessments. Because of operating experience with reactor coolant pump seal LOCAs, a case could be made for an estimate as high as 2 x 10^-2/yr.
The latter estimate does not take into account any benefit of the ECS at Sizewell; however, a large reduction in the estimate is not expected.
(d) Larger (50%) SI Accumulators
Description
The Sizewell ECCS design has four 1425 ft3 (water) cold leg accumulators set at about 600 psi.
This deliverable water volume is about 50 percent higher than the SNUPPS design.
It is implied that two Sizewell accumulators are, therefore, equivalent to three SNUPPS accumulators.
CEGB has indicated that the accumulator delivery pipework has been enlarged for Sizewell to maintain the SNUPPS total delivery rate.
SNUPPS Description
The SNUPPS design features four cold accumulators, each with a deliverable water capacity of about 1000 ft3 of water. Administrative procedures assure that three accumulators inject to the RCS after a LOCA.
U.S. Acceptance Criteria
Safety analyses per Appendix K demonstrate the adequacy of the ECCS design in meeting the performance requirements of 10 CFR 50.46(b).
Analysis
The SNUPPS and Sizewell designs have both been analytically shown to meet performance criteria.
The safety benefit of changing the SNUPPS accumulator design is roughly estimated as follows.
The staff estimates a large LOCA core melt frequency for Sizewell B to be 1 x 10^-8/ry for the ECCS design-affected sequence.
This is based on the LOCA frequency (9 x 10^-4/ry) and component or system unavailabilities reported in the Sizewell B Probabilistic Safety Study (PSS).
The unavailability of the mitigating ECC systems is dominated by common mode failure of the accumulators (assumed to be 1 x 10^-5).
Based on the SNUPPS design and the frequencies and unavailabilities from the Sizewell B Probabilistic Safety Study, the staff estimates the large LOCA core melt frequency for SNUPPS to be about 1 x 10^-6/ry for the ECCS design-affected sequences.
The reduction in core melt probability is about 1 x 10- due to the changed accumulator design.
The unavailability of the mitigating ECC systems at SNUPPS is dominated by the failure of any one train of accumulators, because 3 out of 3 are required.
Each train has an unavailability of 3 x 10^-4, leading to an accumulator system unavailability of 9 x 10^-4.
The large break LOCA frequency reported in WCAP-9991 (9.4 x 10^-4/ry) is somewhat higher than the staff would expect based on U.S. operating experience.
If the large LOCA frequency is lower, the reduction in core melt frequency from improving the accumulator system over that of SNUPPS would be less.
(e) Four 100% RHR Pumps, Two for LPI and Two for CSS with Automatic Switchover
Description
The Sizewell design features a system with four pumps of like performance characteristics (about 3000 gpm, maximum system pressure about 700 psig), two of which are dedicated to RHR and LPI (ECCS) duty, and two dedicated to containment spray.
Any of these pumps may be interchanged and interlocks are provided.
This option introduces a certain amount of flexibility in dealing with system failures or component outages.
SNUPPS Description
The SNUPPS design features four pumps of similar design; two are dedicated to RHR/LPI duty, and two are dedicated to containment spray. However, in the SNUPPS design these pumps are not interchangeable.
The functional requirements of the SNUPPS pumps are generally the same as those at Sizewell, but the SNUPPS LPI pumps must also assume the added responsibility of providing a suction source for HPI pumps during the recirculation mode by "piggy-backing."
U.S. Acceptance Criteria
The SNUPPS pumps have been shown by failure modes and effects analyses to accomplish the functions of RHR, LPI, and Containment Spray for all modes of operation, despite a single failure.
Performance criteria, principally governed by LOCA, Steamline Break, and Normal Cold Shutdown considerations, were shown to be satisfied analytically and by confirmatory tests (for cold shutdown).
Analysis
Despite the greater flexibility of the Sizewell system, the two designs seem roughly equivalent.
One particular feature of the Sizewell design, four power sources (such that each pump--and each RHR suction isolation valve--is separately and independently powered relative to its like components) enables the Sizewell design to meet performance criteria with greater facility (less reliance upon the operator to correct failures). Additional analysis is provided in the discussion of item 2(c), high pressure injection.
MC-3: TWO ADDITIONAL COOLING WATER PUMPS FOR CONTAINMENT FAN COOLERS
Description
Cooling water for the Sizewell containment fan coolers is supplied by the CCW system, whereas the Essential Service Water (ESW) system is used for this purpose at a SNUPPS plant.
In order to assure that the containment fan coolers will operate, even with the loss of all CCW cooling, two additional pumps and air cooled heat exchangers were added to the SNUPPS design by CEGB.
These additional design features, together with associated piping, valves and components make up the Reserve Ultimate Heat Sink System (RUHS).
Further discussion of them and evaluation of their benefit is provided under item MC-7(b), the CCW and ESW discussion.
SNUPPS Description
Essential cooling water to the containment fan coolers at a SNUPPS plant is supplied by the Essential Service Water (ESW) system, which draws its water from a retention pond.
Furthermore, the ESW system, which consists of two 100% capacity trains, is only used under accident conditions.
U.S. Acceptance Criteria
For a U.S. reactor, acceptance criteria for containment heat removal system design are based on meeting the requirements of GDC 38, "Containment Heat Removal."
In particular, the containment heat removal system should be of safety grade design; i.e., the system should have suitable redundancy of components and features, and interconnections, to assure that for either a loss of onsite or offsite power, the system function can be accomplished, assuming a single failure.
Common mode failures are not a design basis consideration.
Analysis
The addition of the RUHS provides mitigation against the consequences of two design basis accidents for the Sizewell plant.
First, the air cooled heat exchangers operating in conjunction with the component cooling water pumps provide an alternative ultimate heat sink in the event of loss of the essential service water system due to an earthquake.
Second, the RUHS pumps provide protection in the event of loss of the component cooling water system (common mode failure) during refueling by enabling heat to be extracted from the containment when the steam generators are unavailable.
A further benefit in addition to the above is that in accidents beyond the design basis involving a loss of component cooling water, the fan coolers can continue to function as a containment heat removal mechanism.
The risk reduction in light of the diverse containment heat removal capability of the spray system and the pressure retention capacity of the containment structural elements has not been quantified by the CEGB.
For a SNUPPS plant, cooling water is supplied to the containment fan coolers by the ESW system, not the CCW system.
Therefore, the addition of pumps to the ESW system would not appreciably reduce risk; i.e., a degraded core accident stemming from the loss of CCW would not affect the availability of the fan coolers.
There is probably a greater safety benefit in providing the RUHS pumps at Sizewell than at a SNUPPS plant.
MC-4: EMERGENCY BORATION SYSTEM
Description
The Sizewell design has added an Emergency Boration System (EBS) whose sole function is to provide the rapid and limited boration of the RCS in the event of an Anticipated Transient Without Trip (Scram), ATWT (ATWS).
Initiated by a reactor trip without rod drop, all valves isolating the system from the RCS open, and boric acid solution (5000 ppm) is injected, using as impetus the Δp across the RCS pumps.
SNUPPS Description
The SNUPPS design currently provides no such system.
Administrative measures are taken to reduce the likelihood of an ATWS occurrence and to increase the reliability and effectiveness of mitigating actions.
U.S. Acceptance Criteria
Anticipated Transients Without Scram have been addressed by the NRC staff in generic Task A-9.
The Commission has undertaken rulemaking that will likely end in the summer of 1983 and for Westinghouse plants require the provision of a diverse scram system and automatic, diverse trip of the turbine and initiation of AFW.
In the interim, until the rulemaking is complete, the staff has found the administrative measures implemented for SNUPPS to be acceptable.
Analysis
The reason for including an EBS in the Sizewell design is that it provides a means of borating the RCS in the event of an ATWT.
CEGB has indicated that this limits the post-ATWT power level and limits the RCS pressure and temperature excursions, and ensures essentially single phase conditions in the RCS when the SG tubes are, or may be, uncovered on the secondary side.
Details of verification of design performance are not given.
An analysis of the benefit of the EBS is given below.
Two separate systems are available to perform the function of immediate post-trip reactivity control at Sizewell.
The first of these is the control rods, or rod control cluster assemblies (RCCA).
The second of these is the EBS.
The EBS injects boron into the reactor coolant following a transient in which the RCCAs fail to drop into the core.
The design performance of the EBS requires the operation of any 3 reactor coolant pumps.
In transients involving the loss of more than 1 reactor coolant pump and in loss of offsite power transients, the EBS performance will be degraded.
For sequences not involving loss of offsite power, the dominant failure mode of the RCCAs is that of common mode failure of the reactor trip breakers, assigned a probability of 2 x 10^-5/demand in the Sizewell PSS (WCAP-9991).
However, on loss of offsite power, power to the electromagnetic coils holding up the rods is cut off, even if the trip breakers remain closed.
According to WCAP-9991, the probability of failure of the RCCAs is 3 x 10^-6/demand for loss of offsite power transients.
For transients in which neither the RCCAs nor the EBS system can perform the reactor trip function, the probability of failure of the reactor trip function is taken as 1 x 10^-7 per demand and is considered to result from failure to generate a trip signal from the integrated (and backup) reactor protection system.
The following table describes the estimated probability of reactor trip function for the various transients:
| Transient Type | Reactor Trip Failure Probability |
|---|---|
| 1. All, except loss of primary reactor coolant flow, or loss of offsite power | 1 x 10^-7/demand |
| 2. Loss of flow in any two reactor coolant loops | 2 x 10^-5/demand |
| 3. Loss of Offsite Power | 3 x 10^-6/demand |

Rough estimates of core melt probability for the three transients above can be made as follows.
For type 1 transients, according to the Sizewell analyses, there are about 13 transients per year in the above table. Therefore, the annual frequency of transients of type 1 with failure of reactor trip is 1.3 x 10^-6 per reactor year.
If, in addition, the reactor power level is above 80% and there is failure of the turbine trip, and if the resulting pressure spike severely deforms the ECCS injection valves (not expected) to disable this function, core melt would be expected.
The probability of a power level above 80% is assumed to be 0.5, and the probability of failure of turbine trip is assumed to be 0.2.
For Sizewell, this core melt scenario has a probability of roughly 1 x 10^-7 per year.
Since SNUPPS has no EBS, the probability of failure of reactor trip for transients of type 1 is based on common mode failure of the RCCA reactor trip breakers, or about 2 x 10^-5/demand.
For SNUPPS, with the above assumptions, the probability of the corresponding core-melt scenario would be
13/yr x 2 x 10^-5 x 0.5 x 0.2 = 3 x 10^-5/reactor year
In sequences of types 2 and 3, the EBS would appear to be of considerably less help.
Therefore, the addition of the EBS to a SNUPPS plant could reduce the core melt probability by about 3 x 10^-5/reactor year, subject to the noted assumptions and unquantified uncertainties.
CEGB has stated the PCSR assumes failure of the reactor trip breakers to be beyond the design basis due to the provision of two diverse sets of breakers operated by the diverse protection systems (primary and secondary).
Also, CEGB indicates the 1 x 10^-7 failure to generate a trip function on demand to be of the correct order but notes that no information on this evaluation is available in the PCSR. They further note that reliability figures quoted above vary somewhat from those quoted or inferred in the PCSR for Sizewell.
MC-5: INCREASED CONTAINMENT DIAMETER AND LOWER DESIGN PRESSURE
Description
The internal diameter of the Sizewell containment differs from the SNUPPS design in that it has been increased to 150 feet.
The increase in internal diameter is necessitated by the need for additional space to accommodate larger sized pump motors and accumulators, and additional features to reduce occupational radiation exposure (manrem) during plant operation.
The free volume of the Sizewell containment is 3.02 x 10^6 ft3, as opposed to 2.5 x 10^6 ft3 for a SNUPPS plant.
The maximum calculated containment pressures are lower, i.e., 41.3 psig and 45.4 psig for the design basis LOCA and MSLB, respectively, versus corresponding pressures of 47.3 psig and 48.1 psig for a SNUPPS plant.
As a result of the lower calculated containment pressure, the containment design pressure for Sizewell has been reduced to 50 psig, as opposed to 60 psig for a SNUPPS plant.
SNUPPS Description
The SNUPPS containment consists of a prestressed, reinforced concrete, cylindrical structure with a hemispherical dome and a conventionally reinforced concrete base slab.
The internal diameter of the SNUPPS containment is 140 feet.
The interior of the concrete containment is lined with carbon steel plates 0.25 inches thick and has an internal free volume of 2.5 x 10^6 ft3.
The maximum calculated containment pressures for the LOCA and MSLB are 47.3 psig and 48.1 psig. The containment design pressure is 60 psig, which provides more than a 20% margin above the peak calculated pressure.
The NRC has reviewed the SNUPPS containment design and has found it acceptable since there is sufficient design margin to withstand the worst postulated design basis accident conditions.
U.S. Acceptance Criteria
U.S. reactor containment design criteria require sufficient design margin for plants at the construction permit (CP) stage of review.
The containment design pressure should provide at least a 10% margin above the accepted peak calculated containment pressure following a LOCA, or a steam or feedwater line break.
For plants at the operating license (OL) stage of review, the peak calculated containment pressure following a LOCA, or a steam or feedwater line break, should be less than the containment design pressure.
However, unless appropriately justified, the peak calculated containment pressure should be approximately the same as at the CP stage of review.
The SNUPPS containment design pressure of 60 psig provides more than a 20% design margin above the peak calculated pressure, and was found acceptable by the NRC.
The Sizewell containment design status is equivalent to the CP stage of review.
Its containment design pressure, 50 psig, provides a 10% margin above the peak calculated pressures.
Analysis
Based on the staff review of the Sizewell containment design criteria, no apparent safety benefit could be identified from the increase of containment size, especially when one considers that the increase is primarily based on equipment space requirements and the containment design pressure has been lowered.
However, an increased containment size could reduce the radiation exposure to operations and maintenance staff by providing easier access to equipment inside containment and thereby reducing repair and maintenance times.
The NRC staff has reviewed the SNUPPS design against ALARA considerations and has found that the SNUPPS containment is large enough to provide convenient access to equipment inside containment.
MC-6: BACKUP REACTOR PROTECTION SYSTEM
Description
The CEGB's Design Safety Criteria and Guidelines for the design of protection systems includes numerical requirements for system reliability.
In contrast, U.S. requirements for reliability are primarily addressed by the Single Failure Criterion and the principle of Defense-In-Depth.
The dominant factor in protection system reliability is established in British licensing criteria by the limits placed on common mode failures.
The CEGB Design Safety Guidelines require that the common mode failure probability shall not be assumed to be less than 10^-5 failures on demand.
The design goal is 10^-7 per reactor year for any single accident which could result in a large uncontrolled release of radioactivity to the environment.
This value is a product of the initiating fault frequency and the probability of failure to control the accident.
Having established a lower limit of 10^-5 for common mode failure of the protection system, this leads to the requirement that a second protection system be provided which is independently capable of mitigating the consequences of all events which have a combined frequency of 10^-2 per reactor year or greater.
These requirements are satisfied for the protection systems by the provision of a Secondary Protection System (SPS).
The SPS is a protection system which initiates a reactor trip and initiates those engineered safety features required for the more probable design basis events, i.e., individual faults with a frequency in excess of 10- per reactor year.
The intent is that protection system failures should not be a dominant contribution to the cumulative frequency of beyond-design-base faults.
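The arithmetic behind that requirement, written out as an added worked step (not part of the original report); f and p are symbols introduced here for the initiating fault frequency and the protection system failure probability on demand:

\[
f \cdot p \le 10^{-7}\ \text{per reactor year}, \qquad p \ge 10^{-5}\ \text{per demand} \;\Longrightarrow\; f \le \frac{10^{-7}}{10^{-5}} = 10^{-2}\ \text{per reactor year}
\]

A single protection system credited at the 10^-5 floor can therefore stay inside the goal only for faults no more frequent than 10^-2 per reactor year; above that frequency the product exceeds 10^-7 however reliable the single system is claimed to be, which is why a second, independent system is called for.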
Common mode failures also apply to safety system equipment.
For reactor trip, the common mode failure is classified as an Anticipated Transient Without Trip (ATWT), which is the failure of control rods in the withdrawn position to insert on the initiation of a reactor trip.
The ATWT issue is therefore not resolved by the provision of the SPS, but rather by other protective features.
These include the Emergency Boration System and Engineered Safeguard Features which are initiated by the Primary Protection System (PPS).
The SPS is a hardwired system which uses 2-out-of-4 logic to initiate safety function.
The design and hardware aspects of the system have evolved from British gas cooled reactor technology.
As such, the SPS is composed of components which are diverse from the PPS.
By contrast the PPS is a Westinghouse Integrated Protection System (IPS) design which incorporates integrated circuit and microprocessor technology.
The IPS design has not been t.w any U.S. reactor to date.
To the extent practical, the SPS initiates safety actions using independent and diverse sensing of measured parameters.
The SPS uses the intermediate range flux measurements which are the same as those used by the PPS.
However, a degree of diversity is provided by the fact that the PPS uses the power range nuclear measurement for the overpower trip while the SPS provides an overpower trip based on measurement signals from the intermediate range nuclear instrumentation. The protection for loss of reactor coolant flow is based on reactor coolant pump underspeed for the SPS and based on direct flow measurement for the PPS.
The remaining reactor trip parameters of the SPS are high and low primary pressure and steam generator level and high reactor inlet temperature.
The other actions taken by the SPS are turbine trip and feedwater isolation on high steam generator level and initiation of auxiliary feedwater on low steam generator level.
In addition, the SPS starts the emergency charging pumps on sensing low flow in the CVCS seal water injection header.
The SPS is supplied power from four batteries and inverters which are independent of the electrical power sources for the PPS.
SNUPPS Description
The protection system for the SNUPPS design includes the reactor trip system (RTS) and the engineered safety feature actuation system (ESFAS).
The RTS utilizes redundant logic with various combinations of 1 out of 2, 3 or 4 coincidence to initiate reactor trip.
Because a number of different parameters are monitored, diverse protection is provided for many design basis events.
An overriding design principle of the RTS is its inherent fail-safe nature which initiates channel and logic trips on the loss of electrical power sources.
The use of built-in features which permit periodic testing of operating components during plant operation, combined with technical specification surveillance requirements, has been assumed to assure a system which has a high degree of reliability.
Failure modes and effects analysis is the principal means used to assure that the potential for common mode failures is reduced to a minimum so that they should not be a direct result of inattention to design details.
It should be noted, however, that the SNUPPS reactor trip system design is basically the same as that at Salem Nuclear Generating Station, Unit 1.
Recently, the redundant reactor trip circuit breakers at Salem failed to automatically open following receipt of valid trip signals on February 22 and 25, 1983.
Generic actions which may have a future effect on the SNUPPS design as a result of the Salem events will be delineated in NUREG-1000, "Generic Implications of ATWS Events at the Salem Nuclear Power Plant," which is now in preparation.
The ESFAS is designed to the same principles and criteria as the RTS with the exception that the logic is based on the principle of "energize to actuate" in order to reduce the potential for inadvertent actuation.
U.S. Acceptance Criteria
The U.S. acceptance criteria for protection system design and reliability are embodied in the Code of Federal Regulations 10 CFR 50.
The principal criteria are described in IEEE Standard 279 which is codified by Section 50.55a(h) and the General Design Criteria of Appendix A to 10 CFR 50.
Guidance for interpretation of the regulatory requirements is provided by Regulatory Guides and the Standard Review Plan which includes staff technical positions on specific aspects of safety system design.
Analysis
The Sizewell approach appears to set forth numerical guidelines for the reliability of protection systems which are used to assess the potential risk to public health and safety.
For protection systems the analysis of overall system reliability is bounded by limits imposed when addressing common mode failures.
With regard to the reactor trip safety action, the concern for potential common mode failures is being addressed in the U.S. through the unresolved safety issue for Anticipated Transients Without Scram (ATWS).
Probabilistic risk assessments have been conducted in the U.S. for a number of plants either operating or under construction.
The conclusion of these studies is generally that the probability of a severe ATWS at a plant is about 3 to 6 x 10^-5 per year. With regard to the potential for common mode failures which could negate automatic safety actions, the contribution of protection system failures to severe accidents has not been quantified in the analyses of overall plant risk which have been conducted to date.
MC-7: INCREASED EQUIPMENT REDUNDANCY
(a) Auxiliary Feedwater System - Design Difference Associated with the Sizewell B Use of Four AFW Pumps Instead of the SNUPPS Three-Pump System
Description
The Sizewell B AFW system consists of four AFW pumps (two motor driven, two turbine driven) that comprise two independent subsystems of the AFW system; these are the motor-driven subsystem and turbine-driven subsystem.
Each subsystem normally takes suction from its own condensate storage tank (each of which is the same capacity as SNUPPS) during normal operation and, as in the case of SNUPPS, each pump is capable of discharging to any combination of one to four steam generators.
However, the Sizewell motor-driven pumps discharge to their own dedicated nozzles in the steam generators, while the turbine-driven pumps discharge to the main feedwater system piping in the same fashion as all three pumps (two motor driven, one turbine driven) at SNUPPS.
Normally, each pump is lined up to feed two steam generators automatically via the same initiating signals as SNUPPS.
Each of the pumps at Sizewell is rated at 100%
while at SNUPPS the motor-driven pumps are each 100% and the turbine-driven pump is 200%.
Each Condensate Storage Tank (CST) at Sizewell B is protected against natural phenomena including earthquakes, and a backup unprotected long-term water supply (dedicated to AFW) is available to each pump via manual valving.
The SNUPPS design has an unprotected CST with a protected automatic long-term supply which is the essential service water system.
Another difference in the two systems is the AFW flow control valves.
At Sizewell, the flow control valves are semi-automatic in that after system initiation they will cycle full open or closed using steam generator high and low level setpoints as inputs.
This continues until the operator intervenes to take manual control to maintain specified level.
At SNUPPS the valves do not cycle open or closed but remain at a preset throttled position until the operator takes control to maintain the specified level.
The final major difference in the two systems is AFW flow following a main steamline break or main feedline break that results in an unisolatable steam generator.
Sizewell B includes a "feed only good steam generators" system similar to the U.S. Babcock and Wilcox designs that automatically terminate AFW flow to the faulted steam generator.
The SNUPPS design relies on flow limiting orifices (similar to other W designs) to limit the flow to the faulted steam generator thereby assuring sufficient AFW flow to intact steam generators.
The SNUPPS design requires operator action within 10 minutes to secure flow to the faulted steam generator.
SNUPPS Description
The SNUPPS Auxiliary Feedwater (AFW) system consists of three AFW pumps (two motor driven, one turbine driven) taking suction from one condensate storage tank during normal operation, with each pump capable of discharging via the main feedwater system piping to any combination of one to four steam generators.
Normally, one motor-driven pump is lined up to automatically supply water to two steam generators while the other motor-driven pump is lined up to automatically provide water to the remaining two steam generators.
The turbine-driven pump is normally lined up to automatically supply water to all four steam generators.
U.S. Acceptance Criteria
The SNUPPS AFWS meets the requirements of the applicable General Design Criteria, Branch Technical Positions and recommendations of NUREG-0737.
The SNUPPS AFWS is protected from the effects of natural phenomena and the effects of pipe breaks since it is located in the seismic Category I, flood, missile, and tornado protected auxiliary building and each pump and the associated active valves are located in separate cubicles, thereby satisfying GDC 2 and GDC 4.
The AFWS is not shared between units at SNUPPS; therefore GDC 5 is not applicable.
The system can be controlled from the remote shutdown panel and is automatically initiated, thereby satisfying GDC 19.
GDC 34 and 44 are satisfied by adequate isolation from non essential systems and by providing suitable redundancy in components and power sources.
The AFWS can be inspected and tested, thereby satisfying GDC 45 and 46.
The system has diverse power sources (steam driven and electric motor driven) in accordance with Branch Technical Position ASB 10-1.
It can operate independent of ac power for at least two hours.
The AFW system has the capability to permit operation at hot shutdown for at least four hours followed by cooldown to the RHR cut-in temperature from the control room using only safety-related equipment and assuming the worst-case single active failure.
This is assured by virtue of safety-related atmospheric dump valves and a safety-related long-term source of water from the EFW system.
Thus, the requirements of Branch Technical Position RSB 5-1 with respect to AFW are met.
NUREG-0737 specified short-term and long-term recommendations for increasing the reliability of auxiliary feedwater systems.
The SNUPPS AFWS meets all these recommendations which include limitations in the technical specifications on outage time, adequate switching capability (including indication) between water sources, no single valves whose incorrect positioning could result in loss of AFW flow and safety-related automatic initiation and flow indication.
Analysis
Apparently, the CEGB design change (4 pumps) was intended to achieve 100 percent redundancy in each of the AFW subsystems, i.e., motor-driven and steam-driven subsystems, and to allow sufficient redundancy of plant with one pump train out for maintenance.
The design change results in an increase in reliability that is mainly noticed following a complete loss of ac power.
The semiautomatic AFW flow control valves (open-close) were added to decrease reliance on operator action and provide the operator with more time to perform other actions that may be necessary following an event.
This is also true for the FOGG system that was added to the design.
This may decrease the probability of operator error since the operator will have more time to assess certain situations.
It is possible that the changes have been made to increase the reliability of the system for unanticipated or unanalyzed events, to allow the operator more time to evaluate such situations.
An evaluation of the benefit of adding an additional AFW pump to the SNUPPS design is given below.
In a carefully designed and tested three-train auxiliary-feedwater system (AFWS) with two motor-driven AFWS pumps and one turbine-driven AFWS pump, as in the SNUPPS design, one would expect an unavailability in the range of 10^-5 to 10^-4/demand; the staff has assumed the unavailability is about 5 x 10^-5/demand for comparison with Sizewell. The Sizewell Probabilistic Safety Study (WCAP-9991) states that the unavailability of the Sizewell AFWS is 4 x 10^-7 for the support state where offsite power is available and component cooling water is available.
However, to take into account the fact that all loss-of-main-feedwater events are not total loss-of-main-feedwater events, the unavailability of the AFWS is reduced in the Sizewell analyses by a factor of 3, to 1.33 x 10^-7. For a support state in which no component cooling water is available, only the two turbine-driven trains are potentially available; their unavailability (reduced by the same factor of 3) is stated to be 2 x 10^-4 in the Sizewell study.
In the support state where there is no loss of offsite power and component cooling water is available, bleed and feed of the primary coolant system is considered to be a viable option for cooling the core in the Sizewell PSS (WCAP-9991).
The unavailability of bleed and feed is estimated to be 6 x 10^-3 in WCAP-9991.
The staff notes this estimate may be optimistic if early operator action is required.
For a SNUPPS plant, the staff has also assumed bleed and feed cooling is a viable option for cooling the core with the same unavailability of 6 x 10^-3. There is only one turbine-driven pump in the AFWS at a SNUPPS plant; its unavailability is about 0.02 according to the data of WCAP-9991 (or, for that matter, according to the Accident Precursor Study, NUREG/CR-2497).
The safety benefit that would accrue to the SNUPPS plant for this loss-of-feedwater transient, if the AFWS design of SNUPPS were like that of Sizewell, i.e., an additional turbine-driven AFW pump, is estimated below.
If the SNUPPS design is only changed in this one way, then the major benefit comes from the reduction in probability of the following core melt sequence.
| Event | Frequency or Probability |
|---|---|
| Loss of Main Feedwater | 5.17/yr x 1/3 |
| Loss of AFWS | 5 x 10^-5/demand |
| Failure of Bleed and Feed | 6 x 10^-3/demand |

Sequence frequency = 5 x 10^-7/yr
Note that the conservative assumption has been made above that no restoration or recovery is made for the Main Feedwater or AFW functions for about an hour or two.
If Bleed and Feed is not a viable option for cooling the core, then the probability of Bleed and Feed failure is unity, and the sequence has probability 9 x 10^-5/yr.
However, a more realistic assessment which includes the capability of condensate pumps and possible AFW recovery would likely reduce this probability by a factor of 5 to 10.
The station blackout scenario should also be considered.
If one does not add steam-turbine-driven charging pumps to a SNUPPS design, a better AFWS may not help much in loss of offsite power sequences because failure of all onsite and offsite AC power could lead to an unmitigated RCP seal LOCA even if AFW functions properly.
If steam-turbine-driven charging pumps were added to the SNUPPS design, then a sequence consisting of
(1) loss of offsite power for a period greater than about an hour (frequency about 0.06/yr)
(2) failure of both diesel generators (probability 2 x 10^-3 per demand)
(3) failure of turbine-driven AFWS pump (probability about 0.02)
could lead to core melt at a SNUPPS plant with frequency of 2 x 10^-6/yr and may have an order of magnitude lower probability at Sizewell, because Sizewell has two turbine-driven AFWS pumps.
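The sequence arithmetic in this evaluation, as an added Python example (not part of the original report): each sequence frequency is the initiating-event frequency multiplied by the per-demand failure probabilities quoted in the text, with the failures treated as independent, and results are rounded to one significant figure for comparison with the quoted totals. The class, function and constant names are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Sequence:
    """One accident sequence: an initiator followed by independent failures."""
    name: str
    initiator_per_year: float
    failure_probabilities: tuple  # per-demand probabilities, each in [0, 1]

    def __post_init__(self):
        if self.initiator_per_year < 0:
            raise ValueError("initiator frequency must be non-negative")
        for p in self.failure_probabilities:
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{p!r} is not a probability")

    def frequency(self) -> float:
        """Sequence frequency per year (product of initiator and failures)."""
        return self.initiator_per_year * prod(self.failure_probabilities)


def one_sig_fig(x: float) -> float:
    """Round to one significant figure, the precision used for the totals."""
    return float(f"{x:.0e}")


# Inputs as quoted in the text of this section.
LOSS_OF_MAIN_FEEDWATER = 5.17 / 3     # 5.17/yr x 1/3
AFWS_UNAVAILABILITY = 5e-5            # staff assumption for SNUPPS, per demand
BLEED_AND_FEED_FAILURE = 6e-3         # per demand
LOSS_OF_OFFSITE_POWER = 0.06          # per year, longer than about an hour
BOTH_DIESELS_FAIL = 2e-3              # per demand
TURBINE_AFW_PUMP_FAILS = 0.02         # per demand


def loss_of_feedwater(bleed_and_feed_viable=True, recovery_factor=1.0):
    """Loss of main feedwater, loss of AFWS, then failure of bleed and feed.

    If bleed and feed is not viable its failure probability is unity.
    recovery_factor divides the result to credit condensate pumps and
    AFW recovery (the text suggests a factor of 5 to 10).
    """
    if recovery_factor <= 0:
        raise ValueError("recovery_factor must be positive")
    bleed_feed = BLEED_AND_FEED_FAILURE if bleed_and_feed_viable else 1.0
    seq = Sequence("loss of feedwater", LOSS_OF_MAIN_FEEDWATER,
                   (AFWS_UNAVAILABILITY, bleed_feed))
    return seq.frequency() / recovery_factor


def station_blackout():
    """Loss of offsite power, both diesels fail, turbine-driven pump fails."""
    seq = Sequence("station blackout", LOSS_OF_OFFSITE_POWER,
                   (BOTH_DIESELS_FAIL, TURBINE_AFW_PUMP_FAILS))
    return seq.frequency()


def summary():
    """All cases discussed in the text, in events per year."""
    return {
        "feedwater, bleed and feed credited": loss_of_feedwater(),
        "feedwater, no bleed and feed": loss_of_feedwater(False),
        "feedwater, no bleed and feed, recovery x5": loss_of_feedwater(False, 5),
        "feedwater, no bleed and feed, recovery x10": loss_of_feedwater(False, 10),
        "station blackout": station_blackout(),
    }


if __name__ == "__main__":
    for case, freq in summary().items():
        print(f"{case:45s} {freq:.2e}/yr  (~{one_sig_fig(freq):.0e})")
```
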
(b) Design differences between the SNUPPS and Sizewell B Component Cooling Water (CCW) System and Essential Service Water (ESW) System.
Description
The CCW systems for both plants are basically the same with two 100% trains each of which has two 100% pumps.
The major differences are:
(1) the Sizewell B CCW design is allocated more loads because the ESW system uses seawater, and (2) there is a forced-air (radiator) heat exchanger that can be used to remove heat from the CCW system as a backup to the ESW system.
The backup heat exchanger is necessary since the Sizewell B ESW system is not seismically designed.
The SNUPPS CCW system has only one main heat exchanger (cooled by ESW) since it is capable of maintaining CCW temperature within design limits under all conditions.
The Sizewell B CCW system has two heat exchangers cooled by ESW because, given the higher heat load of the Sizewell design, the main heat exchanger cannot maintain CCW water temperature low enough to cool containment air coolers, pump room coolers, and pump lube oil heat exchangers.
Consequently, an auxiliary heat exchanger automatically supplements CCW cooling under accident conditions.
At SNUPPS, the ESW supplies cooling water for many of these heat loads.
An added feature at the Sizewell B plant is the addition of two reserve ultimate heat sink (RUHS) pumps that have only one function:
to provide CCW flow to the containment air coolers in the event that all CCW pumps are not available.
The pumps are manually started and stopped and are not designed to handle full accident loads such as a large LOCA.
The RUHS heat exchangers associated with the CCW system are automatically switched into the system on loss of ESW system flow due to common mode failure of the ESW pumps such as screen blockage or a seismic event.
They are not designed to handle the design basis LOCA heat loads since a large LOCA concurrent with a design basis earthquake is considered beyond the design basis.
Although a large LOCA concurrent with an SSE is also considered to be beyond the design basis for SNUPPS, the ESW system and UHS for SNUPPS are designed for the SSE.
The ESW system at Sizewell has four 100% pumps while the SNUPPS ESW system has two.
However, at Sizewell two of the pumps are necessary for normal operation, while the SNUPPS ESW pumps are used only during emergencies.
During normal operations at SNUPPS, the ESW system heat loads are supplied by two out of three (50% capacity each) station service water pumps.
At first glance the ESW systems appear to be quite different for Sizewell and SNUPPS, but further inspection shows they are very similar since each plant has two 100% headers with each header having two pumps capable of supplying water with one of the two pumps normally operating.
The ESW system at Sizewell B is not designed to remain functional following a seismic event since it is backed up by the seismically qualified RUHS.
At SNUPPS the ESW system is designed to remain functional following a seismic event.
SNUPPS Description
CCW
The CCW system at SNUPPS consists of two separate 100 percent trains, each capable of being supplied by two 100% pumps (four pumps total).
Each train has one surge tank and one CCW heat exchanger cooled by the ESW system.
A common nonseismic header is used to supply nonsafety-related loads during normal operation.
This common loop is connected to both essential trains via automatically operated safety grade isolation valves that close upon receipt of a safety injection signal, surge tank low level, or high flow indicative of a pipe failure.
Redundant safety related components cooled by the CCW system are the RHR heat exchanger, RHR pump seal coolers, centrifugal charging pump bearing oil coolers, SIS pump bearing oil coolers, and the fuel pool heat exchangers.
During normal operation one pump in one of the safety-related loops is operated with the redundant safety-related train isolated from the system.
If the pump should fail, the remaining pump in the same operating loop automatically starts.
Upon loss of offsite power one pump in each of the safety-related loops automatically starts when sequenced onto the diesel generator buses.
The remaining pumps stay in auto-standby.
ESW
The ESW system at SNUPPS consists of two independent 100% trains, with one 100% pump per train; each pump is in standby during normal plant operation.
During normal operation the ESW loads are supplied cooling water by the nonsafety grade station service water system consisting of three 50% capacity pumps.
The ESW pumps take suction from the seismic Category I UHS retention pond.
Locked isolation valves separate the two ESW trains.
Each train of the ESW system is interconnected with the nonsafety-related station service water (SSW) system.
However, after a SIS, AFW low suction pressure, or loss of offsite power, the ESW system is automatically isolated from the SSW system.
The ESW system heat loads are all safety related except for the air compressors and include the diesel generators, safety-related air conditioning systems, all safety-related pump room coolers, and the containment air coolers.
The non-seismic air compressors have seismic Category I isolation valves separating the essential and the nonessential portions of the ESW system.
U.S. Acceptance Criteria
Both the CCW and ESW system at SNUPPS are protected against natural phenomena.
The systems are designed to seismic Category I requirements and are located in seismic Category I wind and tornado missile protected structures which also provide protection against the design basis flood.
All connections to non-essential portions of the systems are isolatable by seismic Category I automatically operated isolation valves such that a single failure following any natural phenomena will not prevent either system from performing its safety function.
Each of the two trains of CCW and ESW (pump and all necessary piping and valving) are located in separate rooms or cubicles such that flooding, harsh environmental conditions, pipe whip and jet impingement due to a pipe break, or internally generated missiles could only affect components in that particular room or cubicle.
Therefore, both the CCW and ESW systems at SNUPPS satisfy GDC 4.
There is no sharing of the CCW system or ESW system between units, so that GDC 5 is not applicable.
For both the CCW system and the ESW system component redundancy is such that their safety function can be performed following a loss of offsite power coincident with any single active failure.
Automatic isolation valves are provided to isolate non-essential portions of the system from essential portions of the system.
The combination of the CCW and ESW systems has adequate capacity to transfer heat loads, including decay heat, from safety-related structures, systems, and components under normal operating and accident conditions.
The ESW and CCW systems are inspected and tested periodically in accordance with plant Technical Specifications and the requirements of GDC 45 and GDC 46.
Analysis
The only changes of significance in these system designs are the addition of the reserve ultimate heat sink (RUHS) and RUHS makeup pumps.
The RUHS was added to ensure operation of the CCW system in the event of a common mode failure of the ESW system such as a seismic event, clogged screens, or corrosion of CCW heat exchanger by corrosive sea water.
The RUHS makeup pumps were added to assure a supply of cooling water to the containment air coolers in the event of a common mode failure of the CCW pumps during shutdown with the reactor vessel head off.
Both of the above changes appear to be intended to increase the overall reliability of the system by protecting against common mode failures.
Other changes in the systems' designs were apparently made only as a result of the ESW system at Sizewell using sea water and the desire to limit the amount of sea water within the plant. This may be another reason for adding the RUHS which can operate independently of corrosive sea water.
The major advantage of adding the RUHS makeup pumps seems to be that in core melt sequences caused by loss of component cooling water, the fan coolers will continue to function as a heat removal mechanism.
The risk reduction has not been quantified. At a SNUPPS plant, containment fan coolers are supplied water from the Station Service Water (SSW) system (normal operation), or in emergencies from the seismically qualified Essential Service Water (ESW) system, not the component cooling water system.
Since the SSW and the ESW have different water sources and different pumps, two additional pumps to the fan coolers would likely not appreciably reduce the risk.
The use of the RUHS as a backup to the essential service water system at Sizewell is useful in case of common mode failure of the ESW or of the CCW heat exchangers.
These failures may be more likely at Sizewell (where sea water is used for ESW) than at a SNUPPS plant (where the ESW source is river water).
There is probably more safety benefit in the use of this system at Sizewell than there is at a SNUPPS plant using river water as the ultimate heat sink.
(c) Use of Additional Diesel Generators in the Plant Electrical Systems.
Description
The Sizewell design uses four diesel generators to supply emergency onsite ac power, while the SNUPPS design has two diesels. This design change is described below against the background of the plant electrical systems in the two designs.
The Sizewell B vital ac electrical system consists of four essential buses, each of which feeds one of the four emergency load groups.
The four essential buses receive offsite or station power through the nonessential station buses.
A normally open bus tie between essential buses 1 and 4 and 2 and 3 is used to provide an alternate source of offsite power to an essential bus.
The standby power sources to the four essential buses are four independent diesel generators, each of which is rated 5500 kW and supplies only one of the essential buses.
The Sizewell B vital dc electrical system consists of eight independent batteries, each with its own battery charger, distribution boards and inverter.
Four of the batteries provide power through the inverters to the primary protection and instrumentation system while the other four power the secondary protection and instrumentation system.
The batteries also provide power to other essential equipment such as the steam-driven auxiliary feedwater pumps, the steam-driven emergency charging pump, main and emergency control room lighting, and control and switching power for essential equipment.
Section 15.5.2.1 of the Pre-Construction Safety Report indicates the batteries will have capacity to power the steam-driven feedwater pumps and charging pump for 12 hours.
In meetings with the CEGB, the staff was informed that the exact size of the batteries was not yet specified.
Current plans call for "special" high-capacity batteries in only two dc electrical trains, and these would include the two steam-driven AFW trains among their loads; it is likely that these two special batteries will not have all of the loads of the other batteries.
The four dc power trains are electrically independent.
The four ac power trains are electrically independent except for the common sources of offsite power to the buses and the crossties between buses which are only enabled when on offsite power.
The four ac and dc electrical trains are physically separated for fire protection purposes either four ways or two ways.
In meetings with the CEGB, the staff was informed that the Sizewell design has four-way separation for electrical purposes and two-way separation for fire protection purposes, except at hot shutdown when four-way fire separation exists.
CEGB has noted that since the PCSR was published, further detailed considerations of potential effects from fire have led to the introduction of four way segregation for the primary protection system and two way segregation for the secondary protection system. Where there is two-way separation, the equipment associated with trains 1 and 3 is separated from equipment on trains 2 and 4.
Within these pairs of safety trains, it appears the physical separation generally follows that of IEEE Std 384.
The primary and secondary reactor protection system batteries are located in separate buildings; however, within the auxiliary building and reactor building, primary and secondary cables of the same channel will be run together.
SNUPPS Description
The SNUPPS vital ac electrical system consists of two essential buses, each of which feeds one of the two completely redundant emergency load groups.
The two essential buses receive both the normal and alternate source of offsite power directly from the offsite power supplies.
No bus ties exist between the essential buses.
The standby power sources to the two essential buses are two independent diesel generators, each of which is rated 6200 kW and supplies only one of the essential buses.
The SNUPPS vital dc electrical system consists of four independent batteries, each with its own battery charger, distribution boards and inverter.
The batteries provide power through the inverters to the four channels of the reactor protection and engineered safety features systems.
The batteries also provide power to other essential loads such as the steam-driven auxiliary feedwater train, main control room emergency lighting, and switching power for essential equipment.
The batteries have sufficient capacity to power their loads for 3 hours and 20 minutes.
The four dc power trains are electrically independent.
The two ac power trains are electrically independent except for the common sources of offsite power to the buses.
The dc and ac power trains maintain physical separation between redundant divisions in accordance with the criteria contained in IEEE Std 384.
U.S. Acceptance Criteria
The U.S. acceptance criteria used by the staff for the vital onsite ac and dc distribution systems are contained in Table 8-1 of the Standard Review Plan and are based primarily on the General Design Criteria.
The criteria require that the onsite power systems have redundancy, meet the single failure criterion, be testable, and have capacity and reliability to supply power to all the required safety loads.
The onsite ac power system at SNUPPS meets the redundancy and single failure criterion by utilizing two independent, 100% distribution system divisions, each of which is powered by an independent diesel generator or by one of two offsite circuits.
The diesel generators and offsite circuits meet the capacity and capability requirements by having sufficient capacity to sequentially start and operate all of the safety loads connected to them.
The diesel generator in addition has demonstrated the required reliability and capability by meeting the requirements of IEEE Std 387 and Regulatory Guide 1.9 for automatic sequential loading, load rejection, light loading, reliability qualification testing, margin test, and load capability qualification tests.
The onsite dc power system at SNUPPS meets the redundancy and single failure criterion by utilizing four independent distribution system divisions, each of which is powered by an independent battery and battery charger.
Each division meets the capacity and capability requirements by utilizing battery chargers sized with sufficient capacity to supply the largest combined demand of all the steady state loads connected to it.
Although no specific criteria exist for battery endurance (following completion of Station Blackout, USI A-44, specific criteria will be developed), it is required that the turbine-driven AFW train be available for 2 hours assuming a total loss of ac power.
The SNUPPS batteries, which support the turbine-driven AFW pumps, have a 3 hour and 20 minute endurance which meets this requirement.
The redundancy and reliability requirements are further met by the ac and dc vital onsite systems at SNUPPS by physically separating the power supplies to the redundant divisions in separate rooms in a Seismic Category I building and physically separating switchgear and cabling of redundant divisions according to IEEE Std 384 and Regulatory Guide 1.75 requirements.
Analysis
The four ac electrical distribution systems, including four diesel generators, appear to simply follow the four-train mechanical systems' design philosophy.
The basic reason for the four-train electrical system is probably a desire to maintain the redundancy and independence of the four mechanical trains by supporting them with four electrical trains which are also redundant and independent.
The Pre-Construction Safety Report indicates that the safety design basis for the electrical systems is that they be able to sustain a single failure and still perform their safety function "taking due account of plant out on maintenance."
Separation for fire protection purposes for some ac systems is only two-way (four-way at hot shutdown).
The two four-train dc electrical distribution systems, including eight batteries, are apparently used to provide as much independence between the primary and secondary instrumentation systems as possible.
The instrument cables of these two systems, however, are not separated from each other in some areas.
Separation between divisions for fire protection purposes for some dc systems is only two ways similar to the ac systems.
A rough analytical estimate of the safety benefits of providing extra diesel generators in a U.S. SNUPPS plant is made below.
The unavailability of onsite electric power at Sizewell is assumed to be 10^-4, limited by common mode failure of the four diesel generators.
At SNUPPS, a value of 2 x 10^-3 for the simultaneous unavailability of both diesel generators on demand seems to be a reasonable estimate (Accident Precursor Study, NUREG/CR-2497, estimate).
At a SNUPPS plant, without steam-turbine-driven charging pumps, and placed at an average site in the U.S., the accident of most concern from the standpoint of extra diesel generators is evaluated below.
| Event | Frequency or Probability |
|---|---|
| Loss of offsite power for more than 2 hrs | 0.034/yr |
| Failure of both diesel generators (leads to RCP seal failure) | 2 x 10^-3 |
| Failure to recover any diesel generator | 0.8 |

Sequence Probability = 6 x 10^-5/R yr

The sequence probability is about 6 x 10^-5/yr, subject to the previously stated assumptions about seal failures.
It would be decreased by a factor of 20 if the four diesel generators of Sizewell were used; the validity of this reduction factor depends on whether the assumptions concerning diesel generator maintenance made in the Sizewell Probabilistic Safety Study are correct.
In particular, the Sizewell PSS assumes only one diesel generator will be out for maintenance at any one time, and that the average unavailability of a diesel generator due to maintenance is 0.01.
Perhaps the assumptions on test and maintenance unavailability made in the Sizewell PSS would be used as a guide in the construction of the limiting conditions of operation guidelines to be used for the Sizewell PWR.
CEGB has indicated that it intends to develop a computer-based model to assist the operators to determine maximum permissible plant outage in terms of numbers of items and time.
One also notes that even with the steam-driven charging pumps a station blackout could lead to difficulty because of eventual draining of the station batteries.
The batteries for two dc trains at Sizewell are planned to have the capacity to last 12 hours; it is expected they will not have the same emergency loads as at a U.S. SNUPPS plant.
It is not known how long the batteries at a SNUPPS plant can last beyond their design basis, but if it is only 4 hours, then even with steam-driven charging pumps, the core melt frequency caused by station blackout would be about 4 x 10^-5/yr, as is discussed below.
The SNUPPS utility (Callaway) has indicated their batteries will last as long as 12 hours with load shedding.
For a SNUPPS plant a scenario of interest is the sequence consisting of loss of offsite power, failure of both diesel generators, and failure to recover offsite power within 4 hours.
The probability that offsite power is lost and not recovered in 4 hours is estimated as about 0.03, according to reference 1 under item MC-2.
This scenario could result in draining of the station batteries and failure of flow control of the steam-turbine-driven auxiliary feedwater pump, as well as other instrumentation and control such as steam generator level.
Moreover, it is likely that loss of all dc power would delay the recovery of power to onsite loads, once offsite power were recovered, because manual switching operations would be required.
If it is assumed that the SNUPPS station batteries would only last 4 hours, the sequence probability can be estimated as follows:
Frequency of Loss of Offsite Power, with failure to recover in 4 hours: 0.03/yr
Probability of Common Mode Failure of Diesel Generators: 2 x 10^-3
Probability of failure to recover any diesel generator: 0.7 in 4 hours
Sequence probability: 4 x 10^-5/yr
The probability of core melt would depend on the ability to obtain another dc source of electric power or to manually control heat removal without dc power.
MC-8: VESSEL AND PIPING MANUFACTURE AND INSPECTION
A. Manufacture
Description
In general, the only differences in steam generator, pressurizer, and accumulator design and inspection relate to providing more assurance of integrity.
Basically, the design rules are the same, because the Sizewell B design also uses the ASME Code.
Sizewell proposes to augment Code requirements for all components whose failure is to be deemed incredible in several ways:
- Additional stress analysis, using methods such as finite element analysis.
- Additional fracture analysis, using both ASME Code Linear Elastic Fracture Mechanics (LEFM) and the newer Elasto-Plastic Fracture Mechanics (EPFM).
- Additional toughness testing of materials, specifically developing J-Resistance curves for use in EPFM analyses.
- Additional in process and final shop inspections, using diverse and redundant approaches to provide greater assurance of original defect-free condition.
The design of the Reactor Vessel is essentially the same as in SNUPPS.
Some differences, all intended to provide more assurance of integrity, are:
- The part of the vessel shell directly surrounding the core is made of a one piece forged ring. SNUPPS vessels are made of welded plates, so the core area of the shell contains both circumferential and vertical welds. As weld joints are more likely to contain flaws, the use of a monolithic construction reduces the probability of having flaws in the irradiated portion of the reactor vessel.
- The top and bottom heads are also of one piece construction, and the lack of welds furnishes more assurance of flaw-free construction. It also improves the ease and effectiveness of inservice inspection of penetration welds.
- A more complete and sophisticated fracture analysis is performed, including materials testing vs J-R curves, and the use of EPFM.
- More extensive in process and final shop inspections are performed, giving more assurances of freedom from defects.
- The Sizewell vessel radiation surveillance program augments our standard requirements by including Charpy Tension (CT) toughness specimens in addition to the regional Charpy and tensile specimens. As this is a standard Westinghouse practice, it is also included for SNUPPS.
The basic material used in SNUPPS for main coolant piping is centrifugally cast stainless steel.
Although stainless steel will be used for Sizewell, it is stated that forged material is preferred, because nondestructive test procedures are more difficult and less effective on cast material.
However, forged material is also used on some U.S. Westinghouse plants, so there appears to be no basic difference in design philosophy.
The actual material selection has not been made.
SNUPPS Description
Assurance of adequate fracture toughness of ferritic materials in the reactor coolant pressure boundary is provided by compliance with the fracture toughness testing requirements of NB-2300 to Section III of the ASME Code and Appendix G, 10 CFR Part 50.
Compliance with Appendix H, 10 CFR Part 50
The materials surveillance program at SNUPPS will be used to monitor changes in the fracture toughness properties of ferritic materials in the reactor vessel beltline region, resulting from exposure to neutron irradiation and the thermal environment.
Under the SNUPPS surveillance program, fracture toughness data will be obtained from materials specimens that are representative of the limiting base, weld, and heat-affected zone materials in the beltline region.
These data will permit the determination of the conditions under which the vessel can be operated with adequate margins of safety against fracture throughout its service life.
The fracture toughness properties of reactor vessel beltline materials must be monitored throughout the service life of the reactor vessels by a materials surveillance program that meets the requirements of ASTM Standard E-185-73, "Standard Recommended Practice for Surveillance Tests for Nuclear Reactor Vessels," and Appendix H of 10 CFR Part 50.
The SNUPPS reactor vessel surveillance program uses six specimen capsules.
The schedule for removal of each capsule and postirradiation testing will conform with the requirements of ASTM E-185-73 and Appendix H, 10 CFR Part 50.
Pressure-Temperature Limits
Appendix G, "Fracture Toughness Requirements," and Appendix H, "Reactor Vessel Material Surveillance Program Requirements," 10 CFR Part 50, describe the conditions that require pressure-temperature limits for the reactor coolant pressure boundary and provide the general bases for these limits.
These appendices specifically require that pressure-temperature limits must provide safety margins for the reactor coolant pressure boundary at least as great as the safety margins recommended in the ASME Boiler and Pressure Vessel Code, Section III, Appendix G, "Protection Against Nonductile Failure."
Appendix G, 10 CFR Part 50, requires additional safety margins whenever the reactor core is critical, except for low-level physics tests.
The following pressure-temperature limits imposed on the reactor coolant pressure boundary during operation and tests are reviewed to ensure that they provide adequate safety margins against nonductile behavior or rapidly propagating failure of ferritic components as required by General Design Criterion 31: preservice hydrostatic tests, inservice leak and hydrostatic tests, heatup and cooldown operations, and core operation.
The SNUPPS operating curves including pressure-temperature limitations are calculated in accordance with 10 CFR Part 50, Appendix G, and ASME Code, Section III, Appendix G, requirements.
Changes in fracture toughness of the core region plates or forgings, weldments, and associated heat-affected zones due to radiation damage will be monitored by a surveillance program which conforms with ASTM-E-185, "Recommended Practice for Surveillance Test for Nuclear Reactor Vessels," and 10 CFR Part 50, Appendix H.
The evaluation of the radiation damage in this surveillance program is based on preirradiation testing of Charpy V-notch and tensile specimens and postirradiation testing of Charpy V-notch, tensile, and 1/2 T compact tension specimens.
The postirradiation testing will be carried out during the lifetime of the reactor vessel.
U.S. Acceptance Criteria
General Design Criterion 31, "Fracture Prevention of Reactor Coolant Pressure Boundary," Appendix A, 10 CFR Part 50, requires, in part, that the reactor coolant pressure boundary be designed with sufficient margin to ensure that, when stressed under operating, maintenance, and testing conditions, the boundary behaves in a nonbrittle manner and the probability of rapidly propagating fracture is minimized.
General Design Criterion 32, "Inspection of Reactor Coolant Pressure Boundary," Appendix A, 10 CFR Part 50, requires, in part, that the reactor coolant pressure boundary be designed to permit an appropriate material surveillance program for the reactor pressure boundary.
Materials selection, toughness requirements, and extent of material testing were reviewed in accordance with the above criteria subject to the rules and requirements of 10 CFR Part 50, Paragraph 50.55a - "Codes and Standards," 10 CFR Part 50 Appendix G - "Fracture Toughness Requirements," and 10 CFR Part 50 Appendix H - "Reactor Vessel Materials Surveillance Program Requirements."
Analysis
See comments in description above.
B. Inspection
Description
The main design differences in vessel and piping inspection between the SNUPPS design and Sizewell B are that:
(1) Access provisions are being considered for Sizewell B to allow for non-routine inspection of the reactor pressure vessel (RPV) nozzle-to-safe-end welds from the vessel external surface.
Access to the safe-end welds is obtained by removal of the reactor cavity access port covers.
Volumetric and surface inspection of the nozzle to safe-end welds is achieved by the use of track mounted, remotely operated devices capable of carrying out ultrasonic scans of the entire weld.
The track is intended to be permanently installed but readily removable.
(2) Provision is made in Sizewell B to allow access to the RPV lower vessel head in order that ultrasonic examination of the ligaments between instrument penetrations may be carried out; this would be accomplished from inside the vessel.
CEGB has indicated that they have not yet made a commitment to undertake this.
(3) Access is also provided in Sizewell B for ultrasonic examination of the pressure-retaining pipe welds from external surfaces by means of removable insulation, removable shielding, and permanent tracks for remote inspection devices in areas where personnel access is restricted.
SNUPPS Description
The SNUPPS design or licensing position on the vessel and piping inspection is that the inservice inspection of RCPB components and engineered safety features system components will be in accordance with the requirements of the applicable edition and addenda of the Section XI Code as specified in 10 CFR 50.55a(g).
To achieve this goal, adequate access provision will be made for plant inspection at an early stage in the design.
U.S. Acceptance Criteria
Regulation 10 CFR 50.55a(g), "Inservice Inspection Requirements," requires that ASME Code Class 1, 2, and 3 components (including supports) should be designed and be provided with access to enable the performance of inservice examination of such components and shall meet the preservice examination requirements set forth in the applicable edition of Section XI of the ASME Code.
The SNUPPS design (Callaway Unit 1) has committed in the SAR to comply with the above 10 CFR 50.55a(g) requirements.
The applicant has submitted a preservice inspection program based on the 1977 Edition through the Summer 1978 Addenda of Section XI of the Code.
The staff has reviewed the selection of Code Class 1, 2, and 3 component welds subject to examination and finds the examination sample to be acceptable.
The initial inservice inspection program for Callaway Unit 1 has not been submitted by the applicant.
We will evaluate the program after the applicable Code Edition and Addenda can be determined and before the first refueling outage when inservice inspections will be performed.
Analysis
The safety improvement that was intended by the CEGB design change appears to be the following:
(1) Inspection Capability of RPV Lower Head Ligaments between Instrument Penetrations:
The present Section XI Code does not require any inspection of the ligaments between instrument penetrations at the lower vessel head.
The only inspection specified by Section XI of the Code is the visual examination of the instrument nozzle welds during the pressure testing of the RPV.
Therefore, it appears that the Sizewell B requirement might increase the plant safety to some limited extent.
(2) Remote, Permanent Track Inspection Capability of Piping Welds:
Assuming the same effectiveness between the manual (SNUPPS design) and automated (Sizewell B) inspections, there does not appear to be a significant increase in plant safety that can be gained from the Sizewell B design change.
The main safety benefit that can be realized is the reduction in radiation exposure to inspection personnel and perhaps some saving in time.
The reproducibility of the examination is probably enhanced.
MC-9: LAYOUT AND ALARA CHANGES
Description
(a) The Addition of Some Permanent Sub-Change Rooms, Barrier and Work Facilities in Containment
Permanent sub-change rooms would be provided for areas that are designated, for design purposes, as potential contamination areas under normal or maintenance conditions.
These areas are beyond the main change rooms.
Barriers are used for access control into areas where the radiation levels exceed 50 mr/hr.
(b) Improvements to the Ventilation and Air Filtration System for the Containment
Sizewell B will use an internal cleanup system for containment whose operation, after about 3 hours of use, would allow entry into containment without the need for respiratory protection.
The system enables the activity of iodines and tritium to be reduced to less than 0.1 MPC using 0.02% failed fuel as the source terms for airborne concentration calculations.
(c) Adoption of a Narrow Vessel Cavity
The design with a restricted gap between the RPV and the biological shield should reduce localized dose to workers during refueling because of reduction in induced radioactivity and during entry into containment at power since it would reduce neutron and gamma-ray streaming.
(d) Larger Containment Internal Diameter
The Sizewell B containment internal diameter is 10 feet greater than SNUPPS.
This larger diameter is required to accommodate larger pump motors and accumulators.
It will also reduce man-rem by providing adequate space for portable shielding, anticipated maintenance, testing and inspection, and to accommodate safe personnel movement during replacement of components and material handling.
SNUPPS Description
(a) The Addition of Some Permanent Sub-Change Rooms, Barrier and Work Facilities in Containment
SNUPPS does not incorporate such areas at Callaway but uses their main change room where personnel put on required anti-contamination clothing before entering the Controlled Access Area.
Barriers are used where the radiation levels exceed 100 mrem/hr in accordance with 10 CFR 20 and Standard Technical Specifications.
(b) Improvements to the Ventilation and Air Filtration System for the Containment
SNUPPS does not use an internal cleanup system for reducing the concentration of activity in containment when entry is required.
Prior to entry, airborne radioactivity measurements are made to determine the need for respiratory protection.
Since entry stay-time into containment, while the reactor is at power, is restricted by the dose from neutrons and gammas streaming, protection from airborne hazards, while of lesser importance for entry stay-time requirements, are nevertheless controlled to assure ALARA exposure.
(c) Adoption of a Narrow Vessel Cavity
SNUPPS, using the wider gap, has the option of ISI internal or external inspection of the reactor vessel.
They did not want to preclude either option.
The wider gap would give them room to lower equipment for inspection of flaws in vessel walls or cladding.
The design also considered pressure build-up during a LOCA as does the Sizewell design.
(d) Containment Internal Diameter
SNUPPS has also described features including design for filters, demineralizers, evaporators, pumps, tanks, heat exchangers, remote instruments, valves, piping, etc., using space for ease of changeout, repair, replacement, etc., to reduce exposure during maintenance of this equipment.
Space is also provided, as required, for temporary shielding.
U.S. Acceptance Criteria
(a) The Addition of Some Permanent Sub-Change Rooms, Barrier and Work Facilities in Containment
It is standard practice to use one main change room prior to entry into or exit from radiation controlled areas.
NRC has not required use of sub-change rooms as means of control of spread of contamination.
It is common practice for individuals exiting from contaminated or potentially contaminated areas, to egress through a designated control point where they remove contaminated protective clothing and use G.M. friskers for self-examination for contamination.
(b) Improvements to the Ventilation and Air Filtration System for the Containment
NRC allows containment purging, prior to entry, if the licensee can stay within the limits of Appendix I and the limits for the number of hours for purging.
Some plants use internal cleanup (kidney) systems, based on their own requirements, but it is not a U.S. requirement.
(c) Adoption of a Narrow Vessel Cavity
Staff acceptance is based on neutron and gamma streaming into containment with the reactor at power.
SNUPPS is planning placement of a neutron shield over the cavity to reduce exposure to ALARA levels whenever containment occupancy is required with the reactor at power.
Exposures to workers from activation of vessel internals during refueling can be reduced to ALARA levels by removal and shielding of the vessel head, and administrative controls used during operations adjacent to the cavity.
(d) Containment Internal Diameter
SNUPPS has met NRC criteria based on conformance with Regulatory Guide 8.8 which specifies station layout features that incorporate consideration of space for ease of servicing activities to reduce radiation exposure time and commensurate potential dose.
The staff has not reviewed SNUPPS evaluations of specific costs/benefits for particular designs for ease of maintenance.
Analysis
(a) The Addition of Some Permanent Sub-Change Rooms, Barrier and Work Facilities in Containment
All access control to radiation and/or contamination areas or potential contamination areas is through Radiation Work Permits (RWP).
These RWPs outline the work to be performed in the relevant area and specify all the protective clothing, including respiratory protection, that will be required prior to the work being performed.
Sizewell B has sub-change rooms to don those protective devices (e.g., respirators, breathing apparatus) that are not stored in the main change room.
(b) Improvements to the Ventilation and Air Filtration System for the Containment
We have reviewed the source terms for airborne radioactivity concentrations for containment, at power, for SNUPPS, using their value of 0.12% failed fuel, and for Sizewell B, using their value of 0.02% failed fuel.
We found that for tritium, among many other radionuclides including corrosion products, the concentrations are the same, and for iodines, the concentrations track well with the ratio of failed fuel (i.e., 0.12/0.02 = 6).
That is, SNUPPS concentrations for iodines are six times greater than Sizewell's, exactly the ratio of source terms.
(c) Adoption of a Narrow Vessel Cavity
The man rem exposure for refueling SNUPPS is stated to be 24.1 compared to Sizewell's stated 16 man rems to perform this work function.
The staff expects that some fraction of this 8 man rem difference is attributable to the difference in vessel cavity size, the narrow cavity design giving less exposure.
(d) Containment Internal Diameter
The man-rem savings from a 15% increase in containment area is an unknown factor and, in the U.S., the additional cost should be balanced against the estimated man-rem savings.
MC-10: REDESIGNED CONTROL ROOM
Details of the Sizewell design, which are not yet available, are needed to evaluate changes from the SNUPPS design.
These include layout, panel drawings to the component level with labeling, display faces, annunciator tiles with individual tile labels, coding standards (color, shape, location), and list of abbreviations.
In meetings with the CEGB, the staff was informed that the control room design philosophy for Sizewell would be an extension of that used in their gas-cooled reactors modified for use in a PWR.
Some of the expected changes include different voltages, different terminology on some labels and annunciator panels, and fewer annunciator windows.
II. OPEN ISSUES IN THE NII REVIEW
OI-1: EXTERNAL HAZARDS
(a) External Hazards Due to Man-Made Activities (Airplane Crash, Gas Cloud Explosion, Toxic Gas Release, and Other Industrial or Transportation Hazards)
Description
The man-made activities in the vicinity of each SNUPPS site in the U.S. were found to be of little significance in terms of external hazards to the Sizewell B site, although the NII findings with respect to airplane crashes and gas cloud explosions point to the need for additional studies to be made by CEGB.
In both plant designs, external hazards due to man-made activities do not appear to dictate specific plant design features.
In either case, specific protection measures, such as redundancy, separation, or barriers, were not needed (other than what was already provided in the plant design for other reasons).
However, there are notable differences in the safety guidelines and acceptance criteria with respect to external hazards due to man-made activities.
These differences have the potential for requiring design modifications for each site to be considered.
Specifically, the differences include the following:
1. The CEGB design safety guidelines dismiss aircraft hazards for sites which are over 10 km (6.2 mi) from the nearest airfield or military low-level flying areas, as long as plant redundancy and separation is already provided.
This is a "standoff distance" criterion which decouples plant risk assessment from air traffic level considerations.
The corresponding NRC criteria relate both distance and traffic level to the estimated aircraft crash risks.
Consequently there may be other U.K. sites where the aircraft activities beyond 10 km would necessitate design modifications according to U.S. criteria, but not necessarily with regard to U.K. criteria.
In meetings with the CEGB, they indicated to the staff that a new study is being prepared which will consider probabilities which may vary from site to site depending on the air traffic.
Within 10 km, the CEGB probabilistic criterion is that following an aircraft crash, or control room damage, the system unreliability should not exceed 10^-3 per demand.
If the assumption were made that one or more safety-related systems would be called upon in the event of an aircraft crash, then the above criterion would be equivalent to an acceptable crash frequency of 10^-4 per reactor year (10^-7 being the target level for a single accident leading to a large uncontrolled release).
This appears to differ from the NRC licensing practice wherein 10^-7 is applied to the aircraft crash frequency (the assumption being that system unreliability is about 1).
However, CEGB has indicated that in the Sizewell 'B' design, following the CEGB Design Safety Guidelines, the 10^-3 f/d criterion for shutdown and cooling is taken to apply to natural phenomena where the design basis hazard has a frequency of occurrence of 10^-4 per annum, but it is not taken to mean that a crash frequency of 10^-4 per reactor year is acceptable.
In the case of aircraft crash, CEGB notes that their position is not greatly different from that of NRC.
In the safety case for Sizewell 'B', CEGB calculates a probability of an aircraft crash upon potentially vulnerable buildings to be 4 x 10^-7 per year for an aircraft with a mass of 2.3 tonnes or greater.
Qualitative arguments are used (as a numerical assessment is virtually impossible) to the effect that the probability of an unacceptable release following such an aircraft crash is well below unity to "show that both the probability and the release are acceptably low."
2. The CEGB indicates the need to consider offsite explosions and sources of noxious (toxic) materials.
However, it is not clear which specific guidelines are used.
For example, minimum distances or toxicity criteria did not appear to be specified for noxious substances.
A minimum shipping frequency in the case of transportation sources was not clearly apparent.
For explosions, the guidance is limited to a 10-km standoff distance.
Within 10 km, it does not appear that there is any guidance on acceptable overpressure levels, or, in the case of vapor cloud explosions, guidance on TNT equivalency.
In the absence of specific guidelines, an evaluation may be required with respect to noxious substances and explosions at other U.K. sites.
CEGB has indicated the following position:
"The approach to offsite explosions and sources of noxious (toxic) materials is basically the same as for aircraft.
If the results of the CEGB investigation on shipping (and accident) frequency turn out to be unacceptably high, then it will be shown that the probability of unacceptable damage to the station is acceptably low.
Historically, it has been standard practice to agree such evaluation techniques (i.e. acceptable overpressure levels and TNT equivalent methods) with the CEGB and not to lay them down in "evaluation manuals" the reason being that the state of the art of the techniques constantly changes and improves."
3. There is a fundamental difference in the way an external hazard due to man-made activities is dealt with in the U.K.
In the U.S. these hazards are usually accommodated through plant design provisions or modifications.
This approach is due to lack of any significant authority on the part of the utility or the NRC to control the offsite man-made activities.
This is not the case in the U.K., where local authorities have some authority to control the development or conduct of various man-made activities.
Because of this difference, there may be plants in the U.K. potentially sited near hazardous man-made activities without the requirement for any specific plant design modifications.
The hazard would be maintained at an acceptably low level by controlling its source.
A specific example of this type of control is control of industrial development in agreement with local authorities.
CEGB has indicated that in principle, the U.K. position is similar to the U.S.
Existing hazardous sources are taken into account in the choice of site location, and in the design if necessary.
Future hazardous sources are beyond the controlling authorities of CEGB and NII, but either could oppose the introduction of new hazardous installations in the vicinity of the site.
SNUPPS Description
The U.S. SNUPPS design was reviewed for external man-made hazards on a site-specific basis for the Callaway, Sterling, Tyrone, and Wolf Creek sites.
Review of the nearby industrial, military, and transportation activities for each of these sites led to the finding that the hazards were insignificant and that the plant was adequately protected against their effects without any specific design provisions.
U.S. Acceptance Criteria
Acceptance of the SNUPPS plant design at each of the U.S. sites with respect to hazards due to man-made activities was based on the following considerations:
1. Each site was reviewed and independently verified with respect to industrial, transportation, and military activities in the vicinity.
2. Each hazard was evaluated on the basis of distance from the plant, or severity, or probability of occurrence, or a combination of these parameters.
For example, with respect to aircraft hazards, the screening criteria (0 to 5 miles, 5 to 10 miles, and beyond 10 miles) of Standard Review Plan (SRP) Section 3.5.1.6 were applied to any airports identified in the site review.
Judgment and past review experience were used to a large extent with respect to industrial and transportation routes for evaluating fire, explosion, and toxic gas hazards.
3. The review findings consisted of comparing the estimated risks for each identified hazard with respect to the risk acceptance guidelines described in SRP 2.2.3.
The value of 10^-8 per year was applied to risk estimates derived from conservative analysis, whereas 10^-7 per year was applicable to estimates based on realistic analyses.
The above acceptance values are identified with the entire hazard sequence, from the initiating event (e.g., probability of an aircraft crash on the site, pipeline rupture near the site, etc.) to the ultimate consequences (i.e. exceeding 10 CFR Part 100 dose guidelines).
Analysis
Currently there are no design changes between the U.S. and U.K. SNUPPS plants attributable to external man-made hazards.
With respect to the Sizewell B site, there is a potential for design modifications by CEGB in view of the remaining NII concerns regarding aircraft and gas cloud explosion hazards.
NII has requested CEGB to do a statistical analysis of the probability of a significant aircraft crash onto the Sizewell site.
Presumably, if the findings indicate that the combined probability of an aircraft crash and the release of radioactivity in the range of 1 to 10 of ERL is greater than 10^-7 per year, either design modifications or hazard control measures "at the source" might be considered.
CEGB has noted that hazard control measures "at the source" are not considered for existing hazards.
Similarly, the NII has asked CEGB to look into the probabilities associated with potential tanker mishaps involving the spill, ignition, and detonation of LPG or LNG near the site.
As in the case of aircraft crashes, unfavorable findings could impose plant design modifications.
Beyond the above considerations, other sites may have man-made hazards which could impose design modifications owing to the differences between the U.S. and U.K. safety guidelines and acceptance criteria.
(b) External Hazards - Earthquakes
Description
1. There is a difference between the CEGB and the NRC in the definition of the Safe Shutdown Earthquake (SSE).
In the CEGB PWR Design Safety Guidelines, the SSER ground motions were "selected to correspond to the vibratory motion expected to occur at the site selected at random within the land area of Great Britain with a cumulative probability of exceedance less than, or equal to 10^-4 per annum." CEGB has also carried out a regional seismicity assessment for Sizewell.
In contrast, 10 CFR Part 100 Appendix A describes the selection of the SSE as a deterministic process in which maximum earthquakes are selected on the basis of historical and seismotectonic data for each tectonic province, tectonic structure or capable fault.
The probabilistic method assumes a random distribution of earthquakes.
For each tectonic province, earthquake frequencies are based on historical data and probabilities calculated for various levels of exceedance.
Although the NRC staff considers probabilistic information relevant, probabilistic procedures have not been used to directly determine design ground motion levels for new plants due to the lack of numerical guidance in the regulations.
2. There is a difference in the SSE for the SNUPPS sites versus the Sizewell site.
The standardized portions of SNUPPS plants have a 0.20g Regulatory Guide 1.60 design spectrum.
In meetings with the CEGB, they indicated that the Sizewell B plant is being designed to a different spectrum from SNUPPS, and a value of 0.25 g even though recent analysis of the Sizewell region concluded the value would be about 0.17 g.
3. NII considers one of the main safety issues to be agreement on a comprehensive definition of the external hazard design levels.
The CEGB agreed to deal with this point in their Pre-Construction Safety Report, by technical discussion or by correspondence.
4. NII also needed to be satisfied that there is no sudden detrimental change in the risk/damage relationship for earthquakes beyond the SSE.
The feasibility of conducting sensitivity studies to explore that question has not yet been established by CEGB.
5. NII accepted the zero period acceleration (ZPA) of 0.25g assigned to the SSE as corresponding approximately to the expected excitation at the 10^-4 event/year level, based on U.K. seismicity.
However, significant earthquakes have occurred offshore and NII asked for assurance that no offshore tectonic features (faults) exist which would affect the selection of the SSE.
Subsequently, NII indicated that their recent analyses (published in Supplement 7 to their review of the PCSR) show that this is no longer a concern.
6. NII has taken issue with the following CEGB position with regard to seismically induced stress limits:
Where the seismic requirement is only that the item must retain its integrity, then stress limits permitting yield are used.
Where the item is required to function actively during or after a seismic event in order to supply its safety function (active components) or where safety could be jeopardized by deformation of the item, then stress limits are adjusted appropriately.
This generally requires stresses to remain in the elastic region.
NII has expressed two concerns on this position.
The first concern deals with the definition of active components.
For example, it is not clear whether CEGB considers supports of the reactor vessel as active components.
The second concern arises from the fact that stress limits to yield are permitted while SSE and LOCA loads are not combined as is done in U.S. practice (also see differences between CEGB and SNUPPS criteria below).
7. NII has expressed concern regarding the CEGB position of not combining SSE and LOCA loads.
Because of this concern, the NII needs evidence from the CEGB to show that the design bases for the containment and for the ECCS in particular are unlikely to be exceeded in earthquakes or other external hazards.
8. NII suggests that earthquake events of a lower level of excitation than the SSE (equivalent to the OBE in U.S. practice) should be factored into the analysis, so as not to shut down and re-validate the plant after any
9. NII has requested that consideration be given to a trip, controlled by excitation from external hazards, to provide automatic shutdown of the reactor in the event that the external hazard exceeds that level against which the plant is prequalified (for example, the OBE level).
10. The SNUPPS design has considered the occurrences of OBE and SSE events, while CEGB only considers the SSE event.
11. The load combinations used in the design of SNUPPS Category I structures include load cases in which SSE and LOCA loads have been combined. The CEGB has elected to dispense with such load cases.
12. The soil-structure interaction (SSI) analysis of SNUPPS plant structures has been carried out using both finite element method and the compliance function approach.
CEGB has indicated that compliance methods alone are being used for Sizewell soil-structure interaction. It appears that CEGB has given a more detailed and vigorous look at the sensitivity of parameters involved in the seismic design by extensive parametric studies (Section 3.3.2.2.1(viii)(c) of Chapter 3 of the PCSR).
13. With regard to control room notification during an earthquake event, the CEGB measures are not apparent.
The SNUPPS design has provided audio and visual indicators in the control room.
SNUPPS Description
The ZPA value for the SNUPPS SSE is 0.20g, which is a design envelope resulting from site-specific studies for several SNUPPS sites in the Central U.S.
The NRC staff has accepted 0.20g anchored to a Regulatory Guide 1.60 design spectrum as conservative for those SNUPPS sites reviewed to date.
In addition, each SNUPPS site has a site-specific SSE for the non power block seismic Category I portions of the facility.
The SNUPPS design has not been evaluated for an earthquake event larger than the SSE event.
In the SNUPPS design of Category I structures the LOCA and SSE loads have been combined by the absolute sum procedure.
The NSSS supports are designed in accordance with the ASME Section III, Division I, Subsection NF.
For these supports, SSE and LOCA loads have been combined.
The SNUPPS plants have been designed considering an OBE event.
The OBE design response spectra values were taken as 60% of the SSE values.
The SNUPPS design considered the occurrence of 20 OBE events over the life of the plant to estimate the number of maximum stress cycles.
Using this approach, 10 maximum stress cycles were considered for flexible equipment and 5 maximum stress cycles for rigid equipment for each of 10 OBE occurrences.
The SNUPPS design has not provided a trip mechanism, controlled by the excitation of external hazards, for an automatic shutdown.
The SNUPPS plants have been evaluated for soil-structure interaction effects by considering both the finite element method and the soil-spring method.
U.S. Acceptance Criteria
The SSE values for the SNUPPS sites meet the U.S. criteria by the following procedures:
(1) Select conservative regional tectonic models.
(2) Determine maximum historical earthquakes for each tectonic province and maximum credible earthquakes for tectonic structure.
(3) Determine the vibratory ground motion at the site due to the maximum earthquake associated with each tectonic province and tectonic structure.
(4) The SSE free-field response spectrum is at least as conservative as that which would result at the site from the maximum earthquake(s).
The seismic design of SNUPPS plants (with respect to issues discussed above) meets the U.S. criteria by the following procedures:
(1) LOCA and SSE loads have been combined in the design of Category I structures, systems, and components.
(2) An OBE, at the level of 60% of SSE, has been considered in the design.
Multiple occurrences of OBE have been considered for fatigue evaluation.
(3) Seismic instrumentation and control room notification measures have been provided in accordance with Regulatory Guide 1.12.
(4) Two methods have been considered in the soil-structure interaction analysis.
(5) The U.S. licensing criteria do not require a consideration for events greater than SSE event and also do not require automatic shutdown capability for external events.
Analysis
1. CEGB does not specify the basis or the safety benefit for the SSE design change to probabilistic methods. The level 10^-4 per annum was chosen for the design because CEGB finds "it is extremely unlikely that the station will be exposed to a more onerous condition during its life." Comparison of the Sizewell SSE was also made with deterministic methods.
External hazards are not analyzed as part of the probabilistic risk assessment (PRA) studies for the Sizewell site.
Seismic risk is however included in some PRA studies for U.S. sites.
2. Differences in design ZPA and response spectra depend on regional seismicity and local site conditions in addition to the definition of the SSE.
3. No implications for U.S. practice could be drawn at this time from the U.K. open issue on definition of external hazard levels.
4. The NII open issue on the possibility of sudden detrimental change in the risk/damage relationship for design earthquakes may be similar to the evaluation of margins conducted by the NRC staff.
5. The former issue of offshore tectonic features is not relevant to the SNUPPS sites, which are located in the Central U.S.
Offshore geophysical and seismicity data are, however, considered for coastal U.S. nuclear power plant sites.
NII has indicated that this is no longer an issue and is resolved in Supplement 7 of their review of the PCSR.
6. The U.S. licensing criteria do not require the consideration of events beyond the SSE, although this is a topic of ongoing discussion.
Further, the risk assessment approach is generally not a basis for making licensing decisions.
However, considering the conservatisms involved in the structural analysis procedures, actual material properties versus nominal properties, OBE considerations which may dictate the design of some structures, and the simultaneous consideration of SSE and LOCA loads, some assurance is available that there is no sudden detrimental change in the risk/damage relationship due to the occurrence of an event slightly larger than the SSE (provided there are no sub-soil failures).
In several recent probabilistic risk assessment (PRA) studies, the external events were considered in the analysis.
The Indian Point and Zion studies indicate that the seismic event could be a major contributor to the total risk.
However, there have been some serious concerns regarding assumptions made in the studies.
Both hazard and fragility aspects need further examination. The state-of-the-art for conducting PRAs for external events is still far from maturity.
7. With regard to load combinations and allowable stress limits, the U.S. acceptance criteria appear to be more conservative than the CEGB criteria.
In addition to the requirement of considering combined effects of LOCA and SSE loads, consideration of the combined effect of LOCA and OBE is also required in U.S. practice.
CEGB has indicated that for Sizewell, SSE loads are to be combined with faulted transient loads due to failure of plant which is not seismically qualified (i.e. SSE is not combined with LOCA or main steamline break).
In some cases, because of the factored loads or lower stress limits, the load combination involving OBE loads may govern the design of a structure, system, or a component and provide additional margin.
In U.S. practice, ASME level 'D' limits are used to ensure structural integrity.
To assure functional capability, lower stress limits are specified depending on the piping material, configuration, and seismic requirements.
The currently proposed stress limits for Sizewell mechanical components under seismic loads are:
(a) to ensure structural integrity, ASME level 'D' limits are used,
(b) to assure functional requirements where distortion could affect operability, level 'B' limits are used.
This lower limit may also be applied to pipework required to transmit full design flow during or after an SSE.
This is under review by CEGB,
(c) RCS supports will also be checked against level 'B' limits under seismic loading.
The issue of combining SSE and LOCA load effects is a subject of currently ongoing NRC sponsored research at the Lawrence Livermore Laboratory.
8. In U.S. practice, consideration of the OBE event is required.
CEGB has no OBE requirement.
As noted earlier, in many cases the design of a structure, system, or component may be governed by OBE considerations, providing additional margin over a design which results from SSE considerations only.
Further, the plant is required to be shut down and inspected prior to startup when an event equal to or larger than the OBE occurs.
9. The issue of automatic shutdown capability for the seismic event has been debated for many years in the U.S. ACRS meetings and other places.
The U.S. NRC has also sponsored a study to evaluate the effect of providing automatic seismic scram.
In Section 3.3.2.2.2 of the PCSR, the CEGB has indicated that a level will be established such that seismic excitation greater than this level would require the shutdown of the plant, but this level will not constitute loading in the design.
10. Because of uncertainties and controversy involved in the soil-structure interaction (SSI) analysis methodologies, inappropriate data base to evaluate the reduction in the seismic motion (resulting from the use of deconvolution techniques), and the involvement of a large number of parameters with considerable uncertainties, the current U.S. NRC practice requires that the plant structures, systems, or components should be designed to an envelope of results obtained from using two separate SSI methods. These methods are referred to as the finite element method and the compliance function method.
CEGB has stated that for Sizewell, compliance methods are to be used.
CEGB states that SNUPPS experience and studies for Sizewell have indicated that this method is significantly more conservative than the finite element approach; CEGB further claims that the staff practice of enveloping the results of both methods will therefore not be more conservative.
Considering a very shallow embedment of Sizewell structures, the use of the computer program FLUSH could pose some concern.
The input motion at the foundation level at Sizewell is not being reduced by deconvolution.
(c) External Hazards - Fires
Description
The NII has identified a number of issues with respect to the CEGB approach to fire protection.
Specifically, they are as follows:
1. Not all areas where a fire could cause serious radiological consequences have been identified (for example, the areas used for resin encapsulation of solid radioactive waste, and waste processing and storage).
A room-by-room fire hazards analysis will be carried out when the plant and room layout and the detailed system design are completed.
2. Personnel safety aspects of fire protection have not been adequately considered.
3. It is not clear that the separation of fire zones is adequate when provided by either of the following:
(1) A one-hour fire-rated physical barrier plus automatic fire detection and suppression.
(2) A spatial separation of at least 6 meters plus automatic fire detection and suppression.
4. Any three-hour fire barriers separating fire areas should be imperforate so far as is reasonably practicable, with all penetrations justified on an individual basis.
5. Cables should not be routed via corridors and plant rooms.
6. It is not clear that the reactor coolant pump oil collection system is sufficiently effective to preclude a fire involving the pump's lube oil and that an exposure fire will not affect the pump's oil system.
SNUPPS Description
The U.S. SNUPPS design has the following features with respect to the NII concerns on fire protection:
1. Personnel safety aspects of fire protection are not described in the NRC licensing process.
2. No limits are placed on the quantity of penetrations.
However, all penetrations must be sealed to provide fire protection equivalent to the barrier in which they are installed.
Penetrations are sealed with fire doors, fire dampers, and piping and electrical penetration seals; the rating of the sealing device is the same as that of the fire barrier.
The staff places no restriction on the number of penetrations in a three-hour fire barrier.
The staff requires that all penetrations be sealed.
3. There are no restrictions on routing cables via corridors and plant rooms.
4. Each of the four reactor coolant pumps (RCPs) is provided with an oil collection system that consists of splash guards, catch basins, and enclosures assembled as attachments to the RCP at strategic locations to preclude the possibility of oil making contact with hot surfaces.
Two collection tanks (each tank serves two RCPs) have a capacity of about 300 gal (i.e., about 110% of the oil in one pump).
The collection tanks are located on the containment floor such that if the leakage exceeds the capacity of the tanks, the overflow would go through drainage trenches to the normal sumps.
This oil would not come in contact with hot surfaces and would not pose a significant hazard.
The oil collection tanks and piping are being designed to maintain their integrity following an SSE.
The design is being evaluated by the licensee to determine its capability to remain functional following a seismic event.
U.S. Acceptance Criteria
1. All fire areas of the plant must be defined and analyzed for the potential to damage redundant shutdown systems and to release radioactive material.
2. The fire and fire-suppressant damage to shutdown capability for any fire is limited so that one train of shutdown capability is free of damage.
3. Fires involving radioactive material are analyzed to show that the releases from such fires are small.
4. The staff accepts routing cables via corridors and plant rooms.
The staff accepts a single division of cables in any room or corridor.
5. Where redundant shutdown systems are in the same fire area, the staff requires automatic fire suppression and separation of the divisions by a one-hour fire barrier or 6 meters of spatial separation free of combustibles.
6. With respect to the reactor coolant pump oil system, the staff does not review the licensee's evaluation of seismic capability.
Usually the oil is contained in the pump/motor assembly.
If the oil system extends to other parts of the containment it should be considered also.
7. With respect to separation of fire zones, the staff accepts either of the following:
a. A one-hour fire-rated physical barrier plus automatic fire detection and suppression.
b. A spatial separation of at least 6 meters plus automatic fire detection and suppression.
Analysis
It is not clear that a practical design can be developed in which an imperforate fire barrier separates redundant divisions.
It is clear that fire barriers separating fire areas containing the same division cannot be imperforate in all cases. The staff is not aware of any design attempts to achieve imperforate fire barriers.
NII is concerned that design will be effective and that the entire oil system has been considered.
This can be accomplished easily in the final design.
The staff has no restrictions against routing cables in corridors or plant rooms.
In the older designs, redundant cables were placed in the same cable tray or same room. In the newer designs, redundant cables are being run in separate corridors or rooms.
The two fire protection options described in U.S. Acceptance Criterion 7 above are viewed as reasonable alternatives to a three-hour barrier for plants well along in design and construction.
It is desirable in a new plant design to obtain more separation by three-hour rated physical fire barriers and reduce the dependencies on fire suppression systems.
However, it is not clear that a practical design can be achieved that completely eliminates such dependence.
01-2: FUEL CLADDING BALLOONING
Description
In some LWR LOCA scenarios, the fuel cladding will balloon and rupture due to the depressurization of the primary coolant system and the associated rise in cladding temperature, which results from the reduction in cooling.
The ballooning is characterized as circumferential swelling that axially propagates along the fuel rod until strain instability occurs rupturing the cladding.
The superplastic ballooning behavior of Zircaloy fuel is not linearly dependent on temperature (Ref. 4).
Evaluation models used for Appendix K analyses are constructed to artificially generate maximized cladding temperatures for maximum power conditions.
However, such conservative modeling practice does not necessarily result in the maximization of cladding ballooning and flow blockage.
The ballooning issue is whether more realistic evaluation models using average-rated fuel rod powers would lead to greater flow blockages and poorer ECCS performance.
In order to investigate the effect of severe blockages that result from fuel rods whose cladding temperatures remain within the low-temperature, high-ductility region for extended periods of time, Westinghouse and NNC have planned a joint analytical program.
The analysis from this program can be considered as a supplement to the completed Sizewell standard Appendix K large-break LOCA analysis, which was performed with the NRC-approved Westinghouse 1981 ECCS Evaluation Model (Ref. 5).
The objective of this joint program is to show for the most pessimistic thermo-mechanical conditions conducive to the generation of ballooning and blockage that (a) the number of fuel assemblies affected is small, (b) cladding temperature gradients will be sufficient to preclude long balloons that could result in wide-spread coplanar blockage, (c) the severe deformation calculated is amenable to cooling, and (d) no ECCS performance criteria are violated. In the program, the additional LOCA analyses are being performed with standard codes used for Appendix K analyses and two new mechanistic codes, BART and TAPSWEL.
Preliminary BART/TAPSWEL analyses indicate that the program objective will likely be achieved in the final analysis.
The final analysis is expected to rely heavily on test results that have recently become available from the British-sponsored NRU experiment MT-3 (Ref. 6), which was performed in Canada.
CEGB submitted the safety case to NII in September, 1982.
The NII assessment was released in early 1983 as Supplement 2 to the NII review of the PCSR.
SNUPPS Description
Fuel cladding ballooning as a result of a LOCA was analyzed for SNUPPS using Appendix K types of codes.
The specific British concern of severe ballooning and blockage was not addressed on the SNUPPS docket.
However, there have been two internal workshops (Refs. 7 and 8) and several trilateral (U.K., FRG, U.S.) meetings (Refs. 9 and 10) held explicitly for the purpose of discussing the likelihood of such deformation occurring in the reactor core. The impetus for these earlier discussions arose as a result of UKAEA published experiments (Ref. 11) by Hindle. In his out-of-pile, single-rod experiments, stylized "flat-topped" transients were simulated via joule heating of the cladding.
The large axially extended deformations produced were characterized as "sausages." A subsequent theory (Ref. 12) set forth, also by Hindle, suggested that rod-to-rod interactions might, under appropriate conditions, result in "strain stabilization," a phenomenon that could assist in propagating the deformation (due to stress reduction as rods balloon into square shapes) and hence increase the probability of achieving core-wide coplanar blockage.
As discussed in NUREG-0536 (Ref. 13), NRC concluded that such extensive ballooning was an artifact of the experimental techniques employed and that the occurrence of this type of ballooning in LWRs was unlikely.
However, later more prototypical tests have produced some axially extended ballooning, though of less severity than that reported in Reference 11.
U.S. Acceptance Criteria
As stated in 10 CFR 50.46, the ECCS analysis is to be performed with evaluation models conforming to the requirements of 10 CFR 50, Appendix K.
And, as delineated in Appendix K, to be acceptable, the swelling and rupture calculations shall be based on applicable data in such a way that the degree of swelling and incidence of rupture are not underestimated.
The underlying intent of the regulation is to ensure that the predicted cladding temperature and embrittlement are not underestimated, thus assuring coolability.
In brief, the acceptance criteria are the following:
1. Peak cladding temperature less than 2200°F.
2. Local cladding oxidation less than 17%.
3. Total hydrogen generation less than 1%.
4. Core geometry amenable to cooling.
5. Long-term core cooling capability.
These criteria have been accepted by CEGB for the Sizewell B analysis.
In meetings with NII, the staff was informed that as of December, 1982, NII had accepted criteria 4 and 5 and requested more justification for criteria 1, 2, and 3.
The LOCA analysis for SNUPPS was performed with the 1978 version of the Westinghouse ECCS Evaluation Model (EM).
However, in order to resolve fuel modeling non-conservatisms in the 1978 EM that were previously identified (Refs. 4 and 14) by both Westinghouse and NRC, a supplemental ECCS calculation was performed.
This calculation (Ref. 15) was reviewed and found acceptable.
Therefore, the staff concluded that (a) the applicant satisfied the requirements for a supplemental ECCS calculation and no reduction in operating limits was required and (b) the SNUPPS ECCS performance complied with the acceptance criteria. The applicant, however, was not required to submit a best estimate type of analysis that demonstrated that the ballooning of average-rated rods would not create severe flow blockage.
Analysis
The safety concern is that conditions might be produced during a LOCA which would invalidate the claims to conservatism of the evaluation models.
Specifically, if large-scale, core-wide, coplanar flow blockage should be formed, then core coolability could be jeopardized.
The CEGB has presented a strategy for analytically demonstrating that such a hypothetical event will not occur for a design-basis LOCA in Sizewell B, and the NII has accepted their proposed course of action.
Furthermore, the NII believes that should an acceptable safety case not be achieved, then alternative measures are possible.
The alternative measures (originally proposed by the UKAEA) are not entirely attractive though they are feasible solutions to the ballooning concern.
They include both (a) fuel rod design changes (i.e., cladding material, prepressurization, internal void volume, etc.) and (b) reactor power reduction.
The staff believes that such measures will not be necessary.
OI-3: STEAM GENERATOR TUBE INTEGRITY AND MULTIPLE STEAM GENERATOR TUBE FAILURES
Description
Westinghouse steam generators in operating reactors have experienced tube degradation by corrosion or mechanical damage caused by a complex interaction of water chemistry, thermal-hydraulic design, materials, fabrication methods and secondary side materials, design, and operations.
Earlier Westinghouse models using "all volatile treatment" for their secondary water experienced corrosion-related degradation described as denting and intergranular corrosion; i.e., intergranular attack (IGA) and intergranular stress corrosion cracking (IGSCC).
Air and cooling water inleakage combined with buildup of corrosion products (e.g., copper) from the secondary circuit materials are basic constituents contributing to the corrosion-induced degradation observed in operating plants.
The Westinghouse Type Model F steam generator and its secondary system being considered by CEGB have new materials and design features and proposed operating modes which are intended to eliminate the corrosion-induced degradation of the steam generator tubes experienced in earlier models.
CEGB analyses of Sizewell steam generator tube rupture events evaluate only the rupture of a single steam generator tube.
Multiple tube ruptures are being evaluated by means of a sensitivity study.
SNUPPS Description
The SNUPPS design uses Westinghouse Model F steam generators.
Improvements over previous designs include the following:
1. The tube support plates will be manufactured from ferritic stainless steel material, which has been shown in laboratory tests to be corrosion resistant to the operating environment. The tube support plates will be designed and manufactured with broached holes rather than drilled holes. The broached-hole design promotes high velocity flow along the tube, sweeping impurities away from the support plates' locations.
2. The crevice between the tube sheet and the inserted tube will be expanded to the full depth of insertion of the tube in the tube sheet. The tube expansion and subsequent positive contact pressure between the tube and the tube sheet will preclude a buildup of impurities from forming in the crevice region and reduce the probability of crevice boiling.
3. The Inconel tubing of the SNUPPS steam generators received a special thermal treatment that has demonstrated improved resistance to stress-corrosion cracking. For the Callaway plant only the inner 10 rows received the special thermal treatment.
4. Secondary system improvements include corrosion-resistant tubing in the main condenser, ability for condenser deaeration, and the use of a condensate cleanup system with filtration and demineralizers to remove solid and dissolved impurities from the feedwater system. The Callaway plant differs from the Wolf Creek plant in that the condenser tubes are copper-nickel at Callaway and stainless steel at Wolf Creek.
U.S. Acceptance Criteria
GDC 14, 15, and 31 of 10 CFR Part 50 require that the Reactor Coolant Pressure Boundary (RCPB, of which the steam generators are a part) must have an extremely low probability of abnormal leakage and must be designed with sufficient margin to ensure that the design conditions are not exceeded during normal operation and anticipated operational occurrences, and that the probability of rapidly propagating failure of the RCPB is minimized.
The following describes how these criteria are met for the SNUPPS design.
Tube failures (i.e., tube leakage that exceeds the technical specifications) will be minimized with the improvements inherent in the SNUPPS use of Model F steam generators and secondary systems modifications.
Tube denting which results in leakage from primary side stress-corrosion-cracking will be eliminated since the new stainless steel support plates will not corrode in the manner which produces a nonprotective buildup in the tube-to-support plate annulus and causes the local constriction known as denting.
In addition, the broached holes (i.e., Quatrefoil design) will not permit impurities to build up in the support plate annulus and, hence, denting or outside surface attack due to impurity buildup will also be minimized.
In order to control the mechanical and flow-induced vibration, adequate supports along the tube length and antivibration bars in the region of U-bends have been provided.
The full-length hydraulic expansion of the tubes into the tube sheet will eliminate the crevice between the tube and tube sheet.
Such a crevice has allowed impurities to concentrate due to boiling, and is linked to intergranular attack and intergranular stress corrosion cracking depending on the impurities present and metallurgical condition of the tubing in those locations.
The use of stainless steel and copper-nickel alloy tubing in the main condenser will eliminate condenser-water inleakage due to corrosion-initiated failures of condenser tubing.
The condensate cleanup system has six demineralizers which are capable of handling full condensate flow and is therefore capable of removing contaminants from the full condensate flow during normal operation and operational occurrences to produce the feedwater purity necessary to minimize corrosion of the steam generator tubes.
The staff currently requires analyses of a double ended guillotine break of a single steam generator tube. Multiple tube rupture analyses are not required.
Analysis
The CEGB's Sizewell plant will have Model F steam generators and a secondary system with additional features which will further ensure the integrity of the steam generator tubes.
As with the SNUPPS steam generators, all the tubes in the Sizewell generator are thermally treated in order to improve resistance to stress-corrosion cracking and intergranular attack.
Furthermore, the Sizewell tubes with small radius U-bends are given an additional heat treatment after the bending operation to reduce residual stresses and improve resistance to stress-corrosion cracking.
The Sizewell steam generators also have additional antivibration bars in the U-bend areas to reduce potential for vibration-induced wear at those locations.
The Sizewell main condenser will use titanium tubes and have a double tube sheet arrangement. Titanium has excellent corrosion resistance; but more important it eliminates copper from the secondary circuit. Copper has been implicated as one of the contributors towards some form of corrosion attack in combination with an acidic chloride environment.
The double tube sheet concept for the condenser is an additional barrier against leakage which usually initiates at the tube to tube sheet interface.
The NII raised a concern relative to the possibility of intergranular attack of the steam generator tubing in the 0.14 inch average, 0.25 inch maximum, crevice depth which remains at the top of the tube sheet after the full hydraulic expansion of the tube into the tube sheet.
Their concern was heightened by the fact that intergranular attack may go undetected by present eddy current techniques.
Concern for intergranular attack in the crevice at the top of the tube sheet may be unfounded in light of the improvements inherent in the Model F steam generators and the secondary system of the Sizewell plant.
Corrosion tests have shown that the thermal treatment given to the Inconel 600 tubes is effective in reducing the probability of intergranular attack.
Increased flow within the tube bundle, an improved design feature of the Model F's, will reduce the tendency for impurity buildup in the crevice region.
Improved sludge lancing and blowdown capability in the Model F's will also minimize buildup in the tube sheet crevices.
The inherent integrity of the titanium condenser in minimizing inleakage of secondary coolant, air, and copper impurities will further reduce the tendency for crevice corrosion to occur.
As far as eddy current capability for detecting small volume defects such as intergranular attack, a program addressing this concern is under way at Oak Ridge National Laboratory under sponsorship of NRC's Office of Research; advances in detecting intergranular attack are anticipated.
This program is directed at improvements in probe design for detecting small volume flaws.
With regard to the issue of multiple tube failures, neither the SNUPPS design nor Sizewell B considers this particular concern a design basis event. Based on operating experience, the staff has concluded that simultaneous ruptures of multiple tubes are not likely to occur during normal steady-state operating conditions.
However, because of a combination of less than 100% eddy current testing (ECT) of steam generator tubes at each inspection, ECT uncertainties, and potentially higher than anticipated tube degradation rates, there is a low, finite probability that more than one tube with flaws which could rupture in the event of an MSLB could exist in one or multiple steam generators.
The staff believes that the question of whether or not multiple tube ruptures and tube ruptures in multiple steam generators should be made a design basis event could better be addressed by a probabilistic risk assessment (PRA).
If the results of such a study indicate that the risk for such an incident is acceptably small, multiple tube ruptures need not be postulated as a design basis event.
The staff review of the criteria for steam generator tube rupture events including PRA is not complete. In the interim, the staff continues to require the analysis of only a single tube rupture.
CEGB has indicated that sensitivity studies are being carried out to determine the consequences of more than one steam generator tube rupture associated with secondary circuit depressurization.
OI-4: INTEGRATED AND SECONDARY PROTECTION SYSTEM RELIABILITY
Description
Those NII issues relating to the integrated and secondary protection systems are as follows:
1. The issue is that NII does not consider the single failure criterion proposed in the Pre-Construction Safety Report (PCSR) to be acceptable in that it does not adequately address passive failures. The examples given are the single refueling water storage tank and parts of the emergency charging and boron injection systems. It is noted that a systematic analysis is required to show that each system meets the single failure criterion and justification and agreement are required for exceptions.
2. NII has established that many protection system sensors share common tappings and this it finds unacceptable, since any sensors claimed to be independent should have separate tapping points on the plant. A further concern is that these sensors are not fully testable, i.e., for accuracy and response time, with the plant in operation. So far as reasonably practical, arrangements should be made for fully testing sensors on a regular basis.
3. NII notes that a number of considerations are omitted from the PCSR fault table showing the situations to be protected against and protective actions claimed. These are:
   (a) No fault studies are presented for reactor operation with less than four coolant loops. In the absence of such studies, it may be necessary to prohibit operation with less than four loops operational.
   (b) Failure of control and instrument supplies including the instrument air system are not included.
   (c) The analysis of common mode failures of sensors ignores the possibility of stuck or out-of-tolerance transmitters.
   (d) In the case of reactor coolant pump (RCP) flow faults, the RCP speed trip should not be claimed for one, two, or three RCP failures. An alternate line of protection should be claimed.
   (e) The analysis should include spurious actuation of each protective action and logical combination including those caused by fires.
   (f) The analysis does not take account of essential control room indications required by an operator to meet technical specifications or deal with fault situations.
4. In addressing the IPS, NII noted the following examples as concerns about the functional aspects of the system:
   (a) The use of bypasses to cover sensor failures taken together with the two-zone segregation provided for the station does not give adequately reliable protection following a fire.
   (b) NII assumes that application of the bypasses will be compulsory following any sensor failure to preserve the intended logic. It wishes to know what limitation will be placed on the use of the bypass system.
   (c) NII expressed reservations about the "P Blocks" bypass function derived within the system which are used to bypass functions not required by the operational state. An analysis should be provided to show that common mode effects do not degrade the reliability of the protection provided.
   (d) NII remains to be convinced that the boron injection signal derived from control rod positions will be adequately reliable and diverse from possible causes of control rod failure. This concern on reliability arises from the fact that the signal is derived from information within the IPS which is not intended to indicate individual control rod positions.
5. NII expressed concern at the use of common sensors for control and protection. It has concluded that sensors may be used for both control and protection function provided the protection claimed against any particular control faults employed different sensors, i.e., another line of protection.
6. NII notes that there appears to be the potential for fires and power supply failures to give multiple control faults which are beyond the design basis of the protection system.
SNUPPS Description
1. The design basis for the SNUPPS plant does not include random passive failures of safety systems which are provided for accident mitigation. As an example, passive failures of the reactor vessel or the refueling water storage tanks are not assumed from the standpoint of accident initiation or mitigation, respectively.
2. The concerns related to common sensing lines for redundant safety system sensors have been addressed for equipment such as steam generators and pressurizers which have been fabricated and pressure tested with limited sensor taps. The approach taken to address such concerns has been to require licensees to perform an analysis of the consequences of failures in common sensing lines and to confirm that such failures do not result in consequences more severe than those analyzed in the plant safety analysis. Such analyses were performed for the SNUPPS plant and were found acceptable during the staff review. It has been accepted that the potential for blockage of those sensing lines would be a very low probability event due to the stringent water purity for both primary and secondary coolant systems and the extensive use of noncorrosive materials. Further, it is concluded that normal variations in process measurements would most likely reveal blocked sensing lines through the comparative readings of redundant channels, which are required on a frequency of once per shift by technical specifications. In general, failures of common sensing lines will lead to early protection system trips by the associated sensors or they are of a nature such that diverse protection by other protection system channels exists to mitigate the consequences of a sensor line failure accident.
   With regard to accuracy and response time measurements, plant technical specifications require that these measurements (calibration and response tests) be conducted on a refueling outage interval. As noted above, cross channel comparisons performed each shift assure that an individual channel which deviates from the remainder will be identified and appropriate remedial action taken. The staff concludes that the calibration and response time tests conducted during refueling outages and other in operation testing requirements for channel checks and function channel tests do satisfy the NII position of reasonably practical testing provisions.
3. (a) The technical specifications for the SNUPPS plant preclude plant operation with less than all loops operational.
   (b) An analysis of the consequences of control system failures due to the loss of any single power source, sensor, or individual sense line for multiple sensors was performed for the SNUPPS plant to demonstrate that the consequences of such failures would not result in plant conditions which exceed the bounds of safety analyses. These analyses were found to be acceptable by the staff during the SNUPPS review.
   (c) Stuck or out-of-tolerance transmitters are conditions which are bounded by the application of the single failure criterion for the SNUPPS plant. However, such failures are not assumed to be a common mode failure consideration as a design basis. Verification of the operability of safety system sensors is addressed by technical specification surveillance requirements.
   (d) Diverse protection for reactor coolant pump faults in the SNUPPS design is provided by the reactor trips initiated on low flow and on underfrequency or undervoltage as sensed at the high voltage power buses.
   (e) The spurious actuation of each safety system protective action is not specifically analyzed in the SNUPPS safety evaluation report. Those actions which have a major effect on plant operation are analyzed for their consequences and have been demonstrated to not exceed the bounds of the accident analysis. As an example, inadvertent feedwater isolation is bounded by the analysis of the total loss of feedwater event. Inadvertent closure of the main steam isolation valves is bounded by the analysis of turbine trip without steam dump.
   (f) Instrumentation to deal with fault situations in the SNUPPS design is provided in that all channels of sensors used by the protection system are provided with control room indication. Further, additional instrumentation is provided specifically for post-accident monitoring and includes the capability to display parameters over a full range of post-accident conditions. Additional modifications, including a safety parameter display system, will be provided with future changes to upgrade emergency response capabilities.
4. The NRC staff has not conducted an in-depth review of the Westinghouse IPS since this system has not been proposed for any U.S. application. Therefore, the following comments on the Inspectorate concerns are discussed in comparison to the SNUPPS design.
   (a) Plant technical specifications require that inoperable sensor channels be placed in a tripped condition rather than to permit them to be bypassed. Thus, the configuration of the logic reverts from the normal 2 out of 4 coincidence to a 1 out of 3 coincidence, rather than a 2 out of 3 coincidence with one channel bypassed. Therefore, this concern is not applicable to the SNUPPS plant.
   (b) This comment is not applicable to the SNUPPS plant since bypassing of sensor channels is not permitted.
   (c) The block permissive (P-Blocks) for the SNUPPS are designed to assure that a single failure will not defeat a safety function. The design basis does not assume common mode failures of independent redundant components.
   (d) The SNUPPS design does not initiate any safety actions based upon measurement of control rod position. The Inspectorate concerns deal with aspects of the protection system design which are unique to Sizewell.
5. The SNUPPS design utilizes common sensors for control and protection. The design was reviewed for conformance to the regulatory requirements of IEEE Std 279 with regard to the sharing of measured parameters for control and protection system use. The design basis does not assume common mode failure of independent redundant protection system channels. Based on the staff's review, it was concluded that the regulatory requirements were met.
6. The review of the SNUPPS design with regards to power failures was conducted as noted in item 3(b) above. With regards to fires, the design basis for the SNUPPS plant is to assume that the plant can be shut down safely by systems which are independent of those which may be damaged by fires in any area of the plant. Safe shutdown is achieved by manual operator action. The fire hazards analysis considers spurious action of equipment as a consequence of fire damage to assure that safe shutdown conditions can be attained. The design basis does not assume any accident coincident with a fire.
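
Item 4(a) above turns on how a 2 out of 4 coincidence behaves once one channel is tripped versus bypassed. The following is an added example, not taken from the report or from the SNUPPS or IPS designs: a simplified voting model (all names are hypothetical) that goes one step beyond the text by counting how many further undetected fail-to-trip faults each configuration tolerates and how many spurious channel votes cause an unwanted trip.

```python
"""Coincidence (voting) logic with one inoperable channel: tripped vs. bypassed.

Simplified model constructed for illustration; not the SNUPPS or IPS design.
"""
from enum import Enum
from itertools import combinations


class State(Enum):
    HEALTHY = "healthy"    # channel in service, votes according to its sensor
    TRIPPED = "tripped"    # inoperable channel forced to a standing trip vote
    BYPASSED = "bypassed"  # inoperable channel removed from the vote


REQUIRED_VOTES = 2  # the "2" of the normal 2 out of 4 coincidence


def effective_logic(channels):
    """Return (m, n): m further trip votes are needed from n healthy channels."""
    standing = sum(c is State.TRIPPED for c in channels)
    healthy = sum(c is State.HEALTHY for c in channels)
    return max(REQUIRED_VOTES - standing, 0), healthy


def actuates(channels, demand, stuck=(), spurious=()):
    """Return True if the logic produces a trip.

    demand   -- the plant condition really calls for a trip
    stuck    -- indices of healthy channels with an undetected fail-to-trip fault
    spurious -- indices of healthy channels voting trip with no real demand
    """
    votes = 0
    for i, state in enumerate(channels):
        if state is State.TRIPPED:
            votes += 1
        elif state is State.HEALTHY:
            if i in spurious or (demand and i not in stuck):
                votes += 1
    return votes >= REQUIRED_VOTES


def _healthy(channels):
    return [i for i, c in enumerate(channels) if c is State.HEALTHY]


def fail_to_trip_tolerance(channels):
    """Largest k such that ANY k stuck healthy channels still give a trip on demand."""
    idx = _healthy(channels)
    tolerated = 0
    for k in range(1, len(idx) + 1):
        if all(actuates(channels, True, stuck=s) for s in combinations(idx, k)):
            tolerated = k
        else:
            break
    return tolerated


def spurious_trip_margin(channels):
    """Fewest spurious channel votes that trip the plant with no real demand."""
    idx = _healthy(channels)
    for k in range(len(idx) + 1):
        if any(actuates(channels, False, spurious=s) for s in combinations(idx, k)):
            return k
    return None  # no combination of spurious votes can reach the threshold


H, T, B = State.HEALTHY, State.TRIPPED, State.BYPASSED
CONFIGS = {
    "all four channels in service": [H, H, H, H],
    "one channel tripped": [T, H, H, H],
    "one channel bypassed": [B, H, H, H],
}


def summarize():
    """Map each configuration to (effective logic, fail-to-trip tolerance, spurious margin)."""
    return {
        name: (effective_logic(ch), fail_to_trip_tolerance(ch), spurious_trip_margin(ch))
        for name, ch in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, ((m, n), tolerance, margin) in summarize().items():
        print(f"{name}: {m} out of {n}, tolerates {tolerance} stuck channel(s), "
              f"spurious trip after {margin} false vote(s)")
```

In this model the tripped configuration keeps the fail-to-trip tolerance of the full 2 out of 4 logic at the cost of tripping on a single spurious vote, while the bypassed configuration keeps the spurious-trip margin but tolerates one fewer stuck channel.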
U.S. Acceptance Criteria
1. The licensing requirements for the assessment of passive failures in the U.S. do not require that random passive failures be assumed coincident with accidents wherein such passive failures by themselves do not initiate an accident. Those passive failures which could render engineered safety features inoperable would be a condition under which technical specification would require a rapid orderly shutdown of a unit until such time that the system or component were returned to full operational status. The NII position would appear to consider rational justification for some exceptions to its position.
2. Common sensing lines for redundant safety system sensors are acceptable where it can be demonstrated that the required safety action will be initiated as a consequence of sensor or line failure or where the systems not affected by such failures can provide adequate protection even when degraded by a random single failure.
   Testing for response time and accuracy are required only during refueling outages by plant technical specifications. However, functional testing of protection system channels during operation is a General Design Criteria requirement.
3. (a) The U.S. practice has been to preclude plant operation with less than all coolant loops operable as a condition of the operating license.
   (b) The U.S. practice has required that single failures in control systems and supporting systems such as electrical power and air supplies be analyzed to demonstrate that such failures do not cause conditions beyond the design basis of the safety systems for anticipated operational occurrences.
   (c) The U.S. practice does not assume common mode failure of independent redundant components as a design basis.
   (d) The General Design Criteria require that design techniques, such as functional diversity or diversity in component design and principles of operation shall be used to the extent practical to prevent loss of the protective function.
   (e) The U.S. acceptance criteria do not specifically address analysis of spurious actuation of protective actions. Such considerations are considered where it is obvious that such actions would produce a major plant upset.
   (f) Instrumentation for fault situations is addressed in Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident." In addition a number of the TMI Action Plan Requirements address emergency response capabilities.
4. (a) U.S. acceptance criteria with regard to fires and consequential damage are addressed in Appendix R to 10 CFR Part 50.
   (b) Current U.S. practice embodied in Technical Specifications restricts the use of bypasses as appropriate.
   (c) The U.S. practice does not assume common mode failures of independent redundant channels as a design basis.
   (d) The U.S. practice does not specifically address the Inspectorate's concern.
5. The U.S. requirements with regard to the use of protection system sensors for control do not require the consideration of common mode failure of redundant sensor channels. Section 4.7 of IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," sets forth the requirement for Control and Protection System Interaction. This standard requires that the transmission of signals from the protection system equipment for control system use shall be through isolation devices such that failure at the output of an isolation device shall not prevent the associated protection system channel from meeting the minimum performance requirements specified in the design basis. Further, the standard requires that where a random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection system channels shall be capable of providing the protective action even when degraded by a second random failure. It was on this basis that the SNUPPS plant was reviewed and found acceptable. Common mode failure of protection system sensors, which may or may not be used for control, is not a design basis in the U.S.
6. The analysis of control faults due to power supply failures was addressed under item 3(b) above. With regard to control system faults due to fires, U.S. practice does not require that events such as fires, earthquakes, or other natural phenomena be analyzed in a mechanistic manner as those anticipated operational occurrences and accidents identified in the standard format for plant safety analyses. It is generally accepted that such events will proceed in either a rapid or relatively slow manner. For the former case a reactor trip is a probable consequence and engineered safety features should be capable of mitigating the consequences of control system failure. For slower developing events such as fires, operator action would be taken to effect plant shutdown. On a broader basis, the safety consequences of multiple control system failures is being addressed through the program on unresolved safety issues under A-47, "Safety Implications of Control Systems."
Analysis
At this point in time it is difficult to assess what improvements in plant safety would result based on the concerns and open issues identified in the Inspectorate review of the Sizewell design.
Until such time as plant-specific modifications are incorporated into the design, it would be impractical to assess just what the improvement in safety may be.
In general it is believed that passive failures in safety systems have a small overall contribution to the risk of serious accidents.
Although it is difficult to fully assess the contribution of common mode failures to overall risk, the philosophy of frequent surveillance and testability during plant operation significantly increases the ability to detect such failures before accidents place a demand on safety systems.
Thus, it is concluded that resolution of these open items will not result in significant reduction of safety risk.
OI-5: SCOPE OF SAFETY ANALYSIS
Description
To be acceptable to the NII, the safety case for a nuclear power station site license must include a comprehensive safety analysis of the critical fault conditions and of the performance and standard of the equipment provided to give protection against design basis faults.
In their document, "Design Safety Criteria for CEGB Nuclear Power Stations," CEGB has provided explicit guidelines that the accident frequency for a large uncontrolled release of radioactivity to the environment should be less than 10^-7 per year, and the total frequency of all accidents leading to an uncontrolled release should be less than 10^-8 per year.
For certain accident sequences, diverse preventive systems are required, since for most systems the lower bound common mode failure probability is assumed to be 10^-5 per demand.
The CEGB has used an emergency reference level of dose (ERL) defined by the National Radiological Protection Board below which countermeasures are unlikely to be justified. When the dose seems likely to exceed the ERL, countermeasures should be undertaken if a substantial reduction of dose is likely to be achieved and if the countermeasures can be carried out without undue risk to the community.
The predicted accident frequency for doses of 1 ERL (e.g., 10 rem (100 mSv) whole body dose, see Table II) should not exceed 10^-4 per reactor year.
Accidents resulting in lower doses are acceptable at higher frequencies (Table II).
In determining system reliabilities, the additional protection provided by the primary coolant containment boundaries may be invoked, provided:
(i) Any analysis of the boundary fault is based on well understood physical processes.
(ii) The number of faults in this category is limited.

TABLE II
PERMISSIBLE FREQUENCY OF ACCIDENTAL RELEASES

| Accidental Release, in units of ERL* | Total Permissible Frequency, per reactor year |
|---|---|
| 10^-3 to 10^-2 | 10^-2 |
| 10^-2 to 10^-1 | 10^-3 |
| 10^-1 to 1 | 10^-4 |

*The ERL (Emergency Reference Level) as used in the CEGB design criteria is defined as 10 rem whole body dose, 30 rem dose to the thyroid, lung or other single organ, or 100 rem to the skin.

Sufficient control room equipment should be provided to permit safe automatic reactor shutdown and cooling without operator action for 30 minutes after a reactor trip for those faults where the main control room remains intact, and without operator action for 60 minutes when the emergency control room is required.
The NII also requires that an applicant takes its safety analysis beyond the design basis.
First, this is to explore the potential for any sudden unacceptable increase in the predicted consequences.
Secondly, this gives the NII an appreciation of the comparative risk from possible faults beyond the design basis, and enables the power plant risks to be put into perspective in terms of other population risks.
Estimates associated with such remote probabilities are recognized as imprecise and the results have to be treated with caution.
l U.S. Acceptance Criteria All credible accidents fall within the scope of the design basis safety review.
The design basis includes transients and accidents representative of classes of-events that have been judged to be of significant severity and sufficient like-lihood to require consideration in the plant des'ign. -The analysis methods and acceptance criteria for the design basis accidents are conservative, or bounding, representations of actual or expected conditions.
The U.S. position on doses is stated in 10 CFR 100, not in terms of specific numerical probabilities.but in terms of the concept of what is or is not credible." The dose guidelines of 10 CFR 100 are not be exceeded in any accident considered credible.
For various design basis events, the acceptance criteria for mitigative features of the plant are based on the dose guidelines of 10 CFR 100, with provision for reduced calculated doses for the higher probability events.
The guidelines in 10 CFR 100 are 25 res whole body and 300 rem to the thyroid from iodine exposure.
As in the U.K., some consideration is given to events beyond the design basis.
For example, analyses assuming various event sequences (including multiple failures) that could occur and fall outside of the required design envelope have been utilized in the preparation of the emergency operating procedures.
This approach for the plant operators is a result of the lessons learned from the TMI-2 accident.
Its objective is to further assure that the operator is able to respond to the complete spectrum of possible events.
It would be impossible to assume that an operator could memorize all multiple failure sequences, and rapidly diagnose the actual, specific event.
Therefore, the approach we use is to guide the operator to recognition of certain symptoms of events, and to respond to symptoms rather than to a specific event.
This involves "all" events being broken down into categories that are all inclusive, e.g., loss of heat sink, overcooling, loss of inventory, and reactivity.
We train operators and write procedures to treat symptoms of these categories and gain control of the plant no matter what combination of failures caused the particular event.
III. NII CONFIRMATORY ISSUES
CI-1: HUMAN FACTORS ANALYSIS
Description
The NII indicated that the human factors issue is not adequately considered in the PCSR, but CEGB has committed to consider it.
SNUPPS Description
The primary human factors effort in the SNUPPS design is in the detailed design of the control room layout, panels, annunciators, including the Safety Parameter Display System.
In other systems, selected valves or electrical breakers are identified for locking in position or racking out in order to prevent human errors.
Emergency procedures are also reviewed.
U.S. Acceptance Criteria
Human engineering discrepancies were identified by a site audit team which reviewed the SNUPPS control room.
The applicant is in the process of addressing these deficiencies which have been documented in the Control Room Design Review/Audit report.
This is part of TMI Item I.D.1 in NUREG-0737.
Analysis
The human factors issue at Sizewell could not be evaluated because information was not available at this early stage of the Sizewell design.
CI-2: QUALITY ASSURANCE
Description
The PCSR (Sections 3.9 and 3.4) indicates that a QA program shall be applied to all structures, systems, and components during all activities performed on these items in a manner consistent with their importance to safety.
The QA programs for items in Safety Classes 1, 2, 3, and 1E and those in Seismic Class Y (i.e., seismic Category I) are to be compatible with the requirement of BS 5882.
The various organizations involved in the design and construction phase and operations phase are identified and will have appropriate QA programs which have not been made available at this time.
The plant items are identified and classified as "Q" for the most important (safety-related per U.S. definition, which the British call important to safety) and as "N" for the others.
CEGB plans to appoint an Independent Third Party Inspection Agency to subject certain items within the nuclear island to independent design appraisal, inspection, and test.
The specific responsibilities of the agency are not defined at this time.
However, in meetings with CEGB, the staff was informed that the independent third party agency will be required to assess the design as well as inspect fabrication.
SNUPPS Description
The SNUPPS applicants have committed to establishment and implementation of a QA program for safety-related items in accordance with Appendix B to 10 CFR 50.
They have also committed to a QA program for remaining plant items that are important to safety consistent with their importance to safety in accordance with GDC-1 of Appendix A to 10 CFR 50 (actual conformance to this regulation is problematic at this time).
Based on commitments made by the applicant in the PSAR, all organizations involved in the design and construction process should have appropriate QA programs.
The QA programs for the applicant and its principal contractors are described in the PSAR.
U.S. Acceptance Criteria
Criteria for determining acceptability of the SNUPPS QA programs and their applicability are given in the regulations (Appendix B to 10 CFR 50 and GDC-1 of Appendix A to 10 CFR 50 and 10 CFR 50.55a) and in the Standard Review Plan (Sections 17.1 and 17.2) including the various QA regulatory guides and endorsed industry standards referenced therein.
The SNUPPS applicants addressed their conformance to these criteria in the PSAR by describing their proposed QA programs and listing safety-related structures, systems, and components to which they applied.
Staff review of the PSAR confirmed that the applicant's and principal contractor's QA programs, and the listing of safety-related items to which they apply, are in conformance with NRC requirements.
Analysis
Based on the staff review of the information provided to date, the QA programs and their applicability appear to be consistent with U.S. requirements.
A detailed comparison of specific QA programmatic requirements was not possible since the PCSR was lacking the QA program descriptions that are normally provided in the PSAR.
This fact was noted as an open item by the NII. Whether NII reviews QA programs for plant items identified and classified as "N" is indeterminable.
Some minor differences in the listing of structures, systems, and components were noted.
The appointment of an Independent Third Party Inspection Agency (see "Description" above) appears to be an added feature to the British overall QA program that may go beyond U.S. requirements.
Although not well defined at this time, it does not appear to replace the U.S. third party approach under the ASME Code.
The British apparently also intend to conform to ASME requirements, although manufacturers are not required to have an ASME Code stamp except for components for which failure is deemed to be incredible (pressure vessel and much of the primary system).
CI-3: REACTOR PRESSURE VESSEL AND REACTOR COOLANT SYSTEM FAILURE INCREDIBILITY
Description
A stated goal of the design and construction of the Sizewell reactor coolant pressure boundary is that a rupture that would prevent satisfactory cooling of the core is so unlikely as to be deemed incredible under all anticipated loading conditions.
This goal is being met by utilizing the recommendations of the "Marshall Report" (Ref. 16) in defining the construction and inspection requirements for these components.
Some of these requirements have been discussed in item 8 under "Major CEGB changes," but certain construction features will be highlighted in this discussion of reactor vessel integrity.
Of principal interest are the steps taken in the Sizewell design to minimize neutron embrittlement and the potential for fabrication flaws and, hence, crack initiation under severe transient conditions, in the reactor vessel beltline.
These steps go somewhat beyond those taken for SNUPPS.
By using a single ring forging, which extends the entire height of the core, longitudinal welds are eliminated and the circumferential welds are located where the neutron flux levels are expected to be only one-tenth of the peak flux.
This design reduces the possibility of having flaws in the more highly irradiated material.
It also reduces the need for tight control of the chemical composition of the welds.
Nevertheless, the copper content is to be limited to 0.10% maximum for both weld and forging materials, which is highly desirable and is consistent with the SNUPPS design.
In addition, the initial RT_NDT of these materials is to be less than 10°F.
SNUPPS Description
The SNUPPS design has provided a welded reactor vessel of low copper content which has been found by the staff to be of an acceptable design.
Appropriate protection against overpressure is provided for low temperature events.
U.S. Acceptance Criteria
With regard to maintaining reactor vessel integrity during normal operation, the Sizewell report states that pressure-temperature limits will be calculated assuming a period of reactor operation such that the beltline will be limiting.
This is certainly acceptable practice.
It requires that the designer also consider the more highly stressed regions, i.e., regions of structural discontinuity.
The possibility exists that the controlling location at low pressure may be the flange regions in the head and shell where bending stresses caused by boltup may be relatively high.
These are locations 4/2 and 4/3 in Figure 5.3/5.
Boltup stresses are of course present at the low temperature and pressure conditions of startup and shutdown.
This problem is addressed in Appendix G, 10 CFR Part 50, paragraph IV.2.C in a general way.
In the revision of Appendix G that is now awaiting Commission approval, the staff is considering specific requirements for the flange areas as follows:
"In addition, when pressure exceeds 20 percent of the preservice system hydrostatic test pressure, the temperature of the closure flange regions that are highly stressed by the bolt preload must exceed the reference temperature of the material in those regions by at least 120°F (67°C) for normal operation and by 90°F (50°C) for hydrostatic pressure tests and leak tests; unless a lower temperature can be justified by showing that the margins of safety for those regions when they are controlling are equivalent to those required for the beltline when it is controlling."
s These proposed requirsents are most likely tid control the pressure-temperature-limits at low pressure for plants that have small amounts of radiation damage in the beltline. The philosophy back of this requirement-is very'much like that expressed.in the Marshall report and is utilized for' the Sizewell vessel design. The~ vessel should be at " upper shelf" temperature whenever there are significant pressures.
^
Analysis The result otstpe design and material selection features described above is lifeRT@materialsurveillanceprogram,whichwillprovidea tnat the end of for the reactor vessel beltline is expected to be'
\\
approximatel'y 10@F.
T A
check on the,J1uence predictions and the response of the beltline materials';
7 s
includes all of the features of the SNUPPS surveillance program plus more e
extensjve use of fract3re toughness test specimens.,
(
7 J'
a~
,s,
..With vegard to mai taining raactor vessel integrity 'under accident conditions,-
n
' the Sizewell vessel dauld appear to.be, quite resistan't to pressui52ed thermal s
shock.
Staff evaluali0nst reveal. that'cooldowns that terminate-e.bove RT are notlikelytocausecrackinitiaRon,assumingpre-existingcfacks.
Sebce 4xp'erience has shown tnt rapid'cooldowns to the 200*F levebare of very low
' girobability.
Thus, with an eM cf ^ life RT-of 4pproximat'ely '100 F,.the C Sizewell vessel should be tesi5 tant t.o pre b' rized' thermal shock.
- d i:
m The'Sizewell report has addressed all(of'the concerns with regard to reactor i
vessel integrity that the U.S. would consider for a new plant in this country.
Their stated goal.was to insure that othe possibility that the vessel will suffer a disruptive failure without forewarning is so unlikely-as to be
" incredible."
It would appear that they h' ave taken steps to achieve that goal.
CI-4: SEISMIC CLASSIFICATION AND APPLICABILITY OF CONSTRUCTION CODES AND STANDARDS
Description
A major design difference between the SNUPPS and Sizewell B plant designs is with respect to those safety-related systems and components that are designed to withstand the effects of the Safe Shutdown Earthquake (i.e., seismic Category I) and remain functional.
In the Sizewell B design CEGB has not designed all safety-related systems and components for the SSE and this is a significant departure from U.S. practice.
The systems or portions of systems in the Sizewell B design that are functionally similar to the SNUPPS design and are not classified seismic Category I are:
1. Accumulators and safety injection pumps
2. Containment cooling system
3. Additive tank, metering pumps, spray headers, and nozzles of the containment spray system
4. Containment gas mixing and combustible gas control system
5. Auxiliary building HHSI pump room coolers
The NII has expressed reservations about the above approach and noted that the safety classification should be based on more comprehensive analysis of the role of the component in mitigating the consequences of other faults.
In addition to the systems or portions of systems identified above, two safety-related systems which are not in the SNUPPS design but have been added to Sizewell B, that is, the emergency boration system and the emergency charging system, are not classified seismic Category I.
The essential service water system for Sizewell B is a safety related system but is not designed to seismic Category I requirements as it is not required following an SSE.
In the event of an SSE and the subsequent loss of ESW flow, the Reserve Ultimate Heat Sink Subsystem is automatically initiated to provide the cooling function.
This design approach would be acceptable in the U.S.
SNUPPS Description
The five systems or portions of systems identified above are classified seismic Category I in the SNUPPS design.
Analysis
In Table 3.4-1, CEGB has identified Section III, Division 1 of the ASME Boiler and Pressure Vessel Code for the construction² of safety-related pressure-retaining components of Sizewell B.
However, CEGB is apparently intending to use the Code selectively and may take exceptions to the requirements of the Code in areas such as material certification, N stamping, and using U.K. standards where these are considered equivalent.
The U.S. practice is to adhere to the Articles of each Subsection of Section III.
² Constructed, as used herein, is an all-inclusive term comprising materials certification, design, fabrication, examination, testing, inspection, and certification required in the manufacture and installation of components.
U.S. Acceptance Criteria
The principal acceptance criteria used for structures, systems, and components in the SNUPPS review was the guidance provided by Regulatory Guides 1.26, "Quality Group Classification and Standards," and 1.29, "Seismic Design Classification." In addition, where ASME Code Cases were used in the construction of safety-related pressure-retaining components, SNUPPS followed the guidance of Regulatory Guides 1.84, "Code Case Acceptability, ASME Section III Design and Fabrication," and 1.85, "Materials Code Case Acceptability, ASME Section III, Division 1."
CEGB has utilized ANSI N18.2-1973, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," as the basis for classifying the structures, systems, and components of Sizewell B.
While this document has also been referenced in Section 3.2.3 of the SNUPPS FSAR with respect to the classification of structures, systems, and components, it is not a document approved by the Commission and is not used by the staff to determine the acceptability of the seismic or quality group classification of plant features.
The staff only accepts the classification system of "Safety Classes" in ANSI N18.2-1973 as an alternate method of classifying structures, systems, and components.
Thus, CEGB has placed greater emphasis on ANSI N18.2-1973 than SNUPPS which also conforms to the appropriate Regulatory Guides.
During plant operations certain pumps and valves in safety-related systems are tested for operational readiness in accordance with the requirements of Subsection IWP and IWV of Section XI of the ASME Boiler and Pressure Code.
This program includes baseline preservice testing and periodic inservice testing.
The program provides for both functional testing in the operational state and for visual inspection for leaks and other signs of distress.
Both the Sizewell B and SNUPPS designs will be in accordance with Section XI.
CI-5: EXTENSION OF APPROVAL FOR NON-REMOTE SITES
Description
Although the Sizewell site represents a remote site for the U.K., as is British practice and policy for a prototype of a new reactor design, the CEGB has expressed its wish that the Sizewell B design might also be eventually sited at other sites in the U.K. that are considered to be non-remote.
SNUPPS Description
The SNUPPS design contains no specific reference to any given site, but was intended to fit within a site envelope characteristic of many U.S. sites. The SNUPPS engineered safety features considered in evaluating site suitability include a single low leakage (0.2%/day) containment plus a spray system for iodine removal. A secondary containment is offered as an option, although none of the U.S. applications of the SNUPPS design have employed this option. With the single containment the SNUPPS design was intended to be capable of being sited at locations with an exclusion area distance of about 0.4 mile or greater (although, depending on actual site meteorology, this could require a reduction in the containment leak rate down to as low as 0.1% per day), and with a low population zone (LPZ) of about 2 to 3 miles. With the use of a secondary containment, somewhat smaller sites could be found suitable. The SNUPPS design is not related to any specific requirements on population density around the site.
U.S. Acceptance Criteria
The U.S. acceptance criteria are contained in 10 CFR Part 100, and include Regulatory Guides 1.3, 1.4, 4.7 and others plus Standard Review Plan Sections 6.5.2, 15.6.5, and others.
Under Part 100 an applicant is required to define an exclusion area immediately around a reactor and an LPZ outside the exclusion area.
There are no minimum size requirements on these; rather, the combination of site characteristics and plant design features intended to mitigate the consequences of an accident dictate the requirements and must provide assurance that a hypothetical individual located at the nearest exclusion area boundary for a period of 2 hours or at the outer radius of the LPZ for the duration of the accident, would not receive a radiation dose in excess of the guideline values given in Part 100 (25 rem whole body, 300 rem thyroid) in the event of a postulated fission product release to the containment "not exceeded... from any accident considered credible."
Part 100 also requires that the distance to the nearest population center must be at least one and one-third times the LPZ outer radius. The population center distance requirement was added in recognition of the fact that "accidents of greater potential hazard than those commonly postulated as representing an upper limit are conceivable, although highly improbable." Hence, this constitutes a recognition of the need to account for what has been referred to as "Class 9" accidents in siting considerations.
Although Part 100 contains no specific limits on population density or distribution, Regulatory Guide 4.7 states that if the population density is not suitably low (500 persons/mi² out to 30 miles at plant startup, and 1000 persons/mi² at end of life), then the applicant will be required to give consideration to alternate sites having lower population density. The population density values of Regulatory Guide 4.7 are "trip" levels which trigger an additional level of review; they are not upper limits of acceptability.
For each individual SNUPPS application (Callaway, Wolf Creek, Tyrone, and Sterling) the applicant defined an exclusion area, LPZ, and nearest population center and determined that these met the criteria of Part 100. This involved using the meteorological characteristics of the site together with the above-mentioned SNUPPS accident mitigation features to determine that the doses were acceptable.
The staff, by means of independent analyses, verified these for each case.
For Callaway, for example, the applicant defined an exclusion area whose minimum distance to the boundary is 1200 meters, while the LPZ outer radius is 2.5 miles.
The distance to the nearest population center is 25 miles, and the population density within 30 miles is less than about 50 persons/mi². The staff determined the design-basis LOCA to be the most limiting design-basis accident, and the staff-calculated doses at the exclusion area boundary were 106 rem and 2.2 rem, thyroid and whole body, respectively.
The doses at the LPZ outer boundary were 70 rem and 0.8 rem, thyroid and whole body, respectively.
Analysis
A difference analysis between siting for Sizewell B and U.S. SNUPPS applications involves a consideration of a number of factors. These are discussed below:
1. Sizewell Site vs "typical" SNUPPS site.
The Sizewell site appears to have a smaller exclusion area than a typical site referenced in a U.S. SNUPPS application.
For example, the distance from the Sizewell reactor to the nearest offsite boundary appears to be about 350 meters; the corresponding distances at both Callaway and Wolf Creek are 1200 meters.
The LPZ for Callaway and Wolf Creek is 2.5 miles for each.
There is no LPZ, as such, defined for Sizewell.
The British do require only a few isolated dwellings be located within 1/3 mile and only a few hundred dwellings within 1-1/2 miles.
Emergency planning considerations in regard to evacuation are planned in detail for about 2 to 3 km, with a capability for extension of evacuation beyond this distance if necessary.
The population density of Sizewell is such that it is considered a remote site.
There are 28,000 persons within 10 miles of the site. There is no information given on population density beyond 10 miles or how this value compares with other U.K. sites.
The population densities of the SNUPPS sites are lower than average compared to other U.S. reactor sites.
It must be emphasized, however, that the SNUPPS design was envisaged as one which could be licensable at sites both smaller in size and having higher population densities than those represented by Callaway or Wolf Creek.
The exclusion area distance could probably be reduced from 1200 meters to 600 meters and still meet the dose guidelines of Part 100 with no changes in the SNUPPS design.
Similarly, the population density could be as high as 500 persons per square mile (157,000 persons within 10 miles) and still be within the "trip" levels of Regulatory Guide 4.7.
2. Sizewell design changes affecting siting.
The major Sizewell design feature change from SNUPPS which appears to affect siting is the addition of a secondary containment. The CEGB has stated that this has been added to "provide additional margin," although no credit has been given in the analyses presented in the PCSR.
The SNUPPS design offers a secondary containment as an option, however, none of the U.S. applications have made use of it.
In view of the relatively large U.S. sites and the fact that the dose consequences were well within the guideline values of Part 100, a judgement may have been made that a secondary containment was unnecessary under these circumstances.
Sizewell has also reduced the containment leak rate from 0.2% per day given in SNUPPS to a target level of 0.1% per day.
3. Differences in U.K. and U.S. siting practices.
U.S. and U.K. siting practices appear to differ in a number of significant areas.
As regards postulated accidents, the U.S. practice is to require the analysis of design basis accidents and to require that the dose values meet the guidelines of the Standard Review Plan. These guidelines are based on the probability of occurrence and vary from 10 to 100 percent of 10 CFR 100 values.
CEGB practice also requires a demonstration of postulated accidents and dose values at the site boundary and involves probabilistic criteria.
The U.K. dose acceptance criteria are typically lower than in the U.S. (10 rem whole body and 30 rem thyroid) but the fission product release postulated is also considerably lower (typically about 1% of the total core inventory of iodine in the U.K. vs 25% in the U.S.).
Emergency planning considerations in the U.S., originally limited to the LPZ distance, have been extended as a result of the TMI accident out to distances of about 10 miles.
In the U.K., detailed evacuation plans are made out to distances of 2 to 3 km (with a capability for extension if necessary), with other actions such as control of consumption of food stuffs extending out to perhaps about 5 miles.
The consideration given to accidents beyond the design basis (so-called "Class 9" accidents) in siting is also an important difference.
U.S. practice, as indicated above, requires that the nearest population center be at least one and one-third times the LPZ outer radius, and further guidance out to 30 miles is provided by Regulatory Guide 4.7.
U.K. practice appears to have no such requirement as far as population, but CEGB invokes the probabilistic criterion that individual large accidental releases must be shown to be less frequent than 10^-7 per year, and that the totality of such releases must be shown to be less than 10^-8 per year.
Also, the U.K. has developed a graded list of potential sites using health effect analysis for a stereotypic release; this list rates sites in four categories with Sizewell being of the most remote class.
Sites are selected from this list based on the novelty and intrinsic risk associated with a given reactor type.
Finally, there is no post-licensing control of residential and industrial development in the U.S., as exists in the U.K. out to distances of about 5 miles.
CI-6: ALARA STRATEGY AND OCCUPATIONAL EXPOSURE
Description
1. Use of Multi-Stud Tensioner
Detensioning and tensioning reactor pressure vessel studs by hydraulic multi-stud tensioners, controlled from a local position to the machines, to reduce the time required to remove and replace the pressure vessel head and thus reduce occupational exposure.
2. Fuel Storage Pool
Sizewell B will design their spent fuel pool (SFP) to accommodate storage of seven reactor cores based on high density storage racks.
3. Improved Inservice Inspection (ISI)
In the ISI and Maintenance safety design approach, Sizewell uses the following ALARP dose-reduction techniques.
(a) Inspection of safe-end welds in the RPV nozzles and head dome to flange welds are performed by a track-mounted automatic machine without an operator present.
(In the Westinghouse report WCAP-8872, Westinghouse addresses this in Section 5.1.2 by saying "Westinghouse has developed an inspection tool for examining the reactor vessel nozzle welds by positioning the ultrasonic crystals remotely and providing readout of the signals in a low radiation area.")
(b) Steam generator shell welds by UT scanner are on permanently installed rails.
(c) Steam generator manway opening and closing will be done by use of a hydraulic torque wrench.
(d) Eddy current probe wire will be inserted in tubes using a remote control positioner.
(Westinghouse reports on this type of tool in the WCAP-8872 report, Section 5.1.1.)
(e) Visual inspection of the reactor coolant pump (RCP) bowl internals can be made using remotely controlled viewing equipment that is mounted on the underside of a shielding plug.
A shielded floor is provided in the RCP motor compartment to reduce the radiation levels while this operation is performed.
A vertical shield is also provided between the steam generator and pump motor compartment to reduce the dose rate during ISI and reactor coolant pump seal maintenance from regions of the steam generator, pump bowl, and loop pipework subject to LOCA venting requirements.
(f) Machines are available to automatically inspect pipework butt welds.
4. Design Target Collective Doses of 240 Man-Rem and Individual Dose of 1.0 Rem
The Sizewell B station is designed so that the target annual radiation dose resulting from work functions such as normal operations and surveillance, routine and non-routine maintenance, radwaste processing, refueling, and inservice inspection will be 240 man-rems with individual doses at 1.0 rem.
These values are considered by CEGB to be as low as is reasonably practicable.
SNUPPS Description
1. Use of Multi-Stud Tensioner
SNUPPS does not address this feature in their FSAR.
2. Fuel Storage Pool
SNUPPS can only accommodate 1.6 reactor cores based on use of low density fuel racks.
3. Improved Inservice Inspection (ISI)
SNUPPS does not address these items in their FSAR per se. Therefore no comparison can be made.
4. Design Target Collective Doses of 240 Man-Rems and Individual Dose of 1.0 Rem
SNUPPS has reviewed their design criteria and analyzed each of the operational exposure considerations as stated above.
Their conclusion is that their cumulative annual dose equivalent for these operations will be about 365 man-rems.
Individual dose assessment is not given, but the staff expects that it will be similar to radiation dose from operating PWRs which average less than 1 rem per year.
U.S. Acceptance Criteria
1. Use of Multi-Stud Tensioner
Regulatory Guide 8.8 recommends use of equipment that permits rapid removal and reassembly of material from equipment to reduce exposure to personnel.
Westinghouse, in their report WCAP-8872, addresses the design of the pressure vessel head closure system to reduce the time required to tension and detension the reactor vessel studs using quick connect and disconnect stud tensioners.
2. Fuel Storage Pool
None
3. Improved Inservice Inspection (ISI)
The Sizewell B innovations are not specifically addressed with respect to radiation protection in Regulatory Guide 8.8 which is the staff's position with respect to ALARA design, radiation protection procedures, preparation and planning, and facility and equipment.
4. Design Target Collective Doses of 240 Man-Rems and Individual Dose of 1.0 Rem
NRC, in its review of applicants' dose assessment, would regard the SNUPPS estimate of 365 man-rems for their annual collective dose as being acceptable and ALARA, since it results from a design review that considered application of dose-reduction measures outlined in Regulatory Guide 8.8, applied dose-reduction measures found reasonably achievable, and is less than the average for operating PWRs in the U.S.
Analysis i
1.
Use of Multi-Stud Tensioner CEGB has indicated that a multi-stud tensioner (MST) could save as much as 8 man rem on the refueling of a narrow cavity plant.
SNUPPS would have the j
option of using the Westinghouse MST recommendation as stated above.
2.
Fuel Storage Pool
Many operating reactors have had to submit to the NRC requests for technical specification changes to modify their spent fuel pools (SFPs), increasing SFP capacity with high-density fuel racks to allow long-term storage of irradiated fuel on site.
These change requests have been the cause of costly hearings.
Additionally, expenditure of man-rems to perform the modification is required.
From the standpoint of ALARA exposure to workers, it is important that applicants carefully consider the likelihood that these modifications will be needed in their final decision on SFP requirements.
3.
Improved Inservice Inspection (ISI)
The ISI items described above should provide dose savings in man-rems, but the amount of savings versus dollar cost is not specified.
A numerical estimate would be difficult to evaluate at this time since crud buildup, which influences occupational exposure assessment, will be carefully controlled by primary coolant chemistry.
The results of this control could ultimately influence the occupational exposure estimate of Sizewell B.
4.
Design Target Collective Doses of 240 Man-Rems and Individual Dose of 1.0 Rem
It should be noted that individual items in the collective dose assessment for each category of work, as mentioned above, and as viewed by Sizewell are based on experience of work completed at operating reactors.
The Sizewell B analysis breaks down specific operations of a category of work into different functions than SNUPPS.
Consequently, it is difficult to identify specific items in the special (non-routine) maintenance category that affect the man-rem differences tabulated in the Sizewell B PCSR and the SNUPPS FSAR.
For example, for steam generator tube plugging, Sizewell B estimates 4.7 man-rems, whereas SNUPPS shows 20 to 200 man-rems.
The SNUPPS estimate is taken from operating PWRs.
Sizewell B states that their data is based on observations at all U.S. plants up to 1978.
The dose savings for Sizewell are estimated on the assumption that they will have equalled the lowest doses achievable on present plants.
A breakdown of doses for all work functions of Sizewell B versus SNUPPS for occupational exposure in equivalent categories is as follows:
| Operation | Sizewell (man-rem) | SNUPPS (man-rem) |
|---|---|---|
| ISI | 34 | 29 |
| Routine Maintenance | 55 | 104 |
| Non-routine (Special) Maintenance | 67 | 145 |
| Refueling | 16 | 24 |
| Radwaste Processing | 24 | 24 |
| Operations & Surveillance | 35 | 38 |
| Total | 231 | 364 |

The NII was concerned that Sizewell B might not achieve the collective-dose target of 240 man-rems per year, and considered that the design was concentrating too heavily on the layout provisions, the use of remote handling, inspection and repair devices, plus an expectation that it would be able to achieve the lowest doses arising from present U.S. plants.
Therefore, NII asked CEGB to carry out a systematic design review of all the important factors which influence the optimization of occupational exposure and demonstrate the extent to which each aspect has in fact been optimized.
This optimization review has been published in "The Application of the ALARA Principle to Sizewell B" PWR/RX 646, January 1983.
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET (NRC FORM 335, 7-77)
- 1. REPORT NUMBER: NUREG-0999
- 4. TITLE AND SUBTITLE: Sizewell B-Analysis of British Application of U.S. PWR Technology
- 5. DATE REPORT COMPLETED: April 1983. DATE REPORT ISSUED: May 1983
- 7. AUTHOR(S): G. E. Edison and others
- 9. PERFORMING ORGANIZATION NAME AND MAILING ADDRESS: Division of Licensing, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
- 12. SPONSORING ORGANIZATION NAME AND MAILING ADDRESS: Same as 9. above
- 13. TYPE OF REPORT: Technical Regulatory Report
- 16. ABSTRACT (200 words or less): This report provides information on the staff's evaluation of major design differences and issues developed by the British in their application (Sizewell "B") of U.S. PWR technology. One design change, the addition of steam-driven charging pumps, was assessed to have a relatively high value compared to the other changes. However, the assessment is based on a number of assumptions for which inadequate data exist to make an unqualified judgement. Other changes to the U.S. design (as typified by the SNUPPS design) were found to have relatively low or moderate safety benefits for U.S. application.
- 18. AVAILABILITY STATEMENT: Unlimited