ML20128E853

From kanterella
Jump to navigation Jump to search
Summary of 921112-13 Meeting W/Ge Nuclear Energy in San Jose,Ca Re Issues Related to ABWR PRA
ML20128E853
Person / Time
Site: 05200001
Issue date: 02/05/1993
From: Poslusny C
Office of Nuclear Reactor Regulation
To:
Office of Nuclear Reactor Regulation
References
NUDOCS 9302110106
Download: ML20128E853 (60)


Text

_ _ _ - _ _ _

February 5, 1993 l s f

Docket No.52-001 APPLICANT: GE Nuclear Energy Company (GE)

PROJECT: Advanced Boiling Water Reactor (ABWR)

SUBJECT:

MEETING WITH GE ON NOVEMBER 12 and 13, 1992 A public meeting was held between the Nuclear Regulatory Commission (NRC) staff and GE Nuclear Energy (GE) at the GE office in San Jose, California, on November 12 and 13, 1992. The purpose of this meeting was to discuss issues related to the ABWR probabilistic risk assessment (PRA). Areas of discussion included final safety evaluation report open issues, PRA-based seismic margins analysis guidance, PRA insights, inspections, tests, analyses, and acceptance criteria, internal flooding, fire water systems (including GE design changes),

reactor water cleanup loss-of-coolant accident (subcompartment analysis),

reliability assurance program, shutdown reliability study, and GE's submittal schedule.

The enclosures listed below are maintained in the project directorate file- and copies will be provided upon request.

This was a working level meeting which was used to clarify staff questions and c neerns.

Origixd Signed By-Chester Poslusny, Project Manager Standardization Project Directorate Associate Director for Advanced Reactors and License Renewal Office of Nuclear Reactor Regulation

Enclosures:

1. List of Attendees
2. AWBR Seismic Margin Analysis
3. Responses to NRC ABWR PRA Questions of October 29, 1992 4 Draft Appendix 19.K on PRA input into reliability assurance k

cc w/o enclosures: ,,

~~

See next page DISTRIBUTION w/o grtclo2!rM:

1 Docket Filew/el.' PDST R/F, w/ enc 1. TMurley/FMiraglia JPartlow PDR w/tel, DCrutchfield WTravers CPoslusny, w/ encl.

BHuffman GKelly, 10E4 EJordan, MNBB3701 JMoore, 15B18 SNinh PShea, w/ encl. SBajwa,12G18 GGrant, EDO ACRS (11)

  • See previous concurrence 3 0FC: LA:PDST:A R PM:PDST:ADA *ADT:SPSB [PD DAR NAME: PSheag ' BHuffman:tz//7 GKelly J ilson DATE: 02/t\ rir 02/4 /93 G we.g 02/01/93 02/{/43 0FFICIAL RECORD COPY: MTGSil23.BH 1

$k kSo g 4 ,p

GE ABWR PRA MEETING NOVEMBER 12 and 13, 1992 NAME 9RGANIZAT10ti G. Kelly NRR/ADT/SPSB J. Duncan GE L. Frederick GE A. McSherry GE B. Raftery GE S. Visweswaran GE

0. Gokcek GE ~

I Enclosure 1

f

- GE' Nuclear Energy _. Docket No.I52-001 cc: -Mr. Patrick W. Marriott, Manager- Mr.-Joseph Quirk Licensing & Consulting Services GE Nuclear Energy

--GE Nuclear. Energy General Electric Company 175 Curtner Avenue 175:Curtner Avenue, Mail-Code 782 San Jose, California 95125 San Jose, California 95125 Mr. Robert Mitchell General. Electric Company .

175 Curtner Avenue '

San Jose, California -95125 1 Mr. L. Gifford, Program Manager Regulatory Programs GE Nuclear Energy .

12300 Twinbrook Parkway Suite 315 Rockville, Maryland 20852-Director, Criteria & Standards Division Office of Radiation Programs U. S. Environmental Protection Agency 401 M Street, S.W. ,

Washington, D.C. 20460 Mr. Daniel F. Giessing U. S. Department of Energy i NE Washington, D,C, 20585 4

Mr. Steve Goldberg 1 Budget-Examiner

~

725 17th Street, N.W.

Room 8002 Washington, D.C, 20503 c

Mr. Frank A. Ross U.S. Department of Energy, NE-42 Office of LWR-Safety and Technology 19901 Germantown Road Germantown, Maryland 20874 5 Mr. Raymond Ng 1776.. Eye Street, N.W.

Suite 300 Washington, D.C. _20006 Marcus A. Rowden, Esq.

Fried, Frank, Harris, Shriver & Jacobson 10_01 Pennsylvania Avenue, N.W.

Suite 800. e Washington, D.C. 20004 Jay M. Gutierrez, Esq.

Newman & Holtzinger, P.C.

1615 L Street, N.W.

Suite 1000' Washington,_D.C. 20036

o.

A%W?. S E\S Mi L M A t.6ita AnAt.ysss Ac.cd d ust St.goencq. RC.LPF Hc.L9F ddbd T-P w'Ak T9 I o.60 0.60 J 0.45 6.3&

3 Q .9 \ o.Si 4 t .i s i .i s a s o .% 0. Ti a C 0. %3 0. ti 7 o.3) o.Si , ,

S \ .\ 9 t. \ %

4 3 0. 5 % 0 T1 ,

tb o.75 o *75 0 0.56 6.56

\2. 1. b % t.os 13 \ . b 2. ) . o s, 14 i.2 7 1. r7

.+ 15 1.65 \ . ts a 16 c . 9 3- 0.32 3 11 0,b S o.35

\1 -- ~

x e 0.h t - 0.15 x 2.0  ;. o,ca \ o. 5 o w 2_ t O . oJ1 o.77 22 - -

t la _ o. t_S 2/+ o 6i 0.61 '

As 0.7 b 0.~75 Enclosure 2

li it OV ABWR SEISHIC MARGIN ANALYSIG WITil RANDOM FAILt1RE WITl100T RANDOM F7 ILURE ACCIDENT CLASS llCLPF MED CAP. 14G STD. IICLPF MED CAP. 14G STD.

(in G) (in~G) (in G) (in~G)

IA 0.630 1.34 0.326 0.632 1.35 0.325 IB-2 0.603 1.31 0.334 0.604 1.31 .0.333 IC 0.816 1.32 0.206 0.832 1.34 0.204 e

ID 0.884 1.44 0.209 0.918 1.47 0.202 IE 1.03 2.13 0.313 1.03 2.13 0.313 IV 0.600 0.97 0.206 0.602 0.97 0.206 IA-P , IE-P 0.889 1.45 0.210 0.8t3 1.45 0.2S9

/

r :.

y qv H ,

-l

,o~ .

ABWR STRUCTURES, SYSTEM, AND COMPOWENT FRAGILITY SYSTEM / COMPONENT MED CP LOGSTD NCLPF FAIL. Pros.T (A;) (a,) (in a)

1. Plant Ess. Structures (AI) 2.s .45 .te 0.0

-Reactor Building 2.8 .45 .98

-containment. 4.3 .44 1.56

-RPV Pedestal 7.9 .44 2.84

-Control Building 2.8 .45 .98

.33 2.46 b -Reactos Pressure

\% 'IQvaVessel 5.3 ,

wkl 9m,A , W f'^ 0 ** * *} *

2. Support Systems (PW)

AnAC_Powu jAD1 11 .45 .39 1.GE-3 *

-Diesel Generator 1.5 .50 .47 c.it !, #v$ra $

_/ -Transformer (480 V AC) 1.1 .45 .39.

-Motor Control Center 1.5 .50 .47 i

-Cable Tray 3.0 .60 .74

( -Relay Switch 2.0 .50. .01  :

sv .se 50 k d an tu_Matar tsW) ta_ .45 .is 9.7E-5

\(/ -Transformer 1.1 .45 .39 g/ 5,li. tai %s

-Motor Control Center 1.5 .50 .47

-Pump (Motor Driven) 1.6 .45 .56 '

-Heat Exchanger 1.4 .45 .49

-Valve (Motor Operated) 3.0 .60 .74

-Check Valve _ 3.0 .60 .74

-Room Air Cond. Unit 1.2 .50 .38 ,

-Piping 3.0- .60 _.74 1.5 .45 .53 7.25-6-[

L_DS._Povey(DCP)ho

  • Batteries & h 1.5 .45 .53 5,,,fl%'t *
  • Inverter F 1.1 .45 .39 y (Ac[hi '

tc% 1

3. High Pressure Core Floder (UN) 1.5 .45- .56' 2.75-3

-Pump.(Motor Driven) 1.6 - .45 .56

-Injection Valve (Motor op) 3.0 .60_ .74

-HPCF Piping. 3.0 .60 .74

4. Reactor Core Iso. Cooling (UR) 2.0  :

.45 .70 5.0E=2'

-Pump (Turbine Driven)- 2.0 .45 .70

-SteamcSup. Valve.-(MO) .3.0 -.60 .74: e

-Discharge Valve (MO) 3.0 .60 -.74

-Min Flow Valve (MO) 3.0 - .60 .74

-Check _ Valve 3.0 - .60 .74:

-RCIC Piping- 3.0 .60 .74 i

t

4 U $ P' SYSTEM / COMPONENT MED_CP LOGSTD HCLPF FAIL. PROB (n ,) (B ,) (in G) 0

5. Low Pressure Core Floder (V) 1.6 .45 .56 3.1E-4

-Pump (Motor Driven) ^ 1.6 .45 .56

-Check Valve 3.0 .60 .74

-Injection Valve (MO) 3.0 .60 .74

-Discharge Valve (MO) 3.0 .60 .74

-LPCF Piping 3.0 .60 .74

6. P.HR Heat Exchanger (HX) 2.0 .45 .70 6.0E-5

-Heat Exchanger 2.0 .45 .70

7. Reactivity Control Sys. (C) 1.2 .35 .53 1.0E-8

-Fuel Assemblies 1.2 .35 . 5 3'

-CRD Guide Tube 1.7 .36 .74

-CRD Housing 3.9 .46 1.33

-Shroud Support 1.9 .36 .82

-Hydraulic Control Unit 2.0 .50 .63

8. SRVs Close (PC,PC1) 3.0 .60 .74 2E-3,1E-1

-Safety Relief Valve 3.0 .60 .74

9. Depressurization (904X) 3.0 .60 .74 6.2E-6

-Safety Relief Valve 3.0 .60 .74

10. Level & Press. Control (LPL) 3.0 . 6'O .74 1.0E-2

' -Safety Relief Valve 3.0 .60 .74

11. Standby Liq. Cont. Sys. (C4) 1.1 .45 .39 1.4E-2 i -

-SLC Tank 1.1 .45 .39

-SLC Pump 1.6 .45 .56

[

?I'd, 3.0 .60 .74

-Valve (Motor operated) -

g .74 g -SLC Piping 3.0 .60 N

69,4 ((p T

s

  • 12 . Fire Water System (FW) 1.6 .45 .56 1E-3,15-1 s -FW Tank 2.1 .45 .79 s_ -Pump (Motor Driven) 1.6 .45 .56

-Injection Valve (MO) 3.0 .60 .74

-FW Piping 3.0 .60- .74

-Valve (Manual) 3.6 .60 .89

13. Condensate Injection (V2) 1.6 .45 .56 1.0E -Pump (Motor Driven) 1.6 .45 .56

-Injection Valve (MO) 3.0 .60 .74

-Piping 3.0 .60 .74 Note HCLPF = A,*exp(-2.326*Bc)

erbran wo4+ c o r .t m o og

%t-a e t r. r. c. n r. r. v! n $ r m o,.

.rypa nsonbtq, oooo ooooo o6666 c-L Y

a

.e

@:f OsasiOetstetst

' 5 # 4 0 4 F F o 0 *~

d i 0 0$ 21 F l 'S E d $9w $

== == == - == ===. ,.

j ,

~ ~ '

$ N Y "$ $

k y

~

I b k.. [

S d j

2. o 3 y =g ],

,x .

r ( $

  • ls ti -

0 k

'l l

8 .

35 o o $

_=

@ i d a &

O $8 _

- ,{lN

,ga d 3 !v!! _

l 3

4 w a:

8* $

o.

{

Ef e

o e i 4

e O gE 4

u. ff oA E

A- g

.A % Y

.k j' '

w,--- m--' y y. -

lI!' Il l1l,l 1l )l.l,! l l  ! l 1i L

' . . r AgsU m43 4 u wJ2n -

7 4.

4 c.d " j gd<PuO

/9 a 0 0 o -

/, _

s .

o S

g@0 S

A L

Gii o 4 3 g

i 2

9 C 6 2-E 6 Y t -

A

  • I TN A m $

7

' W l - SIO 2 n 6 E NT V E r EC E A S. O. DEJ R o 1 N OIN T C T -

N ..

E V

E L 1 M

F V A 5 P R

- L C

0 S H

T T

R S

UN A, W P

4 SIO X ,, O 7 ET O

- RA L PZ I

0 E(

y$u D 2 E

R U

G I

6 F H F 3- C U 5 E- P H

B 'J 1

O 2_ C R i

. C U E R o O.

6 SS E C 4 3- VO P ~

7 E RL SC .

O 0 ,

1 H

F "W TM I

T P D% WAR E .

L .

PC c 3 OS M L 9% ,

Ju,,\ max -

f.j ie _;

i .

g l

.#. I incare 0.53 -0.33 0.74 0 ~74 < 034 o S6 0 70 g..

1 s I bdow

~

'd 8

-~

L4 E-f_ n. O E--2 1,4 E-3 2. 7 E-1

1. O E - 1 T1
E\P4 . 0, O E-1.

i

, d J.

s F LOP SLC LEVEL AND SRFS INHIBIT HPCF RCIC CLASS S

. . WITHOUT PRESSURE CLOSE ADS d <"

. SCRAM CONTROL #

e-t) -

f

ATWS C4 LPL PCI' PA ps UH j

UR p

is O.70

. BC lo y 03%

i JI O.74

. lC i

H y 034 AL y O.~14 i.

l[

i:

A* y O.55 15 BC 055 L

FIGURE 3 ' ATWS (WITH LOP) EVENT TREE 6-26-92 y , ,, y - 5 ri.i #-r,mo-- # y -

.svg.e.. eo w, , , +.s :gnw. v ., , - e3 = 1 y ,--w+ y e -tos re-** =v u--- * .- ++, =w s ee w ir e wr r - r-#

e 11/10/92 RESPONSES TO NRC AllWR PRA QUESTIONS OF OCTOllER 29,1992 Question la The A11WR Shutdown Risk Evaluation (SRE) stresses the importance of having at least one offsite power, one diesel generstor, and the gas (combustion) tuttiine available at all times. This string of s) stems has a 3E 6 per week failure probability. (a) What is the basis for assuming that the gas (combustion) turbine will be available, gis en it is not covered by Technical Specifications?

Response la The combustion turbine generator (CTG) availability will te assured by plant specific administrative controls The COL Applicant must' ensure diat, for the sptems to te credited during shutdown, that all support systems inchiding pdwer are available as required for operation of the selected systems.

Question Ib What does GE recommend a utility applicant do if the gas (combustion) turbine or one of the other splems in the ' string

  • tecomes unasallable7 Response Ib if the CTO or other power source is not available, alternate power supplies (e g , a second EDG)1nust be made available to ensure that the conditional CDF of IE.5 is met.

Question le Dunng a shutdown oflonger than one weck, what assures that this " string" of equipment is actually available?

Response It Adtninistrative controls will ensure diat the equipment is not in maintenance. The equipment can fait due to random causes but our analpis look this into account when calculating the conditional CDF. Normal surseillance testing of the equipment is adequate to ensure availability.

~

Question 2a li appears that maintenance of the suppression pool was not modeled in the SRE. (a)

Explain how the need for a utility to drain down the suppression pool when in Modes other than full power is modeled in the SRE.

Response 2a in the SRE, w hen a sy stem is considered available, its support sy stem is also assumed to be available. Thus, the SRE implicitly modeled the availability of the suppression pool in that u hen systems were credited for meeting the CDF goal, the suppression pool was assumed available ifit were

  • required as a water source. Suppression pool maintenance can be completed when it is not required as a source of water.

Question 2b Provide the COL applicant with guidance on w ben it is appropriate from a risk perspectise to drain down the suppression pool.

Response 2b The Technical Specifications control the availability of the suppression pool for all Modes in uhw 4 is required. In Modes 1 l, ECCS is required at all times and so the suppression pool must be avahaNe. In Mode 5 prior to Dooding up the reactor cavity, the suppression pool is also required to be available since one ECCS train rnust be available. In Mode 5 flooded up, no ECCS is required and therefore the suppression pool is not required. From a risk perspective, this would tw the appropriate time to drain the suppression pool.

l Question 2e Indicate specifically w hat GE is recommending, if anything, to limit the potential risk during the period the suppression pool is lowered.

i Response 2e When the suppression pool water level is lowered, only syst:m(s) that do not require the suppression pool as a source of w ater (c E., condensate, fire water, Hr'CF, CRD) should te included in the minimurn set of systems required to meet the safety Eoal.

I Enclosure 3

- ~ _ . _ _ _ _ __

=

I 11/10/92 Question 2d Although the SRE did not model suppression pool maintenance / failure, the dran NSAC study on shutdown risk at Grand Gulf reponed Otat medium and large LOCAs o erwhelming dominated the core damage risk during the RF04 outage. Twice during this outage, Grand Gulf entered a plant configuration in which the upper containment and suppression pools were drained. LOCAs during periods with the reactor casity and suppression pool drained could cause failure of all ECCS. (d) Address the extent to which loss of the suppression pool influences the conditional core damage frequency estimates during modes other than full power and discuss potential operator errors that could encettate or mitigate this event.

Response 2d As discured in the response to Question 2c, it is GE's recommendation that the suppression pool be drained only in Mode $ when the reactor casity is flooded up and then systems be made available that do not require the suppression pool as a source of water. If this recommendation is followed, loss of the suppression pool due to drain down should have negligible impact on CDF. The ABWR has *nultiple sources of water in addition to the suppression pool (e g , fire water, condensate storage taak, hotwell) that can be used to inject water into the RPV if the suppression pool is lost.

The Grand Gulf PRA made some assumptions that GE does not consider appropriate for shutdown The major assumption that may ha$e led to the high CDF due to LOCAs while shutdown is that the probability of a LOCA while shutdown is the same as at power. The lower pressure and temperature during most periods of shutdown should result in a lower LOCA frequency, Also, the ABWR design contains sescral interlocks that make the probabihty of RPV drain down negligible.

Question 3 The staff finds the use of a IE-1 screening value too coarse to preclude large releases

, occumng with a frequency higher than IE 6 per > car. (Note that all core melts occurring with primary containment open (e g-, when in mode 6) are considered to te large relases as fission products will not be scrubbed.) Revise the SRE using a screening value of IE $ or lower. The staff considers IE $ to te an geceptable screening s alue since u hen it is combined with an assumed loss of decay heat removal frequency of 0.1 per year, it leads to a large release frequency of no higher than IE 6 per year.

Response 3 GE has recalculated the minimum sets of systems required to meet a conditional CDF of IE $.

Question 4 GE should make the assumed failure frequency of a single decay heat removal train (i c ,

0.1 per > car) a RAP item and reliability target.

Response 4 The loss of DliR frequency of 0.1 per year will be included as a RAP requirement.

Question 5 Provide cutsets for the dominant sequences.

Response 5 The dominant cutsets for cases using the IE 5 screening criterion will be supplied to the NRC.

Question 6 Justify the assumed maintenance intervals in the SRE during shutdown. Operating

' experience indicates that operating plants have longer equipment outages during modes other than full power than assumed in the SRE. For cumple, GE assumed a 10 percent likehhood that DilR train B would be unavailable due to maintenance for shutdown cooling. However, the draft NSAC shutdown risk report concluded that, during Grand Gulf's RF04 outage, train A of DiiR was unavailable for nearly $0 percent of the time due to train A doisional maintenance.

Response 6 In the SRE, GE assumed that all train B equipment including RHR was always available. Train C was completely unavailable (i.e.,in maintenance) and train A was operating. Systems 2

l/lW92 w ere thus either unavailable (i c , in maintenance) or available (i c., not in rd.otenance) and no other intermediate states were modeled RIIR A was then assumed to fail with a frequency of 0.1 and the CDP was calculated assuming availabihty of certain train B nstems and some non safety systems. All combinations ht resulted in a conditional CDF of less that IE 5 were included as a minimum set for the purposes of this study, Question 7 AC power requirements described on pages fi9 and 73 of the SRE seem to imply that two divisions of RlIR in the shutdown cooling mode are required 'o 'e operable, it would require that all three diesel generators be as ailable. This is because an isolation valve in the suction line in shutdown coohng train A is powered by a source from another division. The same is true for trains B and C. So for trains A and B to be operable, power sources from divisions A, D, and C would need to be operable.

Notice that the first five minimal sets listed en Table 19Q7.2 all require three ac power divisions. This design appears on the surface to potentially increase the estimated core damage frequency, Has GE determined that the threat from a potentially unisoable line break is more significant than hasing to have three disisions of electric power operable during modes other than full power? GE should verify these minimum sets to sertfy that the support system requirements associated with the identified configuradons are correct and should clarify the need to have SDC suction line isolation valves powered as they appear in the current design Response 7 The basis for evaluating the minimal sets of systems that could be as allable to meet the condidonal CDF criterion is that one division is operating and all equipment in that division, with the esception of the EDO, will not be in maintenance. One other disision. including its EDG, will be held in standby (i c., not in maintenance). The third division is assumed to have all equipment in maintenance.

Therefore , only one EDG is required to not be in maintenance at any given time during the outage. The CTG is assumed to always be available dusing shutdown.

For minimum sets using the RHR system, the operating RifA is assumed to be powered by otTsite power and the redundant RIIR system can also be powered by offsite power (if available), the CTG, or the EDG anociated with that division. The shutdown cooling isolation valve in the redundant division not powered by that dhisional power can also be opened manually if ofTsite power and the CTO are both unasailable. Adequate time is available to complete this operadon and the vahe is readily a:cessible during shutdown conditions.

Question 8a The success criteria in Section 19Q7 and the coriesponding event trees include several paths One path is direct decay heat removal from the reactor vessel using closed loop cooling like DilR or rextur water cleanup (CUW). This path requires that level, as measured in the downcomer, is sufficiently hi Eh to allow adequate recirculation between the downcomer region and the core, (a) Either jusuf> why lesel control was not addressed in the event trees or modify the event trees.

Response 8a Recirculation in the downcomer during Mode 4 will be assured by operadon of the RIPS w hich are required by Technical Specifications. Level control will occur by automatic injecdon of LPCF on low RPV lesel, in Mode 5, level contrel is assured since the reactor cavity will be flooded to at least 23 feet above the TAF, Therefore, level control was not explicitly modeled in the event trees.

Question 8b A second path is via coolant makeup using either HPCF, LPCF, condensate pumps, or CRD For this path, lesel control was modeled, but the source of energy removal from containment was 3

11/12/92 I

not addressed. It appears that die analysis assumes that injection systems would be used to pass two phase or steam flow through the SRVs back to the suppression pool. Uds method of core cooling assumes that the SRVs are available, which is not true for the entire outage (To Good the refueling casity, the vessel head is removed and the steam lines are plugged, resuldng in the SRVs being unavailable). Uds mode of energy removal using the SRVs would seem to require some type of wnlainment cooling to prevent containment oserpressurization. (b) GE does not appear to have considered SRV availability in its event trees. Justify this omission or modify your tscea.

Response Sh Die SRVs are required to be available in Modes 13 per Technical Specifications, it is ,

reasonable to expect the SRVs are available in Mode 4 because they will lift in the safety mode against spring pressure even if the power for the SRVs was unavailable. Only one SRV has to lift and it is not ,

credible to assurne that all SRVs would fall to lift. When the RPV head is removed and the cavity flooded, decay heat removal is accomplished by either the CUW or FPC (depending on the heat load) or if these are unavailable, by boiling of water in the RPV and make up via available irdection systems. -

Question 9a The staff has identified human errors (lies) as perhaps the single most significant contributor to shutdown risks. (a) The statirequests GE to preside an estimate of the contributlon ofifEs to coro damage frequency in modes other than full power. This can be done by extending the sensidsity analysis to identify and characterir.c th- leading lies.

Response 9a Several lies during shutdown have been identified (e g., failure to recognize the loss of operating RIIR loop and failure to actuate systems manually such as condensate, fire water, and reactor water cleanup). Other !!Es could potentially occur that have not been identifled but the ABWR design contains multiple systems and paths for decay heat removal and makeup such that these IIEs could be a mitigated. The methodology used in the SRE to detennine the minimum sets of systems that, if made available, could result in a conditional CDF of IE 3 does not allow for an er.thna"Jon of the contribution of lies to CDF during shutdown. But based on the availability of automade actuation of makeup from a systems such as RiiR and IIPCF and multiple alarms to alert the operator to potentially unsafe conditions during shutdown (e g., high RIIR temperature, high water level in sumps, fire detection, low RPV level, high area radiation, high neutron flu), the contribution ofIIEs to CDF during shutdown is considered low, Question 9b GE should discuss the tolerance of the ABWR to IIEs during modes other than full power, Response 9h As discussed in the response to Question 16a, the ABWR is reladvly insensidve to lies during shutdown due to muldple systems and paths for decay heat removal and makeup.

Question 9c GE should provide COL applicants with guidance for modes other than fhl! power regarding administrative controls, procedures, and Techrdcal Speelfications based on assumpdons and insights from the ABWR SRE.

Response 9e The insights gained from the ABWR SRE have been reported in 19Q.12, "Results and Interface Requirements", Based on responses to Requerts For Information (RAls), this discussion will te - -

expanded to in:lude addidonal guidelines on fire and flood protection dunng shutdown.

. Question 10a This question is asked in parallel with the Reactor Systems Branch. GE's analysis assumes that steaming is an acceptable method of removing decay heat if there is makeup availab!c, (a)'

Where would the steam go in Modes 4 and $7 a

4

. . 11/10/92 not addressed. It appears that the analysis assumes that injecdon sy stems would te ur,e4 to put two phase >

or sicam flow through the SRVs back to the suppression pool. This method of core ecoling assumes that the SRVs are avallable, which is not true for the critire outage (To flood the refueling casity, the vessel head is temoved and the steam lines are plugged, resulting in the SRVs twing unavailable). Tids mode of energy removal using the SRVs would seem to require some type of containment cooling to prevent -

containment overpressurization. (b) GE does not appear to have considered SRV availability in its event trees. Justify this omission or modify )out trees.

Response ab The SRVs are required to be asalfable in Modes 14 per Technical Specifications. It is reasonable to expect the 3RVs are available in Mode 4 because they will lift in the safety mode against spring pressure es en if the power for the SRVs wws unavailable. Only one SRV has to lift and it is not credible to assume that all SRVs would fail to lift. When the RPV head is removed and the cavity flooded, decay heat removal is accomplished by either the CUW or FPC (depending on the heat load) or if these are unavailable, by bolling of water in the RPV and make up via available injecdon systems.

Question 9a The staff has identified human errors (lies) as perhaps the single most significant contributor to shutdown risks. (a) The staff requests GE to provide an estimate of the contribution ofIIEs to core darnage frequency in modes other than full power. This can be done by extending the sensithity anal) sis to identify and characterite the leading IIEs.

Response 9a For the ABWR design, lies are not significant contributors to risk during shutdown due to the many systems and make up sources available to remove decay heat. Failure to remose decay heat would involve multiple operator errors in addition to failures of automatic s) stems (e g.,11CF). As discussed in Attachment 19Q,12, the most important element to controlling shutdown risk is adequate outage planning to ensure that s) stems are available (i e., not in maintenance) such that decay heat removal capability is assured at all times. The minimum sets described in 19Q.7 are examples of s) stems that, if made available, will ensure that shutdown risk les els will be acceptably low.

The most important }{E during shutdown, as discussed in 19Q.12, is the opetalor failure to recognize the loss of the operating RiiR system In this case, even if the operator takes no correctht ,

action, the ECCS systems will actuate automatically on low RPV water level.

~

Question 9b GE should discuss the tolerance of the ABWR to }{Es during modes other than full power, Response 9b As discussed in the response to Question 16a, the ABWR is relativly insensidve to IIEs during shutdown due to multiple make up systems and sources of water to ensure adequate decay heat removal capability.

Question 9c GE should proside COL applicants with guidance for modes other than full power regarding administrative controls, procedures, and Technical Specifications based on assumptions and .

insights from the ABWR SRE.

Response 9c The insights gained from the ABWR SRE have been reported in 19Q.12, 'Results and Interface Requirements *. Based on responses to Requests For Information (RAls), this discussion will be expanded to include additional guidelines on fire and flood protection during shutdown.

4

.*

  • 11/10/92 Question los This question is asked in parallel with the Reactor $3 stems Dranch, GE's analysis assumes that steaming is an acceptable method of remosing decay heat if there is makeup available. (a)

Where would the steam go in hiodes 4 and 57 Response loa in hinde 4, the stearn would tv directed to the suppression pool sia the SRVs. In hiode 5, the steam would enter the $ccondary containment. If the secondary coritainment pessare limit is exceeded, the steam would te released to the atrnosphere.

Question 10h What equipment would te subject to this steam emironment? 1 Response 10b Equipment in the reactor building including: CRD,CUW, RilR, IIPCF, and FPC.

-r Question 10e Would the stearn fail any equipment needed to keep the core cool?

Response 10e Some of the equipment that would experience the steam environmemnt are qualified for post LOCA harsh etnironment (e g , RilR, liPCF). The CUW and FPC systems are not ge!ified for a harsh environment but if boiling wcre to occur, either these s) stems had failed presiously (i e., successful operation would hase precluded boiling) or the decay heat load exceeded their capacity. In either case, -e failure due to the sicam environment is a moot point.

The CRD system is also not qualified for a harsh emironment but would be expected to operate for some period of tirne due to its hardy construcdon. The asailability of CRD would depend on the time since shutdown. After 14 days, the minimum time to boil (assuming the reactor cavity is flooded)is approximately 26 hours3.009259e-4 days <br />0.00722 hours <br />4.298942e-5 weeks <br />9.893e-6 months <br /> which is teyond the inission time. Therefore CRD would not be affected by the

. steam environment during the mission time. After 4.5 days the minimum time to boilis 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br />. After the initiation of boiling. it would take at least a few hours for the reactor building to completely fill with

\ team such that CRD operation may be irnpacted. As presiously mentioned, the hardy construcdon of the CRD pump and motor ghes assurance of operation for some period of time in a harsh emironment. It is espected that the CRD pump could te run intermittantly for a few hours to meet the mission Ume requirement. Therefore, the CilD sy stem can be expected to be available as a viable makeup source dunng the mdority of the outage even if all decay heat removal sources are lost and RPV boiling occurs.

During the first 4 5 days following shutdown, if the RPV head is removed (i e., hiode 5), it is good engineering praedce to delay maintenance on decay heat removal and makeup systems until the decay kat load is reduced Therefore sy stems such as CRD should not bc :elled upon for inakeup during this b>ief period ,

There would also be non safety related equipment in other buildings that would not experience the steam emironment and would be available for core cooling (e g., condensate,hre water, main condenser).

Adequate irijection and make up sources would be available for the ABWR following boiling in the RPV during hiode 5 to assure that the fuel in the core was covered with water at al! times.

Question 10(4) What areas, besides secondary containment, would the steam prevent operators from ,

entenng?

Response 10(4) There are no other areas in the plant that operators would have to enter to ensure continued decay beat removal that would contain steam caused by boiling in the RPV. -

Question 11a This quesdon is asked in parallel with the Plant S3 stems Branch. GE assumes that -

protection against floods is afforded during modes other than full power by keeping the watertight doors to 5

4

!!/10/92

?

one safety dhision closed As an example, Divisions B and C could have their doors at the +8200 level open, but Division A doors would have to be shut. Then a fimd occuring in B or C should only affect ,

these dhisions, and Dhision A should only be subject to random failures. (a) What are the consequences of a Hood beginning in Division A instead of B or C7 It is the strffs understanding that the water tight dwts are desif ned to open out under the head of water, allowing water to spill into the hallway common i to the safety divisions Would the water tight doors of Division A open as they are designed and flmd Dhisions B and C tm?

Response lla The waterught doors on the first Door of the reactor building that separate the three ECCS tmms are designed not to open under a head of water in the room and allow water to spill into the common corridct. The seals on the ECCS toom watenight doors are designed to seat with water pressure due to wster in the common corridor to ensure that flood waters will not enter the ECCS toom and damage safety related equipment.

For flooding in a dhisional room, the door seals may leak allowing a small amount of water (i e.,5 10 GPM) to enter the cominon corridor, but this small Dow rate would not be a flooding concern Upon detection of flooding in a divisional room, the operators would be required to restore the integrity of any open dhisional room barriers before attempung to open the door to the flooded dhisional room. This requirement will be listed as a COL Action item.

Question !!b If die flood were to occur in Dhision B or C, what asseres that the equipment in DMsion A is available. particularly since GE's analysis assumes om train of ac power is available?

~

Response !Ib As discusud in the ABWR Shutdown Rhk Evaluation (Attachment 19Q), it is GE's recommendation that equipment in only one dhision be scheduled for maintenance at a time. Therefore, one dhision would be operating with the RHR systera in the shutdown cooling mode, one dhision would be scheduled for mainter ance, and the third dhision would not be in maintenance. Thus two trains of ac power would be available (i c., the operating dhision and the dhision not in maintenance). This does not mean that two EDGs must be available. It is asrumed that the EDG for the redundant train is available but the EDG for the opere!!ng train can be in maintenance. The CTG is always assumed to be available during shutdown. This nms that during shutdown, four sources of power are normally available (i e.,

two from offsite power, one EDG, and the CTG).

If flooding were to occur in Division B or C (the non-operating dMsions), Dhision A equipment is assured of being available as they are part of the operating dhision and by administradve procedure would not be in maintenance.

Question 11e llow are the insights from the internal Good analysis Oed lato the ABWR shutdown T.S.7 Response lle The insights from the intemal Good analysis are intinded to aid the COL Applicant in preparing administrathe guidelines to ensure that the risks from internal flooding are negligible. The results from the internal flood analysis indicate that no add;donal T.S requirements are needed for the -

ABWR. The current T.S. are adequate to ensure that internal flooding can be mitigated for the ABWR.

Question !!d it is typical during shutdown operations far there to be increased wood, plastie, paper, st3 rofoam, and other Goatable objects in the reactor, turbine, arid contrc1 buildings. Describe how your intemal Gooding analysis has considered the increased possibility of drains becoming plugged or sump pumps becoming disabled from floating debris.

6

l 11/10/93 Response tid The analysis did not take eredit for operado.. of sump pumps. It was assumed that the ,

sump pumps did not operate. The turbine building is a large structure with many openings for water to Dow freely between floors. Floor drains are not typically required to mitigate flooding in the turbine building The control building does not contain any high now/la- . ms alde the ist l floor that could cause interdnitional flooding concerns if drains were to t,. ,ged. If4 rains were to become plugged, equipment mounted on pedestals, sills at entrances to dhistonal rooms, and floor drains in all rooms uould tw adequate to ensure that any potential flooding source would be directed to the first Door before equipment could be darnaged (i c., some back up of water may occur, but the water level would not nse high enough to affect safety related equipment)

In the reactor building, additional backup drains have teen installed, based on i.asights l from the flood PRA, to ensure that potential plugging of some drains would not result in damage to any safety related equipment Also, as is the case for the control building, equipment is mounted on pedestals so that small accumulations of water will not damage equipment.

Question 11e GE states on page 38 of the SRE that 'an analysis has been completed . . no more than one safer) division would be affected by water da nage from any posiuiated ficod " This statement contradicts other information GE has supplied the staff on internal floods. Please explain.

Response lle This statement applies to operation at full power. The internal flooding analysis shows that with all three divisions initially available, it is highly unlikely that any flood could alTect more than one safety division. The only possible exception would be flooding in the RSW/RCW room of the control building where multiple equipment and operator errors would have to occur over a period of more than

' one hour in order to Good more then one RSW/RCW toom. The probability of this occuring has been estimated to te less than IE 10 per > car and is thus a negligible contributor to plant risk.

, For shutdowin conditions, it is possible that flood barriers betwm two dhisions rnay be open such that flooding in one dhision could affect equipment in the other dhision, in this case though, ndministrathe controls would require that the third dhision be available and its barriers intact to ensure continued decay heat removal capability. If random failures were to occur for equipment associated with the intact dhision, other equipment such as the main condenser, condensate, or fire water could be used to assure continued decay heat removal, See the response to question 12 for additional discussion on systems available during shutdown to mitigate common cause initiadng events. '

Question 12 This question is asked in parallel with Plant Systems Branch. A probabilistic analysis of the risk of fire during modes other than full power was not included in the SRE. Provide a systematic, quantitative anal) sis of fires during shutdown similar to that requested for internal floods in question 11 above.

Response 12 During shutdown, it will te the responsibility of the COL Applicant to ensure that one dhision of safety equipment is available with its fire / flood barriers intact In addition, as discussed in "

t 19Q 7.9.1, a specified number and type of systems must be available to ensure that the conditional probability of core damage due to a loss of decay removal is lower than IE 5, Tables 19Q.7 2 through e

10Q 7-4 could be used as guidance to determine what systems could be made available to meet the IE 5 criterion for other postulated esents during shutdown. These Tables indicate that the safety criterion can be met if one RHP. loop and two additional injection sourecs are available.

l Ifit is assumed that the fire was in the intact dhision, the fire would be contained to that dhision and the i operating RHR loop, reactor water cleanup, and CRD would be available for decay heat removal.

7

f , , 11/10/93 If a fire occurs in one of the other two divisions and the barriernte breached, the Gre damage would depend on the location of the fire The worst case would be a nte in the common corridor of the first floor in the reactor building and the intact disition was "A". In.tfis case, the postulated Dre could damage not only RliR sy stems in two divisions, but may also damag/ reactor water cleanup and CRD. Herefore, RilRA would be the caly ECCS sptem available sincykCIC, which is the division A high presa injection source, is not available during shutdown One system that is alwa)s available is the fire wafer systern. Whlic fire water must be used in fight the fire, some water could be diverted as nec&d for core make up purposes. The make up requirements are small compared to the fire fighting necd and enough water is contained in the fire water tanks and fire tru;ks to perform toth functions. A COL Action item will be required to have a contingency action plan asailable to use fire water both for fighting fires and core injection as necessary.

The abose discussion assumes that no fire mitigation features exist in the affected fire areas (i c., all

' equipment in the fire area is considered damaged by the fire) A more detailed analysis of fire zones within each fire area would identify features that could protect equipment from the fire (e g., physical separation, ne intersening combustibles, suppression and detection). Therefore, this analysis is

- conservative.

In summary, if division 13 or C is the protected division, PSIR, HPCF, and fire water would be available to meet the safety goal if division A is the protected didsion, RiiR and fire water would be available but one other injection source (i e,, pump support systern(s), and watcr source) outside the reactor building would be required to meet the safety goal.

The CO'. Applicant needs to evaluate the risk potential for all shutdown conditions Ifit is decided to breach fire barners. compensatory measures must be taken. This can include actions such as stationing a fire watch but it also must include determining if the minimum set of equipment is sufficient given the potential fire damage. The minimum sets of equipment reported in 19Q.7 are just examples of systems that will meet the goal for an assumed loss of the operating RilR system. For other scenarios (e g., fire or flood following breaching barriers in more than one division), analyses must be completed to ensure that the safety goal can still be met with equipment that will be available following the postulated evcnt.

Question 13 This question is asked in parallel with the Reactor Systems Branch. Ilecause of the potential severity of a failure of the seals used during RIP pump and impeller replacement, the unsubstantiated statement that "the probability of a large leak through this path is small" is inadequate.

Provide an anai sis that addresses the probability of a LOCA through the impeller shaft nonle. This analysis should address both mechanical failures and the potential for procedural ertors in performing RIP maintenance (e g , incorrect sequence of, or missing, procedural steps).

Response 12 The procedure for nutintenance on the RIPS ensures that the probability of a large leak is minimind. The RIP is a wet motor design whic) does not have any shaft seals. The pressure boundrary is d e motor casing and motor cover. Reactor coolant is allowed to enter the motor casing during normal plac operation. The steps taken during RIP maintenance are as follows (see Figure 1):

1) ne power cable and terminal cover are remosed. This step dxs not change the normal operating configuration of the RIP seals (i e., motor casing and motor cover).
2) The motor elesation guide rod and main stud grapple are used to lower the RIP approximately 6 mm This causes the impeller blade to bad seat on to a metal sealing surface forming the primary seal for maintenance. During mosement of the motor and shaft, a set of sliding 0-rings prevents leakage of' reactor coolant down the 215 mm diameter pump shaft. The maximum clearance between the motor stator and the RIP internal housing is 1.5 mm Therefore the leakage potential with the motor installed is small.

8

,. . i1/10/92

3) The secondsry seals are engaged by irdecting water under pressure into the inflatable permanantly installed rutter seals.
4) Water inside the RIP is drained through a temporary drain line instal!:d on the bottom of the  !

RIP. The two seals prevent reactor coolant from leaking down the RIP shaft. The water drained from the RIP is measured to ensure that no leakage is occuring past the seals.

5) After draining the RIP, an auxiliary cover is removed to allow unbolting of the motor from the pump shan.
6) The lower motor casing bolts are then removed and the RIP motor is lowcred out of the RIP housing.

Up to the point of unbolting the RIP lower casing bolts, the potendal for leaksge is nef,ligible. Once the PJP motor is remosed, leakage is precluded by the primary and secondary seals previously discussed. An operator entor at this point in the procedure could lead to a majot leak. The probability of a major leak is low for the reasons discussed telow.

7) After the RIP motor is rernoved, a main aange cover is installed over the lower RIP casing.

Once the main Hange cover is installed, the probability for major leakage is again negligib!c. The malu Hange cover in conjunction with the RIP housing comprises a pressure tight structural in:rgrity boundrary. The time tetween RIP motor removal and installadon of the main flange cover is approximately one hour, t

8) The RIP housing is then filled with water, the secordary seal is depressurized, and the impeller shan is removed. ,
9) A temporasy plug is then installed over the RIP nozzel and the itIP casing is diajned After drainage, the main Dange cover is removed in order to complete maintenance inside the casing (e.g ,

replacing the secondary seal). Following maintenance, the main Dange cover is re installed.

After maintenance is comple:ed, the RIP is reassembled by following the above steps in the reverse order, From the above, it can be seen that the only times that a majcr leak could occur are during the two periods -

w hen the main flange cover has not teen installed over the lower RIP casing. 'lle two uses are:

1) Epl10aint removal of thc BIP motor but td01slutallal1911.olths.ma!ri fin _nsc.mtL -

The operator could ignore the operating procedure and engage the crane grapple to the imidler shaA and begin lining the impeller out. In this case, only small leakage could initially occur due to the close tolarances between the impeller diameter and the RIP casing. In addition, with the RIP housing not flooded, the head of water above the RIP would add approximately 1500 pounds to the approximately 1400 pound impeller shaft weight, During removal of the impeller shaft, the liRing force is monitored by a load cell attached to the crane. The operator would notice the increased force required to lift the impeller .

shaft and stop to investigate. Even if the load cell is miscalibrated, the inidal lifling of the impeller shan -

would allow only a small leak to occur and the op^rators under the RIP would notice the leakage and report it to the crane operator. The impeller could then te lowered to re establish the primary seal and the leakage would stop, Any leakage would also be detected by the sump level sensors and an alarm sounded ,

in the control room.

2) EhtILibdR.mQl0L!!Ddl!DPS!!CLhaXthta.Ltm01td and_ the mil lDJ1me cover is LtIn01td10L&lE(M!ntmainttantCL If the operator were to ignore the operating procedure and l'11 the plug off without first installing the main flange cover, a major leak could occur. As was the case above, lla head of water on the plug would require a lining force significantly higher than usual for the plug

, removal and the operator should recognize this. If the plug were removed, the inidal water leak of water 9

', . . , 11/10/93' would be noticed by the operator or detected by the sump alarm and the plug could te inmediately re.

Installed.

For a major leak during RIP maintenance to occur, mulupie operator errors would have to be made by ses eral different operators. The main flange cover snust not te installed w hen required, the crane ogerstor must start lining the impeller or temporary plug telore directed to do so, the load cell must be j miscalibrated or the operator falls to use it, and the initla' leakage due to impeller or plug removal must not tc noticed by the operators or detected by the sump level switches. In the case ofimpeller removal, the trane operator must continually lift the impeller approsimately eight feet to clear the impeller shaft of  ;

the RIP nor.zel in the bottom of the RPV for a major leak to occur. This gis es additional time for corrective action. The probability of the abose series of events occurring is coraidered negligible.

Approsimately 500 RIPS have been successfully maintained using the above procedure. The RIP  !

maintenance procedure is similar to CRD maintenance that has teen completed on all operating BWRs for over 30 3 ears. The accumulated experience of CRD and RIP maintenance ensures that AllWR RIP i maintenance can be completed with negligible risk.

9 10 eu y 3- , v* rr7ew T h e ++ f?M rw et -y Fr-y- g-- wr g

  • 7g

4

. . g

=-

E

_ E 5E e < M 4

2 d S gg m,  ; . -,

a

. _9 , ,-

g;@_w- t?gh ,

5 i " - - ,v, Oc&f- R J

- )t ;l 6y y%g .q,..- %.y-s - 9 es l c

. V, -(n ~

I g

G # .;

5, w

:.- e g

2 E

EE G B

=

0

= E w

A

~ A *

~" 02  :

\n. ee

\ =m E

-4 1

g .

o a zu C

__ . . -s :c u yk \I -

m ay , zr._

U 3- g r- -

d

_ / N

/ m ii  ::.:j

, ~

, J m

~

m

'T

)

1 I .

?

a

,a

.g, I

W f

^

I e.4 r

h n=-

Il e

-[N y

_h -- % ^' 3 "

p3_ .

g g

.b-1 .

  1. . u7 r(L Q 4 ]gG__

ow {.e 5

' s > >

0 ' [ Nb E

e- a

. ~

.9 E8 -

O

~

<n=

1 I

~. .

l.

DG

,u O Sd i GE

5=

5 2 'J G -

:. -z -

2 ; /

r-

. no $g

._t-q.m /nd;-

db

  • E t

a , .

-=d \nh--s -

AJ /=

4_Ju rb /

're 7

E

u pn 2 -
~

. w

\W.

  • g W
u g
- g -

m *

./ ~' 3 E3

=N su ,-

y

\ >

j ,-p

_ . . . > gg

( ~.~s%

x o g, 4

j -

g=

qs__m o y%,

=a pr.-

7 __g+_

l e_c_-k_r r ,

__., a.

n.

b so. -

- ) W e.c w'  ; g5

.. O t : a

E E

I / a a

I_ "

-_ --44=yB';-

o Ql o g i ._.

) -:

_., . h_

u

  • b h I  :- 5 a

i a  : :

h I i.

~

[NCLO5URE 1

$PSBQUCSTION$DNTHEAlWRPRA

' October 5, 1991 Reliability Assurance Program . 1) CE)ds fts intoindicated RAP if they an are intent 41 not readyto dupitente requests for inclusion (of )The staff considers it lepertant there from deteministic insights.r identify to the COL applicant the insights from the PM regarding $$Cs to be included in RAP. If the COL spplicant is not provided with PRA.

the appiteent may design and perform periodic tests based that do$$C not insights,hallenge fully c the $$C in trots necessary to assure it will perform during the events postulated in the PM (and for which it la

. The staff beltsves it is necessary for GE to Mke a cotwplete credited)f listinto SSCs to be included in RAP based on the insichts from the ABWR P u. (2) The attff continues to await a listing ed reliability and targets in table form for systems components identified for inclusion (train in the RA . or (3) At a func tion de sy> level) stem w level, there are several important systems that act as redundant in the aggregate rovide an important safety function, components but do not indiv that,iduallyJLu'i A.M cefasdeterminedbydainof itnoortance measures ixeitnd your to include a ginolo lne following systR)atpHPCF, RWCW R. LPF L R and electrucal ec. A walkdowninspectionofthesesystemsshouldbe$W.formedperiodically per

' (perhaps on a yearly basis to verify that no unnecessar comon etuse f ailures exist between the) independent divisions.A estlLbe provided to facilitate and guide the inspections. COL act For.

item to have the COL spplicant 1rovide a Itstintof dividus) barritti that should be included in the MP for fLre/"Taes5Mers thould include doors, separttien walls / floors batween safety divisions, and cenetrations between divisions.

thattheCOLapplicantreviewand(5)ExpandRAPtoincludearequirement exercise annually the er>ergency cperation procedure for operating the Remote Shutdown Panels and manually operating RCIC from outside of the control room in emergency situations. (6) Expsnd RAP to include fire dampers in the HVAC system.

  • $silmic Margins - (1) Explain why for sequences 15 16 17 and 18 the eventtraesdonotconsidstthepossibilityoffailure,ofkHRhett'
  • exchanger integri . (tDProvidethefrattlitydataforthecondensate in,jection (V2).

values were provi d) Expitin why no seism'c fault tross or fragilityfor depres and inhibit ADS. (41 Discuss the seismic capability of the isolation ValvesandtheirconbrollersintheOP3. What prevents the CPS line from becomin kinked or obstructed during a seismic event? (51 Your seismic anni sis assures that an otrthquake would not prevent 4he rupture disk s) from opening. Certainly, failure closed of one of the so would pressurisation of the inoittien vaives would fati the COP 3.

volume between the rupture discs. Provide a more complete diacussion of why Class 11 sequences do not need to be considered for seismic events.

(6) Discuss whether LPCF, RCIC, and HPCF tre capable of peping saturated fluids at 365'F. If not, what is the basis of taking credit if the rupture disc has not spanat' "for them in to for example Class a criep!! sequences,ine in the l or failure closed of an ircletion(due r valve) and the pressure in containment has increased to containut,t co a (g;g m m m tgg, ,,, 3,g ,,,,, ,,,,

w., , ,, ....... . .... ;,7:i.'r..iai- - ~ ~ - - - -~~-- .~i.., . 1, ,

i

. . Q ultimate.-(7)Discusstheimplicationsofsetanicfe19ure of the sRV dischaNie line,-With er without sprays available. We't d the ADS be compromused? It containtpent challenced? Are the SRV discharge lines modeled as part of the depressuritatLen systeet !f r.et Why nett Are'p'sequencestobeconsideredaslarpreleases,sIncetheydra(8) in the suppression pool? -!f not how should they be considered and whyt (f on page 8 ef our June il lift fax on leismic Margias Analysis eyou sho)uld include SR discharge ine failure under number 9 I (Depressurization . GE's er. containment LOCA subs.ittal indicated that these lines had a HCLPF of 0.7tg.

RWCU . (1) The $5AR needs to be modified to include a requirement that  ;

the COL applicant demonstrate that the proposed changes in the RWCW operating temperatures during severe accidents is accept 6ble durteg i emergency use.

where the RWCUneeded is(1) Intothe event tupply decay of heat a high pressure remova) Lt.o. LOCA er transient RHA has failed),discusswhenandifcontainmentisolationwouldavloettically  !

occur and how if at alle it would affect the uso of the RWCU.

PRA Requ'entification - BasedontheLOOPand$80eventtree(Figure 190.44),thesequenceinvolvingLOOP followed by successful screm and recovery of offsite power within 30 minutes, has a frequency'ef 5.7tE t/yr. In GE's original PRA submittal, this sequence was-  !

transferred to the Reactor siutdown-event tree (Figure 190.4 1). The staff has reconenended that tits seguance be transferred to the Isolstion In the revised submittal (May 4 11.1992)/LossofFWeventtreeinstead.this sequence was neither transferred to t

. tresnorlheIsolation/LossofFWtree. Please explain this discrepancy. ,

O 4 0 9 4

k

+ i'd (g;g m:58 2 AIM DW Leti vet Tec pysti test-se-01

3 (NCL05URE t  !

> A8WR DECAY HEAT REMOVAL RELIAs!LITY The ABWR $hutdown Risk Evaluation SRE stresses the isslortance of having 11)least at one offsite power, one diesel (gene)rator, and the gas turbine available at all tines. This string of systems has a 3E 6 per Week failure i probability. a Dat is the basis for assuming that the gas turbine will be i available, give(n)it is net covered by Technical Specificitlenst lb .

GE recommend a utility' applicant de if the ens turbine er one of the) Wh other systems in the 'steing becomes unavailablet  ;

thanoneweek,whatassuresthatthis' string'(chDuringashutdownoflonger 03 equipment is actually  :'

availablet Jt) the$RE.It appears fa that maintenance of the suppression pool was not modeled in pool when < n)raodos other than full power is.modeled in the SRE.Cxplain (b) 'rovide how the nee the COL applicant with guidance on when it is a ,

perspective to drain down the suspression pool.ppropriate Indicate specificallyfrom a risk '

to limit the(c)potential risk during ",he what periodGEtheissuppression recomending,pot if1anyt ting,d.

is lowere the-draft Although NSAC study theonFRE did not shutdown model risk suppression at Grand pool Gulf reported thatmaintenance estdium and /failurelarge LOCAs overwhelmingly dominated the core damage risk during the Rf04 eutsee. Twice during this outage, Grand Gulf entered a plant conf' guration in which the upper containment and suppression pools were drained. LOCAe during periods with the reactor cavity and suppression pool drained could cause failure of all Eccs. (d influences the) Address the extent to which less of the suppression poolconditio

than full power and discuss potentia operator errors that could exacerbate or mitigate this event.

4:3 The staff finds the use of a 1E 4 screening value too coarse to i

l ' ar)ge releases occurring with a frequency higher than it 6 per year. preclude I

thatallcoremeltsoccurringwithprimarycontainmentopen(e.g.!11notbe when(Noto in are considered to be large releases as fission products w Revise the SRE using a screening value of 1E 5 or lower.

~

mode staff ccns 6)d.)iders 1E 5 to be an acu; table screening value scrubbe The combined with an assumed loss of decay heat removal train frequency of G.1 ger ,

year, it leads to a large rolesse frequency of no higher than it 6 per year, ,

(4) CE should make the assumed failure frequency of a single decay heat removal-train (i.e. 0.1 per year) a RAP ites and reliabi ity target.-

(l) Provide cutsats for the dominant sequences.

(6) Justify the , , a d maintenance intervals in the SAE during shutdown. ,

Operating expericace indicates that operating plants have longer equ1l> ment outages during modes other than full power than assured in the SRt. Jor example, GE assured a 10 percent likelihood that DHR train I would be -

DRAFT i

l 50*d LETd 1NIN R11HM StN Ltti pes-19C LWi>1'E681-Se-et

N unavailable due to maintenance for shutdown cooling. However the draft NSA:

shutdown risk report concluded that, during Grand Gulf's Rf04, outage, train A of DHR was unavailable for nearly

  • 50 percent of the time due to train A divisional maintenance.

,(7) CE assumes that protection against floods is afforded during modes other than full power by keeping the water tight doors to one safety division closed. As an example Olvisions 6 and C could have their doors at the 8200 r.m level open, but Divlsion A doors would have to be shut. Then e flood occurring in 8 or C should only affect these divisions, and Division A should only be subject to random failures. a beginning in Division A instead of B(or) Cf What arestaff's It is the the consequences understandingof a flood that the water tight doors are designed to open out under the head of water, al19tng water to s1111 into the hallway connon to the safety divisions.

Would the water.tigit doors of Division A open as thiry are designed and flood Divisions what B andthat assures C toof the equ(b) If the flood were to occur in Division I or C,ince GE's analysis assumes one ipment train of inac Olvision power isA available?

is available,(particularly c) How are the s insichts from the internal flood analysis tied into the ABWR shutdown T.I.7 (d It is typical during shutdown operations for there to be increased wood, styrofoam, and other flottable objects in the reactor, ria)stic, turbine, and paper, con trol buildings.

Describe how your internal flooding analysis has considered the increased possibility of drains becomino plunced or sump pu?ps becoming disabled from floating debris. (e) GI stat W on pige 38 of the SRC that "an analysis has been completed ... no more than one safety division would be affected by water damage frors any postulated flood.' This statement contradicts other inf0rmation GE has supplied the staff on internal floods.

Please explain.

(8) A probabilistic analysis of the risk of fire during modes other than full power was not inclut!ed in the SRt. provide a systematic, quantitative.

analysis of fires during thutdown.

(9) In the SRE GE discounts the diffarences between the three divisions of the.

RHR system as being minor. Howevar, division A of the BIR system cannot provide cooling to the spe6t fec1 pool. Therefore, under conditions in which the RHR system is cooling one third of the core l pool, only two divisions of RHR are available for(or more) l cooling.in fuel poo This the spent fuel condition occurs every refueling outage. Because of the unique depeMance of the ABWR fuel pool cooling system on the RHR system during normal refueling operations, GE should provide a more thorough evaluation of the impact of loss of cooling to the fuel, whether it be in the reactor vessel or in the spent fuel pool. -

(10) Because of the potential severity of a failure of the seals used during the unsubstantiated statement that 'the Rip purrp and 3robability of impeller a large replacement,h leak throug this path is small' is inadequate.

>rovide an analysis that addresses the probability of a 1.DCA through the impeller shaft nozzle. This analysis siould address both mechanical failures and the potential for procedural errors in performing RIP maintenance (e.g.,

incorrectsequenceof,ormissing,proceduralstept).

DRAFT Do'd d id 1NUu 3 m M d M ttS Toc n ett cett-So-of

. S  :

In emi! orating BSAs, events have occurred during shutdown in which MR em  :

y alignment has resulted in partial draining of the reacter vessel, t i The ADWR design has ine v rated features to insure that the core cannet  !

become uncovered di'activ as s' result of MR misalienment (e.g., the suction  !

nozales are above tto cere). However such a missilenment could result in a  ;

commen made failure of the available M R divisions (including shutdown costing if rump damate occurs before the situation is corrected. 3 and It is not coreclear fleedine)bt th t event does appear in the te 3Rt MR has appropriately)considend (shutdown toeling fault trees for this. lowIthile RPVen level  !

(P 1E-5, it is not clear if this event is meant to include low level due te-RHR system misalignment?. clearly pump failure as a result of low level is not I considered in MR core Flooding mode. SE should defend not ans) ging this i common mode fallun er should modif,y the SRE to include its anal sis.

12 i AC power requirements described on pages 69 73 of the SRE seem to  :

1lmp y that minimal sets of equipment that includ we divisions of MR in the shu down coeling mede may requin that all three issel generators be ava lable, since the redundant division will require twe at power divisions end the operating division will require one, the first five minimal sets '

listed on table 19Q7.t all require three at aower divisions. This reauirsment does not 4Ppear cornet. GE should verify tgese minimum sets to verify that '

thesupportsystemrequirementsassociatedwiththeident1Nedconfigurations e are realistic. ,

413)Intheshutdownsafetyissuessectionofthe3RE(section19010).SE discusses delaying DHR maintenance vr.1 heat loads are reduced er the core  :

has been effloadea into the spent fuel pool. Since DHR system is required to provide spent fuel pool cooling for at least the first il days of shutdown,-  :

~

the overriding reason to delay maintenance is the reduced heat leads.

However, only two OHR divisions are capable of cooling the fuel peel. The -

staff recommends modifying the discusalen to pers accurately reflect the .

reasons for delaying maintenance.

jl4) In the event trees in the SRE. 8( apparently defined success as any .

sequence where systems are available to perform either the injection or heat removal functions.- In part this appears-to be the result of the assumption that a 14 hour1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> mission time for all events during shutdown is sufficient for the analysis and boiling to the containment is an acceptable heat removal -

mechanism even if no containment. heat removal mechanisms are available.

l Provide Justification for the decision that-eAly either injection er heat

, removal 13 needed.

Jil'l The success criteria in Section-19Q7 and the correspondine event trees ' '  :

inc ude several paths. One path is direct decay heat removal from the reacter i:

vessel using closed loop cooling like OHR er reacter water diennup (CW).

This high to path-requiresaliew adequate that recirculevel, latten between the downc6mer region and theas mea -

l core. Either justify why level control was not addressed in the event  !

trees or(4) mo dify the event trees. - ,

j L

A or CRD. second gor this path level cent ol was modaled, bug the s,ource of energ DRAFT l

Le'd u tal a l w m ti.n m N uit tes tec se wt rest-se-et I

, &.1. . . . . _ ..,-.-.-.s.. .-.----..e, .=^+-,-~-~.=-=----e=-, + - e - --s- --~~'=-===-ee**'e"==-""r--e+ "-'4'"-- -~*

removal froa containu nt tas not addressed. It appears that the analysis assumes that injection systems would be used to pass two phase er stess flew through the 3RVs back to the suppressten tool. This method of core cooling assumes that the 3RVs are available, whics is not true for the entire outsue (To flood the refueling cavity the vessel head is removed ar.d the st6am l'nes areplugged,resultinginthe$RVsbeingunavailable. This mode of energy removal using the 3RVs would seem to require some typ)e of containment ing too to prevent containment overpressurization. (b)CEdoesnotappeartohave considered 3RV availability in its event trees. Justify this emission er modify your trees. (c circunstancast (d) Can) theDess OPS be GEouttake credit for use for maintenance? of how If so the is CP8 this in these modeled in the $REf t During refueling when the head is off,the vessel and thesteamitnesarep'(ug)ged c flowexitthevesseldirectly.orecoolinginvolveshavingsteamertwophase Using HPcF, LPCF, etc. for core cooling would seem to require suppression pool makeup to maintain suppression pool jnventory. It does not appear that the event trees consider the need for

.nventory maktup in this situation, please explain er modify the avant trees.

,(16)ificantcontributortoshutdownrisk.Thestaffhasidentifiedhumanerrors4) sign I The staff reqVests GE to as perh provide an estimate of the contribution of N to core damage frequency 'n modes other than full power. This con be done b extendin the sensitivity analysis to identify and characterize the leadin HEs.

the tolerance of the ABWR to HE during modes et er than(b f 11cEpower.

should discuss should provide COL applicants with guidance for modes other than full owerp(c) GE regarding administrative controls, procedures, and Technical specifications

, based on assumptions and insights from the ABWR 3Rt. '

~ 117) GE's analysis assumet that steaming is in acceptable mthod of removing decay heat if there is makeup available. '

mods: 4 and 57 (b) What equipment would be(a) Where subject would to this steam the steam go in environment?

(c) Would the steam fail any equipment needed to keep the core coolt (4? What areas enter \ng?besides secondary containment, would the steam prevent operators From

(

0 8

l l

DRAFT l

l l

90'd LETd AN!*W 211m DWN LETT teS Tec attri c861-SO-of l _ , . -,_

[~ ' Ceneral Electric Company -

l ABUR ' '(4 " l ' ' 23A6100AS

itandArd _ElAnt Rev C 19K.1 Introduction In this appendix, the results of the PRA are reviewed to determine the appropriate reliability and maintenance actions that should be considered throughout the life of an ABVR plant .o that the PRA remains an adequate basis for quantifying plant safety. These actions comprise a part of the plant's reliability assurance program (RAP).

t Paragraph 8.6, " Maintenance and Surveillance", of the ABVR Licensin6 Review Bases (Reference 1), reads in part, "GE in to provide in the SSAR the reliability and maintenance criteria that a future applicant must satisfy to ensure that the safety of the an built facility will continue to be accurately described by the certified design." This appendix provides the PRA based reliability and iuaintenance actions which should be considored for incorpora-tion into the future applicant's (i.e., the applicant referencing the ABVR design) operating and maintenance procedures required by Standard Review Plan (SRP) Section 13.5.2. As indicated in Table 1.8 19, SRP 13.5.2 is an inter-face requirement to be provided by the utility applicant referencing the ABVR design.

f Amendment __ 11/11/92 19X 1 Enclosure 4

~_-_ - . --- . . - - . - - . - . - . - . - - - . - . - ..- _.. - - _ .. . - - . .-.

General Electric Company ABVR 23A6100A5 ELkndstd Plant Rev. C 19K.2 General Approsch 1

To determine the appropriate reliability and maintenance related i activities that should be considered to asture that plant safety is maintained as operation proceeds, results of PRA and other analyses were reviewed. The objective of the review was to determine the relative importance of prevention and mitigation features of the ABVR in Matisfying the l'*.y FRA-goals related to '

core damage frequency (CDF) and frequency of off site release. Also considered were the initiating events that had significant impact on CDF. '

From this review (Section 19K.3), the most important plant features were '

identified. '

The FRA was further reviewed (Sections 19K.4 through 19K.10) for other important features, the failure of which was not addressed directly in Section 19K.3, to supplement the above list. Finally (Section 19K.11), the individual features identified in Sections 19K.3 throu6h 19K.10 were revt.ewed to .

determine appropriate maintenance and surveillance actions.

i l

i i

u Amendment __ 11/11/92 19K*2

- . . . .~. - , , . . . - , . . - . .. .._, ,

, , General Electric Company ABVR 23A6100AS ilandard P1Ant . R e v , ..... c 19K,3 Determination of "Important Structures, Systems and Components" for ,

Level 1 Analysis To deteruine which plant structures, systems and components (SSCs) are 4

the most important with respect to CDF, the Level 1 analysis results were  ;

analyzed. The SSCs were listed in order of russell Vesely (FV) importance, or the percent of cutsets that contribute to the CDF, as calculated by the CAPTA .

code. A second criterion for selecting SSCs was to consider those $$Cs with l high " risk achievement worth", or the increase in CDF if that SSC always <

l' fails. The 19 SSC.t of greatest importance, in that they had FV importance greater than it, contributed more than 60% of the sum of the importances and they are shown in Table 19K.3 1. Also shown for each SSC is its risk '

.chievement worth, and five additional SSCs with risk achievement worth .

greater than 20 were considered. Not shown in Table 19K.3 1 are several buman error contributions. Significant human errors are addressed in Subsection 19D.7.

The 24 SSCs in Table 19K.3 1 were further evaluated to eliminate those with a combination of low values for both FV importance and risk achievement worth. The five SSCs meeting this criterion are so indicated. However, one of those five is retained because of its designation as a " critical task" in the human factors evaluation of Subsection 18E.2. The other four are not considered further in this Section.

The remaining 20 designated SSCs of Table 19K 3 1 should be. included with important SSCs being considered for periodic testing and/or preventive maintenance (PM) as part of the Reliability Assurance Program (RAP) of the plant owner / operator. The reliability and maintenance actions suggested for the listed SSCs are identified in Section 19K.11.

A second table, 19.K.3-2, was prepared to show those S$Cs with risk achievement worth between 5 and 20. These SSCs all have very low-Fussell-  :

Vesely importance, indicating a low probability of failure. However, if they fall, tb.e impact on CDF is not negligible. Most of these SSCs have-risk Amendment _ 11/11/92 19K-3

Consrel Cloctric Company _

, ,, ABVR 23A6100AS EL4DI! AIL.f. Lint Rev. G Table 19K.3 1 AWR SSCs cf Createst Importance for CDF, Level 1 Analysis Fussell Vesely Risk Importance Achievemer.t SSC 4 Vorth RC1C System (Unavailable, Test or Maintenance ) 21.8 12.

Multiplex Transmission Network (CCF) 12.1 204,400.

RCIC Turbine 12.0 12, RCIC Pump 7.4 12.

Trip Logic Units 6.0 204,300.

Remote Multiplexing Units o.0 204,300.

RCIC Turbine Lubrication System 4.6 12.

Stttion Batteries (CCF) 3.3 13,160.

Single Offsite Powet Line (1) 3.1 4.1 ,

RCIC Min Flow Bypass Valve E51 F011 (NOFO) 2.0 12.

RCIC Min Flow Bypass Valve E51 F011 (NCFC) 1.9 12.

. RCIC Injection Valve E51 F004 (NCFC) 1.9 12. .

RCIC Steam Supply Valve E51 F037 (NCFC) 1.9 12.

HPCF Maintenance Valvo E22 F005B (2) 1.7 2.7 Combustion Turbine Generat: (1) 1.7 1.3 RCIC Isolation Signal Logic 1.5 12.

Both Offsite Power Sources 1.3 14.

HPCF Pump (1) 1.1 2.6 SRVs (1) 1.0 4.3 kHR Flow Transmitters (CCF Miscalibration) 0.2 32.

SRV (CCF) < 0.1 189.

Level 2 Sensors (CCF) < 0.1 273.

Level 8 Sensors (CCF Miscalibratic a) -< 0.1 28.

Digital Trip Modules (CCF) << 0.1 281.

(1) SSCs with low FV importance and low risk achievement worth.

'2) Not SSC considered with low FVfurther for RAP.

importance and low risk achievement worth, but retained because of human factor importance.

Amendment _, 11/11/92 19K 4 l

27 . -

LConeral Eloctric Company 3, -,- ABVR- 23A6100AS ,

FLaD.diLd floh Rev: C-Table 19K.3 2

-ABWk SSCs With Risk Achievement Worth Between 5 & 20 For CDF Level 1 Analysis ,

russell Vesely Risk '

Importance - Achievement SSC 4 Worth f

RCIC Turbine Exhaust Isolation Valve F039 Limit Switch Fails 0.74 12.

RCIC Steam Supply Bypass Valve F045 Limit Switch Fails 0.74 12. "

Div 1 Transmission Ntwk Failure (EMS) 0.70 13.

All 3 Diesel Generators, CCF 0.56 11.

lat ESF RMU Div 1 Fails 0 34 13. ,

2nd EST RMU Div 1 Fails 0,34 13.

RCIC Flow Sensor E51 FT007-2 Fatis 0.32 12.

RCIC Isolation Valve F036 Fails (NOFC) '

O.18 12. '

RCIC Isolation Valve F035 Fails (NOFC) 0.18 -12.

RCIC Isolation Valve F039 Fails (NOFC)- 0.18 12.

RCIC Check Valva E51 F003 Fails to open 0.15 12.

RCIC Check Valve F038 Fails to Open 0.15 12.

RCIC Outboard Check Valve F005 Fails - m en 0.15 12. t NBS Isolati r 'a- > Valve B21 F003B (FW.Is ae.!rmi Fails Closed 0.15 12. >

NBS Isolatio., ;k Valve B21-F0048 sFV-Isolation) Fails Closed

~

0.15 12.

NBS Manual Valvo B21 F0058 (FW Isolation) Fails closed (NOFC) 0.14 12, .

RCIC Pres Sensor PIS Z605 Miscalibrated 0.054 12.

RCIC Flow Sensor FT 007-2 Miscalibrated 0.054 12.

RCIC Pressure Sensor E51 PIS Z605 Fails -0.013 12, .

3 Failure of Division 1 Distribution Panel 0.0064 12.

SP Temp High (Loss of Pump Head) 0.00055 6.6 SLU/ EMS Link for Div 1 SLU 1 Fails (RCIC Fails) 0.00046 12.

SLU/ EMS Link for Div i SLU 2 Fails .

(RCIC Falls) 0.00046 12.

I; >

Notes: EMS.- Essential Multiplexing System ESF - Engineered Safety Feature _,

RMU - Remote Multiplex Unit

~

SLU Safety System Logic Unit l

l Amendment ,_ -11/11/92 19K 5-

.w. _ - -- -. . ..

~ - - - , - - - - - - - , - - - - - - - , - - - - , , - - , ,

l Gen 2ral Electric Company ABVR 23A6100AS Standard Plant Rev. C achievement worth of 12 because their failure would result in failure of the RCIC system to perform its function.

Initiating events that are significant contributors to CDF in the Level 1 analysis are listed in Table 19K.3-3. There are five such events which are shown with their frequency and their total and relative contribution to CDF.

The three most significant events, accounting for more than 70% of the CDF, are all station blackout events. The next two events, contributing lit and 74 of CDF, respectively, are isolation / loss of feedwater and manual reactor rhutdown. All other initiating events contribute less than 5% of CDF each. ._

The components within the control of the COL applicant that are of most significance to limiting the frequency of station blackout are the diesel generators and the combustion turbine. The COL applicant should assure that maintenance and test activities for these components are appropriate to assure high reliability.

Systems that are most important to limiting the frequency of isolation /

loss of feedwater are the feedwater and feedwater control (FWC) systems. The FWC system is triply redundant, having digital logic with self checking, The automatic checking of the FWC system assures that its reliability remains high throughout operation. The COL applicant should assure that maintenance and test activities for risk significant components in the FW system, the FW pumps _

and motors, are appropriate to assure high reliability.

Unplanned manual reactor shutdowns occur with a relatively short time for preparation, in contrast with a planned shutdown. To assure that the unplanned shutdowns will not cause undue risk to the plant, the training procedures should include adequate training, including simulator exercises, for such events so the operating crews can respond to plant conditions during such shutdowns on short notice.

The RAP activities for important SSCs identified by consideration of initiating events are included in Table 19K.ll 1.

I Amendment __ 11/11/92 19K 6

-1 Censrel Eloctric Corpeny 1

' C *-ABVR :23A6100ASL  ;

~ Standard Plant Rev C 1 <

Table 19K.3 3 ABVR Initiating Event Contribution  ;

to CDP, Level 1 Analysis j I

Events Total 8

Percent CDF Initiatine Event Per Year CDF X 10 Contribution Station Blackout for Less i Than Two Hours 1,22E 6 6.67 42.7 Station Blackout for Two i to Eight Hours 4.46E 7 2.57 16.5 l

Station Blackout for More Than Eight Hours 1.62E 8 1.71 11.0 Isolation / Loss of Feedwater 0,18 1.70 10.9 Unplanned Manual Reactor Shutdown 1.00 1.15 '7.4 The relative importance of some ABWR features is not established by the _

Level 1 analysis described above because some important SSCs are not treated >

in the Level I calculation. To identify other important SSCs, the Level 2,.

seismic, fire, flood and shutdown analyses results were carefully reviewed by knowledgeable engineers who identified additional SSCs for the' RAP.- The important SSCs identified in these other studies are given in Sections'19K.4 through 19K.10, and RAP activities are in Section.19K.11.

Amendment __ 11/11/92 19K 7 E

_ _ _ _ _ . _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ __________i'.___.________

______l__

Censral Electric Company

. 4 ABVR _

-23A6100AS-l Standard Plant Rev. C I 19K.4 Determination of "Important Stniett.res, Systems and Components" for i Level 2 Analysis '

The Level 2 analysis evaluates the offsite release of fission products following core damage. Those analyses related to- the consequences of- core damage were reviewed, including source term sensitivity studies, deterministic analysis of plant performance, and containment event trees, 'Those-systems

'l which would be important with regard to mitigating a core damage event were considered as potential risk significant SSCs. The following features were 1 1

identified:  ;

I

1. The automatic depressurization system (ADS) The ADS depressurizes the j RPV so that the low pressure systems can inject water. Even if no water injection is available, the depressurization via or.e safety / relief valve (SRV) eliminates the potential for direct containment heating in event of RPV failure, The SRVs are important SSCs for the ADS since they are the components that function to release steam to reduce RPV pressure.
2. The ae-independent water addition (ACIWA) system -- The ACIVA system has

[ ho major benefits, First, it can inject water into the- RPV to prevent

~

l core damage or facilitate in vessel recovery. Second, it helps protect the containment by flooding the lower drywell.(diverse from LDF) to cool corium in event of core' melt and vessel failure, The ACIWA system can also be used to reduce high drywell temperature when operated in the drywell cpray mode, Also, for sequences with loss of containment heat removal, the ACIWA system adds thermal mass to the containment, significantly delaying the-

! time of rupture disk opening. The important SSCs for the ACIWA system are the valves and the die.sel driven pump, as they provide'for the addition of L water to the core and/or drywell.

~

L 3. The lower drywell flooder (LDF) -- The LDF system was selected because it l'

is important in providing cooling for corium released from the reactor.

l vessel and in scrubbing fission products released from the corium'in the l-l Amendment _ 11/11/92 19K 8 t-l

General Electric Company

.- - t ABVR .

23A6100AS 11andAI.d Plant' Rev. C-event all the automatic and manual systems- fail to inject water. The LDF fusible plug valves are important SSCs for the lhF system since they provide for. flooding of the drywell floor.

4. The containment overpressure protection system (COPS) The COPS is important since it prevents containment failure and assures a fission-product release path through the suppression pool. This serves to limit the potential offsite dose after a core damage event. Sequences which result in slow pressurization will lead to a failure in the wetwell, as opposed to the drywell. Since the suppression pool scrubs. fission-products before they enter the wetvell air space, this results in a much lower source term than does the case of a drywell head failure, The COPS will also reduce the potential for a Class 11 sequence to lead to core damage. The predominant mechanism for core damage in Class II sequences is failure of containment or reactor building structures causing -

damage to long term heat removal equipment. Operation of the COPS directs the gas flow to'the stack, preventing damage to the equipment. The COPS SSCs identified by the analysis are the rupture disks, which prevent containment failure-and limit offsite doses after core damage, the I

isolation valves, and the flow lines.

5. The RHR system is a primary source of decay heat removal. Decay heat-removal is necessary to prevent fission product release from the containment in the unlikely event of a severe accident. Also, the drywell spray function of the RHR is an important feature in limitin6 the consequences of the Level 2 analysis. The valves of the RHR system that control this spray function are included in RAP. The wetwell spray function of the RHR is used for control of bypass leakage by. keeping containment pressure low. It does not play.as important a role in the analyses performed as does the drywell spray, so its components'will not be a part of the RAP.

The RAP activities for important SSCs identified by this Level 2 analysis are given in Table 19K.ll-1.

Amendment __ 11/11/92 19K 9

~Ceneral Electric Compcny-

.- .. ABVR 23A6100AS Standard Plant Rev. C 19K 5 Determination of "Important Structures, Systems and ' Components" for Seismic Analysis The' seismic analysis considers the potential for core damage from plant damage resulting from a seismic event. The results of the seismic analysis identified key features by consideration of those SSCs important to reactor shutdown or to decay heat removal which could potentially be damaged by seismic action. The following features were identified as having high confidence, low probability of failure (HCLPF) capacities less than 0.60 (twice SSE),

- The diesel generators, 480Vac transformers, and motor control centers of-the ac power system The batteries, battery racks and inverters of the de power system-The motor driven pumps, heat exchangers, and room air conditioning units of the service water system The motor driven pumps of the high pressure core flooder system

- The motor driven pumps of the residual heat removal system The SLC tank and the motor driven pumps of the standby liquid control system

- The motor driven pumps of the fire water system The RAP activities for important SSCs identified by this seismic analysis are given in Table 19K,11-1.

Amendment __ 11/11/92 19K 10

General Electric Company

.- -, ABVR 23A6100AS itandard Plant Rev. C I

l 19K.6 Determination of "Important Structures, Systems and Components" for Fire Analysis The fire analysis considers the potential for core damage from plant damage resulting from a fire. The important SSCs identified by this analysis are the room fire barriers, which prevent the fire from spreading to other rooms, the smoke removal system, which maintains pressure differentials to exhaust smoke rather than allow it to reach other areas, and the remote shutdown panel and control which are needed following a fire in the control room or HVAC failure in the control room.

The RAP activities for importaut SSCs identified by this fire analysis are gievn in Table 19K ll 1.

19K.7 Determination of "Important Structures, Systems and Components" for Flood Analysis

~

The flood analysis considers the potential for core damage from plant damage resulting from a flood. The important SSCs identified by this analysis are the ECCS room and turbine building / service building water tight doors, which prevent water from flowing into rooms other than the one with the leak, isolation valves on the reactor service water system, which limit the amount of water spilled into the control building, and circuit breakers that will trip RSV pumps, which also limits the amount of water spilled into the control i

. building.

The RAP activities for important SSCs identified by this flood analysis are given in Table 19K.11-1.

19K.8' Determination of "Important Structures, Systems and Components" for Shutdown Analysis The shutdown analysis considers the potential for core damage during shutdown. Potential core damage during shutdown arises when the RHR system is lost. The important SSCs identified by this analysis are the ADS system, the 11/11/92 19K-11 Amendment _

, w. .

~

, y_

4 , - . .

General Electric { Company

' ~

ABVR4  : 23A6100AS - l

.'Slandard Plant Rev. d; A= .RHK1 system for1 shutdown' cooling and in the-low pressure f1'oodert(LPFL)fmode;.

the~high'pressureicore flooder-(HPCF) system, and the control rod-drive-(CRD): J

~

sys tem._ The.important components are-SRVs of the ADS ^ system,-valves and: pumps of the RHR system and of the - LPFL.. HPCF and CRD~ systems ,

t The RAP activities for important SSCs identified _by-this-flood analysist are given in Table 19K.1141. 4 M

- . . .1 19K,9 Identification of Important Systems With Redundant Trains j Several plant systems have multiple. trains of wh'ich only one is - required :

to operate to perform the system safety function,'the other trains providing4 redundancy. Because of this redundancy, components:of the ' systems may(not' 4 show up in a listing of high importance components. . However, ittis possible1 d ,

that operation or maintenance activities related to these systems could ,

introduce some common cause failures which could affect All similar' trains of'

~

a given system and, thereby, render all trains 'of'such systems incapable .of Eperforming their safety functions. Engineering judgment' was used tot identify _

the multiple train systems havins important. safety functions-that should-be-checked in addition to any identified component. tests or maintenance zThe1 systems selected are the RHR system in the; shutdown cooling and,theylow  :

pressure flooder (LPFL) mode, the high~ pressure core _-flooder (HPCF)Esystem,'

L the reactor. water cleanup (CUW) system, the reactor service' water (RSW) . .

system, and the ac' electrical system.

i A single train of each of these systems :sh6uld be[ designated'for RAP by; '

3 the COL applicant and the train should'be given!a walkdown; inspection every) 3 refuelin8 outage. The inspection should. verify that-system' equipment?is being-operated.and' maintained properly so that there is.no: reason toisuspect:thati other trains of the same system'have problems'thatswouldipreclude the.systemi from performing-its safety functions. The RAP activities,forEtrainst of{

systems identified by this. analysis are given'in Table'19K.11-1".

J S

s

, Amendment 11/11/92 -19K 12:

y- -

H J

84--- y ee wr,,.s.,w m . . um__is-<J m e ___u_____.__.___.______--__m_a-_m ___.--___m_ _ _T_ _.I _m 2 +--

General Electric Company 1 ABVR 23A6100AS Standard Plant _ Rev. C 19K.10 Id;<eti; cation of Important capabilities Outside the Control Room Most safety related actions by plant operators are conducted from inside the control room. However, in some sequer.ces it is necessary for the operators to take appropriate action from stations outside the control room.

Engfrc:rin6 judgment was used to identify activities that the operators should be capt.ble of performing outside the control room, during internal flood, during reactor shutdown, or when the control room is insecessible, such as in event of a fire.

The identified activities outside the control room are: (1) execution of the emergency operation procedures for operating the remote shutdown panels; (2) manual operation of the RCIC from outside the control room; (3) closing water tight doors that are open (if there is flooding in the intact RSW division) before opening doors to attempt corrective action; (4) manual lineup of the combusticn turbine generator and emergency diesel generators to non safety related buses; (5) manual connection of the ac-independent water addition system; (6) manual bypass of the regenerative heat exchanger in the reactor water cleanup system; and (7) connection of the diesel fire truck to the ac independent water addition system after a seismic event. The RAP

. activities identified by these considerations are given in Table 19K.11 1.

i Amendment _ 11/11/92 19K-13

w

+n

~k2 " -

i , _ ,.

Genatal-ElectricLCompany da 'U CABWRJ . :23A6100AS Litandard~ Plant- Rey, c

19K,11
' Reliability /and Maintenance Actions The-individual SSCs identified as being "important" -in Sections 19K.3 through 19K.10 were reviewed to determine the appropriate reliability _and maintenance actions. These actions are defined in this~section.-

19K.11.1 Component. Inspections and Maintenance The system of greatest FV importance is the RCIC system,'which'has been -

assigned 2n' unavailability for-test and-maintenance. The" amount of time:the:

~

RCIC system is unavailabli-because of test and maintenance should beimonitored l

to assure that it remains within the 2n_ assumption annually.

L -

j Multiplexers which provide multiple signalsLeo.several systems:are-identified by the- Level 1 analysis as high importance Leosponents._ ; SafetyL system multiplexers have'a' built in self test that checks 1 circuits frequentlyp In addition, one of four multiplexers can_be bypassed and tested _during planti '

operation without loss of system function. Such tests provide a' complete  !

simulation of the multiplexer signals, more than included'in the self test.

During plant outages more' detailed multiplexer tests are possible, including a-a complete system tort and identification of signal errors. - -These .testsiwill; include verification that the remote multiplexing l units function' properly.

~

Multiplexer tests that are suggested as part-of theLRAP'are given in-Table 19K.11 1.

The turbine of the RCIC system is an important-component, as identified in Table 19K.3-1. . Periodic startup and operation offthe RCIC turbine 1sLoneLway1 7

, -to monitor this-turbine, andfless frequent turbinesinspection and'refurbishi 1

ment are also recommended. The RCIC pump is tested at the same time by

- measurement of speed,L flow rate, differential pressure, and. vibration. The= .

turbine lube oil pump operation and many of the.RCIC valves are-also'testedL

~

when the. turbine testing is done. These RAP activities are included in Table- -

- n

- 19K.11- 1. n 4

t Amendment __ 11/11/92 19K 14- .

_ _ . - . ~ . . _ _. -

Ceneral Electric-Company ABVR 23A6100AS-Standard Plant Rev. O Trip logic units (TLUs) for t,e reactor protection system (RPS) represent another high importance component. Functional tests of these TLUs are performed at frequent intervals by the on-line, self-test feature of ABWR solid state logic. Additional off 1!ne, semi automatic, end to end (sensor input to trip actuator) testing of TLUs, which exercises th'e safety system logic and control logic processes, is important because it allows the detection of failures not sensed by the on line system. The TLU tests that are suggested as part of the RAP are given in Table 19K.11 1. .

Station batteries receive periodic checks in accordance with plant technical specifications. These checks will be adequate to assure that the batteries will have the reliability assumed in safety analyses.

For the normally closed, fail closed (NCFC) injecrton valves, the steam supply valves and the bypass valves of the RCIC system, ridch normally are not required to operate during plant operation, a quarterly full stroke test is judged to be appropriate for the RAP. Such tests are in compliance with ASME

~

Code requirements for valves in nuclear plants, . Detailed disassembly, inspection and refurbishment of valves would be done less frequently. The normally open, fail open (NOFO) bypass valves should be considered for similar tests. Suggested RAP activities and frequencies, and the basis for each suggested activity, are shown in Table 19K 11 1 for identified failure modes.

The HPCF maintenance valve is normally locked open, and -its failure mode is being left closed following maintenance. To prevent this human error from occurring, administrative controls should require independent verification of the valve position-following maintenance, positive control of the key to the-valve lock, and control room verification of the valve position prior to startup. The RAP activities are in Table 19K 11 1.

The RCIC isolation signal logic should have a logie functional test every three months to assure it is functioning properly as hown-in Table 19K.11-1.

Amendment __ 11/11/92 19K 15

Csnsrr'. Electric Company

  • " ABVR ,23A6100AS Standard plant Rev. C Reliability of offsite. power sources cannot be: completely controlled by the plant. However, to c.;wie that plant equipment does not contribute to power losses, inspection of'wwitchyard equipaent should be performed with a frequency of at least once every six months in accordance with site adminis-trative procedures. Such inspections should include confirmation of secure structural mounting of equipment, physical condition of insulators and other supporting apparatus, and virual inspection of transformers and other oil filled equipment for oil lesks. Infrared thermography should be used to detect hot spots on electrical equipment and connections. All supports and supporting structures should be examined for structural integrity. = Suggested RAP activities are S iven in Table 19K.11 1.

Common cause failures (CCFs) of RHR flow meter calibration, Level 8' sensor-calibration. Level 2 senser malibration, and of digital trip modules (DTMs) will have acceptable probabilities if adequate administrative controls are exercised. Calibration procedures for RHR flow meters and.for level 8 sensors-should include notes about the safety importance of these instruments. The-procedure for testing DTMs should include a warning about their importance to safety. Suggested RAP activities are given in Table 19K.11 1.

The CCF of safety relief valves (SRVs) can be kept to an acceptably low

-probability if the SRVs receive the appropriate inservice inspection, if identified problems eeive root cause analysis and correction, and if the configuration and qualified life of the valves.at the site (or elsewhere) is maintained correctly, including consideration for agin5 and wear-of _ parts.

The SRV control panel'can also be tested, separate from valve operation,:to assure that it works properly. An inservice oueck.to detect for valve leakage that can lead to setpoint drif t is the temperar;-- alarm on the tail pipe.

The inservice inspection of SRVs is included'in Table 19K.11 1 for RAP.

Isolation check valves ,of the NBS are leak tested at refueling outages,-

and that test demonstraces that the valves move from.open to closed.

Subsequent plant operation of the feedwater system opens the valves, giving assurance that they have ability to open. The NBS manual isolation valve has a stroke test at each refueling' outage to assure that it can function.

Amendment __ 11/11/92 19K 16 a

Ganstal Electric Compeny ~

  • - C 'ABUR 23A6100AS

-Standard Plant Rev. C T6 stable check valves of the RCIC system can also.be checked at each refueling.

-to assure that they-would function properly if' conditions required a change'in position. These valve tests are included in Table 19K.11 1.

19K.11.2 RCIC System Testing The Level 1 analysis identified the reactor core isolation cooling (RCIC)-

system as one whose failures contribute substantially to CDF. Failure of RCIC to start or failure to continuo operation after start are failure modes that are identified as si nificant.

5 To provide assurance that the RCIC operation will be as reliablo as assumed for the analysis it is suggested that the-system be started and operated long enough to demonstrate stable operation at least once every three months. The flow rat'e of RCIC should be measured to verify that it meets design requirements for injection into the-RPV, Quarterly tests are with flow to the suppression pool. The RCIC system testivill accomplish many of the RCIC turbine, pump and valve' tests and will demonstrate that the Division 1 distribution panel is functioning. Components of RCIC

- that have been identified as significant, including many~ valves andI instruments, are included in Table 19K.11-1 with identified failure modes and 4 suggested RAP activities.

19K.11.3 Depressurication The ADS technical specifications were reviewed, and it was . concluded' that no additional reliability and maintenance actions are~nseded. . Testing of ADS ~

- system SRVs is included in Table 19K.11 1 with the other RAP activities, 19K.11.4 Lower Drywell Flooder-(IEF)

Activities suggested for RAP are given in Table 19K 11-1 and discussed-below.

1. The ten fusible plug valve flanges and outlets should be inspected every refueling outage to assure there is no leakage Amendment 11/11/92 19K 17 i 4 l

i

-5

General Electric Company a

  • AB'IR 23A6100AS I

Etandard P' ant Rev. 'C

2. Two of ten fusible plug valves should be removed, inspected and their temperature setpoints tested every two refueling outages. (See testing and inspection requirements Section 9.5.12.4.)

19K.11.5 AC Independent Water Addition (Firewater) System Inspection and testing of this system should be included -in RAP. However, because of the importance of manual alignment, lining up the firewater should be specifically included in the training programs to assure that the system benefits are obtained.

The strategy discussed below is recommended to test key components to assure that pumps and valves are operable and that there is no significant flow blockage in the flow paths from the fire water system to the reactor pressure vessel and to the drywell spray. Component testin5 is included in Table 19K.11 1.

~

1. On site fire truck (pumper) maintenance should be conducted in accordance with the utility's normal fire protection maintenance procedures. A site service test of fire truck performance should be performed annually or af ter any major repairs in conformance with Chapter 11 of NFPA1901,

" Standard on Automotive Fire Apparatus" These tests should demonstrate that the pumper / engine combination is capable of meeting the performance requirements of the original certification or acceptance tests. Fire truck reliability for supperting the water injection function is assumed to be 90%. A satisfactory service test should consist of pumping water to the ground or back to the suction source as follows:

(a) Twenty minutes of pumping 100 percent rated capacity, preferably at draft, at 150 psi (1039 kPa) net pump pressure; (b) Ten minutes of pumping 70 percent rated capacity at 200 psi (1379 kPa) net pump pressure; and Amendment __ 11/11/92 19K-18

Ceneral Electric Company ~

ABVR 23A6100AS Standard Plant p,v. C

'(c) Ten minutes of pumping 50 percent rated capacity at 250 psi (1724 kPa) net pump pressure.

Engine speed should be recorded for each condition. A " spurt" test need not be conducted, but if care is taken to ensure that the pump does not cavitate, rusning the pumper with wide open throttle at 165 psi (1138 kPa) net pump pressure may give a good indication of engine condition.

2 As a part of the normal testing required by the utility's fire protection procedures, the following tests should be considered:

(a) Once every two refueling outages or every four years (which ever is most convenient) the fire truck shc.uld be used to pressurize the fire protection system and test the flow capacity. Suction should be from both fire protection tanks and the ultimate heat sink water supply.

(b) Once every two refueling outages or every four years the flow capacity of both the ac-driven and the direct diesel driven fire

~

pumps should be tested. This flow test can be alternated with the fire truck flow test (2a above). The diesel driven fire water pump-is assumed to have 90t reliability for supporting the water injection function.

. 3. Once every two years the RHR nonsafety related valve (E11 F103C of Figure 5.4-10. Sheet 7) which must operate to provide flow to the vessel, or to the drywell spray or wetwell spray, should be manually opened and closed.

Safety related valves E11-F101C and E11 F102c are exercised every three months as part of the valve in-service testing program.

4 Once every four years the ac independent water addition (ACIVA) flow and flow monitoring instrumentation from the fire protection system (FPS) to the RHR main loop should be tested. This can be accomplished during a reactor shutdown by initially isolating and closing off the branch lines of the RHR main loop C (however, the heat exchanger throttle valve E11-F004C remains open) and stopping both pumps, C001C and C002C. After ACIWA valves E11-F101C and E11-F102C are opened to apply the FPS pressure .

Amendment _ 11/11/92 _19K-19

Censral Electric Comptny .

ABVR . 23A6100AS-Standard Plant- Rev. C to the RHR mainLloop, the shutoff head pressure shoult 'l 'rtrified. With the RHR main loop closed off, no flow should occur. Then for a short time period..the flushing J+2in to the radwaste using valves E11 F029C-and E11-F030C, Figure 5.4 10, Sheet 6, can be opened. The resulting flow can be measured with flow meter E11-FE012B, Figure 5.4 10, Sheet.-4, Throttling valve E11-F030C can be used to turn the flow on and off and limit the flow to the desired-rate and duration. The flow duration should be minimized to reduce the load to radwaste. The test should be repeated first with valve E11 F101C closed, then with the fire truck hose connec-tion and valves E11 F101C and E11-F103C opened Figure 3.4 10, Sheet 7.

5. Once every fivo years all fire protection and RHR piping which forms the ac independent water addition system should be tested to ensure.that it is structurally intact and properly supported.
6. Seismic related inspections listed in Subsection 19K.11.7 should be done.

19K.11,6 Containment overpressure Protection System (COPS) v The COPS is identified in Section 19K.4 as important to limiting. fission product release. Suggested system component testing as- part of RAP is identified in Table 19K.11--1. Also, system flow testing and special operator training should be ccasidered for inclusion in the RAP.

1. Air operated valves (A0Vs) in series with rupture diske should be maintained in the same manner as other containment isolation valvra. It is suggested that, during preoperational testing and during each R/M outage, each valve be exercised and proper open and closed local and control room indication be checked. -Any position other than full open should alarm in the control room. After valves are returned to the open position, indication should be verified locally and in the main control room. These tests are included in Table 19K.11 1.

Amendment __ 11/11/92 19K 20

Constal Electric Company

"' \ABWR _ 23A6100AS Standard Plant' Rev C

~2. Rupture disks should be maintained'as required by the'ASME code. The.

rupture disk manufacturer should-perform the necessary tests to1 certify that the rupture disks will open at a pressure within 24 of the rated value. Every five years, the disks should be tested _and replaced. These tests are included in Table 19K,11 1,

3. A flow test should be conducted every five years to assure that there are no obstructions in the pressure relief path.

4 Special training on operator actions following rupture disk opening should-be included in the plant training program.

19K.11.7 Seismic Related Inspections The seismic capability of the following equipment is identified.(Sub-section 19K 5) as risk significant: emergency diesel generators, 480Vac transformers and motor control centers of the ac power system;; batteries,

+

battery racks and inverters of the de power system; motor driven pumps, neer..

exchangers and room air conditioning units of the service water system;.the SLC tank and motor driven pumps of the standby liquid centrol system; and motor driven pumps of the HPCF system, the RHR system and the firo. water-system. For this equipment, the following seismic related inspections -should be conducted once every 10 years or.after any-earthquake equal to or greater.

~

than the operating basis earthquake (OBE): -

1. Repeat the seismic walkdown which was conducted after construction in'the general area of the equipment.
2. Visually inspect all related supporting devices and supporting structures, l-i:

l 19K.11.8 Plant Structures l-No maintenance activities other'than those already associated with the-in service surveillance:of L the seismic instruments defined -in Subsection 2.7.4.5 areLneeded for seismic events.- The seismic instrumentation program (subsection 3.7.4) is designed to_ provide information on the input ground-Amendment __ 11/11/92 19K-21 b.

Con 3rc1' Electric ~CcLpeny

.ABVR' 23A6100AS.

jftandani Plant Rev C motion and resultant-responses nf representative Category I structures and-equipment in the event an earthquake occurs sufficient to activate tae seismic instrumentation-. -If the eaethquake exceeos the:0BE, the plant is shut down manually ~if necessary, and a detailed post earthquake evaluation is under-taken. When it isEdetermined that plant structures-and equipment were'r.ot damaged, the plant can be safely re started on the basis of seismic considerations.

19K.11.9 Hydraulic Control' Units and Control Rod Drives The technical specifications associated with the hydraulic control' units and conttol rod drives were reviewed. It was concluded that no additional-reliability and maintenance actions are needed beyond those in technical specifications.

19K.11.10 Emergency Diesel Generators

. Maintenance for the emergency diesel generators is expected to be '

performed in accordance with site procedures and the manufacturer's-_recom-mendations. Surveillance testing is required in accordance with Regulatory Guide 1.108, " Periodic Testing of Diesel Generators", and with the-surveillance requirements described in the Technical Specifications (Section 16.11.1) beginning with SR 3,8,1.4. Seismic related inspections noted in Subsection-19K 11.7 should-be done. '

Maintaining emergency diesel generator reliability is a basic'part of the station blackout rule (10CFR50.63). A reliability-assurance program is required which maintains a target reliability. In view of the. existing L

requirements noted above, it-is judged thac additional reliability and -

maintenance activities are not needed.

l t

Amendment _ 11/11/92 19K 22 v.

L ,:

General Electric Company

, . AE'JR 23A6100AS Standard Plant Rev. C 19K.11.11 Combustion Turbine Generator daintenance for the combustion turbine generator (CTG) is expected to be performed in accordance with site procedures and the manufacturer's recom-mendations. Suggested surveillance testing includes monthly operation at 1

rated speed and rated load until temperatures reach steady state values, approximately one hour. Also monthly there should be a check of oil levels and assurance that there are no oil or fuel leaks. Quarterly the oil should be sampled and analyzed for acceptable quality. At each refueling / maintenance outage CTG fuel oil and lube oil and fuel, oil and air filters should be replaced and there should be a thorough inspection of the entire assembly, including assurance that the inlet and outlet plenums are not blocked or deteriorating. Also, a complete visual inspection of the power unit should be made to assure that support bolts are secured and that there are no cracks and no blown gasket or engine hot spots. These tests and preventive maintenaace activities are included in Table 19K.11 1.

19K.11.12 Fire Protection The room fire barriers, the smoke removal system, and the remote shutdown panel and control were determined to be relatively important (Subsection 19K.6). Fire barriers, including penetrations, should be inspected period-ically to assure that they retain their inte6rity with respect to confining a fire. The smoke removal system should be operated annually to demonstrate

. that it will be able to maintain a negative pressure in a room with a fire so that probability of propagation of fire and/or smoke to other rooms is low.

The remote shutdown panel should be tested periodically to show that it can perform its functions that will lead to safe shutdown. These RAP activities are included in Table 19K.11-1.

Amendment __ 11/11/92 19K-23

. - .. ~

Gen 2ral ElectricLComp:ny c .- ABVR- -

. 23A6100AS'

_ Standard Plant Rev. C 19K.11.13 Flood Protection-The important SSCs for flood protection are-the water' tight doors in the-turbine building and in ECCS rooms, the RSV isolation valves and the circuit- ,

breakers that trip RSV pumps (Subsection 19K,7). Periodically room water barriers should be inspected to assure that they will prevent:the spread of flooding, RSV isolation valves (MOVs) sh.. eld be stroke tested (normally accomplished by switching from one pump to the standby pump in a given loop),

and the ability of RSV pump circuit breakers to trip upon receipt of a trip-signal should be demonstrated. These RAP activities are includeduin Table 19K 11 1, 19K.ll.14 Shutdown Protection The shutdown analysis (Subsection 19K 8) identified as important components the SRVs of the ADS system and valves and pumps of the:RHR system (including the LPFL mode) and of the HPCF and CRD systems. RAP activities for SRVs are covered in Subsection 19K.11.2. Testing of valves and pumps of the RHM system and for the HPCF and IEFL function of the RHR are covered by the technical specifications and valve and pump inservice testing -(Table = 3,9 8) .

for these systems. These testing requirements were reviewed and it was-concluded that no additional reliability and maintenance actions are needed.

This RHR testing also provides adequate assurance that the suppression pool temperature vill be maintained below its high temperature limit _(Table 19K.3-2).

The CRD system is normally. operating, but system- flow can be . increased by , ,

opening some partially closed valves and/or by operating the second-pump in addition to the operating one. The RAP activity, in Table 19K.11 1, is to review the CRD operating procedures and-verify that they include steps to -

increase flow when necessary in a manner consistent with GE's Service <

Information Letter, " Increase CRD System Flow to RPV.After Shutdown for Emergency", SIL 200, Rev. 1, Supplement 1.

Amendment __ _11/11/92 19K Gonarcl Electric Corpiny ABVR 23A6100AS.

Standard Plant Rev; C TABLE 19K.ll 1. FAILURE MODES & RAP ACTIVITIES UMAVAIL*

TEST OR ABILITY.

FAILURE RECCrNEffDED MAINTENANCE TAILUPI CL'MP?tfrNT tpCE/CAUSE MAINTINANCE .INTDVAL M EL RCtc System Unevallable due to Nonstre unavailable time. Annually Level 1 2.CE 2 test er maintenance compere with assumed 21 analysis Phaltiplesers Common cause failure System functional test 3 eenthe Espe;-tence S.9E 7 of all HUX to gave proper stEnals Complete system test, error 2 years Erportesce check One E$F RHU for Failure of remote Systwo functional test 3 senths Erportance 3,CE-4 Div 1 or one multiples unts or SLU/D13 Link link between RMU and Complete system test, error 2 years Expertence for $LU Civ 1 safety system legts check unit RCIC Turbine & Mechanical fetlure to Turbano startup and operetton; 3 senths Exportance 1.1E 2 Pump (System operate measure puarp vsbration velocity (Turbine)

Test) & displecoment flow, speed. 6.8E 3 dt!!, pressure. (P ep)

. Turbine inspection, S years Expertence refurbistuoent RPS 7:15 Losta Feature to telp upon System functional test 3 sonthe Experience 3.0E 7 Units demand Complete ayates test, error R/M outage Expertence check RCIC Turbine Lube oil pump failure Lube att pump operetton and oil 3 months Espertance. 4.2E 3 Lube system pressure check

. e RCIC Check Failure to open Open and close durans system 3 months Experience 1.41 4 Valve F038 test RCIC Check Fetture to open Open and close test R/M outage- Espertence 1.4E-4 Valves F003 &

F004 RCIC ! solation Failure to provide Logia functional test 3 monthe Expertence 1.4E-3 Signal Lotte isoletten alsnal when conditions warrant These types of valves and turbines have been veed in operating BWRs. so there la much expertence to guide owners / operators in care of the equiptent.

l- Amendment _ 11/04/92 19K-25 l'

l l

Consrel Electric Company ABUR 23A6100AS.

Standard Plant Rev. C TABLE 19K.ll 1. FAILURE MODES & RAP ACTIVITIES UNAVAIL-TEST OR ABILITY, ,

Tall,URE RICrm ENDED MAIN!ENANCE fA! LURE C'JdPO4 TNT MortICAt'5E MAIN?tN ect IN?rRVAL EMM &

t.0!C Min Flow Tatlure to operate Stroke test 3 months Erperience : 1.6E 3 err.se valve because of e,echanical AsME Code Is! (NOTC)

(NOTO or NOTC) problems Visual and penetrant inspection 10 years Low fatture 1.6f 3 of stem, ultrasonic inspection rate ASME (NOTC) of stama; repisce af necessary, Code ISI.

e railure to cretate Electrical circuit test 3 conthe Erperience because of electrieel problems ROIC Injectton Tatlure to open Strose test 3 months Experience ;- 1.EE J Yalve and because of mechanical ASME Code ISI tuzhane Steam problems Supply Valve Visual and penetrant inspection 10 years Low failure of stem. ultrason&c inspection rates ASME of steet replace if necessary, code 15!.

e re41ure to open Electrical ciecult test 3 emnths Erre tt ence because of electrical probleme RCIC'4 solation Spurious fatture Sttche test. 3 sunthe - -Experience : 1.4t-4~

Velves (NOTC) because of mechanical ASME Code 251 problems Visual and penetrant Snapection 10 years Low fatlure of stem, ultrasonic inspection- rete; ASME of atta; repisco if necessary. Code ISI,

! e Spurious fatlure Electrical circuit test 3 monthe Expertence because of electrical problece Limit Switches Failure of switch to Observation of usias switch 3 months Experience en ROIC Turbine change position when actuation during valve stroke 6.8E af _

l Exhaust valve omvement occurs test

Isolation Valve and Steam Supply Bypass l

Valve l

l t

These types of valves and turbines have been used in operating BWRs. so there is much experience to guide owners / operators in care of the equipnent.

Arnendment _ 11/04/92 19K 26

- e. . _ _ . . . . _ _

, 7 _

y  ::'

Generel! Electric c$mpany h ABVR 23A6100AS-Standard Plant' F ev .- EC- l I

TABLE 19K.11-1, FAILURE MODES & RAP.; ACTIVITIES (CONTIhUED)/ _

-]

UNAVAIL*- ]

TEST OR ABILITY,

.TAILURE RICCrNENDED MAINTENANCE = FAILURE g2ir;En .trer/CAUSE MAINTINANCE- 1M M VAL - BMl} RAT!

s HPCT Meanten- Tallure to open valve Independent vertiteetion of ' After Judsment 1.0E 2 ante Valve efter metatenance- volve position followit.g maintereanc e. -

maintenancel position 'before_-

verification before.startup startup Switch Yard Tetture results'in Inspect evitch'yerd equipment . 3 yeere Expertense - N/A Equipnent loss of offsite power for signs of incipient failure, such as insecure structures, 4 degraded insulatore, lenktes oil, Use thermoltsphy to detect-hot spots on transformere, insu1 store, circuit breakere &

connectore. Repair as necessary.

b RRR Flow Meters Comon mode Revtew calibration procedures Annual .Judseent: 5.0E 5: ,

statalibration .for note about potentiel safety

.aonsiderations E- Level 2 Sensors Common mode Review ca11bretton procedures Armuel Judsment  ; 2.4E*6 -

miscalibration for note about potential safety consideratione Level 8 Sensore Conman mode Review celtbretten procedures Annual Judament LCE S miste11bration for note about potential selety -

considerettone Digttel Trip Common cause failure Review trip unts test procedure- Annuel- 'Judsment; , 3.cE*7 -

Modules to trtp to assure note about potential-safety.considerettone ADS System SRVs Te11ure of several Inspect and replece degradable.. - $ years - Environmental 5.0E*6:

SRVs to open on parts and test.for correst .(naz) queltitcotton s

demand or f ailure to operation remain open- {

Remove velve, teet for setpoint 3 years. Erperience, pressure, adjust setpoint as ANSI /ASME' necessary, test for seat lenk* CM-1; p1.c age, repett, __ Stagger testina of . ,

valves, 504 at one outase control penet t.et -3 onthe Experience -

Amendment _ 11/04/92 19K-271

. e Can')rel Elsetric Cetp ny AWR 23A6100AS Standard Plant Rev. C TABLE 19K.11 1. FAILURE MODES & PAP ACTIVITIES (CONTINUED)

UNAVAIL-TEST OR - ABILITY, FAILURE REC 0mENVED MAINTENANCE FAILURE CTPortrf torr /CAUSj tyIF?t N CY INTERVAL PA318 RATE LCF Tusible Leakage Inspect for leakage R/M outage Judgment- ,1E 3 Flus Valves Teilure to open at Two of ten pluso replacad; 2 R/M Judament temperature tested te verify temgerature outages setpoint Fire =eter Tellure of pumps to 20 min pump et 1001 rated flow, 1 year Judgment 1E 1 System Pumps on provide required flow 150 pai Fire Truck et pressure 10 min puisp at 701 rated flow, 3 year Judgment 200 psi 40 min p ep at 501 rated flow. 1 year Judgment 250 poi Failure of system to Test system flow with fire truck 4 years Judgment 1E 1 deliver required flow pumps, water from tanks & free URS

- Test system flow with oc dstven 4 years Judgment and diesel driven pumps, water frem tanka & frras URS ACIWA Flow Tellure to accurately Measure sero flow and is11 4 years Judsment Note (1)

Instrumentation monitor flow system flow ACIWA Manuel Failed closed Review procedure to assure note 2 yeare Experience Note (1)

Velves following maintenance regarding safety consideratione ACIWA Diesel Failure to pump on Pump start test 3 acnthe Erperience 11 1 Pump demand Pump flow test 4 years Experience R!DL Non Safety Fe11ure to open ort Manually open and close valve 2 yeare Experience Note (1)

Related valve demand Piping of Piping failure that Piping visual inspection under S years Judgment Note (1) ac Independent precludes successful operating pressure to assure no Water Addition operation leak e Systen Piping support visual inspection 5 years- Judgment to assure structural edequacy Note (1): ACIWA system unevettability ranges frein IE-1 to 1E 2 depending on time evellable for operator action.

Amendment _ 11/11/92 19K 28

.. General Electric Company AB'JR 23A6100AG ltamfard Plant Rev. C TABLE 19K.11 1, FAILURE MODES & RAP ACTIVITIES (CONTINUED)

UNAVAIL.

TEST OR ABILIIy, TAILURE RECCrtENDED MAINTEKANCE TAILtT4 G W.NTNI Ttt /CETE m!NTEN ANCE INTERVAL - IA315 P> T E COPS A0Vs Inadvettently left Stroke test; position tndication R/H outage Erpertence pote (t) open following check; verificetton of local and maint en anc e control room indication followans test COPS Rupture ratture to open on Disk toplacement 3 years ASME Code Note (2)

Diske demand Veritteetion of actuetton within 5 years A2 E Ccde 21 of rated pressure COPS Flow Lines Flow blockage Flow test to aneure no blockage 5 years Judgment Note (f.

in line Fire Barriors Failure to retain Inspection of fire berriers, 1 year & Judgment N/A Between Rooma integrity including seals and penettettone after major maintenance Smoke Removal Tetlure to maintain operate system to eseure that it 1 year Jadament N/A System low race pressure functions as designed Remote Shutdown Tellure to provide Demonstrate ahtlity to shut down R/M outage Judgment N/A Panel control for reactor reactor and remove decay heat by shutdown operation et remote shutdown panet Turbane Batid- Tellure to retain Inspection of water barriers, 1 year & Judgment N/A ang & ECC5 Room integrity includir.s penetratione after major Water Barriera maintenance R5W Isolation Ta11ure to close on Stroke test 1 month Erpertence 42 3

. Valves demand R5W Pump Teilure to trip pump Breater trip test to esaure trip 6 monthe Judgment IE*3 Circuit on demand on demand Break ers CRD System Flow Teilure to increase Review CRD operating procedures 2 years Judgment 2.01 2 Increase CRD flow in shutdown to assure that steps to provide incraesed flow ere constatent with SIL 200 Note (2): COPS system unavailability ranges fica 1E-2 to SE 2 depending on drywell-to-wetwell differential pressure.

Amendment _ 11/11/92 19K 29 j

,0'-- -

^

,, , ,. ' Gen 3ral Electric:Co Ipany. "

'ABWR' 23A6100AS-S ta.ndard - Pl ant - Rev. 'C- .

n, TABLE 19K;11 1i TAILURE MODES & RAP.ACTIVITIESt(CONTINUED):

UNAVAILa.-

- Test OR : - JA31L27Y, TAILL%E - - RECCPNENDED MAINTENANCE- FAILURE' fj2'POWIFT fCff/CAUSE MAINTENANG _' INTDV AL RgM .. . RATE .. _

RCIC Flow - Senser felle Ca11bretton of sensor = :Esperience-n/M outese 2.9E 4- .

Sensor TT 007-2 'l Misceltbratton Review elabratiets procedurse - .;R/M outase:- -Judseent 5.01 3- ;i for nu e about potential safety : .g  !

comenderettone -. j RCIC Fressuro Sensor falle Ce11bretton of eeneer - R/Modtese ; ' Espertence ~ 1,tE*5 8ensor FIS 2603 j Misce 11bretton Review ea11bration procedures: R/M outese Jedament L $,0E 5 - [

for note about potential safety 7~

- considerations. ,.

N13 leolation Falle to open Leak rate test and subsequent R/M outage- Erpstience. 1'.4E 4; -j Check Velves operetton of valvee 0033 ( 0049 ,

Wls Manuel Normally open valve Stroke test _ . R/M outase Esperience_. 1.3E a /*

valve F0053 falla closed (NOFC) de Div 1 Dis- Penel fatture Panel-function to demonstrated :3 months' -Emperience- -$,8E*6 tribution Fans 1 by eyetse test -

Div 1 EMS Fetwork failure System functionel test-- 3 months-1  : Esportonce '. J$,9E*4-Transains ton .

~

Network . Complete system test, errer '2 yeare lExpertence_ i check' Combueston Failure to start and.' Start and operate CTG _et retodi Monthly: -.Erportonce- ' $,0E 2 - ,

Turbine- run speed and lood for.1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />

' Generator (CTG)

~

Check oil levele, check for 4 Monthly Espertence? y_

leake L - Sample, analyse oil- . 3 monthe. ~ Experaence -

I.

l Replese oil and (11teret-inspect R/M outase Experience l~ inlet and outlet'plenuma and- .a

[ entire e&sembly

=)

h.<

e ll '

l{

-Amendment _ 11/11/92 19K-30,

~

{4 e a

il 04nsrel Electric (.orpeny

( =.. a<. Aggg 23A6100AS Standard' Plant Rev. C L

! TABLE.19K,ll 1. FAILURE H0 DES 6, RAP ACTIVITIES (CONTINULD)7

.UNAVAIL -

-TT57 OR -'A2!LITY,1 TAILURE RECGtENDED ... MAINTINANCE - FAILi RE C22grifl MQDELCAl'SE tiaLMIIJ!AKg TN m vat agig ~ J MTE _..

Structures of Structural failure of Setemic welkdown to assure 10 years Judseent.- N/A.

as Power EDGo, supporte durins structural inteStity e60 Vat Trans- eensais event formen & ICCol Visuel inspection, support 10 yeare Judseent N/A de Betteries, structures & devices. .

3ettery Rocks &

Inverters; PSW Post

  • earthquake evaluation After CBE or Judgment N/A Pumps , IIKs . & leraer quehe -

A/C Units; SLC Tank & Pumps; &

Pumps of 8 PCT, .3 ACIWA & RER Single Train of Ceaumon mode type System walkdcun to identify CCF R/H outa.ge. Jud68eent . N/A . IN RER System failure type problems (5hutdown i Cooling & LFFL.

Modes) 3

- . Sinste Train of Common mode type Syntes wendown to identify CCF R/M outose - Judgement N/A- ,

BPCF System failure type probles.? q Single Train of Cceanon mode typ3 Systee walkdown to identify CCF R/M outa6e' :Judsoment -- M / A . ,

CUW Systee failure type problems t

Single Train of Cousion mode type System walkdown to ident&ty CCF R/M nutage, Judsoment N/A R3W Systee tailure type problems e

$1ngin Train of Common ende type System wendown to identify CCF R/H outase. 'Judsoment - N/A '

se Electrical failure type problems

- 4 Systen , ,

. 4 f

5

.5 y.

h P

6 a

+

f h

N 3

- Amendment: _ .11/11/92 19K[

1)

J +'

~ - , c , . .