ML20126H383

Summary of 921217 Meeting W/Epri in Rockville,Md Re Passive Sys Reliability
ML20126H383
Person / Time
Issue date: 12/23/1992
From: Joshua Wilson
Office of Nuclear Reactor Regulation
To:
Office of Nuclear Reactor Regulation
References
PROJECT-669A NUDOCS 9301050168


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

December 23, 1992

Project No. 669

APPLICANT: Electric Power Research Institute (EPRI)

PROJECT: Advanced Light Water Reactor (ALWR) Utility Requirements Document for Passive Plant Designs

SUBJECT: SUMMARY OF MEETING WITH EPRI HELD ON DECEMBER 17, 1992, CONCERNING PASSIVE SYSTEM RELIABILITY

A public meeting was held on December 17, 1992, at the Nuclear Regulatory Commission (NRC) headquarters in Rockville, Maryland, to discuss passive system reliability.

The handouts for presentations by EPRI and the passive plant vendors at the meeting are provided as Enclosure 1. A list of attendees and their affiliation is provided in Enclosure 2.

At a previous meeting with EPRI on this subject (held on November 18, 1992), the staff identified the action items that EPRI needed to accomplish in order to justify its claim that all Commission safety goals are satisfied by crediting only safety grade systems. At the meeting on December 17, 1992, while agreeing with the staff on certain issues, EPRI did not pursue the resolution approach suggested by the staff at the previous meeting.

EPRI restated their basis for having high confidence in passive system reliability, and acknowledged that the passive plants must rely on certain aspects of active system operation (i.e., function before trip) in demonstrating compliance with the safety goal. This credits non-safety systems with minimizing passive safety system challenge frequency.

The staff agreed to try to set up a video teleconference for Friday, January 15, 1993, at EPRI's Washington, D.C. office. The staff committed to provide the following information to EPRI during the telecon:

1) list of agreements and disagreements from the staff's review of EPRI's proposed approach (see handouts from meeting);
2) criteria that should be applied in order to develop a list of active systems that should have some kind of regulatory oversight applied to them as a result of their safety importance;
3) better definition of what is meant by regulatory oversight.

Progress made in resolving the passive reliability issue during this meeting and its predecessor, coupled with understandings anticipated from the upcoming telecon, are intended to lay the ground work for making this a fruitful topic for discussion at the senior management meeting in Palo Alto, California, on January 22, 1993.

(Original signed by)

James 11. Wiltan, Project Manager
Standardization Project Directorate
Associate Directorate for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation

Enclosures: As stated

cc w/ enclosures: See next page

DISTRIBUTION w/ enclosures:

Central file PDS1 R/f 1Murley/FMiraglia DCrutchfield PDR lililtz JilWilson JMoore, 15B18 GGrant, EDO ACRS (10) PShea

DISTRIBUTION w/o enclosures:

Alhadani, 8E2 RPierson RBorchardt JNWilson RJones, 8E23 MRubin, BE2 EJordan, MNBB 3701 GHsil, 8E23 filasselberg MPohida, 10E4 AEl-Bassion) 10E4 TPolich, 10A19

OFFICIAL RECORD COPY: MTSM1217.JHW

ALWR Utility Steering Committee
EPRI Project No. 669

cc:

Mr. E. E. Kintner, Chairman
Utility Steering Committee
Bradley Hill Road
Post Office Box 682
Norwich, Vermont 05055

Mr. John Trotter
Nuclear Power Division
Electric Power Research Institute
Post Office Box 10412
Palo Alto, California 94303

Mr. Brian A. McIntyre, Manager
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Post Office Box 355
Pittsburgh, Pennsylvania 15230

Mr. Joseph Quirk
GE Nuclear Energy
Mail Code 782
General Electric Company
175 Curtner Avenue
San Jose, California 95125

Mr. Stan Ritterbusch
Combustion Engineering
1000 Prospect Hill Road
Post Office Box 500
Windsor, Connecticut 06095

Mr. Daniel F. Giessing
U. S. Department of Energy
NE
Washington, D.C. 20585

Mr. Steve Goldberg
Budget Examiner
725 17th Street, N.W.
Room 8002
Washington, D.C. 20503

EPRI/NRC

Regulatory Treatment of Nonsafety Systems

T. U. Marston, Director, Advanced Reactors Development

Advanced LWR Program

Agenda

- Introduction, Points of Agreement & Disagreement
- Principles & Approach to Requirements
- Fundamental Safety Principles
- PRA, Performance and Reliability
- Shutdown Risk, Other Issues & Summary
- Design Specific Comments
- AP600, Westinghouse
- SBWR, General Electric
- Discussion & Overall Summary

Fundamental Safety Principles

George Bockhold, Senior Manager, Advanced LWR Program

ALWR Vision for Passive Plants (Commission briefing on 9/s12)

Risk analysis of today's plants show:

- important dependence on complex safety systems and operator response
- crucial dependence on AC electrical power

For that reason, utilities require:

- Simplicity and margin, cornerstones of new designs
- Sharply reduced need for operator action
- Protection of public health and safety using passive systems to meet existing NRC regulations and safety policy, without reliance on active systems
- Use of simple, active nonsafety systems to provide additional margin and investment protection

We seek NRC agreement that such a plant is licensable, if performance requirements in Utility Requirements Document (URD) are met

Fundamental Elements for New Reactors (Commission briefing 06 STs2t)

- Passive systems alone meet all regulatory licensing design requirements for higher levels of safety
- Three major purposes for nonsafety systems
  - Complement safety systems to meet owner / investor requirements for higher safety
  - Have economic utility and improve flexibility in plant operation
  - Provide some temporary compensation when a safety system is in a limited condition for operation
- The ALWR Reliability Assurance Program provides for maintaining both safety and nonsafety high performance standards with appropriate regulatory oversight

Passive ALWR Licensing Bases

- Address traditional deterministic licensing regulation modified by optimization subjects and enhancements such as severe accident requirements. Passive safety systems have robust performance requirements, a couple of examples are the following:
  - General Design Criteria are addressed including redundancy and single failure criteria
  - Conservative analyses are performed for licensing design bases (LDB) events
- Diversity for the Passive ALWR is similar to the Evolutionary ALWR licensing considerations
  - Decay heat removal, inventory makeup and ATWS have similar diversity (diverse systems are required in the URD)
  - Designers must demonstrate that common mode failures do not compromise ALWR goals: CDF < 1.0E-5 per plant year or 25 REM release < 1.0E-6 per plant year

Commission's Safety Goal Policy Statement

- ALWRs address the Commission's Safety Goal Policy Statement by confirming that a probabilistic risk assessment (PRA) sensitivity study, assuming no credit for nonsafety defense-in-depth systems after trip signal, meets this goal (<1.0E-4 per plant year CDF, large release <1.0E-6 per plant year)
- Best estimate analyses are used for PRA goals
- Nonsafety systems reduce the risk of transient challenges when they can be terminated by a controlled shutdown
- Best estimate credit is given to containment performance for severe accidents
- Method for determination of performance / reliability goals

Test and Analysis & Adverse System Interaction Requirements*

- Test (for code verification) and Analysis programs must demonstrate that the physical phenomena and safety systems / components will function as intended for design basis accidents and transients
- Transients and accidents considered in PRA evaluations must be based upon appropriate engineering analyses which provide justification that physical phenomena and systems / components will function as intended
- Evaluations of both design basis and beyond design basis (PRA) transients and accidents will be made to investigate and address system interactions

* Requirements that the Designer must demonstrate compliance with for Design Certification

Utilization of Passive Systems After 72 Hours

- No "cliff" at 72 hours
- Requirement is that no operator action is required for up to 72 hours
- Passive systems continue to operate beyond 72 hours (given simple, unambiguous operator actions)

The Missions for Nonsafety Systems

- Have economic utility for electric production, improve flexibility in plant operation and provide investment protection
- Complement safety systems by providing investment protection to reduce the challenges to safety systems
  - PWR charging & BWR CRD (also with off-site power, feedwater) pumps prevent small leaks from actuating depressurization systems and support normal shutdowns
  - PWR NRHR & BWR CRD (also with off-site power, feedwater) pumps prevent (full) depressurization for small to medium RCS breaks
  - PWR backup feedwater prevents in most transients actuation of passive decay heat removal systems

The Missions for Nonsafety Systems (Continued)

- Reduce risk of safety challenges when a safety system is in a limited condition for operation, for example PWR backup feedwater and BWR CRD pumps can compensate for unavailability of passive decay heat removal

Key PRA Principles

- PRA techniques have traditionally used best estimate information to gain risk insights and the ALWR program is using this proven technology approach
- URD Chapter 1A, Key Assumptions and Ground Rules, is our basis for performing PRA. NRC staff has accepted this approach for the Evolutionary ALWR URD
- On 6/11/92 we presented to the NRC staff our approach that uses initiating transient and accident frequencies in the KAG based on the fact that nonsafety systems reduce challenges to safety systems

Passive ALWR Performance and Reliability

Ed Rumble, Manager, Utility Requirements, Advanced LWR Program

Discussion Topics

- Performance and reliability
- PRA sensitivity study
  - Previous presentation describing sensitivity studies
- Risk goal allocation
- Activities to close the role of the nonsafety systems issue

Passive System Performance & Reliability

- Safety system performance based on design basis and licensing defined events
  - PRA not used as design basis for safety system performance
  - PRA is used to understand, assess and help improve the design
  - PRA performance best estimates obtained from all available sources
- Thus the key to safety system performance is in the capabilities of those systems to meet licensing requirements
- Safety system reliability best estimates based on attributes of the design, the engineering activities conducted during the design process as well as analogous operating experience

PRA Approach

- PRA supports deterministic design engineering process
  - Improve design
  - Assess weaknesses / problems in meeting ALWR Safety Goals
  - Modify design as appropriate considering PRA as an input
  - Perform successive iterations as the level of detail increases
  - Update PRA as engineering and site information become available
- PRA doesn't describe all facets of the ALWR safety approach
  - Passive system performance robustness
  - Reduced complexity and reduced operator involvement
  - Increased margins

PRA Impact Study

- Insights from impact study: input for assessing and managing role of defense-in-depth systems
  - May lead to performance studies that otherwise would not be addressed
  - Increase engineering understanding of passive safety systems' capabilities to prevent core damage and releases
  - Help define missions of defense-in-depth systems for NRC review
- Assess risk without taking credit for nonsafety defense-in-depth systems after reactor trip signal
  - Operation of some nonsafety systems is implicit in evaluation of initiating events
  - Appropriate credit for realistic capabilities of containment

Defense in Depth Systems

Defined in Chapter 3, Section 2.3.1

- Reactor coolant makeup function
  - Chemical Volume & Control System (PWR)
  - Control Rod Drive System (BWR)
- Reactor decay heat removal function
  - Reactor Shutdown Cooling System (BWR & PWR)
  - Reactor Water Cleanup System (BWR)
  - Steam Generator Backup Feedwater System (PWR)
- Spent fuel decay heat removal function
  - Fuel Pool Cooling and Cleanup System (BWR & PWR)

Prototypical Analysis

- Presented to NRC on 6/11/92
- Passive PWR model, starting from 100% power
- Sensitivity studies remove one or more system trains at a time
- Wide range of internal initiating events considered

LOCAs:

- Large
- Medium
- Small
- Steam generator tube rupture

Transients:

- Reactor / turbine trip
- Loss of feedwater
- Loss of off-site power
- Loss of 4 kV ac power bus
- Loss of CCW
- Loss of service water
- Main steam line break

Functional Response for Small LOCAs

[Figure: flow diagram, not recoverable from the scan. Legible label: DEPRESSURIZATION OF RCS & PASSIVE SAFETY INJECTION (as for medium LOCA).]

Removal of Both Trains From A Nonsafety System

[Figure: bar chart, bars not recoverable from the scan. Axis: Core Damage Frequency per plant year.]

Summary (6/92)

- Requirements on track to produce design which meets ALWR Program objectives
- Plant model for internal initiators indicates a well balanced design
  - Based on PWR study
- ALWR Safety Goals achievable if:
  - passive systems unavailability in 1.0E-3 to 1.0E-4 range
  - nonsafety systems unavailability in 1.0E-1 to 1.0E-2 range
- Expect to continue to address availability issues with the Designers

Reliability Goals

- Iterative use of PRA to meet core damage and release goals
  - PRAs are used to confirm that designs are well balanced and robust
  - PRA results from iterative process provide baseline best estimate information
- During plant operation assure PRA modeling assumptions are not violated such that there is significant impact on the PRA results
  - Demonstrating compliance is not practical for systems that are very reliable and seldom challenged
- In conclusion, a bottom up approach is used where the design and PRA evolve in an iterative manner instead of a top down goal allocation process

ALWR Program Activities To Close RTNSS* Issue

- ALWR Program working with Designers and other industry organizations is considering additional URD requirements
  - PRA impact study where credit is not taken for nonsafety defense-in-depth systems after a reactor trip signal
  - Draft requirement: "A PRA study shall be performed to assess the design's capability to meet the NRC Commission's Safety Goal (interpreted as a CDF < 1x10^-4 events / plant year and a large release < 10^-6 events per plant year) without credit for nonsafety defense-in-depth systems defined in Chapter 3, Section 2.3.1 after a reactor trip signal"
  - Nonsafety defense-in-depth system missions for NRC review
  - Consider mission as "reduce challenges to safety systems"

* Regulatory Treatment of Nonsafety Systems

ALWR Program Activities To Close RTNSS* Issue (cont.)

- ALWR Program working with Designers and other industry organizations to consider additional URD requirements (cont.)
  - Analytical development and evaluation of PRA success criteria and other modeling assumptions (DSER)
  - Assessment of interactions of safety systems with nonsafety systems (DSER)
  - Define external events sensitivity study where credit is not taken for nonsafety defense-in-depth systems defined in Ch. 3, Section 2.3.1
  - D-RAP and O-RAP objectives and approach
- Detailed discussions of PRA issues should be done in the context of the review of the Designers' PRAs

* Regulatory Treatment of Nonsafety Systems

Leaks

- Review of the 39 LERs from NRC for PWR leaks from 1 to 100 gpm:
  - Not Applicable*: 26
  - Less than 1 gpm: 3
  - Between 1 and 10 gpm: 6
  - Between 10 and 20 gpm: 4
- ALWR Program Review of leaks from over 800 PWR LERs (1987 - 1992)
  - 1 significant additional leak from an instrument line about 50 gpm
- URD requirement that ADS is not actuated for 8 hours with a 10 gpm leak

* Not an RCS leak, leak isolated, not applicable to AP600 design or leak during mode that would not require ADS

Summary

George Bockhold, Advanced LWR Program

1. Let's first reach agreement on the fundamental approach and principles
2. Let's add appropriate details
3. ALWR staff will update the requirements
4. NRC staff should document agreement in their Safety Evaluation Report
5. Plant designers should demonstrate that they can meet requirements before Final Design Approval

AP600 PRESENTATION TO THE NUCLEAR REGULATORY COMMISSION

REGULATORY TREATMENT OF NON-SAFETY SYSTEMS

DECEMBER 17, 1992

WESTINGHOUSE ELECTRIC CORPORATION

AP600 TREATMENT OF NON-SAFETY SYSTEMS

- Approach to Passive Safety System Design
- Reliability of Passive Safety Systems
- Testing / Analysis of Passive Safety Systems
- PRA Results / Insights
- Approach to Non-Safety System Design
- Comments on NRC November 18, 1992 Presentation

AP600 TREATMENT OF NON-SAFETY SYSTEMS

- Approach to Passive Safety System Design
- Reliability of Passive Safety Systems
- Testing / Analysis of Passive Safety Systems

T. L. Schulz, Fellow Engineer, Systems & Equipment Engineering

AP600 SAFETY SYSTEMS

Provide Passive Safety Systems

- Greatly simplified considering construction, maintenance, operation, ISI / IST
- Mitigate design basis accidents without use of NNS systems
- Meet NRC safety goals without NNS sys (EPRI)
- Meet EPRI safety goals with NNS systems

Safety Systems Design Features

- Only passive processes; no "active" equipment
- Significant design margins
- Redundancy to meet single failure criteria
- PRA based redundancy / diversity
- Greatly reduced need for operator actions

Safety Equipment Design Features

- Reliable / experience based equipment
- Improved inservice testing / inspection
- Reg Guide 1.26 Quality Group A, B, or C
- Seismic 1 design
- Qualified Equipment
- Availability controlled by Technical Specifications with shutdown requirements
- Reliability Assurance Program
- Tier 1 description and ITAAC

TLS - 12/11/92

AP600 PASSIVE SAFETY SYSTEMS PERFORMANCE AND RELIABILITY PROGRAM ELEMENTS

[Table: program elements by phase, column assignment not recoverable from the scan. Phases: Design Requirements; Design Certification; FOAKE / Procurement / Construction; Plant Operation. Legible entries: GDCs, PWR Reg's, NRC Safety Policy, URD Performance Requirements, URD Safety Margin Basis, System Design, Testing, Analysis, PRA, Tech Spec's, ITAAC's, DRAP, Procurement Spec's, Qualification Testing, SSAR Commitment Tracking, Pre-Service Testing, Procedures, Maintenance, Surveillance, Monitoring, ORAP, DRAP -> ORAP, NRC/ACRS Review, NRC/ACRS Monitoring.]

AP600 PASSIVE SAFETY INJECTION

[Figure: system schematic, not recoverable from the scan. Legible labels: ADS, core makeup tank (1 of 2), accumulator (1 of 2), IRWST, pressurizer, loop compartment, NRHRS, core, reactor vessel.]

AP600 ADS RELIABILITY

ADS Redundancy

- Multiple lines / power supplies
- Single failures for DBA events
- Multiple failures for PRA events
- Power supply by stage:
  - 1st stage: group 1 A, group 2 B
  - 2nd stage: group 1 C, group 2 D
  - 3rd stage: group 1 A, group 2 B
  - 4th stage: group 1 A or C, group 2 B or D

ADS Diversity

- Different valve designs / controls
  - 1st stage: 4" globe with DC motor
  - 2nd stage: 8" gate with DC motor
  - 3rd stage: 8" gate with DC motor
  - 4th stage: 12" gate with air piston
- Different controls:
  - Auto and manual via PMS (1E)
  - Manual via DAS (non 1E)

ADS is very reliable, 2.9E-5 failures / demand (full depressurization following small LOCA)

TLS - 12/13/92

AP600 ADS REDUNDANCY / DIVERSITY

[Figures: seven schematics, one per case, not recoverable from the scan. Legible labels: ADS group 1, ADS group 2, stages 1-3, stage 4, 8" and 12" lines, IRWST, pressurizer, loop compartment, hot leg 1, hot leg 2, reactor vessel. Westinghouse - 12/92. Case data legible in the scan:]

- Case 1. Event: Small LOCA. Type: DBA. Failure: Battery A. Result: Successful IRWST gravity injection
- Case 2. Event: Small LOCA. Type: DBA. Failure: Battery C. Result: Successful IRWST gravity injection
- Case 3. Event: Small LOCA. Type: DBA. Failure: 4th Stage Valve. Result: Successful IRWST gravity injection
- Case 4. Event: Small LOCA or Transient. Type: PRA. Failure: Battery A & C. Result: Successful IRWST gravity injection
- Case 5. Event: Small LOCA or Transient. Failure: All motor oper ADS & 1 4th stage. Result: Successful IRWST gravity injection
- Case 6. Event: Small LOCA or Transient. Type: PRA. Failure: All 1st, & 4th stages 1 2nd stage. Result: Successful IRWST gravity injection
- Case 8. Event: Small LOCA or Transient. Failure: All ADS valves except 1 1st stage valve. Result: Avoids high pressure core melt

AP600 INSERVICE TESTING

ADS Valve IST

Operability Tests

- All ADS valves individually stroked open / closed at power
- DP removed for test to reduce wear / chance of leak
- Test connections shown in SSAR
- Special interlocks prevent inadvertent ADS

Functional Tests

- All ADS valves flow tested during cooldown to refueling shutdowns
- Significant DP initially put across each valve
- Flow limited by test line to prevent adverse plant impact
- Same test connections as above
- Special interlocks prevent inadvertent ADS

Testing Consistent With PRA & Tech Spec

TLS - 12/11/93

AP600 CHECK VALVES

Current PWRs Use Similar Check Valves In Similar Conditions

- Simple swing disk valve design
- RCS chemistry
- Stainless steel with stellite seats
- Infrequent use, normally closed

Well Designed, Simple Check Valves Are Reliable In Nuclear Power Plant Service

- Search of NPRDS failure records (1984 to 90) indicate 4500 check valve failures
- Of these only 87 were failures to open
- None of the failures was for a check valve with similar conditions to the IRWST valves
- No indication of boric acid corrosion or self welding / corrosion was found

Check Valve Testing

- Performance tests show AP600 IRWST injection and recirculation check valves perform well
- Further testing is being discussed
  - In-plant testing: investigate corrosive bonding and other sticking failure mechanisms

TLS - 12/13/92

AP600 INSERVICE TESTING

IRWST Check Valve IST

Operability Tests

- No IST performed at power
- High reliability
- Simple valve design

Functional Tests

- Flow test during refueling shutdowns
- IRWST gravity drain lines used to inject water into RCS
- IRWST water is needed to fill refueling cavity
- Prototypical opening pressures and flow rates
- Valve position sensors provided
- Back leakage tests after each shutdown
- Designed in test connections / instruments

Testing Consistent With PRA & Tech Spec

AP600 SSAR TESTING

Determined need for system / equipment testing

System Testing to support SSAR

- Examined key phenomena in accidents
- Assessed new AP600 features
- Determined if data exists for code validation
- Developed AP600 test if data was unavailable or insufficient

Equipment Testing to support SSAR

- Assessed new AP600 equipment
- Determined if data exists for equipment characteristics used in SSAR analysis
- Developed AP600 test if data was unavailable or insufficient

Equipment Qualification Testing

- To be performed after design certification when design details & equipment suppliers are known

TLS - 12/11/92

AP600 TREATMENT OF NON-SAFETY SYSTEMS

PRA Results / Insights

D. R. Sharp, Manager, Product Risk Analysis

PRA AGENDA

- "Bottoms Up" Approach
- AP600 Systems Analysis Approach
- Example ADS System Analysis
- AP600 Safety System Unavailabilities
- Core Damage Frequency
- Release Frequency

AP600 PRA ACTIVITIES

PRA Has Been Used As Design Tool

- 5 major PRA quantifications / design iterations
- Heavy interaction between plant designers and risk analysts
- Initial PRA study done in 1987
- Latest PRA submitted to NRC June 1992

Each PRA included:

- Plant design input / PRA model development
- Quantification / sensitivity studies
- Review / understanding of results
- Development of ideas to improve plant; analysis, procedures, and design
- Successive PRA studies became more detailed

PRA Has Shown That AP600 Will meet NRC and EPRI PRA goals

- For both CDF and SRF considering internal (power & shutdown) and external events
- Not highly dependent on operators or nonsafety systems

SYSTEM ANALYSIS APPROACH

- Fault trees constructed for all AP600 safety-related and nonsafety-related front line and support systems
- Fault trees conditional upon the initiator and success criteria
- Equipment reliability data based on EPRI "Advanced Light Water Reactor Requirements Document"
- Maintenance unavailabilities a factor of three higher for nonsafety systems

Common Cause Failure

- Evaluated common cause failure at the component level
- MGL method used
- Factors from EPRI Requirements Document

ADS FAULT TREE CREATION

Case: Small LOCA, PRHR & CMT working; Full Depressurization

Fault Tree: ADS

Success Criteria: 3 of 4 lines Stages 2 & 3 OR 1 of 2 lines Stage 4

Input:

- P&IDs / System Descriptions
- Hardware failures
- Common cause failures
- Test / maintenance unavailabilities
- Operator actions
- Support systems

System Reliabilities Determined By Detailed, Systematic Interactions Between PRA Analysts And System Designers

AP600 SAFETY SYSTEM UNAVAILABILITIES

System, initiator and unavailability (1):

- CMTs
  - Transients: 9.0E-05
  - LOOP: 6.2E-05
  - Small LOCA: 6.4E-05
- Accumulators
  - Transients / LOCAs: 6.4E-05
- IRWST
  - Injection, Transients / LOCAs: 1.6E-04
  - Recirc., Transients / LOCAs / LOOP: 3.9E-07
- Passive RHR
  - Transients: 7.7E-05
  - Small LOCA: 1.2E-04
  - LOOP: 7.7E-05
- Automatic Depressurization System (2)
  - Full ADS, Small LOCA: 2.9E-05
  - Full ADS, LOOP: 6.2E-04
  - Partial ADS, Small LOCA: 2.7E-05
  - Partial ADS, LOOP: 6.2E-04
- Containment isolation (3)
  - Small LOCA: 1.4E-03
- Passive Contmt. Cooling (4)
  - Transients / LOCAs

Notes:

1. All system unavailabilities include manual or automatic actuation and failure of support systems.
2. Assumes PRHR and CMT are successful.
3. Containment isolation failure does not result in core damage.
4. Failure of passive containment cooling requires failure of the water cooling the shell (7E-4) AND failure of natural air circulation (c)

AP600 CORE MELT FREQUENCY

Events At Power and Frequency:

- Transients: 7.1E-08
- Blackout: 2.9E-09
- SG Tube Rupture: 2.6E-09
- LOCA - Small: 7.7E-08
- LOCA - Medium: 8.8E-08
- LOCA - Large: 1.6E-08
- ATWS: 4.5E-08
- Loss of Cooling: 1.6E-09
- Interfacing LOCA: E-09
- Vessel Rupture: 3.0E-08

Base Case Total: 3.3E-07 /yr

Sensitivity Study Total (w/o CVS, SFW, RNS): 2.6E-06 /yr

AP600 NON-SAFETY SYSTEM SENSITIVITY CASE

1. Base Case
   - Core Damage Frequency, Total (1): 4.3E-7 /yr
   - Core Damage Frequency, Internal Events Only (At Power): 3.3E-7 /yr
   - Release Frequency (2) (At Power): 2.0E-8 /yr
2. Sensitivity Case (w/o CVS, SFW, RNS)
   - Core Damage Frequency, Internal Events Only (At Power): 2.6E-6 /yr
   - Release Frequency (2) (At Power): 2.2E-7 /yr

NRC Goal

- Core Damage Frequency: 1.0E-4 /yr
- Release Frequency: 1.0E-6 /yr

Notes:

1. Total core damage frequency includes internal and external events, at power and shutdown.
2. Release frequency based on internal event at power.

AP600 TREATMENT OF NON-SAFETY SYSTEMS

- Approach to Non-Safety System Design
- Comments on NRC November 18, 1992 Presentation

T. L. Schulz, Fellow Engineer, Systems & Equipment Engineering

AP600 NON-SAFETY SYSTEMS

Provide Non-Safety Systems

- Reliably support normal operation
- Minimize challenges to passive safety systems
- Not required to mitigate design basis accidents
- With safety systems, meet EPRI safety goals

Non-Safety Systems Design Features

- Redundancy for more probable failures
- Connections to the non-safety diesels
- Automatic actuation and controls
- Separated from safety systems
- Separation within NNS systems not required

Non-Safety Equipment Design Features

- Reliable / experienced based equipment
- Use Reg Guide 1.26 Quality Group D
- Uniform Building Code, not seismic 1
- Availability controlled by plant procedures (50.59) without shutdown requirements
- Reliability Assurance Program
- Less detailed Tier 1 description and ITAAC

TLS - 12/8/92

AP600 RCS LEAK

PRA Should Include Events Resulting in RT/SI
- Leaks > 100 gpm likely to cause RT/SI
- For smaller leaks CVS prevents RT/SI
- Operator can conduct orderly shutdown
- Time is available to recover CVS

NRC Has Overestimated RCS Leak Probability
- Of 39 events listed, only 9 apply to AP600
- These 9 events have low leakage
- 3 events were < 2 gpm
- Others were 10 to 20 gpm

RCS Leak Event (20 gpm)
- 7 hr to recover CVS before ADS actuation
- Even if ADS fails, CMT / accum / PRHR HX provide extended core cooling, >> 24 hr
- More time to recover CVS or ADS

COMMENTS ON NRC PRESENTATION

RCS Leak Probability in PRA

Top Down Goal Allocation
- Leads to overly conservative design
- Not necessary since detailed, bottoms up PRA has been completed as required by URD

Design of Safety Systems
- Passive safety systems are designed and qualified for DBA events
- Best estimate credit should be given for these passive safety systems in severe accidents

Hydrogen Igniter Reliability
- Hydrogen mixing analysis concludes AP600 containment is well-mixed
- Global burning of hydrogen from 75% cladding reaction plus LOCA loads results in pressures less than Service Level C limits
- Igniters not required to prevent containment failure

COMMENTS ON NRC PRESENTATION

ADS Reliability vs HPME
- ADS is very reliable because of its redundancy, diversity, testing, and analysis
- Even if ADS fails, the HL nozzle is calculated to fail before the vessel fails
- If the HL does not fail, the vessel is calculated to fail such that DCH does not occur
- An ADS reliability of 3E-6 / demand supports a significant release frequency of 3E-8 / yr

Containment Isolation Reliability
- Containment isolation is not required to prevent core melt
- Credit is given to long term recovery actions to replenish water supplies (~ 72 hr)

Containment Cooling Reliability
- Water drain reliability will be ~ 3E-5 failures / demand
- Other water supplies are available (onsite & temporary offsite)
- Air only cooling is sufficient to prevent containment failure
- Passive containment cooling is very reliable

GE Nuclear Energy

Regulatory Treatment of Active Non-Safety-Related Systems in SBWR

Presentation to NRC

Jack Duncan

December 17, 1992

Regulatory Treatment of Active Non-Safety Systems in SBWR

Three Main Issues
- How to measure achievement of Safety Goals
- Reliability of Components in Passive Systems
- Uncertainty in Thermal-Hydraulic Phenomena of Passive Systems

JDD - 2 of 6, 12/17/92

How to Measure Achievement of NRC Safety Goals

GE agrees with ALWR URD conclusions

PRA process is adequate for Internal Events (including flooding).

The PRA is much less useful for shutdown operations. GE's analysis intent is to provide the utility with many acceptable configurations and maximum flexibility. Numerical results depend on utility implementation plans.

Seismic margins approach is acceptable for Seismic Events.

Comments on NRC/BNL Logic Discussed Nov. 18, 1992

Focus of this presentation - Internal Events

"Inputs" leading to ADS challenge rate of 4.93E-2 are probably high, especially leakage.

Fault in "Logic"? Normally running non-safety-related systems (e.g., CRD, Feedwater) should not be assumed to be unavailable.

- ATWS Case with SRV failure to reseat
- Continued CRD/Feedwater flow likely to makeup for steam flow

Related Point: ATWS Mitigation Systems should be credited

Comments - Continued

  • PCC Sample Goal of 1.5E-6

- Class 2 Events do not include core damage

- Even if vacuum breaker failure should cause containment failure, molten core is submerged as a result of drywell flooding or equalizing line operation

- Long Term Makeup by Firewater Addition System

- Credit for Fire Protection System is appropriate

  • A Simpler PCC Goal:

Core Damage Frequency x PCC Failure Frequency = Large Release Probability

PCC Failure Frequency / "Vacuum Breaker" Goal = E-2

Comments On The General Approach

  • Top Level Goals are appropriate for the URD

  • GE agrees with current guidance

  • Result of the PRA effort should be:

- Key Reliability Assumptions - Input to Reliability Assurance Program

- Interface items for COL Applicant

- All Will Be Provided for NRC/EPRI Review

GE Nuclear Energy

SBWR Passive Systems Reliability

Paul F. Billig

Presentation to the NRC

December 17, 1992

SBWR Performance and Reliability Requirements

Key concerns:

The ability of the key safety systems to satisfy their performance requirements depends on the following issues:

A. Assuring the reliability of the components

B. Quantifying the uncertainty in the phenomenon

C. Understanding the interactions with the non-safety active systems

These issues are or will be addressed by GE in the design of the SBWR.

SBWR Safety Systems

Key Passive Safety Systems:

- GDCS: Gravity Driven Cooling System. Core makeup
- ADS/DPV: Automatic Depressurization System / Depressurization Valve. Vessel blowdown
- ICS: Isolation Condenser System. Transient core cooling
- PCCS: Passive Containment Cooling System. LOCA containment cooling
- SLCS: Standby Liquid Control System. Backup reactivity control

SBWR: A. Component Reliability

To achieve credible reliability for safety related mechanical components to perform on demand

Six Key Elements:

(1) Define mission, and mission performance envelope.

- The component's required performance will be specified precisely, including appropriate margin to provide reserve capacity to account for uncertainties in service conditions.

(2) Understand phenomena affecting component operation.

- This sometimes requires linking a mechanical component to a dynamic event scenario by testing a prototype in simulated event circumstances.

Examples of key mechanical components for SBWR:

- DPV
- ICS and PCCS condensers

SBWR: A. Component Reliability (cont.)

Six Key Elements (cont.):

(3) Examine threat spectrum.

- A Failure Modes and Effects Analysis (FMEA) reveals pathways by which intended performance can be defeated.

- Redundancies, diversities, etc. increase ruggedness.

(4) Acceptable as-produced (by vendor) product quality.

- A Quality Assurance (QA) program during manufacture increases confidence that the as-manufactured product has every key aspect, of every key part, of every key assembly, satisfactorily inside a known, satisfactory standard (envelope) for acceptability.

SBWR: A. Component Reliability (cont.)

Six Key Elements (cont.):

(5) Acceptable as-installed (by designer, by pipe fitters, etc.) quality.

- A QA program during installation along with any necessary pre- [illegible] that the component-to-system coupling performance requirements are met.

(6) Acceptable as-maintained (by plant operating staff) quality.

- Appropriate records are kept on O&M, surveillance tests, etc., to reduce the potential for reliability deterioration, consequent to service life, occurring prior to "safety demand".

GE and the applicant will take the necessary steps to ensure component reliability.

C. System Interactions

Eliminate adverse interactions between passive safety and active non-safety systems

- Consider all possible automatic operations of non-safety systems. One example identified to date: shut off CRD pump before filling containment.

- Maintain goal of no operator actions required for 72 hours.

- Consider possible manual operations of non-safety systems. Emergency Operating Procedures specify allowable operations. PRA studies investigate system interactions.

SBWR Conclusions

- Necessary steps are taken to achieve credible reliability for safety related mechanical components to perform on demand.

- Bounding analyses are performed to cover phenomenological uncertainties in thermal-hydraulic processes.

- Test programs are used to measure uncertainties, as necessary.

- Adverse interactions, if found between active and passive systems, will be identified and addressed.

Robustness of passive safety system components along with bounding performance studies preclude any need for regulatory control of active non-safety systems beyond that of current plants.

SBWR: B. Phenomenon Uncertainty

Performance of the safety systems is based on the results from qualified computer codes.

Important steps to qualify computer codes:

- Develop the Phenomena Identification and Ranking Table (PIRT)

- List of important processes and phenomena related to system performance (e.g., condensation heat transfer in the presence of non-condensable gases)

- Correlated against available test data (e.g., UCB single tube condensation tests)

- Review test databases. Test programs measure margins and reduce uncertainties.

- Scaling studies correlate test data to plant data.

- Develop and test models to capture key phenomena identified by PIRT (e.g., condensation correlation)

SBWR: B. Phenomenon Uncertainty (cont.)

Sensitivity Study

Determine limiting values for key plant variables:

- Design requirement (e.g., ADS flowrate)
- Maximum or minimum operating point (e.g., water level)
- Statistical limits plus margin (e.g., decay heat)
- Industry experience plus margin (e.g., condenser fouling factor)

Value represents upper 95% or higher probability

Uncertainty Analysis

- Apply limiting (bounding) value from sensitivity study
- Redo analysis on most limiting scenarios
- Apply most limiting single failure (possibly operator action)

LIST OF ATTENDEES AT MEETING WITH EPRI HELD IN ROCKVILLE, MARYLAND ON DECEMBER 17, 1992

Name, Affiliation

A. Thadani, NRC
R. Jones, NRC
M. Rubin, NRC
G. Hsii, NRC
R. Pierson, NRC
R. Borchardt, NRC
J. H. Wilson, NRC
R. Hasselburg, NRC
A. El Bassioni, NRC
M. Pohida, NRC
T. Polich, NRC
M. Snodderly, NRC
G. Thomas, NRC
J. Youngblood, BNL
T. Pratt, BNL
T. Marston, EPRI
G. Bockhold, EPRI
J. Trotter, EPRI
R. Berryhill, EPRI
J. Berger, EPRI
S. Lewis, EPRI
E. Rumble, EPRI
D. Sharp, Westinghouse
R. Vijuk, Westinghouse
B. McIntyre, Westinghouse
A. Sterdis, Westinghouse
T. Schultz, Westinghouse
J. Duncan, GE
P. Billig, GE
A. Rao, GE
J. Baechler, GE
D. Guntz, GE