Text

.

4 UNITED STATES

,f g

NUCLEAR REGULATORY COMMISSION L

j WASHWGTON D. C. 20655

\\...../

Jt312 8155 MEMORANDUM FOR: Comissioner Asselstine FROM:

William J. Dircks Executive Director for Operations

SUBJECT:

GESSAR II SEVERE ACCIDENT CONSIDEPATIONS This is in response to your memorandum to me dated May 22, 1985, concerning the compliance of the GESSAR II design with the provisions of 10 CFR 50.44(c)(3)(iv) and the technical resolution of USIs A-17, A-44, A-45, A-46 and A-47.

The requirements of 10 CFR 50.44fc)(3)(iv) apply only to licensees with boiling water reactors with Mark III Containments whose construction permits were issued before March 28, 1979.

For forward referenceability, however, the GESSAP II design must comply with the more stringent requirements of 10 CFR 50.34(f)(2)(ix) as required by the Severe Accident Policy Statement.

The review of GESSAR II for severe accident concerns has been ongoing since m

March 1982. During this period, GESSAR II has undergone certain design changes in anticipation of the requirements of the Severe Accident Policy Statement. Two of these design changes relate to the accommodation of possible hydrogen generation as required by 10 CFR 50.34(f)(2)(ix). These

'\\

design changes are: (1) provisions for an ignition-type hydrogen control system consistent with a staff-approved system that will result from the Hydrogen Control Owners Group review for the Grand Gulf Nuclear Plant, and (2) increasing the Mark III Conteinment strength to 45 psig Service 1.evel C.

~

Plant Protection System (UPPS)gn is provided with a system called the Ultimate i

In addition the GESSAR II desi The UPPS has the ability of reducing the l

probability of hydrogen production by preventing degraded core conditions that could result from a station blackout or some other debilitating condition.

The UPPS is~ designed to provide reliable core cooling, reactor pressure vessel depressurization,'and containment heat removal capabilities that are independent of all electrical power sources. All functions of the UPPS will be accomplished by the use of air-operated valves using a bottled air source.

l The normal water supply for UPPS is the existing fire protection system.

However, if the diesel fire pumps are not available, make-up for core cooling L

- can be accomplished through the use of a site-dedicated fire truck connection.

CONTACT:

-D. Scaletti, SSPB Ext. 29787 I

I M

k$

47 A

PM

7

.o-

, The staff believes that the inclusion of the aforementioned systems in the GESSAR II design scope demonstrates compliance with 10 CFR 50.34(f)(2)(ix).

This natter has been discussed in Supplenent 2 to the GESSAR II Safety Evaluation Report (NUREG-0979) and will be discussed further in Supplement 4 which is expected to be issued in June 1985.

With regard to the USIs, A-17 (Systems Interaction) A-44 (Station Blackout) and A-45 (Shutdown Decay Heat Removal) have been addressed for the GESSAR II design as described in Supplement 2 to the SER (copies of the relevant pages are provided as Enclosure 1). The evaluation of A-47 (Safety Implication of Control Systems) for GESSAR II is provided as Enclosure 2 This evaluation will be included in Supplerent 4 to the SER. With regard to USI A-46 (Seismic Oualification of Equipment in Operating Plants), GESSAR II was designed using current seismic criteria and commitments for seismic equipment qualification which are in accordance with the latest codes and standards.

Therefore, USI A-46 is not applicable to GESSAR II.

Finally, the major improvements in the GESSAR II design over the current BWR/6 Mark III plants are as follows: the strength of the Park III containment has been increased to 45 psig Service Level C; the UPPS has been added; and GESSAR II has been designed to withstand a 0.39 SSE.

(Signe0 William l.Dircks William J. Dircks Executive Director for Operations

Enclosures:

As stated cc: Chairnan Palladino Commissioner Roberts Conmissioner Bernthal Commissioner Zech OGC OPE SECY DISTRIBUTION iCentreT File

?

WDircks JPee "NRC PDR w/cf of' incoming DCrutchfield/CSchum TPehm

~

Local PDR w/cy of incoming HThompson/MJambor VStello ED0 #000662 CThomes PMirogue ED0 Reading DScaletti GCunningham SSPB Reading (w/cy of incoming)

PAnderson OELD

• SEE PREVIOUS CONCURRENCE SHEET f\\

DL:SSPB*

DL:SSPB* DL:AD/SA*

D:DL*

D: DST

• RR D:f(RIl ED0// '

OScaletti:tm CThomas DCrutchfield HThenpson TSpeis but HDeV on WDircks 05/31/85 05/31/85 05/31/85 06/03/85 06/13/85 06 85 06/

8506/g/85

. The sta#f believes that the inclusion of the aforenentioned systems in the CESSAR II design scope demonstrates compliance with 10 CFR SD.34ff)(P)(ix).

This ratter has been discussed in Supplement 2 to the GESSAR II Safety Evaluation Report (flUREG-0979) and will be discussed further in Suoplement 4 which is expected to be issued in June 1985.

With regard to the USIs, A-17 (Systens Interaction) A-44 (Station Blackout) and A-45 (Shutdown Decay Heat Removal) have been resolved for the GESSAR II desinn es described in Supplement 2 to the SER (copies of the relevant pages are provided as Enclosure 1). The resolution of A-47 (Safety Implication of Control Systems) for GESSAR II is provided as Enclosure 2.

This evaluation will be included in Supplement 4 to the SEP..,With regard to USI A-46 (Seismic Oualification of Equipment in Operating Plants), GESSAR II was desioned using current seismic criteria and coninitrents for seismic equipment cualification which are in accordance with the latest codes and standards.

Therefore, USI A-46 is not applicable,to GESSAR II.

Finally, the major improvenents in th'e GESSAR II design over the current BWR/6 Mark III plants are as follows: the strength of the Mark III contairrert has been increased to/45 psig Service Level C; the UPPS has been added; and GESSAR II has bee'n designed to withstand a 0.39 SSE.

/

/

/

/

William J. Dircks

/

Executive Director for Operations i

Enclosures:

/

As stated

/

DISTRIBUTION Dentral File flRC PDR w/cy of incoming Local PDP w/cy of jncoming ED0 #000662 E00 Reading SSPB Reading (w/c'y of incoming)

OELD PDircks DCrutchfield/CSchum HThompson/MJambor CThomas DScaletti Pfederson

• SEE PREVIOUS CONCURREffCE SHEET g

DL:SSPB*

DL:SSPR* DL:AD/SA*

D:N D.

T DD:NPR D:NRR ED0 DScaletti:tn CThomas DCrutchfield PTher.pso S is DEisenhut HDenton WDircks g/85 06/ /85 06/ /85 06/ /85 05/31/85 05/31/85 05/31/65 06/03/85 0

, With regard to the USIs, A-44 (Station Blackout) and A-45 (Shutdown Decay Heat Removal) are technically resolved by the UPPS's ability to maintain reliable core cooling. USIs A-17 (Systems Interaction) and A-47 (Safety Implication of Control Systems) are outside the scope of the GESSAR II design due to their plant / site specific nature and, therefore, will be reviewed on i

utility-specific applications. With regard to USI A-46 (Seismic Oualification of Equipment in Operating Plants), GESSAR II was designed using current seismic criteria and commitments for seismic equipment qualification which are in accordance with the latest codes and standards. Therefore, USI A-46 is not applicable to GESSAR II. The technical resolution of these USIs are discussed in detail in Supplement 2 to the GESSAR II Safety Evaluation Report.

Finally, the major improvements in the GESSAR II design over the current BWR/6 Mark III plants are as follows: the strength of the Mark III containment has been increased to 45 psig Service Level C; the UPPS has been added; and GESSAR II has been designed to withstand a 0.3g SSE.

William J. Dircks Executive Director for Operations DISTRIBUTION Central File

/

NRC PDR w/cy of incoming

/

Local PDR w/cy of incoming

/

EDO #000662 EDO Reading

/

SSPB Reading (w/cy of incoming)

OELD WDircks DCrutchfield/CSchum HThompson/HJambor f

DScaletti 1

PAnderson

/

)

/

o:

n, '~ l ' i~'-

e

tm QD o

g

/5//85 05/J //85 05

/85

/ ]/8 05/ /85 i

Enclosure i USI A-17:

Systems Interaction The design, analysis, and installation of systems in a nuclear power plant are frequently the responsibility of teams of engineers with functional specialties--

such as civil, electrical, mechanical, or nuclear.

Experience at operating plants has led to questions of whether the work of these functional specialists is sufficiently integrated to enable them to minimize adverse interactions among systems.

Some adverse events that occurred in the past right have been prevented if the teams had ensured the necessary independence of safety systems under all conditions of operatien.

GE has not described a complete or comprehensive program that separately evaluates all safety related structures, systems, and components for adverse systems interactions.

The GESSAR II nuclear island was reviewed against the' Standard Review Plan (NUREG-0800) which contains the regulatory criteria for the interdisciplinary reviews.

the SRP are provided in the SER for GESSAR II (NUEEG-0979).The staff While GE has not described a separate program addressing systems interactions GE states that provisions are included in the PRA methodology to identify com-monalities and dependencias that could result in adverse systems interactions.

These provisions included using the minimal cutsets derived from system-level fault trees that were linked through event trees developed for the PRA event sequences.

The procedure calls for the use of a consistent nomenclature for basic components and events for all systems throughout the plant and to identify commonalities and dependencies whenever the same basic item occurred as an element in cutsets of different systemic fault trees.

' The GE effort to identify common cause events, common-mode failures, and inte system dependencies has gone beyond the licensing basis to address the systems interaction issue for the GESSAR II design and is being done in advance of the issuance of any formal NRC guidance or requirements.

In the absence of criteria and requirements, no conclusions can be made concerning the adequacy and completeness of GE's additional work.

On the basis of experience with the systems interaction issue, the staff identi-fled the following concerns:

(1)

The system-level failure modes and effects analyses considered only the failure effects within a system.

(2) The RPS, RCIC, RHR, remote shutdown, S8GT, and some HVAC systems were excluded from the failure modes and effects analyses.

(3)

The balance of plant systems upon which the GESSAR II systems depend were not within the scope of the GE efforts.

(4) Spatially coupled systems interactinns could not be analyzed because the GESSAR II design is yet to be constructed.

GESSAR II SSER 2 3

Appendix C

k GESSAR II has been evaluated against current licensing requirements that are founded on the principle of defense in depth.

Adherence to this principle results in requirements such as physical separation and functional independence of redundant safety equipment.

Considering GE's PRA analysis and GE's compliance with current SRP guidelines, the staff finds that some assurance exists that adverse systems interactions that pertain to GESSAR II design will be minimized; however since systems interaction is an issue that applies to complete plant designs, the staff will require that the systems interaction and PRA studies be completed by applicant-performed programs that supplement the work that GE has done on the nuclear island.

The final assurance must be deferred until an applicant makes refer-ence to the GESSAR II design.

The applicant must either address the above concerns or comply with any requirements produced from the resolution of USI A-17.

GESSAR II SSER 2 4

Appendix C

i i

i j

i USI A-44:

Station Blackout Electrical power for safety systems at nuclear power plants must be suppl.ied by at least two redundant and independent divisions.

The systems used to remove decay heat to cool the reactor core following a reactor shutdown are included among the safety systems that must meet these requirements.

Each electrical division for safety systems includes two offsite alternating current i

(ac) power connections, a standby emergency diesel generator ac power supply, and direct current (dc) sources.

The term " station blackout" refers to the complete loss of ac electric power to the essential and nonessential buses in a nuclear power plant.

Station blackout therefore involves the loss of offsite power concurrent with the failure of the onsite emergency ac power system.

Because many safety systems required for core decay heat removal and containment heat removal are dependent on ac power, the consequences of station blackout could be severe.

USI A-44 involves a study of whether or not nuclear power plants should be designed to withstand an extended station blackout.

This issue arose because of the accumulated experience regarding the reliability of ac power supplies.

There have been numerous instances of emergency diesel generators failing to

• tart and run in response to tests conducted at operating plants.

In addition, s

a number of operating plants have experienced a total loss of offsite electrical power, and more occurrences are expected in the future.

In almost every one of these loss-of-offsite power events, the onsite emergency ac power supplies were available immediately to supply the power needed by vital safety equipment.

However, in some instances, one of the redundant emergency power souces has been unavailable.

In a few cases there has been a complete loss of ac power, but during these events, ac power was restored in a short time without any serious consequences.

The major areas of study in A-44 included the likelihood and duration of the loss of offsite power, the reliability of onsite emergency ac power sources, and the potential for severe accident sequences after a loss of all ac power.

Significant factors that contribute to risk from station blackout events were identified and evaluated.

On the basis of this evaluation, the staff has proposed recommendations to resolve this issue, but the resolution is not yet final.

l f

GESSAR II SSER 2 5

Appendix C 3

The proposed resolution.of A-44 would require nuclear power plants to be capable of coping with a station blackout for a specified duration.

The duration would be determined on the basis of the following site-specific characteristics:

(1) the redundancy of onsite emergency ac power sources (number of diesel generators available for decay heat removal minus the number needed for decay heat removal), (2) the reliability of onsite emergency Ec power sources (e.g., diesel generator), (3) the frequency of loss of offsite power, and (4) the probable time to restore offsite power.

For generic resolution of A-44, the capability and capacity of all systems necessary to provide core cooling and decay heat removal for the duration of the station blackout should be assured.

The following items should be included in this evaluation 1

de battery capacity condensate storage tank capacity compressed air capacity leakage from pump seals that could result in loss of reactor coolant inventory needed to maintain core cooling operability of necessary equipment in an environment resulting from a station blackout (i.e., without HVAC)

In addition to the above, the proposed resolution includes recommendations to improve and maintain the reliability of onsite emergency ac power sources at or above specified minimum levels.

A loss of all ac power was not a design-basis event for the GESSAR II nuclear island.

If both offsite and onsite ac power are lost however, the plant does have the capability to respond successfully, for a limited time, by relying on various backup systems.

GESSAR II can utilize a combination of safety / relief valves, de power systems, and the reactor core isolation cooling (RCIC) system to remove core decay heat without reliance on ac power.

These systems have the capability to ensure that adequate cooling could be maintained for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

The loss of ac power for a period of time exceeding 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> has been analyzed in the GESSAR II PRA.

This event was found to be a dominant contribution to core-damage frequency.

This accident was found to contribute approximately 79% of the total core-damage frequency (as modified by BNL review).

Although the relative frequency was still quite low (approximately 3 x 10 5 per reactor year), station blackout events were identified as fruitful areas for risk reduction efforts.

Further work by GE indicated a station blackout capability exceeding 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> is possible assuming credit for straightforward operator actions and potential design improvements.

A preliminary assessment by BNL indicated that this would reduce core damage from internal events by a factor of approximately 2.

In addition to extended station battery capacity, GE has proposed an ultimate plant protection system (UPPS) which significantly improves the plant's capa-bility to respond successfully to total station blackout events.

Details of GESSAR II SSER 2 6

Appendix C

i t

I this system and of the proposed battery extended capability are discussed in 4

Section 15.6.3 on design improvements.

This modification, considered tc.lether with the ability to withstand a station blackout for 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, gives the staff r

confidence that the resolution of USI A-44 has been achieved in a manner that will result in low public risk from the issue.

This conclusion is confiiniatory subject to the completion of the staff review of the UPPS and extended strtion battery capacity.

i' USI A-45:

Shutdown Decay Heat Removal The primary objectives of the USI A-45 program are to evaluate the safety i

adequacy of decay-heat removal (DHR) systems in existing light-water reactoi (LWR) power plants and to assess the value and impact (or cost-benefit) of alternate measures for improving the overall reliability of the DHR function.

The A-45 program is conducting probabilistic risk assessments and determinist c evaluation of those DHR systems and support systems required to achieve hot-shutdown and cold-shutdown conditions in both pressurized-and boiling-water reactors.

Integrated systems analysis techniques are being used to assess the i

vulnerability of DHR systems to various internal and external events, includ-ing transients, small-break loss-of-coolant accidents, and special emergency challenges, such as fires, floods, earthquakes, and sabotage.

State-of-the-art

{

cost-benefit analysis techniques are being utilized to assess the net safety benefit of alternative measures to improve the overall reliability of the DHR system.

l At this time, the staff in its safety assessment for generic resolution of A-45 1

considers the following alternative measures for improving the overall reliabil-I ity of the DHR function:

i (1) Improved operating and/or procedural changes that would strengthen the i

availability of decay-heat removal.

(

(2) In conjunction with (1) above, the staff will search for alternate paths for decay-heat removal wherein existing equipment is used in atypical modes of DHR (e.g., bleed and feed in PWRs).

(3) Add on dedicated shutdown decay-heat-removal systems.

The GESSAR II PRA indicated that shutdown cooling system failures (following a transient) accounted for less than 1% of the original PRA core-damage fre-quency from internal events.

However, staff reassessment indicated core-damage contributions attributable to failures of the DHR systems is nearer to 7% of the total frequency.

Additionally, the PRA did not consider DHR system failures when the plant is in extended shutdown mode.

Additional core-damage frequency contribution from this failure mode may exist; however, it probably would not exceed the contri-bution from the previous effect.

Actual core-damage contribution because of RHR failures may, therefore, be a few percent of total core damage.

GE has also proposed an alternate diverse DHR system called the ultimate plant protection system (UPPS). The staff has not fully evaluated the capabilities of this system.

However, it would appear to significantly enhance the ability to mantain decay-heat removal following extensive system failures from internal GESSAR II SSER 2 7

Appendix C

and external events.

Since the staff seismic review is incomplete, these pre-liminary conclusions may be impacted. The staff will report on its UPPS evalua-tion in a future supplement to the SER.

Therefore, because of the low contribu-tion to the core-damage frequency attributable to DHR system failures, a favor-able finding on the UPPS may demonstrate satisfactory resolution of USI A-45.

The staff's conclusion on UPPS will be reported in a future supplement to the SER.

c GESSAR II SSER 2 8

Appendix C w

USI AJ7: Safety Implication of Control Systems This issue concerns the potential for accidents or transients heir.p made more severe as a result of non-safety-grade control system failures or malfunctions. These failures or malfunctions may occur independently or as a result o# cn accident or transient, and would be in addition to any control system failure that may have initiated the event.

It is generally believed thet control system failures are not likely to result in loss of safety functions which could lead to serious events or result in conditions that safety systems are not able to cope with.

In-depth studies for all the non-safety-grade control systems have not been performed, however, and there exists some potential for accidents or transients being made more severe than previously analyzed, as a result of some of these control system failures or malfunctions.

Failure or malfunction of the non-safety-grade control system can potentially (1) cause a steam generator reactor vessel overfill, or (2) lead to a transient (in PWRs) in which the vessel could be subjected to severe overcooling.

In addition, there is the potential 'or an independent event such as a single failure, or a comon-mode event, to cause a ralfunction of one or several control systems which would lead to an undesirable control action, or provide misleadino information to the plant operator.

The purpose of this unresolved safety issue is to perform an indepth evaluation of the non-safety-grade control systems that are typically used during norrel plant operation to evaluate the need for requiring control system changes in operating reactors and to verify the adequacy of current licensing design requirements or propose additional guidelines and criteria to ensure that nuclear power plants do not pose an unacceptable risk from inadvertent failure of such controls.

It should be recognized that the effects of control system failures during accident or normal plant operation may differ from plant to plant, and therefore it may not be possible to develop peneric solutions to these concerns.

It is possible, however, to develop generic criteria that can be used for the plant-specific reviews.

The GESSAR safety systems have been designed with the goal of ensuring that control system failures (either single or multiple) will not prevent automatic or manual initiation and operation of any safety system equipment required to trip the plant or to maintain the plent in a safe shutdown condition followino any enticipated operational occurrence or accident.

l This has been accomplished by either providing frdependence between safety-and nonsafety-prede systems or by providing isolating devices between safety-and non-safety-grade systers. These devices preclude the propagation of nonsafety-grade system equipment faults so that operation of the safety-grade system equiprent is not impaired.

In addition, the i

UPPS can provide RPV depressurization, core conling, and containment venting and heat removal independent of electrical power (ac and dc) thus further reducing the likelihood of core damage resulting from a control system failure.

b 2-Much of the design evaluation required to resolve concerns related to the failure of centrol systems is outside the scope of GESSAR II (see N' REG-0979, J

Section 7).

It is the responsibility of the utility applicants who reference the GESSAR II design to provide the necessary evaluations of the control systens which are required by NUREG-0979 and which will be required by the resolution of USI A-47 The GESSAR II PRA analysis, although not explicitly, does include consideration of control system failures in the data base utilized for transients and the fault trees.

With regard to the concern with reactor vessel overfill transients, connercial-grade high-level trips (Level 8) for feedwater and turbine have been installed in most BWRs, including the GESSAR II design, to terminate flow from the appropriate systems.

Periodic surveillance testino of these hiqh-level trips is required by the Technical Specifications.

No overfilling events beve occurred since the Level 8 trips were installed.

Independent high-level safety-grade trips are also provided for the RCIC and FPCS systems.

In addition, the GESSAR II design employs a high-level scram that reduces the consequences of an overfill event.

Further, severe overcooling is not a problem in BHRs which, unlike PWRs, operate a substantially lower pressures.

On the basis of the existing overfill protection provided in the GESSAR II design and the requirement that utility epplicants referencing the GESSAR II design provide the necessar," eveluation of the control systens which are required by NUREG-0979 and which will be recuired by the resolution of USI A-47, the staff conludes that USI A a7 has been adequately addressed for GESSAR II.

i t

4 a

' [.

es:g#o UNITED STATES

,8 g

NUCLEAR REGULATORY COMMISSION 3

l tWASH80eGTON. D. C. 20666

%'.."...+/

EDO PRINCIPAL CORRESPONDENCE CONTROL 9

FROM:

DUE:.:06/0E EDO CONTROL: 000662 COMMISSIONER ASSELSTINE 7 fad E#h%

h FINAL P

r[ I//MTb" 0

LL TB W tMW C 0 e9 AO*Y DIRCKS FOR S10 NATURE OF

• • PRIORITY mm SECY NO:

EXECUTIVE DIRECTOR DESC:

ROUTINO:

DIRCKS

. GESSAR ROE REHM STELLO MINOGUE DATE: 05/22/85 GCUNNINGHAM

. ASS 10NED.TO: NRR CONTACT: DE_NTON_

'SPECIAL INSTRUCTIONS OR REMARKS:

,',j>

RECEIVED NRR:.05/23/85._

(ACTION:'

f H. : Thompson,~ DL,,

(Inputito;be-plroide'fromDST)

Owlc ROUTING: DENTON/EISENHUT

~

PPAS T. Speis, DST 6

f d'