ML20127E026

From kanterella
Requests Addl Info Re June 1992 Application for Design Certification to Complete Review
ML20127E026
Person / Time
Site: 05200003
Issue date: 10/28/1992
From: Kenyon T
Office of Nuclear Reactor Regulation
To: Liparulo N
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
References
NUDOCS 9301190128


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

October 28, 1992

Docket No. 52-003

Mr. Nicholas J. Liparulo
Nuclear Safety and Regulatory Activities
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, Pennsylvania 15230

Dear Mr. Liparulo:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION ON THE AP600

As a result of its review of the June 1992 application for design certification of the AP600, the staff has determined that it needs additional information in order to complete its review.

The additional information is needed in the areas of emergency preparedness (Q100.6),* instrumentation and control systems (Q420.7), source term application (Q470.1-Q470.2), and probabilistic risk assessment (Q720.57-Q720.58).

Enclosed are the staff's questions.

Please respond to this request within 120 days of the date of receipt of this letter.

You have requested that portions of the information submitted in the June 1992 application for design certification be exempt from mandatory public disclosure. While the staff has not completed its review of your request in accordance with the requirements of 10 CFR 2.790, that portion of the submitted information is being withheld from public disclosure pending the staff's final determination.

The staff concludes that this request for additional information does not contain those portions of the information for which exemption is sought.

However, the staff will withhold this letter from public disclosure for 30 calendar days from the date of this letter to allow Westinghouse the opportunity to verify the staff's conclusions.

If, after that time, you do not request that all or portions of the information in the enclosures be withheld from public disclosure in accordance with 10 CFR 2.790, this letter will be placed in the NRC's Public Document Room.

* The numbers in parentheses designate the tracking numbers assigned to the questions.

9301190128 921028 PDR ADOCK 05200003 PDR

The reporting and/or recording requirements contained in this letter affect fewer than ten respondents; therefore, OMB clearance is not required under P.L. 96-511.

If you have any questions regarding this matter, you can contact me at (301) 504-1120.

Sincerely,

(Original signed by)

Thomas J. Kenyon, Project Manager
Standardization Project Directorate
Associate Director for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc w/ enclosure: See next page

DISTRIBUTION:
Central File
PDST R/F
TMurley/FMiraglia
DCrutchfield
NRC PDR
WTravers
RPierson
RBorchardt
TKenyon
RHasselberg
GGrant, EDO
JMoore, 15B18
ACRS (10)
HLi, 8H7
MChiramal, 8H7
AEl-Bassioni, 10E4
RPalla, 7E4
JLee, 7E23
TEssig, 10D4
JHayes, 10D4
EFox, 9H15
FKantor, 9H15
MSiemien, 15B18
PShea
MPohida, 10E4

OFC:  LA:PDST:ADAR | PM:PDST:ADAR | PM:PDST:ADAR | SC:PDST:ADAR
NAME: PShea        | TKenyon:sg   | RHasselberg  | RBorchardt
DATE: 10/h/9h      | 10/[/92      | 10/t,8/92    | 10/M/92

OFFICIAL RECORD COPY
DOCUMENT NAME: LETTER.V

* To be held for 30 days

Mr. Nicholas J. Liparulo
Westinghouse Electric Corporation
Docket No. 52-003
AP600

cc:
Mr. B. A. McIntyre
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Box 355
Pittsburgh, Pennsylvania 15230

Mr. M. D. Beaumont
Nuclear and Advanced Technology Division
Westinghouse Electric Corporation
One Montrose Metro
11921 Rockville Pike, Suite 350
Rockville, Maryland 20852

Mr. Daniel F. Giessing
U. S. Department of Energy
NE-42
Washington, D.C. 20585

Mr. S. M. Modro
EG&G Idaho Inc.
Post Office Box 1625
Idaho Falls, Idaho 83415

ENCLOSURE

REQUEST FOR ADDITIONAL INFORMATION ON THE WESTINGHOUSE AP600 DESIGN

EMERGENCY PREPAREDNESS

100.6 Section 13.3 of the SSAR indicates that emergency planning is not within the scope of the AP600 design certification application. Additionally, the SSAR states that communication interfaces between the plant control room and the emergency planning centers discussed in NUREG-0696 are outside the scope of the AP600 design certification application.

The staff agrees that emergency planning will be addressed by the utility applicant referencing the AP600 standard design and will significantly depend on plant and site-specific characteristics.

However, the SSAR further states that there are design features, facilities, functions, and equipment necessary for emergency planning that interface with the AP600 design scope.

Section 7.5 of the SSAR identifies plant variables that are provided for interface to the emergency planning areas.

The staff cannot identify any other references to features, facilities, functions, and equipment necessary for emergency planning in the SSAR.

The Technical Support Center (TSC) is identified in figure 1.2-25 of the Annex I and II Building General Arrangement Plan (elevation 117' 6") as the Main TSC Operations Area (40406). The TSC is designated as an onsite facility located adjacent to and within two-minutes walking time of the control room. The design provides for a TSC; however, no information is provided regarding the availability of specific plant data, plant records, or size.

The staff concludes that the design considerations for emergency planning specified in the AP600 SSAR are not sufficient because the facilities and equipment necessary to support operations in the TSC are not specified as recommended in Supplement I to NUREG-0737 and NUREG-0696.

In addition, the design should include an Operations Support Center (OSC) that should be located onsite with communication links to the control room.

Therefore, provide a description of design considerations for onsite emergency response facilities (such as the Emergency Operations Facility, TSC, OSC, and Onsite Decontamination Facility) as part of the AP600 design.

The emergency preparedness regulations and supporting documents identified below contain the requirements and guidance for these facilities and functions. Address in detail the design of the facilities listed below by (1) providing a description of the pertinent design considerations that would enable these facilities to meet the referenced requirements or guidance, (2) citing the location of these descriptions in current or projected design documents, or (3) describing or identifying how the equivalent function is contained in the design considerations of another facility.

Facility / Reference

Emergency Operations Facility:
10 CFR 50.47(b)(8)
10 CFR 50, Appendix E, IV.E.8
NUREG-0654, Paragraph II.H.2
NUREG-0696, Paragraph 1.3
NUREG-0737, Supplement 1, Paragraph 8.4

Technical Support Center:
10 CFR 50.47(b)(8)
10 CFR 50, Appendix E, IV.E.8
NUREG-0654, Paragraph II.H.1
NUREG-0696, Paragraph 1.3.1
NUREG-0737, Supplement 1, Paragraph 8.2

Operations Support Center:
NUREG-0654, Paragraph II.H.9
NUREG-0696, Paragraph 1.3.2
NUREG-0737, Supplement 1, Paragraph 8.3

Onsite Decontamination Facility:
10 CFR 50, Appendix E, Paragraph IV.E.3
10 CFR 50.46(b)(8)

INSTRUMENTATION AND CONTROL SYSTEMS

420.7 The AP600 I&C system uses a microprocessor-based distributed digital system to perform plant protection and safety monitoring as well as for plant control functions. The use of digital computer technology in protection and control systems raises a concern that the software and hardware for these computer systems could be vulnerable to design and programming errors that could lead to safety-significant common-mode failures.

Provide detailed information to address the following concerns regarding the quality and diversity of the I&C system design:

a. Assessment of Diversity

(1) Assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have been adequately addressed. The staff considers software design errors to be credible common-mode failures that must be specifically included in the evaluation. An acceptable method of performing analyses is described in NUREG-0493. Other methods proposed will be reviewed on a case-by-case basis.

(2) In performing the assessment of defense-in-depth and diversity of the I&C system requested in (1) above, each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report should be analyzed. Demonstrate adequate diversity within the design for each of these events.

(3) If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subjected to the same common-mode failure, should be required to perform either the same function or a different safety function that provides adequate protection. The diverse or different safety function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions. Diverse digital or non-digital systems are considered to be acceptable means. Manual actions from the control room are acceptable if time and information are available to the operators.

The amount and types of diversity may vary among designs and will be evaluated on a case-by-case basis.

How does the AP600 design address this position?

(4) In the draft Commission paper, "Design Certification and Licensing Policy Issues Pertaining to Passive and Evolutionary Advanced Light Water Reactors," dated July 6, 1992, the staff concluded that a set of safety-grade displays and controls, independent of the computer system(s) and located in the main control room, should be provided for system-level actuation and monitoring of critical safety functions and parameters. The staff further stated that the displays and controls should be provided for those system-level actuations for critical safety functions and parameters that are required by control room operators to place the reactor plant in a hot shutdown condition.

The displays and controls should be conventionally hardwired in the system architecture to the lowest level practicable.

The staff stated that each set of equipment required will be evaluated individually.

The hardwired system-level controls and displays provide the plant operators with unambiguous information and control capabilities. These hardwired controls and displays are required to be in the main control room to enable the operators to expeditiously mitigate the effects of the postulated common-mode failure of the digital I&C system. The control room would be the center of activities to safely cope with the event, which could also involve the initiation and implementation of the plant emergency plan.

After a review of the comments received from the ACRS, EPRI, and the industry, the staff has modified its position on this matter. The staff is considering allowing more flexibility in implementing the independent set of displays and controls. The amount of flexibility would depend on the specific equipment and design features of the I&C system and would be evaluated individually with each vendor. This would permit using digital equipment that is not affected by the identified common-mode failures and reduce the complexity of the design.

The staff is considering allowing simple digital equipment in lieu of only analog equipment in such a system. Safety parameter displays may include dedicated digital components. The system-level actuation controls that are "hardwired" to the lowest level practicable in the I&C architecture may use dedicated and diverse digital equipment.

The staff is aware that Westinghouse has proposed a diverse actuation system (DAS) which is a nonsafety-related digital system to protect against common-mode failures in the protection system.

However, Westinghouse has not provided detailed information to demonstrate the quality of the DAS design that includes the hardware and software verification and validation process.

Provide information to justify the safety qualification of this design.

(5) Westinghouse submitted fault tree analyses for the protection system in Section C-20 of the PRA submittal. Section 3.5.4.3 of the EPRI Requirements Document for passive plants states that a failure mode and effects analysis (FMEA) can also assist in the identification and elimination of common-mode failures and may suggest areas where improvements in reliability can be achieved. RG 1.70, "Standard Format and Content of Safety Analysis Report for Nuclear Power Plants," states that an applicant should submit failure mode and effects analyses for the protection systems and components. Supplement the fault tree analyses with additional FMEA, as specified in IEEE 352, which is required by IEEE 603, or provide a method for obtaining FMEA-type information from the PRA and other sources of information.

b. Engineering Activities in Software and Hardware Development

Because the hardware and software design of the AP600 I&C systems have not been finalized, the staff will use the two-part approach stated in SECY-92-053, "Use of Design Acceptance Criteria (DAC) During 10 CFR Part 52 Design Certification Reviews," in the review of the AP600 I&C system. The first part of this approach involves a detailed functional review at the level of design provided in the safety analysis report to ensure that the design meets the Commission's requirements related to postulated single failures, appropriate signal isolation, and other aspects of the staff's review that are typical of a corresponding analog system review.

This review will establish the detailed functional requirements for the 1&C system.

The second part of this approach (the DAC) will address the adequacy of the digital control system implementation with respect to the functional system requirements. This will rely upon a formal design implementation process with phased inspection, test, analysis and acceptance criteria (ITAAC) for design development.

Westinghouse submitted a pilot ITAAC program for the man-machine interface system, but it does not contain computer hardware and software development aspects. Address the engineering activities throughout the software life-cycle ITAAC.

A software life-cycle ITAAC should include the following stages:

  • planning
  • requirements
  • design
  • implementation
  • integration
  • validation
  • installation
  • operation and maintenance

Also, provide information regarding the previous development activities related to the nuclear plant protection system hardware and software.

c. Design Implementation

The staff's consideration of the design acceptance criteria (DAC) also includes the design implementation phase of the advanced light water reactor. Westinghouse's DAC and ITAAC program should include steps that will allow the NRC to verify conformance with the requirement through the life-cycle phases of design, manufacture, installation, operation, maintenance, and modification of the I&C system. Provide such information in the DAC and ITAAC program for the AP600 I&C system.

d. Classification of the I&C System

As discussed in SECY-91-292, "Digital Computer Systems for Advanced Light Water Reactors," the staff is continuing to develop safety classification criteria for the I&C systems in the ALWR designs. The staff will consider the positions being developed by the international technical community in the draft International Electrotechnical Commission standard and EPRI's position paper for passive system classification, as well as the information provided in the AP600 SSAR, in the consideration of the necessary classification criteria.

The AP600 submittal includes probabilistic risk assessments for the protection and safety monitoring system, the plant control system, the diverse actuation system, and many other plant systems (total: 21 systems). The traditional Class 1E I&C and non-Class 1E I&C classifications used to describe systems important to safety are too limited to properly account for the significant contribution to safety from traditional non-1E systems, as evidenced in the PRA results. The staff is considering a graded approach based on system importance to safety to establish specific requirements of active nonsafety systems to ensure their capability and availability.

This graded approach will require an applicant to submit the evaluations and analyses of those nonsafety systems to help verify that the capability and availability of each system is commensurate with its safety importance.

How does the AP600 I&C design address this issue? The staff will evaluate Westinghouse's methodology and criteria used to establish the relative importance of those nonsafety systems, and will evaluate the applicant's proposed system requirements during its review of the AP600 design.

SOURCE TERM 470.1 Westinghouse has proposed a new reactor accident source term in the SSAR to be used in evaluating the radiological consequences of design basis accidents for the AP600 design.

The SSAR references EPRI's "Passive ALWR Source Term" paper, dated February 1991, that was submitted on the EPRI docket (Project No. 669) to provide technical justification for EPRI's physically-based source term proposed in Chapter 5 of Volume III of the EPRI ALWR Utility Requirements Document. In addition to the EPRI document, review NUREG-1465, "Accident Source Terms for Light-Water Nuclear Power Plants," that was issued for public comment in June 1992, and provide the following information:

a. List any deviations from the source term guidelines provided in NUREG-1465. Each deviation should be supported by appropriate technical justification.

b. Describe the assumptions and parameters used in the assessment of the offsite and control room radiological consequences due to design basis accidents (DBAs) and corresponding technical justification for each assumption and parameter used.

c. Describe the fission product transport models and fission product removal mechanisms within the containment.

d. Describe how the post-LOCA pH of the water in the in-containment refueling water storage tank will be controlled.

e. Provide the computer input and output sheets showing computed offsite and control room doses.

f. Provide sample dose calculations for primary nuclides in each chemical species nuclide group to verify the computer outputs.

g. Provide the accident dose calculation code(s), along with the user's manual, on IBM PS/2 compatible 3.5" computer disks.

470.2 The reactor accidents selected in Chapter 15 of the SSAR are generally consistent with the postulated design basis accidents described in Chapter 15 of the SRP. The reactor accidents that are unique to the AP600 design are included in Appendix L, "Severe Accident and Fission Product Source Term Analysis," and Appendix M, "Dose Evaluation Methodology," of Volume 3 of the probabilistic risk assessment for the AP600 submitted on June 26, 1992.

The offsite radiological consequences due to these reactor accidents unique to the AP600 design were analyzed using the MELCOR Accident Consequence Code System (MACCS). Reanalyze these unique reactor accidents using the source term guidelines provided in NUREG-1465 for the assessment of the offsite radiological consequences for the AP600. The results of these analyses should be included in Chapter 15 of the SSAR.

PROBABILISTIC RISK ASSESSMENT 720.57 Confirm that the June 26, 1992 PRA reflects all of the changes made to the AP600 design, as presented in the SSAR submitted on June 26, 1992, or identify the differences between the design assumed in the PRA and that of the design application.

720.58 To perform confirmatory analyses of the Westinghouse AP600 PRA results, the staff is planning to upload the Westinghouse AP600 PRA onto the IRRAS computer program.

To upload the Westinghouse PRA onto IRRAS, the staff needs to have the following files on electronic media in ASCII format, unless otherwise stated.

Provide this information.

a. For all of the fault trees generated from GRAFTER, the staff needs to have all of the treename.txt and treename.dat files converted to SETS input using the SETSIN2 program as described in the GRAFTER Users Manual (WCAP-11693). The subtrees designated as SUB-XXXX also need to be converted to SETS input. The staff also needs a copy of all of the fault tree output files from GRAFTER (treename.cut), including the SUB-XXXX subtrees.

b. The staff needs the Master Data file from GRAFTER used to quantify the basic events that are described in the fault trees. The staff believes that the file is called SIMON.DAT or SIMON.CVT.

c. Based on conversations with Westinghouse, the GRAFTER computer output given to the staff contains incomplete system cutsets and incomplete system unavailabilities. These systems may contain basic events that are designated as SUB-XXXX that represent smaller subtrees that are given dummy probabilities. The staff understands that these system fault trees are reduced (the SUB-XXXX basic events are replaced with cutsets) in the SUBA option in the WLINK computer code. Therefore, the staff needs the fault tree output after the SUBA option is used in WLINK that reduces all of the SUB-XXXX events. The staff believes that these are treename.wlk files. The staff also needs to have a copy of the accident sequence output files from the SEQ OPTION in WLINK. The staff believes that they are called XXXX.out files.
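The following is an added worked example, not part of the NRC letter and not Westinghouse's GRAFTER, WLINK or SETS code. It illustrates two points the enclosure raises: question 420.7 a(1)-(3), where a software design error shared by redundant channels is treated as a credible common-mode failure that redundancy alone cannot remove, and question 720.58 c, where a fault tree that still carries SUB-XXXX placeholder events with dummy probabilities yields incomplete cutsets and unavailabilities until the subtrees are substituted in. The fault tree, the gate names (TOP-PMS, CH1..CH4, SUB-DAS, TOP-PLANT), and every probability are constructed for the illustration; the minimal-cut-set expansion and the rare-event approximation used for quantification are generic textbook methods, not the quantification the letter's tools perform.

```python
from itertools import combinations

# Constructed fault tree (illustration only; not the AP600 PRA and not GRAFTER/WLINK/SETS output).
# A gate is ("AND", [children]), ("OR", [children]) or ("KOFN", k, [children]);
# any name that is not a gate is a basic event looked up in PROBS.
# "SUB-DAS" stands in for a SUB-XXXX placeholder: until expanded it is treated as a
# basic event carrying a dummy probability, as the letter describes for GRAFTER output.
GATES = {
    # Protection function fails if 3 of the 4 redundant channels fail (2-out-of-4 trip logic).
    "TOP-PMS": ("KOFN", 3, ["CH1", "CH2", "CH3", "CH4"]),
    # Each channel fails from its own hardware fault or from the software defect shared by all four.
    "CH1": ("OR", ["HW-CH1", "SW-CMF"]),
    "CH2": ("OR", ["HW-CH2", "SW-CMF"]),
    "CH3": ("OR", ["HW-CH3", "SW-CMF"]),
    "CH4": ("OR", ["HW-CH4", "SW-CMF"]),
    # Plant-level failure requires both the protection system and the diverse system to fail.
    "TOP-PLANT": ("AND", ["TOP-PMS", "SUB-DAS"]),
}

# Subtree held separately, as a SUB-XXXX subtree would be; it shares no events with the PMS.
SUBTREES = {
    "SUB-DAS": ("OR", ["DAS-HW", "DAS-SW"]),
}

# Constructed per-demand unavailabilities; SUB-DAS carries a dummy value until expanded.
PROBS = {
    "HW-CH1": 1e-3, "HW-CH2": 1e-3, "HW-CH3": 1e-3, "HW-CH4": 1e-3,
    "SW-CMF": 1e-4,
    "SUB-DAS": 1.0,          # dummy placeholder probability (not a real estimate)
    "DAS-HW": 5e-3, "DAS-SW": 5e-3,
}


def minimize(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def _and_combine(sets_per_child):
    """Cross product of the children's cut sets: one set from each child, unioned."""
    result = {frozenset()}
    for child_sets in sets_per_child:
        result = {a | b for a in result for b in child_sets}
    return result


def cut_sets(node, gates):
    """Return the minimal cut sets of `node` as a set of frozensets of basic-event names."""
    if node not in gates:
        return {frozenset([node])}   # basic event, or an unexpanded SUB-XXXX placeholder
    gate = gates[node]
    kind = gate[0]
    if kind == "OR":
        result = set().union(*(cut_sets(c, gates) for c in gate[1]))
    elif kind == "AND":
        result = _and_combine([cut_sets(c, gates) for c in gate[1]])
    elif kind == "KOFN":
        # Gate fails when at least k children fail: OR over every k-subset ANDed together.
        k, children = gate[1], gate[2]
        result = set()
        for combo in combinations(children, k):
            result |= _and_combine([cut_sets(c, gates) for c in combo])
    else:
        raise ValueError(f"unknown gate type: {kind}")
    return minimize(result)


def rare_event_unavailability(cutsets, probs):
    """Rare-event approximation: sum over cut sets of the product of their event probabilities."""
    total = 0.0
    for cs in cutsets:
        p = 1.0
        for event in cs:
            p *= probs[event]
        total += p
    return total


def expand_subtrees(gates, subtrees):
    """Splice subtree gates into the main tree so SUB-XXXX placeholders resolve to real cut sets."""
    merged = dict(gates)
    merged.update(subtrees)
    return merged


def analyze(top, expanded):
    """Minimal cut sets and rare-event unavailability of `top`, with or without subtree expansion."""
    gates = expand_subtrees(GATES, SUBTREES) if expanded else GATES
    cs = cut_sets(top, gates)
    return cs, rare_event_unavailability(cs, PROBS)


if __name__ == "__main__":
    for top, expanded in [("TOP-PMS", False), ("TOP-PLANT", False), ("TOP-PLANT", True)]:
        cs, q = analyze(top, expanded)
        label = "expanded" if expanded else "unexpanded"
        print(f"{top} ({label}): {len(cs)} minimal cut sets, unavailability ~ {q:.3e}")
        for s in sorted(cs, key=lambda s: (len(s), sorted(s))):
            print("   ", sorted(s))
```

Running it shows the single-element cut set {SW-CMF} dominating TOP-PMS: the four triple-hardware cut sets contribute on the order of 1e-9 each, while the shared software defect contributes 1e-4 on its own, which is the situation question 420.7 a(3) asks to be covered by a diverse means. TOP-PLANT with the placeholder in place reports five cut sets that all contain SUB-DAS and, because of the dummy probability, an unavailability no better than the protection system alone; only after expand_subtrees splices the DAS subtree in do the ten real two- and four-element cut sets appear and the unavailability drop by two orders of magnitude, which is why the letter asks for the post-SUBA output rather than the raw trees.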
