ML20127P465
| ML20127P465 | |
| Person / Time | |
|---|---|
| Issue date: | 01/26/1993 |
| From: | Hiltz T Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| PROJECT-669A NUDOCS 9302010292 | |
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

January 26, 1993

Project No. 669

APPLICANT: Electric Power Research Institute (EPRI)

PROJECT: Advanced Light Water Reactors (ALWRs)

SUBJECT: SUMMARY OF MEETING (VIDEO CONFERENCE CALL) TO DISCUSS THE REGULATORY TREATMENT OF ACTIVE NONSAFETY SYSTEMS IN ADVANCED LIGHT WATER REACTOR (ALWR) DESIGNS

On January 15, 1993, members of the U.S. Nuclear Regulatory Commission (NRC) staff and representatives of the Electric Power Research Institute (EPRI) conducted a video conference call to discuss the regulatory treatment of active nonsafety systems in ALWR designs. The video conference call originated from the EPRI offices in Washington, D.C. and from the EPRI offices in Palo Alto, California. lists those personnel present in the video conference facilities during the conference call. contains copies of the material presented during the conference call.

A representative from Brookhaven National Laboratory (BNL) presented results of its ongoing NRC-supported efforts to identify key systems and phenomena and develop associated performance objectives for ALWR designs. The BNL representative indicated that a 'safety case' should be developed for systems in terms of a specific set of complete success paths. This 'safety case' can indicate which systems would require regulatory oversight and can demonstrate the options for vendors when considering performance goals. A simplified importance ranking is not sufficient. Potential containment performance objectives were discussed.

The NRC staff discussed its position on regulatory oversight and clarified its intent for considering the scope of regulatory oversight for nonsafety systems and equipment.

EPRI representatives indicated that they wanted to ensure that the staff and EPRI were trying to meet the same criteria. EPRI representatives provided an example, derived in part from staff requests for additional information from its review of a vendor application, comparing requirements for active and passive containments. EPRI noted that it appeared that the staff may require passive plant containments to have a spray system, even if all current licensing and calculated dose criteria were found to be acceptable.

Representatives from EPRI, GE Nuclear Energy, and Westinghouse addressed questions to the staff regarding the staff's proposed approach for developing performance objectives and providing regulatory oversight. Several questions dealt with ongoing policy issues and were deferred for further discussion until the NRC/ALWR Steering Committee senior management meeting which is scheduled for January 22, 1993.

(Original signed by)
Thomas G. Hiltz, Project Manager
Standardization Project Directorate
Associate Directorate for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation

Enclosures: As stated

cc w/enclosures: See next page

DISTRIBUTION w/enclosures:
Central File; PDST R/F; TMurley/FMiraglia; DCrutchfield; PDR; WTravers; JNWilson; EJordan, 3701; PShea; JHWilson; HGraves; ACRS (11); GGrant, EDO; JMoore, 15818; JPartlow; SBajwa, 12G18

DISTRIBUTION w/o enclosures:
AThadani, 8E2; RBorchardt; THiltz; MRubin, 8E23; YGHsii, 8E23; TKenyon

OFC: LA:PDST:ADAR | PM:PDST:ADAR | SC:PDST:ADAR
NAME: PShea | THiltz | RWBorchardt
OFFICIAL RECORD COPY: MTGSMll5.TH

ALWR Utility Steering Committee
EPRI Project No. 669

cc:

Mr. E. E. Kintner
Chairman
Utility Steering Committee
Bradley Hill Road
Post Office Box 682
Norwich, Vermont 05055

Mr. John Trotter
Nuclear Power Division
Electric Power Research Institute
Post Office Box 10412
Palo Alto, California 94303

Mr. Brian A. McIntyre, Manager
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Post Office Box 355
Pittsburgh, Pennsylvania 15230

Mr. Joseph Quirk
GE Nuclear Energy
Mail Code 782
General Electric Company
175 Curtner Avenue
San Jose, California 95125

Mr. Stan Ritterbusch
Combustion Engineering
1000 Prospect Hill Road
Post Office Box 500
Windsor, Connecticut 06095

Mr. Daniel F. Giessing
U.S. Department of Energy
NE-42
Washington, D.C. 20585

Mr. Steve Goldberg
Budget Examiner
725 17th Street, N.W.
Room 8002
Washington, D.C. 20503

List of Attendees
NRC/EPRI Video Conference Call
Regulatory Treatment of Nonsafety Systems in Passive Designs
January 15, 1993

EPRI Offices - Washington, D.C.
Ashok Thadani, NRC/NRR
Mark Rubin, NRC/NRR
Tom Hiltz, NRC/NRR
Y. Gene Hsii, NRC/NRR
R. W. Borchardt, NRC/NRR
T. J. Kenyon, NRC/NRR
J. P. Wheeler, DOE
W. T. Pratt, BNL
Bob Youngblood, BNL
Russ Bell, NUMARC
Andrea Sterdis, Westinghouse
Cindy Haag, Westinghouse
Brian McIntyre, Westinghouse
Terry Schulz, Westinghouse

EPRI Offices - Palo Alto, California
John Trotter, EPRI
Chuck Weltz, EPRI
Ed Rumble, EPRI
George Bockhold, EPRI
Telmo Gabarain, EPRI
Jean-Pierre Berger, EPRI
Bob Berrykill, EPRI
Rich Burke, EPRI
Ted Marston, EPRI
Jeff Bacchler, GE Nuclear Energy
Bill Fleming, GE Nuclear Energy
Sandra Dettin, GE Nuclear Energy
Doug Gluntz, GE Nuclear Energy
R. H. Buchholz, GE Nuclear Energy

Identifying Key Systems and Phenomena And Developing Associated Performance Objectives For Advanced Passive Designs

R. W. Youngblood and W. T. Pratt
Safety and Risk Evaluation Division
Department of Nuclear Energy
Brookhaven National Laboratory
January 15, 1993

Focus of This Presentation
- Present an example of a logic structure for developing performance requirements for a complement of systems, possibly including more than passive safety systems
- Previous work suggested that dependence on passives alone would lead to extremely stringent performance requirements
- Previous work was not sufficiently detailed to serve as an example of how to identify candidates for oversight, such as individual non-safety systems or areas in which safety systems might be challenged beyond their design bases
- A more detailed approach is needed, and one is outlined here
Note: Significant agreements must be developed regarding key phenomenological issues

Outline of Balance Of Presentation
- Mention Selected Key Issues
  - What level of deviation is considered an initiating event for this purpose?
  - How much credit is given for future initiating event frequencies?
  - Why not just do importance analysis?
  - Basis for evaluation of containment response
- Steps in An Approach To Developing An Integrated Set Of Functional Performance Requirements
  - Develop a model (essentially, a set of event trees) of the necessary scope (out to "release")
  - Pick a set of success paths to rely on for achievement of CDF goal and large release goal.
  - For each system, structure, action, or phenomenon in the credited set, develop performance requirements
  - For each system, indicate the appropriate level of ITAAC, RAP, testing, and oversight
- Key Phenomenological Issues To Be Addressed

[Figure: event tree for a small leak. Headings: Rx Trip; Freq (small leak); P(failure to maintain inventory with non-safeties | small leak); P(failure to maintain inventory with ESFs and/or low-pressure active systems | small leak, failure to maintain inventory with high-pressure non-safeties); P(Containment Failure | ESF Failure), "Best Estimate" Phenomenology. Annotations: Credit not removed; Credit for non-safeties removed; Credit not removed.]

Sensitivity study described in EPRI presentation (systems in URD section 2.3.1) does not remove credit for containment systems, and only removes credit for non-safety makeup and non-safety DHR after reactor trip.

Formally, Simple Importance Ranking is Not Enough

Critical Limitation of Oversimplified Application of Importance Analysis
- Choosing only "important" systems for attention does not lead to a coherent policy: path sets may not be completed.
- It is difficult to make sense out of basing a safety case on fragments of path sets.
- Therefore, the complement of design elements should be specified in terms of complete path sets, which implies the set of systems being considered.
- If success cannot absolutely be guaranteed for some event in a path set for which credit is desired, then it is necessary at least to consider some programmatic activity to promote success of the event
- Even if some particular event in a path set is believed to be essentially certain, it is still useful to point out what path sets are being relied upon, in order to clarify the conditions under which other events in the path set are required to succeed.

Steps
1. Develop An Integrated, Complete, Realistic (Not Deliberately Conservative) Model Of Sequences
   - Span Full Power, Shutdown, & In-Between
   - Take Sequences Initiated At Full Power Down To a Demonstrably Safe State (not just 24 hrs)
   - Integrate Treatment Of Containment & RCS Phenomenology
   - Include Designated External Events At All Modes
   - Include All Key Parameters Back To Initial Deviation From Normal
2. Choose A Set Of Event Tree Success Paths To Rely Upon
   - The Set Should Be Redundant & Diverse
   - This Choice Dictates A Set Of Parameters, Functions, Systems,
   - Choosing Entire Success Paths Helps To Ensure That Contexts of System Challenges, Mission Success Requirements, And Prerequisites For System Operation Are Understood

How To Choose The Set Of Success Paths

An important Goal: The choice of success paths should lead to a collection of systems such that no one system is a "bottleneck" for any initiating event

One formal approach to the selection problem is: Require No Single Sequence Be Dominant
1. Identify all accident sequences in terms of all systems under consideration
2. Choose a frequency cutoff below which all individual sequences should fall
3. For each sequence, determine which combinations of credited systems would make it fall below cutoff
4. Logically combine all possibilities for all sequences, and rank the feasible combinations by cost

A completely deterministic analog of this method could be applied; replace step 2 with: Choose a deterministic paradigm such as "more than a single active failure," "Single active failure plus T-H anomaly," "Double Active Failure," ...

At this point, no basis has been developed for dictating any particular method for choosing the set of success paths. The goal of diversity is important.

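One way to carry out the formal selection steps above, as an added example that is not part of the presentation. The system names SS1, SS2, NS1 and NS2 are borrowed from the event-tree slide; every probability, frequency, cost and the cutoff are constructed, and an uncredited system is assumed failed.

```python
from itertools import combinations
from math import prod

# Constructed sample data: the presentation gives no numbers for this step.
# name -> (failure probability when credited, relative cost of oversight)
SYSTEMS = {
    "SS1": (1e-3, 4.0),  # safety systems
    "SS2": (1e-3, 4.0),
    "NS1": (1e-2, 1.0),  # non-safety systems
    "NS2": (1e-2, 1.0),
}
# Step 1: sequences in terms of all systems under consideration.
# name -> (initiating event frequency per year, systems that must all fail)
SEQUENCES = {
    "small_leak": (1e-2, ("SS1", "NS1", "NS2")),
    "transient": (1e-1, ("SS1", "SS2", "NS1")),
    "loss_of_offsite_power": (2e-2, ("SS2", "NS2")),
}
CUTOFF = 5e-7  # Step 2: per-sequence frequency cutoff (per year)


def sequence_frequency(name, credited):
    """Frequency of one sequence; an uncredited system is assumed failed (P = 1)."""
    ie_freq, mitigators = SEQUENCES[name]
    return ie_freq * prod(SYSTEMS[s][0] for s in mitigators if s in credited)


def dominant_sequences(credited):
    """Step 3: sequences that stay at or above the cutoff for this credited set."""
    return sorted(n for n in SEQUENCES if sequence_frequency(n, credited) >= CUTOFF)


def feasible_combinations():
    """Step 4: every credited set with no dominant sequence, cheapest first."""
    names = sorted(SYSTEMS)
    found = []
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            if not dominant_sequences(set(combo)):
                cost = sum(SYSTEMS[s][1] for s in combo)
                found.append((cost, combo))
    return sorted(found)


if __name__ == "__main__":
    # Crediting only the safety systems leaves two sequences above the cutoff.
    print("pure safety case leaves:", dominant_sequences({"SS1", "SS2"}))
    for cost, combo in feasible_combinations():
        print(f"cost {cost:4.1f}: credit {', '.join(combo)}")
```

With these constructed numbers the cheapest feasible set credits NS2 alongside both safety systems, so NS2 becomes a candidate for oversight while NS1 does not.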
Steps (continued)
3. Develop Performance Goals For Each Element Of The Set (Including Initiating Event Frequencies, Maintenance Unavailabilities)
   - The collection of goals is intended to promote fulfillment of overall core damage & large release goals
   - This is where Importance Ranking Comes In
4. For Each Performance Goal, Develop a (Graded) Review, Demonstration, and/or Monitoring Basis For Promoting The Fulfillment Of The Performance Goal
   - No such thing as no review/monitoring of a given element in a chosen success path
   - But the approach to review/monitoring would be determined in part by the stringency of the performance goal developed for that element
Steps 3 & 4 could be done iteratively, and level of credit taken for a collection of elements might be adjusted to reduce burden of demonstration, monitoring, review

[Figure: event tree. Column headings: Initiating Event; Safety Systems SS1, SS2; Non-Safety Systems NS1, NS2. Branches are labelled Success and Failure. Branch labels: F(IE, SS2); F(IE, SS2, NS1); F(IE, SS1); F(IE, SS1, NS1). End states:
A: OK, Pure Safety
B: OK, Credit for NS1
C: OK, Credit for NS2
D: Not OK
E: Marginal, Credit for NS1
F: Marginal, Credit for NS2
G: Not OK]

Pure Safety Case: Calculated OK = A; Calculated Core Damage = B+C+D+E+F+G
Pure Safety + NS2 Assuming SS1 Success: Calculated OK = A+C; Calculated Core Damage = B+D+E+F+G

Importance-Based Rules Of Thumb For Choosing Performance Requirements
- Try To Choose System Failure Probabilities Such That No System Has Both A High Fussell-Vesely and a High Birnbaum
- Preferable Not To Have Any System With Too High A Fussell-Vesely
- High Birnbaum Corresponds To High Reliability Performance Requirement
- Compare P(X) with Goal/B(X). Generally, Want P(X) << Goal/B(X). Otherwise, X is using up too much goal.

Example Of Choosing Success Paths: IORV in SBWR

[Figure: success-path diagram with columns Initiating Event, Makeup, and Containment Heat Removal. Labels: IORV; CRD; SPC; DPVs; GDCS + Equalizing; PCC.]

- The chosen (marked) success paths on the ETs correspond to this.
- These are the items that need oversight.
- Every ET can be marked up similarly, leading to a similar diagram.
- The diagram shows that there are no system bottlenecks, and that there is diversity in each area.
- Note that just taking credit for CRD (and not SPC) based on an incomplete importance analysis would leave that path hanging.
- Containment ETs (next portion of talk) are implicitly included here.
- So far, this is actually deterministic.

[Figures: event-tree pages from the SBWR Standard Safety Analysis Report (5A5113 Rev. A); contents not legible in this copy.]

[Figure: SBWR, PRA Case, Large Release Goal. GE: isol .23, tw .12, ttbyp .67, losp .24, sw .049. Legible labels: SPC 1.00E-2; CRD; Requirement; Deluge?; Basically, ADS take the loads; Challenge (Leakage + reseat); LPM with containment failure afterwards; Class 2 ATWS Sum: FWRB + SRVs Open + SLCS + ADS Inh + IC; ATWS either stays at HP or dilutes boron; HPM. The remaining numeric values cannot be matched to their labels in this copy.]

[Figure: SBWR, PRA Case, Core Damage Frequency, Internal Events. Legible labels: Need ADS; Inputs; Can't remove; Transient init (GE number); Credit for CRD mitigation of leakage; Incipient ADS Challenge; LOCA initiator; LOCA freq (GE number); CRD*SPC path (input); ECC; Sum; Requirement; Suppression; DPV Failure. The numeric values cannot be matched to their labels in this copy.]

Steps in Identifying Performance Objectives

[Flowchart boxes:
- Develop really complete ET model
- Considering Cost, etc., Choose a Set of Success Paths For Which Credit is To Be Taken, and Corresponding Assurance Activities Undertaken
- Pick System Performance Goals Which Satisfy Overall Performance Goals
- Are System Goals Credibly Satisfiable? Consider T-H Uncertainty, Component Reliability, ...
- (Yes) Determine Necessary Assurance Activities]

Phenomenological Issues
- What features/phenomena could be credited in order to develop parallel success paths in containment phenomenology?
  - For example, in Class II sequences, what phenomena could be invoked to argue that Class II events will not lead to large release?
  - What design features, demonstrations, analyses, ... need to be carried out in order to develop confidence?
  - The level of reliability achieved by these demonstrations is coupled to the requirement on PCC reliability
- What features/phenomena must be credited in order to allow containment to perform as required, given a low-pressure melt?
  - Need to consider performance of containment heat removal in the presence of non-condensibles, ex-vessel FCI, debris-bed coolability, ...

Class II Sequences
- Failure of containment heat removal leading to containment overpressurization, core still being cooled
- Previous presentations basically counted Class II events against Large Release Goal; containment failure assumed to lead to core melt
- The subsequent evolution depends on how the containment structure fails
  - Can the upper drywell head be considered a kind of rupture disk?
  - What are the requirements on inventory makeup after drywell failure? What systems must be invoked to meet this requirement?
  - Under what conditions could wetwell failure be tolerated?

Class II Sequences (continued)
- Previously ("SBWR, PRA Case, Large Release Goal"), PCC requirement was derived from 3E-2 incipient ADS Challenge, assumed 1E-2 performance of SPC, and Class II allocation of 1.5E-7
- Credit for core cooling after containment failure could lead to relaxation of the requirement on PCC

Containment Performance After Low-Pressure Melt
- Previously ("SBWR, PRA Case, Large Release Goal"), the retention function was assumed to be challenged at the CDF goal rate (4.5E-5), and conditional failure probability under these conditions was allocated 3.3E-3, so that contribution of these sequences would be less than 1.5E-7
- How to achieve 3.3E-3?
  - Can in-vessel retention be credited?
  - What extra challenges are posed to containment after core damage, even if it is retained in the vessel?
  - What extra challenges are posed to containment if core debris penetrates vessel?

Containment Performance After Low-Pressure Melt (continued)

3.3E-3 = P(core in-vessel) × P(containment failure | degraded core) + P(vessel failure) × P(containment failure | core on the floor)

How to keep core in-vessel? Suppose that systems, demonstrations, etc. are developed such that
- P(core in-vessel) = .9
- P(vessel failure) = .1

Keeping core in-vessel may well require active non-safety systems

Containment Performance After Low-Pressure Melt (continued)

P(containment failure | degraded core in-vessel)
- In order not to threaten 3E-3, this needs to be < 1E-3
- 10CFR50 already requires demonstration of physical capability to achieve performance under these conditions
- For this plant, the demonstration either involves passive systems meeting this requirement, or invoking non-safety active systems

Containment Performance After Low-Pressure Melt (continued)

P(containment failure | core on the floor)
- In order not to threaten 3E-3, since P(vessel failure) assumed .1, this must be ~ E-2
- Issues:
  - Performance of the flooding system
  - Energetic FCI's
  - Coolability of core debris
  - Non-condensible gas generation, effect on containment heat removal
- These must collectively amount to E-2 chance of failure, or non-safety active system will be required.

Summary
- Safety case should be developed in terms of a specific set of complete success paths
  - This dictates the systems which need oversight
  - It shows what the options are for vendors to choose performance goals
  - This allows for proper tradeoffs between different ways of accomplishing a function
  - It places each credited function in the context of the scenario-specific phenomenological challenge which must be met
- Essentially all of the containment issues mentioned here arise beyond the existing design basis, in regimes of significant phenomenological uncertainty

REGULATORY OVERSIGHT:
To ensure active system designs support identified needs and objectives.

a. Vendor's evaluation for selection, ranking and performance goals of important active nonsafety systems.
   - Review PRA and relative importance and performance goals of both passive and active systems, including methods of analysis, accident and transient scenarios, event trees, initiating event frequencies, systems performance goals, importance measures, and evaluation of achievability of each system performance goal, etc.
b. Active system, functional performance goals:
   - Review active systems/equipment design and arrangement for compliance with the performance reliability goals established based on their importance, challenges, and anticipated accident conditions and environment.
   - Review realistic thermal-hydraulic analyses to demonstrate active systems capabilities that are relied upon to provide protection against the challenges identified in (a).
   - Review testing demonstrating system capabilities.
   - Review ITAAC of important systems.
c. Active systems operational phase requirements:
   - A QA program following the guidance of GL 85-06 and Regulatory Guide 1.155 for non-safety grade equipment used to cope with ATWS and station blackout, respectively.
   - A reliability assurance program for proper maintenance and surveillance, inservice inspection and testing, to ensure systems reliability is consistent with the determined goals.
   - Proper Technical Specification control for LCOs including allowable outage time, and surveillance requirements.
   - Proper configuration control for shutdown operations.

EPRI/NRC
Difference of Philosophy (RAI example)?

Passive Containment
- Heat removal by conduction & convection
- Source term reduction by entrainment & aerosol removal

Active Containment
- Heat removal by sprays or fan cooler units
- Source term reduction by sprays, entrainment & aerosol removal

Will a passive plant a priori have to have a spray system even if all current licensing & calculated dose criteria are found to be acceptable?

Advanced LWR Program

Regulatory Treatment of Nonsafety Systems
Passive Plant Concept and Approach
George Bockhold

ALWR Vision for Passive Plants (Commission briefing on 9/3/92)

Risk analysis of today's plants show:
- Important dependence on complex safety systems and operator response
- Crucial dependence on AC electrical power

For that reason, utilities require:
- Simplicity and margin, cornerstones of new designs
- Sharply reduced need for operator action
- Protection of public health and safety using passive systems to meet existing NRC regulations and safety policy, without reliance on active systems
- Use of simple, active nonsafety systems to provide additional margin and investment protection

We seek NRC agreement that such a plant is licensable, if performance requirements in Utility Requirements Document (URD) are met

Fundamental Elements for New Reactors (Commission briefing on 9/3/92)
- Passive systems alone meet all regulatory licensing design requirements for higher levels of safety
- Three major purposes for nonsafety systems
  - Complement safety systems to meet owner/investor requirements for higher safety
  - Have economic utility and improve flexibility in plant operation
  - Provide some temporary compensation when a safety system is in a limited condition for operation
- The ALWR Reliability Assurance Program provides for maintaining both safety and nonsafety high performance standards with appropriate regulatory oversight

Passive ALWR Licensing Bases
- Address traditional deterministic licensing regulation modified by optimization subjects and enhancements such as severe accident requirements. Passive safety systems have robust performance requirements; a couple of examples are the following:
  - General Design Criteria are addressed including redundancy and single failure criteria
  - Conservative analyses are performed for licensing design bases (LDB) events
- Diversity for the Passive ALWR is similar to the Evolutionary ALWR licensing considerations
  - Decay heat removal, inventory makeup and ATWS have similar diversity (diverse systems are required in the URD)
  - Designers must demonstrate that common mode failures do not compromise ALWR goals, CDF < 1.0E-5 per plant-year or 25 REM release < 1.0E-6 per plant-year

Commission's Safety Goal Policy Statement
- ALWRs address the Commission's Safety Goal Policy Statement by confirming that a probabilistic risk assessment (PRA) sensitivity study, assuming no credit for nonsafety defense-in-depth systems after trip signal, meets this goal (<1.0E-4 per plant-year CDF, large release <1.0E-6 per plant-year)
- Best estimate analyses are used for PRA goals
- Nonsafety systems reduce the risk of transient challenges when they can be terminated by a controlled shutdown
- Best estimate credit is given to containment performance for severe accidents
- Method for determination of performance/reliability goals

Test and Analysis & Adverse System Interaction Requirements
- Test (for code verification) and Analysis programs must demonstrate that the physical phenomena and safety systems/components will function as intended for design basis accidents and transients
- Transients and accidents considered in PRA evaluations must be based upon appropriate engineering analyses which provide justification that physical phenomena and systems/components will function as intended
- Evaluations of both design basis and beyond design basis (PRA) transients and accidents will be made to investigate and address system interactions including operator response
Requirements that the Designer must demonstrate compliance with for Design Certification

Regulatory Treatment of Nonsafety Systems
- URD requirements for defense-in-depth systems
- DSER issues concerning defense-in-depth systems
- PRA study to assess passive safety systems
E. Rumble

Defense-in-Depth Systems
Defined in Chapter 3, Section 2.3.1
- Reactor coolant makeup function
  - Chemical Volume & Control System (PWR)
  - Control Rod Drive System (BWR)
- Reactor decay heat removal function
  - Reactor Shutdown Cooling System (BWR & PWR)
  - Reactor Water Cleanup System (BWR)
  - Steam Generator Backup Feedwater System (PWR)
- Spent fuel decay heat removal function
  - Fuel Pool Cooling and Cleanup System (BWR & PWR)
- Systems and structures needed to support the defense-in-depth missions of the above systems

Passive Plant ALWR Requirements for Defense-in-Depth Systems*
- Arrangement and radiation shielding to permit access for operation and maintenance to permit recovery from non-accident events leading to operation of the PSIS & PDHR systems
- Systems and required equipment identified for use as part of the Severe Accident Management Program shall meet equipment survivability requirements specified in Chapter 5, Section 2.4.3.4
- Redundancy provided assuming a single active failure of equipment which must change state or position to perform its defense-in-depth function
- Ensure that specified design limits for plant Infrequent and Moderate Frequency events defined in Chapter 1, Section 2 are not exceeded without reliance on safety systems except the RPS
* Chapter 3, Section 2.3 unless noted otherwise

Passive Plant ALWR Requirements for Defense-in-Depth Systems* (continued)
- Employed to the extent necessary to ensure that depressurization is a very low probability event
- Serve as the first line of defense for pipe breaks for 3/8-inch or less inside diameter pipes
- Electric power availability from both normal station ac power and the on-site nonsafety ac power supplies
- Electric power to redundant equipment (or trains) should be separated to the extent practical (i.e., power from separate buses)
- Redundant component protection against internal flooding and in-plant hazards (Also Chapter 9, Section 3 for fire protection)
- Analysis and testing to demonstrate system capability to satisfy its defense-in-depth requirements
* Chapter 3, Section 2.3 unless noted otherwise

Passive Plant ALWR Requirements for Defense-in-Depth Systems (continued)
- Nonsafety structures and equipment designed for seismic requirements in accordance with the UBC of Zone 2A (Chapter 1, Section 4.3.2.3)
- Nonsafety structures designed for extreme winds in accordance with Chapter 1, Table 1.2-6 and Section 4.5.2.1.2
- Requirements specified in the URD are the minimum to be provided. Plant Designer may add further requirements and features as determined by analyses and as necessary to meet ALWR Passive Plant safety and investment protection goals (Chapter 3, Section 2.3.3)
- Design requirements throughout Chapters 1, 2, 3, 4, 6, 7, 8, 9, 10 and 11 on the defense-in-depth systems and their support systems

DSER Issues
DSER issues related to design requirements for defense-in-depth systems
- Scope and degree of redundancy and separation
- Methodology to identify most limiting single active failure
- Degree of fire protection provided
- What initiating events and plant upsets considered to demonstrate that the non-safety systems meet their defense in depth roles
- Quality assurance provisions
- Reliability of support functions such as ac power
- Use of non-safety reliability data for the PRA
- Inservice testing requirements
Staff evaluating functional performance requirements, acceptance criteria and other design guidance to assure systems available

Use of PRA to Support RTNSS Issue

Background
- The basis for the RTNSS issue is defined only in general terms. There are three elements to this issue.
  - Adequately demonstrating the functionality of the passive systems to the confidence level required
  - Design and operations requirements for active defense-in-depth systems
  - NRC involvement/oversight for defense-in-depth systems
- Defense-in-depth (DiD) systems are designed for operational missions
  - Their availability following the onset of PRA initiating events is a question of the NRC reviewers
  - NRC reviewers indicated (DSER for Volume III of the URD) that they wish to review DiD systems for "1E-like attributes"

RTNSS & PRA (continued)

In response to the NRC approach to this issue, the ALWR Program provided the following at the Commission Briefing of September 3, 1992:

"Safety features ensure the protection of public health and safety consistent with the Commission's Safety Goal Policy Statement, and this is to be achieved without reliance on auxiliary (active nonsafety) systems. Probabilistic risk analyses demonstrate that passive designs meeting these requirements are consistent with this safety goal requirement."

PRA Study to Assess Passive Safety Systems
- Motivation for analyzing passive designs without credit for DiD systems
  - Since the DiD systems are designed for operational missions, their availability following the onset of PRA initiating events is a question of the NRC reviewers
  - To learn more about the response of the safety systems to PRA initiating events a study is defined where the DiD systems are not credited after trip
- PRA approach to assess designs without credit for DiD systems
  - Start with a baseline Level 3 PRA that considers internal and external events at power and during zero power operations
  - Remove the effect of the DiD systems defined in Volume III, Chapter 3, Section 2.3.1 of the URD from the event tree models by setting their unavailability to 1

PRA Study to Assess Passive Safety Systems (Continued)
- Initiating event frequencies are not altered since the DiD systems are available for their operational missions
- Analyze the Level 3 PRA models for internal and external events and power and zero power operations based on the revised event trees
- Study the defense-in-depth capability of the safety systems
- Assess the level of safety achieved without credit for the DiD systems
- Examine the need for DiD systems' missions to back up the safety systems after a trip