ML20132F713
| ML20132F713 | |
| Person / Time | |
|---|---|
| Site: | 05000447 |
| Issue date: | 07/31/1985 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| NUREG-0979, NUREG-0979-S04, NUREG-979, NUREG-979-S4, NUDOCS 8508020356 | |
| Download: ML20132F713 (91) | |
Text
. ._ __
- Supplement No. 4 Safety Evaluation Report related to the final design approval of the GESSAR ll BWR/6 Nuclear Island Design Docket No. 50-447 General Electric Company U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation July 1985 RER"!88!R888?8147 E PDR
- O NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
- 1. The NRC Public Document Room,1717 H Street, N.W.
Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013 7082
- 3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Docu-ment Room include NRC correspondence and internal NRC memoranda; NRC Office of inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
-The following documents in the NUREG series are available for purchase from the NRC/GPO Sales i Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
1 Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations,and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Com-mission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.
NUREG-0979 Supplement No. 4 Safety Evaluation Report related to the final design approval of the GESSAR 11 BWR/6 Nuclear Island Design Docket No. 50-447 General Electric Company U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation July 1985 f." m,,,,
{f
7
- ABSTRACT Supplement 4 to the Safety Evaluation Report (SER) for the application filed
, by General Electric Company for the final design approval for the GE BWR/6 l nuclear island design (GESSAR II) has been prepared by the Office of Nuclear R: actor Regulation of the Nuclear Regulatory Commission. This report supple-ments the GESSAR II SER (NUREG-0979) issued in April 1983 summarizing the I rssults of the staff's safety review of the GESSAR II BWR/6 nuclear island d2 sign; Supplement 1, issued in July 1983; Supplement 2, issued in November
- 1984; and Supplement 3, issued in January 1985. Subject to favorable resolu-tion of the items discussed in this supplement, the staff concludes that the GESSAR II design satisfactorily addresses the severe-accident concerns-described in the~ Commission's Policy Statement on Severe Reactor Accidents Rsgarding Future Designs and Existing Plants.
t 1
c p
- j. GESSAR II SSER 4 iii
TABLE OF CONTENTS P_ age ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii ACRONYMS AND INITIALISMS . . . . . . . . . . . . . . . . . . . . . . vii 1 INTRODUCTION AND GENERAL DISCUSSION . . . . . . . . . . . . . . 1-1 1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . .
- 1. 8 Summary of Outstanding Issues 1-1
.............. 1-1 1.9 Confirmatory Issues ................... 1-2 1.10 Interface Information .................. 1-2 3 DESIGN CRITERIA FOR STRUCTURES, SYSTEMS, AND COMPONENTS . . . . 3-1 3.8 Design of Seismic Category I Structures ......... 3-1 3.8.5 Foundations . . . . . . . . . . . . . . . . . . . . 3-1 15 TRANSIENT AND ACCIDENT ANALYSIS . . . . . . . . . . . . . . . . 15-1 15.3 Radiological Consequences of Design-Basis Accidents. . . . 15-1 15.3.1 Loss-of-Coolant Accident . ............ 15-1 15.6 Severe Accidents . . . . . . . . . . . . . . . . . . . . . 15-1 15.6.2 Major Review Results and Conclusions From PRA Review ................. 15-1 15.6.3 Consideration of Potential Design Improvements . . 15-8 APPENDIX A CONTINUATION OF CHRONOLOGY APPENDIX 8 REFERENCES APPENDIX C UNRESOLVED SAFETY ISSUES AND GENERIC SAFETY ISSUES APPENDIX E PRINCIPAL STAFF CONTRIBUTORS AND CONSULTANTS APPENDIX G COMPLIANCE WITH CP/ML RULE (10 CFR 50.34(f))
I l
i GESSAR II SSER 4 v
TABLE OF CONTENTS (Continued)
P_ age FIGURES 15.1 GESSAR II Mark III containment: typical fission product release pathways with drywell intact ............ 15-27 15.2 GESSAR II UPPS ....................... 15-28 15.3 Monetized risk potential for further risk reduction in GESSAR II for internally generated severe accidents . . . . . 15-29 15.4 Monetized risk potential for further risk reduction in GESSAR II for externally generated events (seismic) . . . . . 15-30 TABLES
- 1. 2 Interface items . . . . . . . . . . . . . . . . . . . . . . . 1-3 15.1 Conditional consequences predicted by the staff for internally initiated events and probability of occurrence with and without UPPS, per reactor year . . . . . . . . . . . 15-31 15.2 Conditional consequences predicted by the staff for externally initiated events (seismic) and probability of occurrence, per reactor year ................ 15-32 15.3 Potential design improvement groups for GESSAR II . . . . . . 15-33 15.4 Potential design improvements for GESSAR II . . . . . . . . . 34 15.5 GESSAR II potential design improvements, ranked by cost-benefit ratio ..................... 15-38 15.6 RDA study results for GESSAR II, Mark III containment mitigation ......................... 15-39 15.7 Designs and design modifications evaluated ......... 15-40 15.8 Estimated frequency of core damage resulting from internal events for GESSAR II base case and with design modifications ..................... 15-41 15.9 'Public risk from internal events (person-rems per unit per year) per GESSAR II base base and with design modifications . . . . . . . . . . . . . . . . . . . . . . . . 15-42 15.10 Estimated frequency of release categories resulting from seismic events for GESSAR II base case and with design modifications .................... 15-43 15.11 Seismic risk, person-rems per unit year . . . . . . . . . . . 15-44 15.12 Core-melt frequency probabilities (per year) for GESSAR II base case'and with design modifications . . . . . . 15-45 15.13 Estimated accidental releases to the public (person-ress per year) for GESSAR II base case and with modifications .. 15-45 15.14 Containment failure classes . . . . . . . . . . . . . . . . . 15-46 15.15 Release categories ..................... 15-47 15.16 Monetized worth of risk reduction . . . . . . . . . . . . . . 15-48 GESSAR II SSER 4 vi
.~ - .. - .- . .- . . - - . ._ . . - - .. .
D l
ACRONYMS AND INITIALISMS APRM average power range monitor ASME American Society of Mechanical Engineers ASTP0 Accident Source Term Program Office ATWS anticipated transient (s) without scram BNL Brookhaven National Laboratory B0P balance of plant BWR boiling-water reactor C/B cost-benefit CDF core damage frequency CFR Code of Federal Regulations CP construction permit
-CRGR Committee to Review Generic Requirements CRT cathode-ray tube DAS data acquisition system DCRDR Detailed Control Room Design Review DEGB double ended guillotine break DF decontamination factor DOP data output peripherals DPS data processing system ECCS emergency core cooling system EMI electromagnetic interference EPG Emergency Procedure Guidelines ERIS- Emergency Response Information System FDA Final Design Approval FES Final Environmental Statement FSAR Final Safety Analysis Report GE General Electric Co.
GESSAR General Electric Standard Safety Analysis Report '
GSI generic safety issue HCOG Hydrogen Control Owners. Group HPCI high pressure coolant injection HPCS high pressure core spray IRM intermediate range monitor
-LLNL Lawrence Livermore National Laboratory LOCA loss-of-coolant accident LPCI low pressure coolant injection LPCS low pressure core spray LWR light-water reactor ML manufacturing license MTBF mean time between failures MTTR mean time to repair NPSH net positive suction head NRC Nuclear Regulatory Commission NTOL near-term operating license OL operating license f PDA Preliminary Design Approval PRA probabilistic risk assessment PWR pressurized-water reactor RCIC reactor core isolation cooling l GESSAR II SSER 4 vii 1
RCS reactor coolant system RDA R&D Associates RG regulatory guide RHR residual heat removal ROGR Regional Operations and Generic Requirements RPV reactor pressure vessel SLC standby liquid control SPDS safety parameter display system
'SRM source range monitor SRP Standard Review Plan SRV safety / relief valve SSE safe shutdown earthquake SSER Supplement to Safety Evaluation Report TMI-2 Three Mile Island Unit 2 UPPS ultimate plant protection system USI unresolved safety issue V&V verification and validation i aman l
l l
l GESSAR II SSER 4 viii i >
1 INTRODUCTION AND GENERAL DISCUSSION 1.1 Introduction On April 8, 1983, the Nuclear Regulatory Commission staff (staff) issued a Safety Evaluation Report (NUREG-0979) regarding the application by General Electric Company (GE) for a Final Design Approval (FDA) for GE's BWR/6 nuclear island design (GE Standard Safety Analysis Report, GESSAR II). In July 1984, Supple-ment 1 to the Safety Evaluation Report (SSER 1) was issued for GESSAR II, and en July 27, 1983, the Office of Nuclear Reactor Regulation issued FDA-1 for GE's BWR/6 nuclear island design. This approval allows the GESSAR II design to be referenced in operating license (OL) applications for plants that referenced the GESSAR-238 nuclear island design Preliminary Design Approval (PDA-1) at the con-struction permit (CP) stage of the licensing process. FDA-1 is the first Final Design Approval issued by the Office of Nuclear Reactor Regulation for a standard nuclear plant design or major portion thereof.
SSER 2 and SSER 3 were issued in November 1984 and January 1985, respectively.
They provide information related to the staff review of GESSAR II for severe-cccident concerns. The present supplement (SSER 4) provides more recent infor-mation regarding resolution or update of the open and confirmatory items identi-fled in SSER 3.
Each of the following sections and appendices of this supplement is numbered the same as the SER section or appendix that is being updated, and the discus-sions are supplementary to and not in lieu of those in the SER unless otherwise noted. Accordingly, Appendix A is a continuation of the chronclogy of the safety review. Appendix 8 is an updated list of references. Appendix C has been updated to include a further discussion of those unresolved safety issues cnd generic issues that remained unresolved in SSER 3. Appendix E lists the principal contributors to this supplement. Appendix G provides further discus-sion of compliance with the CP/ML Rule.
The NRC Licensing Project Manager for GESSAR II is Mr. Dino Scaletti.
Mr. Scaletti may be reached by calling him at (301) 492-9787 or by writing to him at the Division of Licensing, Office of Nuclear Reactor Regulation, U.S.
Nuclear Regulatory Commission, Washington, D.C. 20555.
1.8 Summary of Outstanding Issues During the course of the staff review of the GE probabilistic risk assessment (PRA) of the BWR/6 nuclear island described in GESSAR II, issues have been identified that remain unresolved. SSER 3 listed 12 outstanding issues that were either under staff review, under consideration, or awaiting information.
The issues relate to severe-accident concerns, and their unresolved status is attributable to the fact that (1) the staff needs to review existing informa-tion, (2) GE needs to supply additional information, or (3) the staff needs to consider the issue further. For those items discussed in this supplement, the relevant section is indicated in parentheses following the item.
GESSAR II SSER 4 1-1
Issue Status l Containment structural analysis (Appendix G) Resolved Hydrogen control measures, USI A-48 (Appendices C & G) Resolved Potential design modifications Resolved Safety parameter display system (Appendix G) Resolved Containment emergency sump reliability, USI A-43 Resolved (Appendix C)
Safety implications of control systems, USI A-47 Resolved (Appendix C)
Loads, load confirmations, stress limits, GSI B-6 Resolved (Appendix C)
Passive mechanical failures, GSI B-58 (Appendix C) Resolved Beyond-design-basis accidents in spent fuel pool, Resolved GSI 82 (Appendix C)
External events Relay chatter Under consideration Consequence analysis Resolved Pool bypass sequences Resolved 1.9 Confirmatory Issues SSER 3 listed six confirmatory issues that were either under staff review or awaiting information requiring a staff audit of available information. The tabulation below shows the current status of each of the six issues as well as the new confirmatory issues.
Issue Status Factor of safety against sliding (3.8.5) Resolved RHR and RCIC pool bypass (15.6.2) Under review Software engineering manual Awaiting staff audit Optical isolators Awaiting information Combustible gas control Under review Station blackout, USI A-44 (15.6.3) Resolved Shutdown decay heat removal, USI A-45 (15.6.3) Resolved SPDS performance evaluation (Appendix G) Under review i 1.10 Interface Information GESSAR II describes a standard BWR/6 nuclear island design. Consequently, GESSAR II does not describe an entire facility, but is limited in scope to those design and safety features associated with the nuclear island design. The design scope is defined in the SER and GESSAR II Section 1.2. GESSAR II also defines interface requirements that must be imposed on the reference plant (individual applicant referencing GESSAR II) so that the balance of plant (BOP) will provide compatible design features that will ensure the applicability, functional performance, and safe operation of the GESSAR II systems.
A summary of the interface requirements resulting from the staff review of the GESSAR II for severe-accident concerns is presented in Table 1.2 of this supplement. For a complete list of interface requirements, see GESSAR II (Section 1.9) and Table 1.2 of the SER and its supplements.
GESSAR II SSER 4 1-2
i i
Table 1.2 Interface items SER Section Item b.5 Factor of safety against sliding 15.6 Containment venting procedures Appendix C Safety implications of control systems, USI A-47 Appendix C Interfacing LOCA, GSI 105 Appendix G ERIS validation program and system availability l
GESSAR II SSER 4 1-3
3 DESIGN CRITERIA FOR STRUCTURES, SYSTEMS, AND COMPONENTS 3.8 Desian of Seismic Category I Structures 3.8.5 Foundations In SSER 1, the staff stated that GE was considering an approach similar to one cutlined in Appendix 3-7C-G of the San Onofre 2 and 3 Final Safety Analysis R: port (FSAR) (Southern California Edison and San Diego Gas & Electric) to eval-uate the factor of safety against sliding for the auxiliary and the control building. However, GE later decided not to pursue this approach and instead performed the revised sliding stability calculations for the auxiliary and con-trol building. These calculations considered the effects of passive soil pres-sure on the sides of the foundation resulting from the torsional rotation of the foundation during seismic excitation. GE submitted this approach and its results for staff review by a letter dated December 10, 1984.
The staff discussed this issue further with GE on several occasions. As a re-sult of these discussions, the staff determined that, because of the conserva-tism involved in the envelope approach used in the GESSAR II design, it would be difficult to calculate factors of safety against sliding for all site condi-tions. However, it is expected that individual applicants can demonstrate com-pliance with the staff acceptance criteria for sliding stability on a site-specific basis. Therefore, the staff requires that individual applicants ref-crencing GESSAR II demonstrate an adequate factor of safety against sliding for tha auxiliary and control building for their specific site conditions. With the incorporation of this interface requirement, the staff considers this issue r solved.
{
i GESSAR II SSER 4 3-1
15 TRANSIENT AND ACCIDENT ANALYSIS 15.3 Radiological Consequences of Design-Basis Accidents 15.3.1 Loss-of-Coolant Accident 15.3.1.1 Radiological Consequences of the Loss-of-Coolant Accident The radiological consequences of the loss-of-coolant accident (LOCA) originally reported in the SER were calculated using methods described in Regulatory Guide (RG) 1.3, " Assumptions Used in Evaluating the Potential Radiological Consequences of a Loss-of-Coolant Accident for Boiling Water Reactors." Position C.1.f of RG 1.3 states: "No credit is given for retention of iodine in the suppression pool." In SSER 2, however, the staff estimated pool decontamination factors ranging from 6 to 10,000 (from 83 to 99.99% retention in the pool) for the se-vere accidents considered.
The thyroid dose consequences reported in the SER are well within the guide-lines of 10 CFR 100. Had these doses been estimated more realistically by in-cluding the effect of suppression pool decontamination, thyroid doses very much smaller than those reported would have been calculated. The staff agrees with GE that positions in RG 1.3 and Section 6.5.2 of the Standard Review Plan (SRP, NUREG-0800) that allow no credit for pool retention of fission products nor de-contamination by BWR containment sprays are inappropriate for application to the GESSAR II design. For any application referencing the GESSAR II design, there-fore, the staff will explicitly consider suppression pool retention, suppression pool bypass, and containment spray fission product removal in assessing the site evaluation factors given in 10 CFR 100.
15.6 Severe Accidents 15.6.2 Major Review Results and Conclusions From PRA Review 15.6.2.5 GESSAR II Risk Findings (5) Containment Analysis Containment St.actural Analysis The findings reported here are based on two reports prepared by Brookhaven Na-tional Laboratory (BNL), BNL-NUREG-51790 and BNL-NUREG-51789. BNL provided an independent review of the containment capability and probabilistic analyses as contained in Appendix G of GESSAR II. Thes, reports contain the details of ana-lytical methods and assumptions used, technical information reviewed, acceptance criteria, and technical findings with respect to GESSAR II containment structure.
The staff has reviewed the reports and concurs with their technical findings.
The BNL review methodology and results for different structural analyses versus those of GE are summarized below.
GESSAR II SSER 4 15-1
Torispherical Steel Containment: Both BNL and GE agree that the torispherical dome of the Mark III containment vessel has a lower pressure-carrying capacity relative to other parts of the shell. Therefore, when the containment vessel is pressurized, the structural integrity is determined by the capability of the tortspherical dome.
BNL obtained failure results for the torispherical dome by different methods:
The Shield-Drucker plastic finite element approach and the small deformation elastic plastic finite element approach predicted that plastic collapse of the knuckle region would occur at 38 and 42 psig, respectively. GE's results using limit analysis found the limit pressure to be 38 psig. Thus the BNL predictions compare well with GE's.
However, in order to meet the 45 psig Service Level C limits, GE has nodified the head design of the GESSAR II steel containment into a three-centered tori-spherical dome (see Appendix G, Item (3)(v)). The pressure capability for this torfspherical dome is evaluated to be 52 psig by GE according to Level C limits.
The ultimate containment capacity is 83 psig in the knuckle region (GE letter, Dec. 3, 1984).
In the December 3,1984, letter, GE described the usefulness of containment venting for long-term overpressure protection. The venting will occur at an internal pressure significantly below the ultimate containment pressure-carrying capability of 83 psig. However the final venting guidelines and procedures must be provided by a utility applicant who references GESSAR II.
Drywell Head: The pressure loading to the drywell head is applied from the out-side. BNL's result for the plastic failure, based on large deformation finite element method, is evaluated at 190 psig in the knuckle region. GE's predic-tion, based on Level C stress intensity limit as defined in NE 3221 of Sec-tion III of the American Society of Mechanical Engineers Boiler and Pressure ,
Vessel Code (ASME Code), is 160 psig. The ultimate pressure capability of the drywell head is more than 160 psig.
Drywell Roof Slab: BNL modeled the drywell roof slab using layered finite ele-ments with non-linear reinforced-concrete material. The finite element ideal-ization details also included the pool walls to properly account for their stiffening effect on the roof slab. The results show that substantial cracking occurs at 125 )sig. In spite of this, however, the slab does not fail. The middle two-thi.*ds of the structure remains intact and the rebars are still plastic. It is thus concluded that the failure pressure for the drywell roof slab would greater than 125 psig.
GE modeled the roof slab as a rectangular plate with three edges built in and the fourth adge free. The ultimate moment capacity for a given section was determined to be equivalent to 163 psig. However, the ultimate section capac-ity in resisting shear force was calculated to be equivalent to 130 psig. Thus both BNL's and GE's results are considered to be compatible.
Containment Anchorage System: The Mark III standard plant containment pressure vessel is anchored to the concrete baserrat by two hundred forty 3-1/4-inch-diameter anchor bolts spaced uniformly around the circumference of the vessel.
On the basis of GE's calculations, the bolt material yield strength is 105 ksi GESSAR II SSER 4 15-2
and the tensile load per bolt is 705.6 kips which is equivalent to 104 psig in-ternal pressure. However, when the ultimate tensile strength of the bolt mate-rial is used, the corresponding internal pressure is evaluated to be 125 psig.
Also, based on 18-in. x 18-in. x 5-in. embedded bearing plate and 3000 psi com-pressive strength for the basemat concrete, the capability of the anchorage sys-tem was determined to be equivalent to 135 psig internal pressure. Therefore, the containment anchorage system capability is governed by the ultimate tensile strength of the bolt material (125 psig). Since it is based on the tensile strength of the bolt material, it is acceptable to the staff.
Independent Probabilistic Analysis of the Steel Containment: A probability-based reliability analysis method for containment structures developed at BNL was used for this evaluation. The limit state is defined as the first occur-rence of plastic yielding through the entire thickness of the containment wall during the lifetime of the structure. The plastic yielding will occur when the maximum shear force exceeds the product of the yield stress and the wall thick-ness, or when a plastic hinge is formed for a combination of bending and mem-brane forces.
On the basis of the given containment geometry and material properties, the BNL results are compatible with those reported by GE. For example, for the 50% limit state probability (probability of reaching yield), the mean internal pressure obtained by BNL is 46 psi and the GE value is 51 psi. This difference can be attributed to different limit states used for the two analyses. The GE result is based on the formation of three plastic hinges in the knuckle region; the BNL results are based on the first occurrence of plastic yielding. The results from both analyses are considered compatible.
Conclusion On the basis of the above discussions, the staff concludes that the GESSAR II containment structural capabilities for the containment shell, the drywell head, the drywell roof slab, the containment anchorage system, and the steel contain-ment probabilistic analysis results are acceptable to the staff. The conclusion is based on the comparisons of DNL's independent analysis results with GE's for the specific items mentioned above, as well as the staff's review evaluation.
(8) Consequences and Risk From Internally Initiated Severe Accident Events SSER 2 contains considerable detail concerning the assessments of internal events by the staff and its consultant. The discussion below is limited to providing an overview of the final results and the insights gained from those results.
Table 15.17 in SSER 2 gave the damage indices (conditional consequences) for three representative accident release categories for internal events. During the staff studies of potential design modifications, several additional se-quences were analyzed. Table 15.1 summarizes the results of all of the staff's internal event consequence calculations and provides the BNL estimates of the probability of occurrence for each release category shown for the GESSAR II design before and after the addition of the ultimate plant protection system (UPPS).
GESSAR II SSER 4 15-3
As seen in Table 15.1, the consequences are very low for the internal events.
No early fatalities are predicted, except for the small-break LOCA catagory with early containment and drywell failure as a result of hydrogen detonation (1-SB-El release category). Early fatalities are calculated for this event only if the BNL upper range source term values are assumed. Upper range source terms are considered physically realizable values and should not be considered upper bounds.
Areas Most Critical to Internal Events Consequences During the course of its review, the staff identified several areas that had the potential for strongly impacting the magnitude of the consequences. These areas were
- source term values (including suppression pool scrubbing) suppression pool bypass Source Term Values: As noted in SSER 2 (Tables 15.13 and 15.16), the source term values used to assess the conditional accident consequences for GESSAR II by GE and the staff (with BNL) differed by as much as two orders of magnitude.
It is the staff's belief that both sets of values are credible, given the present understanding of the physical processes involved during severe acci-dents. The GE values have been characterized by GE as being best estimate, whereas BNL and the staff chose to use a range of values with the larger values being viewed as upper range. The staff /8NL values were chosen after consider-ation of the information provided by the results of the Accident Source Term Program Office (ASTPO) and QUEST programs described in Battelle, 1984, and Lipinsky et al. ,1984. On the basis of this information, the staff does not believe that it is possible at this time to define statistical distributions or meaningful best estimate values for the source terms. It is hoped that ongoing experimental and analytical research will allow estimates of conditional conse-quences that are not burdened with such large source term uncertainties to be made sometime in the future. In the meantime, the staff believes that the lat-est information from the ASTP0 work and the American Physical Society review of that work tends to confirm that the staff /BNL range of source terms chosen to analyze GESSAR II is appropriate. Although described as upper range, the staff does not necessarily view them as being an upper bound.
In the GESSAR II PRA, GE has used fission product decontamination factors (OFs) for the suppression pool based on GE experimental data. The staff has reviewed the GE data and has concluded that the higher values of scrubbing assumed by GE are not supported by the available data. However, the staff has accepted lower values of scrubbing factors as being reasonably supported and has used a range of these values in its independent analyses. An important result from the staff review is that the lower (conservative) DFs assumed by the staff still indicate that the suppression pool should be effective in reducing the accidental releases of fission products to the environment.
Suppression Pool Bypass: As indicated in Table 15.1, the conditional conse-quences predicted by the staff for internally initiated events are quite low.
The 1-SB-El (small-break LOCA) release category is the most severe. The prin-cipal reason that this case gives the most severe consequences is that it in-volves an early containment and drywell failure that would allow part of the GESSAR II SSER 4 15-4
(
I fission product vaporization release to bypass the suppression pool. GE has tcken credit in the PRA for extensive scrubbing of the fission products. As long as the drywell is intact, it is assumed that the majority of the fission i products will either be retained in the primary system, or will pass through the pool during a severe accident. The "A assumed that before the reactor pressure vessel fails, most of the volatile fission products that are not re-tained in the primary system will pass out through the safety-relief valves into the suppression pool, where all but a small fraction would be retained.
The PRA further assumes that after the vessel fails (drywell still intact), the ex-vessel fission products (including those produced by the interaction of core debris and concrete) vill pass through the containment horizontal vents into the pool where scrubbing again would occur. Figure 15.1 shows the GESSAR II Mark III containment and the expected fission product release pathways as depicted by GE.
The staff's review has tended to confirm the GE assessment because the staff finds that, for most severe accident sequences, a majority of the volatile fis-sion products released from the primary system will pass into the suppression pool and be attenuated by scrubbing before entering the environment. The staff d:es not agree with GE, however, on the degree to which these fission product removal processes are expected to occur.
Because of the importance of fission product retention by the pool, the staff has focussed much of its review of GESSAR II in the area of suppression pool bypass events to try to determine if any such events exist with sufficient ex-pected probability to impact the overall GESSAR II risks significantly.
The staff's review of the potential bypass events included consideration of leakage and failure of the containment (drywell) penetrations, such as the electrical and piping penetrations (including failure of isolation valves) and cther penetrations, as described in detail in SSER 2. Also included was the potential for structural failure from hydrogen detonations and consequential pool bypass.
Of these possibilities, the most important was judged to be drywell failure from hydrogen detonations. This has been envisioned to be possible during a severe core-melt accident involving a loss of all offsite power and the plant emergency diesels (station blackout). Restoration of power to the containment clectrical equipment later in the accident could then cause detonation of accu-culated hydrogen, either globally or locally within the containment. Although GE did not predict any early fatalities in the GESSAR II PRA, hydrogen detona-tion resulting in drywell failure and pool bypass of the vaporization release was found to be a major contributor to risk. As shown in Table 15.1, the staff predicts a fractional early fatality for this type of event (1-SB-E1) when using the staff /BNL upper range source terms.
During the staff's continuing review of GESSAR II, after SSER 2 was issued, other potential means for bypassing the pool were investigated. Two of these that could result in substantial conditional consequences are a residual heat removal (RHR) suction line pipe break and a reactor core isolation cooling (RCIC) steamline break with a failure of the isolation valves (BWR Event V).
The staff and BNL have concluded that an appropriate calculation of the fission j
product release for these two types of events is very complex and requires the GESSAR II SSER 4 15-5 L
i l
l application of the ASTPu codes (TRAPMELT, NAUA, etc.) in a manner that has not been performed before. Work is ongoing in this area, and it is expected that an estimate of consequences for these events will be available later this year.
The staff believes, however, (1) that a'large fraction of the volatile fission products released during these events will be retained in the primary system and in containment and will not be released to the environment, and (2) that the contribution to risk from these additional bypass events will not change the staff's conclusions for the GESSAR II design, that the overall risk is low. '
The staff will confirm this conclusion.
(9) Consequences and Risk From Externally Initiated Severe Accident Events I (Seismic)
The staff and its consultants have also reviewed the GE assessment of exter-nally initiated severe accidents for the GESSAR II design. This has included a review of seismic, flood, and fire events. Of these, seismic has been found to be the most important contributor to risk. In the areas where the staff / ;
I consultant review disagreed with the information supplied by GE, an independent
! assessment was performed. The results of the staff's independent assessment
- b. are given in Table 15.2.
t l GE did not provide tabular results of estimated seismic consequences or risk, i j but instead presented a risk curve for internal and external events as Figure 7 in the GESSAR II Seismic Events Analysis (1983). GE states that externally initiated core damage events contribute just 5% to the overall plant risk. The
{ overall risk levels reported by GE for GESSAR II are 1.75 x 10 5 (mean annual ,
! risk) for both internal and external events and 1.66 x 10 5 for internal events.
l The staff and its consultants estimate a targer relative contribution from ex-1 ternal (seismic) events as compared to internal events, as seen in Tables 15.1 l and 15.2. The staff estimates that the seismic risk is approximately 4 to 5 i
times the magnitude predicted for the internal events, or about 80% of the to-tal risk.
l In computing the consequences of external events, no public evacuation or shel- -
! tering was assumed, and relocation of population from contaminated areas was l assumed to be delayed until 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after plume passage, r i
Areas Most critical to the External Events Consequences l
l The results given in Table 15.2 indicate that there are two factors that cause
! the magnitude of seismically induced accident consequences to increase signifi-cantly compared with those that are internally initiated:
- drywell failure and suppression pool bypass
- severe seismic events that would preclude public evacuation due to failure l of roadways or bridges, etc.
4 As noted above in the discussion of internal events, the values used for the l
source terms are believed to contain a large degree of uncertainty. For sefs-l mic events as well, source terms dominate the computed levels of conditional
! consequences greater than any other effect.
! GESSAR II SSER 4 15-6 i
(10) Conclusions On the basis of its assessment of internally and externally initiated severe cccident events for the GESSAR II design, the staff concludes that the level of risk for this plant design is low. The level of risk also is low when compared with the levels predicted in other PRAs for other plant designs.
As stated in SSER 2, there are two major reasons for the staff's low risk pre-dictions for GESSAR II:
the Mark-III containment design in which fission products generated during severe accidents will tend to be retained either in the primary system or in the suppression pool the use of improved methods and data for the analysis of the effects of severe accidents Although the risk levels given in this report are low, the staff believes that further reductions are possible if certain design improvements are made in GESSAR II. The staff's detailed evaluation of potential design modifications aimed at the further reduction of risk in GESSAR II is in Section 15.6.3 of this Supplement. The results of the staff's evaluation of design modifications indi-cates that there are two major design features that have the potential for reduc-ing risk significantly from the levels associated with the original GESSAR II design proposed by GE. These two features are the UPPS, which has already been adopted by GE as a part of the final GESSAR II design, and the hydrogen control system. UPPS is predicted to be most effective in reducing the core melt fre-quency of internally induced events, and this effect is shown in Table 15.1.
Including UPPS reduces the overall core-melt frequency from internal events by as much as a factor of 5. UPPS is predicted to have a much lesser impact on scismic events. Hydrogen control by the use of an igniter system with dedicated power is most effective for seismically initiated events; it is predicted to r: duce the risk from seismic events by as much as a factor of about 2 to 4, depending on the specific accident conditions and the effectiveness of the installed igniter system.
Because of the very large uncertainties believed to exist in current predictions cf severe accident source terms (as discussed in detail in other sections of the GESSAR II SER), the staff has used a range of values for the source terms in its cvaluation of GESSAR II. The staff considers it impossible to define meaningful probability distributions and best-estimate or mean values for these important parameters at this time. Accordingly, the staff has not attempted to compute the total risk of early health effects. Computed person rem totals based on upper range source terms have been employed in the staff's cost-benefit studies.
As noted previously, the values used appear to be supported by recent informa-tion such as the American Physical Society review of severe accident source t';rms.
The upper range source term values have also been used in the staff's evalua-tion of the potential design modifications fo* GESSAR II. (See Section 15.6.3 cf this Supplement.)
8:cause of the dominant effect of the suppression pool on the magnitude of tie release of fission products to the environment and the associated level of risk GESSAR II SSER 4 15-7
from severe accidents, possible means for bypassing the pool are very important and have been a focus of the staff review. The evaluation of some of the poten-tial bypass events (RHR line break and BWR Event V) are complex and are still being evaluated. The staff believes that the risk contribution predicted in the onjoing studies for these events will not change its present conclusions that tre risk level associated with the GESSAR II design is low. The staff will confirm this conclusion.
15.6.3 Consideration of Potential Design Improvements 15.6.3.1 Introduction The staff's review of the GESSAR II PRA has included an assessment of the degree to which GE has considered potential design modifications during the evolution of the GESSAR II design as a means for reducing plant risk from severe accidents.
The need for this assessment is set forth in the NRC's proposed policy statement on severe accidents (NUREG-1070). This policy states that an application for a standard plant design must comply with the requirements of 10 CFR 50.34(f).
Item (f)(1)(1) requires that potential improvements be considered that address the reliability of core and containment heat removal systems that are signifi-cant and practical and do not impact excessively on the plant. The staff ob-jectives are (1) to arrive at conclusions on the adequacy of the currently pro-posed GESSAR II design and (2) to determine whether any design modifications appear attractive from consideration of value-impact information, risk insights from the PRA, strengthening of defense-in-depth concepts, and application of other engineering considerations.
The staff's assessment was performed in two parts: (1) a review of information submitted by GE describing the GE evaluation of potential design modifications, and (2) independent evaluations of the GESSAR II design by the staff and its consultants. Details of these two review efforts are described below.
15.6.3.2 Staff Review of the General Electric Evaluation of Potential Design Modifications 15.6.3.2.1 Comprehensive List of Potential Design Modifications To provide guidance for GE's initial evaluation, the staff prepared a compre-hensive list of potential design improvements. Items were chosen on the basis of a survey of all of the technical review groups at the NRC that had been in-volved in the earlier Standard Review Plan review of GESSAR II. The items covered a wide range of modifications that the staff believed could potentially improve the GESSAR II design for the prevention or mitigation of severe acci-dents. The various items, over 70 in number, were arranged into 14 functional groupings (Table 15.3). Specific items are given in Table 15.4. The list of potential design changes was sent to GE with a request that GE address each of
- these items, as well as any other GE proposed design modifications (Thomas, April 13, 1984).
15.6.3.2.2 General Electric Evaluation (NEDE-30640)
Based on staff guidance, GE prepared a detailed assessment (NEDE-30640) that included, for each design modification considered, a description of the design GESSAR II SSER 4 15-8
modification, estimates of its cost and potential benefit (risk reduction), and the resulting cost-benefit ratio. GE stated that some of the items on the staff's list were adequately addressed in the GESSAR II design.
In NEDE-30640, GE concludes that because none of the design modifications ana-lyzed were predicted to have a cost-benefit ratio of 1 or less, none of the modifications are cost beneficial for the GESSAR II design. In the method used by GE in NEDE-30640 to calculate cost-benefit ratio, the value of "1" is the cutoff value between those design features that are judged to be cost beneficial (C/B51) and those that are not (C/8>1). GE also stated that if any modification to cope with severe accidents was to be implemented, GE would recommend the UPPS.
(Subsequently, GE did incorporate UPPS into the GESSAR II design).
NEDE-30640 includes a brief conceptual description of UPPS, which GE designed to perform a number of accident preventive functions. Principally, these func-tions are to (1) provide for primary coolant inventory makeup, (2) allow emer-gency primary system depressurization, and (3) provide containment heat removal capability. The UPPS is intended to be independent from electric power. The UPPS is discussed in more detail in Section 15.6.3.2.3.
On the basis of the cost-benefit analyses performed by GE (NEDE-30640), the staff has prepared the ranked design improvement list shown in Table 15.5. This table shows that there are a number of diverse design modifications for which GE estimates a cost-benefit ratio of about 100 or less. Noted in the table are the specific items that, according to GE, are addressed by UPPS. The staff is in general agreement with GE regarding these claims.
The staff and its consultants reviewed NEDE-30640 and concluded that the design modification topics that warranted further study should include the UPPS, hy-drogen control schemes, enhanced battery capability, and ac cross-over. A dis-cussion of these topics follows.
15.6.3.2.3 Details of Major Design Improvements 15.6.3.2.3.1 Ultimate Plant Protection System (UPPS)
GE considered UPPS in its evaluation of various potential design improvements to the GESSAR II design. The UPPS is a simple, manually initiated system designed to provide core cooling, primary system depressurization, and contain-ment heat removal for extended periods without reliance on normal or emergency ac/dc power systems.
GE will provide detailed design information when an individual applicant refer-ences the GESSAR II design. Figure 15.2 shows a preliminary conceptual design of UPPS. The three primary functions of the UPPS are to (1) provide a reactor pressure vessel (RPV) makeup water supply capable of keeping the core covered, (2) provide RPV depressurization, and (3) provide containment heat removal. The system utilizes portions of the plant's emergency fire system, with modifica-tions to allow for injection of water into the low pressure core spray line.
Dedicated air bottles will be used to provide motive power for air-operated injection valves, as well as operation of the safety / relief valves that must be used to depressurize the plant before injection from the low pressure fire pumps. Air-operated containment vent valves will also be included to permit GESSAR II SSER 4 15-9
heat removal from the containment. Local mechanically operated pressure and level instrumentation will be available to allow operation of the system.
After evaluating the potential design modifications, GE incorporated UPPS into the GESSAR II design. However, because of the preliminary nature of the design, the staff could not arrive at definitive assessments of the system's performance and capabilities. Conceptually the system offers significant advantages for responding to station blackout events, a class of accidents shown by the PRA to be a dominant contributor to core-melt frequency.
In the GESSAR II plant, the RCIC system, which relies on a steam-driven, high-pressure injection pump, can respond to a total station blackout (loss of all ac). The PRA assumed that the control and instrumentation power (de) supplied by the station batteries was sufficient for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of operation. Later analy-sis showed that the RCIC could operate for 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> with minor modifications and procedural actions. After this period, if offsite or emergency ac power were not restored, no further means would be available to provide makeup flow to the reactor vessel; the makeup would have been lost through boil-off to the suppression pool. At this point, the UPPS would be initiated by manual action to open the safety / relief valves (SRVs) to depressurize the primary system be-low the delivery head of the plant fire pump. The air-operated valves would be manually realigned and the fire pumps started by their dedicated battery supply.
(Additional provisions are planned for connections to allow injection from a fire truck utilizing various suction sources). Utilizing local level and pres-sure instrumentation, plant operators would provide low pressure makeup fIrw to keep the reactor core covered. Steam flow from the vessel would be directed by the SRVs to the plant suppression pool, which would accumulate the core's decay heat. Containment vent valves would be opened to control containment pressure and allow heat rejection from the suppression pool by boil-off.
As proposed by GE, the system would be nonsafety grade, with no specific seis-mic capability. The GE estimates indicated that a core-melt reduction of ap-proximately a factor of 10 would be available from the UPPS (based on the GE PRA estimates).
Without the necessary design details and procedures, the staff and its contrac-tor could only roughly estimate the benefit from UPPS. The staff believes it is likely that UPPS could offer a core-melt reduction factor of 5 for internal events. The frequency of core melt from internal events was estimated to be 3.8 x 10 5 per reactor year and the inclusion of UPPS was estimated to result in a reduction to 8.2 x 10.e per reactor year. It appears that UPPS offers a worthwhile capability for responding to loss of offsite power transients (in-cluding station blackout). Section 15.6.3.4 addresses modifications to the UPPS proposed by GE.
15.6.3.2.3.2 Hydrogen Control As noted in the SER, both GE and the staff believe that hydrogen detonation is an important contributor to early containment failure in the GESSAR II design.
Preventing hydrogen detonation in the dominant event sequences involving early containment failure resulting from hydrogen detonation removes the major cause GESSAR II SSER 4 15-10
of early containment failure and a corresponding measure of plant risk. Reduc-ing the potential for drywell failure from local hydrogen detonation is impor-tant in preventing suppression pool bypass. Also, maintaining containment integrity for an extended period (several hours) would enhance agglomeration and settling of radionuclide-bearing aerosols in the containment wetwell and drywell . Hydrogen control, however, will not prevent long-term containment overpressurization failures from noncondensible gas buildup (core-concrete interaction).
(1) Compliance With the CP/ML Rule Regardina Hydrogen Control The proposed policy statement on severe accidents includes a provision that new standard plant applications should demonstrate compliance with the CP/ML rule, 10 CFR 50.34(f). The rule states that consideration should be given to hydro-gen ignition and post-accident inerting systems, that a cost-benefit comparison of alternative systems should be performed utilizing both analysis and data, and that, for the selected system, a preliminary design description should be provided.
GE provided cost-benefit comparison results for igniter and post-accident inert-ing systems that indicated that neither system was cost-beneficial (Sherwood, August 20, 1984). In NEDE-30640, these topics were addressed again, along with other methods for hydrogen control. In spite of GE's position that hydrogen control is not cost beneficial, GE did commit to an interface requirement that applicants install an igniter-type system based on the ongoing studies of the BWR Hydrogen Control Owners Group (HCOG). The GESSAR II system will be designed to accommodate up to 75% equivalent metal-water reaction. In GESSAR II there are approximately 78,000 lb of Zircaloy cladding and 63,600 lb of Zircaloy in channel boxe.s. The available oxygen in containment would permit the burning of about 2700 lb of hydrogen, which would be produced by about 79% of the clad assuming complete burning of the oxygen in containment and by about 65% of the clad assuming a 4% oxygen lower limit for combustion.
ilowever, the staff review has repeatably shown that the rate as well as the magnitude of the hydrogen production is important. The most probablo sequence in the GESSAR II PRA is a station blackout in which only about 1000 lb of hy-drogen would be produced in vessel before core slump, and the hydrogen would be produced at a rate for which the proposed ignitors provide protection.
Very large uncertainties are associated with the estimates of magnitude and rate of hydrogen production when the core slumps into the RPV lower head, with esti-mates of ex-vessel hydrogen production magnitude and rates, and with the esti-mates of associated containment performance. If the rate of hydrogen production is low, as seems likely, and if containment heat removal is operable, the pro-posed igniters will provide adequate protection for 100% metal-water reaction of the clad. If sustained high rates of hydrogen production occur and/or con-tainment heat removal is ineffective, the igniters would not provide adequate protection of containment. Pre-accident or post-accident inerting, which have been shown not to be cost beneficial, would be required (see item (2) below).
Appendix G to this supplement discusses the staff review and conclusions related to the GESSAR II compliance with the CP/ML rule.
GESSAR II SSER 4 15-11
(2) GE Assessment of Hydrogen Control in NEDE-30640 In NEDE-30640, GE addresses four possible means of achieving hydrogen control:
post-accident inerting, pre-accident inerting, containment venting, and igni-tion systems. None of these systems are reported to be cost beneficial by GE.
Post-accident inerting using carbon dioxide and Halon 1301 was considered with and without containment venting and independent of ac power. The ccst of the system, the potential benefit in terms of a risk-reduction factor, and the cost-benefit ratio are estimated to be $8,000,000, 2.2, and 580, respectively. The risk-reduction factor is computed by dividing original total risk (person-rems) by the risk after the design change is made. The cost benefit is calculated assuming $1000 per person-rem averted over a 40 year plant life, with no dis-counting. GE believes that if credit is given for the potential reduction in core-melt frequency afforded by the UPPS, the cost-benefit ratio would increase to about 5800.
Pre-accident inerting is evaluated assuming a system using nitrogen similar to that presently being used in the Mark I and II BWR containment designs. The total cost for this system, including initial cost and annual costs, is esti-mated to be about $34,000,000 (present worth). Again, a risk-reduction factor of 2.2 is used and the resulting cost-benefit is estimated to be about 2700.
Containment venting to prevent the accumulation of combustible amounts of hy-drogen is estimated to cost about $5,000,000. This estimate includes a dedi-cated power supply for the venting system. Venting of the hydrogen after core melt and vessel failure would have the effect of an early reinse, and GE esti-mates that there could be an increase in plant total risk of about 23%. This system was not studied further because of the predicted increase in risk.
Although NEDE-30640 did not address the negative aspects of containment venting, post-accident or pre-accident inerting in detail, the staff would require that a detailed evaluation of these effects be performed before implementation is considered.
GE also considered a distributed ignition system to burn the hydrogen as it is released to containment to preclude containment damage. For effectiveness in loss of ac power events (the dominant core damage sequences), a dedicated (de) power supply was included. GE stated that a containment heat removal system, such as a spray system, would also be required to prevent containment over-pressurization. GE estimates the total cost, benefit, and cost-benefit values to be $10,000,000, 2.2, and 730. The cost estimate includes a dedicated igniter power supply and a containment heat removal system, i 1
15.6.3.2.3.3 Enhanced Battery Capability Like the PRA studies for other plants, the GESSAR II PRA indicates that a loss of offsite power with a concurrent loss of the plant diesel generators (station l blackout) is a major contributor to core-melt frequency. A logical approach l l
for reducing this contribution is to enhance the plant's de power supply. GE evaluated several methods for enhancing de power in the GESSAR design including:
extending the capability of the existing plant batteries, adding more batteries or electrical divisions, using fuel cells, and using de divisional cross-ties.
GESSAR II SSER 4 15-12 l
GE reported (NEDE-30640) that the most attractive of these alternatives is ex-tending the capability of the existing batteries. In this method, the capabil-ity of the existing batteries would be extended to 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> by making certain control logic modifications to provide load shedding and limit the environmen-tal heatup in some plant areas. It is expected that the modifications would be relatively minor and would not require significant hardware (some switches and solid-state logic modifications would be required). GE estimated that the cost for this feature would be about $200,000, and that the total core damage fre-quency (for internally caused events) could be reduced by a factor of about 5.
The resulting improvement in probability assumed that offsite power will be restored before the battery is depleted. GE estimated the cost-benefit ratio to be about 1.4.
GE concluded that the addition of more batteries or electrical divisions was not warranted because the GESSAR II design already includes four divisions of de power, each with its own battery and redundant charging sources. Cost-benefit results were not reported.
GE evaluated fuel cells as a means of providing diverse motive power to certain '
plant components such as a dc motor / pump combination for coolant injection or containment cooling. It was estimated that the costs to provide the needed technology development and to assess the possible fire safety problems would be at least $5,000,000. The cost-benefit ratio for this system was estimated to be about 30. GE stated that a separate battery system to perform the same func-tion would be more effective, with an estimated cost of $1,000,000 and cost-benefit ratio of about 6.
GE also evaluated de bus cross-ties and concluded that this feature could pro-vide operating flexibility. However, it would not be expected to significantly reduce core-damage frequency. The cost of this change and the resulting cost-benefit ratio were estimated to be at least $200,000 and 14, respectively.
15.6.3.2.3.4 AC Cross-Over Capability As described by GE in NEDE-30640, the ac cross-over capability would provide a means for powering Division 1 safety equipment electrical loads from the Divi-sion 3 diesel generator by the use of a manually controlled and key-interlocked system of cross-ties. GE states that this feature would be mainly useful as a means for operating the suppression pool cooling system for containment heat removal in the event of a loss of offsite power and a concurrent failure to start the Division 1 and 2 diesel generators.
A second use was envisioned wherein the cross-tie could provide power to an RHR cr low pressure core spray (LPCS) pump for core cooling after depressurization, if the Division 1 and 2 diesels failed to start and the high pressure core spray (HPCS) failed to deliver flow for some reason other than failure of the HPCS diesel to start.
In the initial evaluation of this concept (NEDE-30640), GE estimated that the cost of this design modification would be about $300,000 for the cross-tie and the associated load-shedding procedures development and training. The cost-benefit ratio was estimated to be about 3.
GESSAR II SSER 4 15-13
In response to a staff question about the potential for common-mode failure with an ac cross-tie system, GE reported (GE letter, Dec. 3, 1984) that further study of this system indicated significant uncertainty about the adequacy of the time available for the operators to perform load shedding and other steps needed to implement the cross-tie. Because of this concern, GE reported that this system would probably be useful only for containment heat removal. The cost-benefit ,
ratio was revised to be about 170. '
T 15.6.3.2.4 Staff Conclusions Regarding GE Evaluation s
(
On the basis of its review of NEDE-30640 and GE's response to questions, the '
staff concludes that these documents provide a useful catalog of the large num-ber of possible design modifications that could be considered for severe acci-dont risk reduction in GESSAR II. For reasons discussed below, these documents are judged to be of more use for their qualitative (descriptive) information than for their quantitative (cost-benefit) information.
The cost-benefit analysis presented in NEDE-30640 was based on the accident f sequence frequencies and consequence assessment of the GESSAR II PRA. Consider- ]
able staff and contractor review effort was applied in these areas. Questions in the areas of transient initiation frequency, systems analysis, and contain-ment failure analysis resulted in considerable reassessments of core-melt and risk estimates. These reassessments were not utilized in the GE cost-benefit analysis, and may result in underestimation of the risk-reduction potential of Nl various design modifications.
Numerous, questions also exist in the area of the GESSAR II consequence assess-ment. The results from the ASTP0 (Battelle, 1984) and the QUEST (Lipinsky et al., 1984) programs indicate that there are large uncertainties in current predictions of severe accident source terms and that it is premature to attempt to define probability distributions (and corresponding best estimates) for .
these values. These upper range estimates are believed to be credible values '
j of fission product release and should not be interpreted as upper bound values. ,
Staff /BNL release estimates are consistent with concerns expressed by the Amer - 1 s j ican Physical Society in its review of the ASTP0 effort. Accordingly, the '
! staff sfinds that the upper range values used in the staff assessments of acci-dent consequences and cost benefit are more appropriate for estimates of public .
l risk. The effect of the use of upper range values for the GESSAR II evaluation is discussed further in Section 15.6.5.4.1. ,
1 The staff and its consultants did not independently calculate costs, risk re-duction, and cost-benefit values for each of the potential design modifications included in NEDE-30640. However, an evaluation of the various factors that are -
used in the calculation of cost vs. benefit has been performed to allow a judg- \
ment regarding the validity of the cost-benefit values in NEDE-30640. This evaluation is described below, along with the process used by the staff to re- ,
duce the initial large number of potential design modifications to the final
- set under consideration. An independent cost-benefit assessment of the final ;
set of design features considered for GESSAR II was performed by the staff and '
its consultants, and these results are given in Section 15.6.3.3.4.
The costs reported by GE were reviewed, and the staff concluded that there was general agreement on cost--at least close enough to make cost a lower order GESSAR II SSER 4 15-14 ,
. - - , -=
F Er E
effect in assessments of cost benefit. However, the staff's best estimate for the core damage frequency (CDF) in GESSAR II for internal events is about a "
factor of 10 higher than the GE estimate. The staff's upper range estimate -
for the source term is about a factor of 100 greater than the GE best-estimate E source term. Because of these differences, staff estimates of cost benefit may be significantly different (more favorable toward implementation) than the C F
values in HEDE-30640 because of the correspondingly higher potential reductions in risk predicted by the staff. E
-y On the basis of these considerations, the staff performed an initial screening of the comprehensive list of potential modifications using the values in hi E 9 NEDE-30640. In general, modifications for which GE reported cost-benefit -
ratios greater than 1000 were discarded es not cost beneficial. All remaining items were considered to determine which would be expected to supplement the i r
s UPPS and hydrogen control (both of which have been committed to by GE as a part -
of the GESSAR II design). It should be noted that all cost-benefit values _
reported in NEDE-30640 and cited previously in this report were calculated E assuming only implementation of the modification being evaluated with no other concurrent changes. If UPPS or hydrogen control were implemented, much less 1 benefit would be gained from additional features than indicated by the values E in NEDE-30640. =
Because of the uncertainties involved in calculations of cost benefit (mainly i -
as a result of the expected broad range in source terms), the staff does not E believe that cost-benefit information alone should be used for final decision-making on plant design changes after an initial coarse screening has been done.
(This issue is further discussed in Section 15.6.3.4.1.) Accordingly, a final list of potential modifications was recommended by a staff group representing g various engineering disciplines that were familiar with the GESSAR II design. r In makings its recommendation, the group relied on cost-benefit estimates as -
i-well as on a consideration of such things as defense in depth and engineering l judgment based on past experience. (Defense in depth entailed such concepts E i
as the desirability of multiple levels of protection, actions to increase time -
available for human performance, and actions to reduce the impact of significant -
?
uncertainties.) -
- L The final list of candidate design changes resulting from these group discus- I F sions were
- UPPS, hydrogen control,10-hour battery capability, dedicated power =
source to a battery charger. The ac cross-ties were dropped because of the .
potential for adverse impact on ac reliability.
In summary, GE concluded that no potential design improvements studied were -
cost beneficial for GESSAR II. At the same time, GE agreed to commit to UPPS -
and some form of hydrogen control for GESSAR II. No additional documentation ,
regarding design information was provided by GE, and the followup evaluations 3 of the final list of design features resulting from this review effort were performed by the staff and its consultants. A summary of this final evalua-tion is in Section 15.6.3.3.4. -
15.6.3.3 Staff / Consultant Independent Evaluation of Pctential Design Modifications Completely independent of the previous work was an assessment of the adequacy of the GESSAR II design for severe accidents performed by a staff contractor, t
R&D Associates (RDA).
GESSAR II SSER 4 15-15 ing a i -i 6 m - i'- - -
As a part of a 2 year contract to investigate general mitigation schemes for severe accidents in light-water reactors (LWRs), RDA included some plant-specific studies for the GESSAR II design. BNL aided RDA by using BNL's cur-rent severe accident computer codes to calculate estimates of the reduction in accident consequences provided by various mitigation schemes. NUREG/CR-4025 gives details of the RDA studies in Sections 15.6.3.3.1 through 15.6.3.3.3.
15.6.3.3.1 Evaluation Approach Used by RDA in the Independent Assessment The approach used for the staff / consultant independent evaluation was different from that taken during the GE assessment and staff review.
As indicated above, the list of design options used in the GE assessment was based on the professional opinions of numerous NRC and consultant staff mem-bers. The intent was to evaluate a very broad list of possibilities and to document each item considered.
The approach used by RDA was much more focused in that it started with an in-vestigation of the dominant containment failure modes that had been determined from the BNL PRA review for GESSAR II. This information was used to try to determine specific mitigation requirements that should be met if significant reductions in risk were to be accomplished. These requirements were then used to identify mitigation strategies (embodied in design modifications) having potential for implementing the desired risk reductions.
i Once the design options were identified, the process was similar to that used in the GE assessment in that risk reductions and costs were estimated for each potential design modification so that cost-benefit information could be calculated.
15.6.3.3.2 Design Modifications Investigated The various accident mitigation schemes that were investigated by RDA may be grouped as containment heat removal systems or devices, hydrogen control sys-tems, filtered vent systems, containment penetration protection devices, and core retention devices. Potential devices initially considered by RDA include the following:
(1) Containment heat removal heat pipes large surface condenser
- BWR suppression pool cooling
- turbine expander / compressor
- external water sprays (2) Hydrogen control
- ignition devices high and low pressure combustion devices
- hydrogen / oxygen recombiners fan mixers
- compartment venting GESSAR II SSER 4 15-16
.J
inerting containment sprays, fogs, and foams (3) Filtered vent systems large capacity systems moderate capacity systems enhanced containment volume (4) Containment penetration protection insulation around penetrations active or passive cooling improved seal materials i'
redesign to cause closure of penetration on pressurization structural bracing of large penetrations i (5) Core retention devices
(
vertical dry crucible flooded rubble or pebble bed alternatives for core retention Although each of the design features listed above was considered for GESSAR II, many of them were rejected early in the study for one or more of the following reasons: the feature did not appear to offer significant risk reduction for the dominant accident sequences, and, therefore, the potential for risk reduction was inadequate; the cost of implementing the feature was too high for the po-tential risk reduction; or the technology involved in implementing the feature was too uncertain to guarantee its success. Discussions of the reasons for rejecting specific design features for the GESSAR II Mark III containment are in NUREG/CR-4025.
NUREG/CR-4025 also addresses those design features that were determined to be worthy of detailed study. These features were evaluated to estimate their po-tential risk reduction in terms of person-rems averted and their approximate implementation costs, including design and development costs, hardware costs, and labor costs for installation.
15.6.3.3.3 Results of the RDA Studies A summary of the results of the studies by RDA is given in Table 15.6. In this table,. costs are itemized for two types of containments. The first type is a conventional containment designed for high pressure, such as the current Mark III containment. The second is a new type of containment using a chilled filtered vent so that the containment may be designed for lower pressures.
Details of this concept are included in NUREG/CR-4025. In addition, three dif-forent versions of the conventional high pressure containment are shown for various combinations of design features. Option 1 is the most expensive and includes a dry-crucible, core-retention design. Option 2 is next in expense and includes a filtered vent and nitrogen inerting (as does Option 1) but not core retention. Option 3 has dedicated heat removal but no filtered vent or nitrogen inerting. Option 3 has fewer features than Options 1 or 2 and is, therefore, the least expensive.
GESSAR II SSER 4 15-17
i The cost-benefit results shown in Table 15.6 for the four design options for internal events indicate that these options are, marginally, not cost benefi- '
cial, using the value of $1000 per person-rem averted.
If the staff's recommended design improvements discussed in Section 15.6.3.4.4 are adopted by GE for GESSAR II, the benefits from the options listed in Table 15.6 will be reduced.
l - As a result of these findings, the staff has not added any further candidate design improvements to its list in Section 15.6.3.
15.6.3.3.4 Assessment of the Final Design Feature Candidates As a result of its review of the comprehensive list of potential design modi-i fication candidates (see Section 15.6.3.2), the staff identified several candi-dates for final consideration: seismic upgrade of UPPS, hydrogen control, 10-hour battery capability plus long-term battery charger capability. Because 2
of the potential for increased risk created by ac cross-ties, these were not included in the final assessment. Of these potential modifications, GE has committed to including the UPPS and some additional hydrogen control as a part of the GESSAR II design.
However, the hydrogen control offered by GE does not offer significant risk-reduction potential because the proposed igniter system relies on plant emer-i- gency ac power, whereas plant core melt is dominated by station blackout events where no ac power is available. Therefore, the igniters would not be available for this class of accident, and thus offer.little risk benefit.
- The staff and its contractors performed a more detailed cost-benefit analysis for this limited list of potential design improvements. They investigated the benefits of the improvements both individually and in various combinations.
The analyses used the modified core-melt frequencies developed from the PRA review. Consequence estimates were developed using the staff's upper range source term estimate. Although there are considerable uncertainties related to these consequence estimates that can be reduced only through completion of the ongoing ASTP0 program, at this time the staff considers that the results pre-sented herein are valid estimates on the likely upper range of plant risk. As mentioned before, the cost-benefit findings are only one element the staff considered in determining the appropriateness of various proposed design in-provements. The other major elements were defense in depth and engineering judgment.
i For the various proposed design modifications, the staff and its contractors
- estimated the impact on the frequency of accident classes and on release cate-gories. Revised total core-melt and risk estimates were obtained based on es-timates on the impact of the proposed modification on accident frequency or event progression. Table 15.7 shows the modifications and combinations evaluated.
The impact of the various proposed design modifications is presented separate-ly for internal events and seismically initiated events. Table 15.8 indicates
, the impact of the various design modifications on internal events. Table 15.9 presents the corresponding public risk if various design modifications are i
GESSAR II SSER 4 15-18 e , , - - - - x-m , , , r --,n----. ,- ,--.,--.. -
v_.- - , - , , , --- - , . , , . - - - - . -
J i
i I
implemented. As seen from these tables, the addition of the GE proposed UPPS system reduces core melt from 3.8 x 10 5/yr to 8.2 x 10 s/yr, and public risk
, is reduced from about 130 person-rems per year to about 30 person-rems per year. This already-incorporated modification represents the bulk of the risk benefit shown from the staff analysis for internal events. However, the tables
] show that the addition of a dedicated power supply to provide improved hydrogen igniter response and to power a de charger results in a small further risk re-duction to about 20 person-reas per year. Corresponding results for the seis-mic events are presented in Tables 15.10 and 15.11. Figures 15.3 and 15.4 show 1 ~
these results for monetized risk. (Monetized risk is a measure of the value in reducing a plant's total estimated risk to zero assuming $1000 per person-rems
! averted and a 40 year plant life.)
lSnall reductions in core melt frequency are obtained from addition of a UPPS de-signed to seismic Category I requirements. For risk, only a small reduction (about 630 person-rems to about 560 person-rems)'is obtained from the instal-lation of UPPS because of the limited seismic capability of the presently pro- ,
posed system. A seismic UPPS can reduce risk further to about 440 person-rems per year. However, the addition of a perfect hydrogen control system, combined
- with a seismic UPPS, reduces risk to about 130 person-rems per year.
Tables 15.12 and 15.13 provide a summary of the impact of the more beneficial combinations of the design modifications.
The large benefit obtained from perfect nydrogen control could, in practice, i probably be achieved only by pre-accident inerting the Mark III containment.
, The staff does not consider pre-accident inerting to be cost-beneficial (see Section 15.6.5.3.3.4) for several reasons. The cost of pre-accident inerting has been estimated by GE to be $35 million. This cost would outweigh the poten- '
t tial benefit'. In addition. the inerted atmosphere would reduce access to con-tainment during operation and adversely impact maintenance. As noted in Sec-tion 15.6.3.2.3.2, GE has committed to installing a deliberate ignition sys-
. . tem in GESSAR II, based on the resolution of the BWR HCOG studies. However, ,
the HCOG ignition system is designed to control releases from degraded core accidents and its ability to prevent containment failure during full core-melt accidents has not been established. It is not yet clear that this ignition system will be able to maintain containment integrity for all full core-melt accidents; however, the system should help to maintain drywell integrity. If the drywell remains intact, much of the potential fission product release will be retained in the suppression pool with a corresponding reduction in offsite consequences. Tables 15.9 and 15.13 and Figures 15.3 and 15.4 show the bene- ,
, fits to be gained from a deliberate ignition system and a dedicated power sup- l
! ply, as well as the benefits from perfect hydrogen control. The change in the i . calculated risk is not significant for internal events if an igniter system is used because of the influence of UPPS; however, the igniter system with dedi-cated power has the potential to reduce seismic risk significantly, as shown on j Figure 15.4. Again, it is shown that hydrogen control would reduce the uncer-j -tainty on the internal risk estimates.
- Table 15.14 describes the various containment events shown in Table 15.8, and l' Table 15.15 describes the release categories shown in Tables 15.9, 15.10, and i 15.11.
i GESSAR II-SSER 4 15-19 i
4 w., , . , . , . . . - ~ - . - - - - - . . , - - - . . - . - - , , . - - - - - - --,- ---- ,,...n ,- ,, - - - - - . - , . - - , - , , , .
15.6.3.4 Conclusions / Recommendations 15.6.3.4.1 Effect of Uncertainties on the Use of Cost-Benefit Results The very large uncertainties associated with cost-benefit estimates severely limit the usefulness of this information for making decisions about the GESSAR II design, particularly in evaluating a potential modification that is borderline (close to meeting the criteria for being cost beneficial). Although the majority of the final candidate design modifications do show favorable cost-henefit results, this result is somewhat driven by various modeling assumptions.
The major contributor to this uncertainty is in the estimation of risk reduction where broad ranges of values are believed to be possible for the source terms.
As noted in Section 15.6.3.2.4, the estimates of risk reduction generated by the staff and its contractor may be expected to be a factor of 1000 greater than those estimated by GE for the same design change. The staff considers both the GE source term values (best estimate) and the staff's value (high range) are credible, and feels they reflect the broad range possible in these values.
Considerable uncertainties also exist in the areas of the PRA event frequencies and system performance, because detailed design information was not generally available for any design improvements. In contrast, estimates of implementation cost by the staff / consultant and GE are in much better agreement (perhaps within a factor of 10).
The staff has attempted to account for these uncertainties and to utilize them in two ways. First, the GE cost-benefit values in NEDE-30640 were used to perform a coarse screening of the comprehensive list of potential changes by assuming that the reported values could be too high by a factor of 1000 (Sec-tion 15.6.3.2.4). Because this is probably conservative, it is unlikely that favorable cost-benefit modifications will be omitted from further study.
Second, using the BNL high-range source term values in the staff / consultant estimates of risk reduction shows that there are probably no significant, cost-beneficial changes other than UPPS and an effective hydrogen control system.
This statement is based on the results of the studies of the additional changes, as reported in Section 15.6.3.3.2. These results indicate that the additional changes are not cost beneficial, even though they were evaluated using the staff /
BNL source terms, which tend to bias the results toward being cost-beneficial.
In addition, if the staff recommendations for further design improvements described in Section 15.6.3.4.4 are adopted, any additional changes will be further reduced in value.
15.6.3.4.2 Listing and Discussion of Specific Uncertainties During the review of the GESSAR II design, the following uncertainties regard-ing our assessment of potential design changes were identified:
- risk reduction estimates implementation cost estimates
- hardware costs (nuclear grade versus nonnuclear) t potential need for additional design evaluations Uncertainties in risk-reduction estimates and their dominant role in calculat-ing cost benefit have been discussed in some detail earlier in this document and in NUREG/CR-2450. These uncertainties stem mainly from an inability to predict specific values for the source terms. Analytical and experimental GESSAR II SSER 4 15-20
k research is ongoing in this area and may eventually help to reduce the uncer-tainty bands in future PRAs; however, it is likely that the complex nature of the physical processes involved in severe accidents will always limit the pre-cision of these estimates. Cost-benefit information and other input--such as
. described in Section 15.6.3.4.3--should be used for final decision making. '
On the other hand, uncertainties in implementation costs for design improve-ments appear to be very much less than risk-reduction uncertainties. Thus, al-
, though the costs are important, the differences in cost were not a significant factor in the staff's interpretation and use of the cost-benefit information developed for GESSAR II.
In the RDA studies of potential design improvements for GESSAR II, the equip-ment costs were based on information for equipment with high quality and reli-(bility but without the pedigree and associated higher cost of nuclear grade equipment. The costs estimated by GE reported in NEDE-30640 were based on GE's standard use of nuclear grade equipment. During staff discussions with ;
RDA and GE, it was determined that the disagreement between the RDA and GE cost :
cstimates stemmed mainly from the differences in using nuclear- and nonnuclear-grade cost information. There do not appear to be any firm regulatory guide-lines for costing of equipment for reducing severe accident risk, although the use of high quality, nonnuclear grade equipment seems reasonable, considering its expected low use factor. Use of nonnuclear grade equipment also permits a broader spectrum of suppliers with an associated benefit of diversity.
As indicated in Section 15.6.3.4.4, the staff believes that high quality, nonnuclear grade equipment will be acceptable for the design improvements re-quired for GESSAR II except where that equipment impacts on the operation of existing safety equipment. These issues are discussed in detail in an RDA report on implementation strategies for severe accident design improvements (NUREG/CR-4244).
In its critique of the RDA studies for GESSAR II (GE letter, Feb. 5,1985), GE stated that RDA had neglected certain costs associated with additional design evaluations that GE expected would be made necessary by the impact of the new accident mitigation equipment on the remainder of the plant. An example of
- these costs was the need to re-evaluate the structural capability of the con-tainment if penetrations were added to accommodate new containment spray sys-tems. The staff agrees that there could be such costs and that these costs would have to be evaluated on a case-by-case basis. However, the staff does not believe that these types of costs would have a significant impact on the design features that are currently under serious consideration for GESSAR II.
15.6.3.4.3 Deterministic Information, Defense in Depth, and Engineering Judgment In making decisions regarding design options that appear to be marginally cost L effective or between several options that appear to be close in cost effective-ness, it is necessary to consider such information as the desire to maintain defense in depth and engineering judgment.
The staff has had to rely heavily on this sort of information in its assessment of the GESSAR II design. For instance, the staff believes that a 10-hour
, battery capability should be provided for defense in depth. Such a caoability GESSAR II SSER 4 15-21
_ . _ - . _ . . . . , _ ~ . - - -. , ,
1 could make it unnecessary to use the manually initiated UPPS during the initial phases of an accident if the extended battery capability maintained safety sys-tem operability until power could be restored during a station blackout accident.
Providing a hydrogen control system independent of standard station emergency power appears prudent. Maintenance of containment integrity for several hours i during dominant accident sequences would enhance agglomeration and settling of I radionuclide-bearing aerosols. The staff's risk estimates would be less reli-ant on pool scrubbing effectiveness and, more importantly, less reliant on the estimates of the probability of suppression pool bypass. Without the diversely powered hydrogen igniters, containment failure as a result of hydrogen detona-tions and deflagrations can be expected in dominant sequences. In turn, calcu-1ations of radionuclide transport and retention with the relatively high uncer-tainties associated with these calculations must be used. With diversely powered igniters, these areas of uncertainty regarding public exposure would be lessened.
15.6.3.4.4 Overall Conclusions and Recommendations As discussed previously, GE has incorporated both UPPS and a hydrogen control i
system into a revised GESSAR II base design. As proposed by GE, the UPPS does not incorporate any seismic requirements and the hydrogen control system relies upon emergency ac power, which would be unavailable following station blackout.
Further modifications to these systems were among the final list of design in-provements considered, along with modifications to the station batteries and dc battery chargers. The staff's conclusions regarding each final candidate de-sign improvement are presented below, along with its recommendations on apprc- +
priate combinations.
j (1) Hydrogen Control As proposed, the GESSAR II committed hydrogen control system will use electric glow plugs for controlled burning of evolved hydrogen; they would be powered by the plant's essential ac power supply. Rapid combustion can result in contain-ment failure and radiological releases. Hydrogen detonation represents one mode for suppression pool bypass that could result in more significant consequences.
The dominant GESSAR II core melt arises from station blackout sequences (no off-site or onsite ac power). The hydrogen igniter system proposed by GE would l provide no accident mitigation benefit for these cases, because ac power has l
already been assumed lost. Additionally, the hydrogen igniter system proposed is intended only to mitigate limited invessel hydrogen generation (such as occurred at Three Mile Island). The core-melt scenarios for GESSAR II assume
- core melt-through of the reactor vessel and the dropping of the core debris l onto the basemat. This could result in higher hydrogen generation rates than i
assumed for the proposed hydrogen ignitor system. Therefore, the benefit of such a system would be somewhat less than that achievable from a " perfect" hy-I drogen system. The staff has considered the inclusion of both an upgraded hy-drogen control system with dedicated power and the use of the presently proposed system with simply the addition of a dedicated power source.
The staff's contractor (BNL) calculated the risk reduction possible from inclu-sion of a perfect hydrogen control system. Such a system would likely require the pre-accident inerting of the GESSAR II Mark III containment, with resultant j
hazards to occupational workers. The risk for the base case GESSAR II design j with UPPS is about 595 person-rems per year. With the incorporation of a GESSAR II SSER 4 15-22
perfect hydrogen control system this can be reduced to about 160 person-ress.
This provides a risk reduction of about 435 person-ress per year, or a mone-tized reduction of $17.4 million for the 40 year life of the plant. GE esti-mated that a pre-accident inerting system for GESSAR II would have a present value cost of $34 million, yielding a cost-benefit ratio of 1.9. This large expenditure does not appear attractive from a cost-benefit perspective.
The staff also evaluated the benefit from a lesser modification to the presently I proposed hydrogen igniter system: just the addition of a dedicated power source for the igniters. The staff postulated the addition of a small ac generator, which would be expected to have a relatively high availability. (Another possi-ble approach would be use of a dedicated battery supply.) Including a dedicated power source does not provide all the benefits shown above for a perfect hydro-gen control system. However, significant risk reduction does occur. From the base case risk of about 595 person-rems per year, this modification results in a risk of about 290 person-rems per year, for a risk reduction of about 305 person-rems per year. For the 40 year life of the plant, this can be mone-tized to a $12.2 million benefit. Design details are not available for a dedi-cated igniter power source. The staff estimates that a small (20-50 kW) diesel generator should be adequate to supply the loads required. The staff estimates that the cost of purchase and installation of a commercially available diesel generator set would not exceed $200,000. This results in a favorable cost-benefit ratio of 0.02. The value of the modification of the hydrogen control system appears quite favorable and will be required by the staff for the GESSAR II design. More extensive modifications to the hydrogen control system to achieve the maximum risk reduction possible (such as pre-accident inerting) do not appear to justify their high cost.
To maintain the risk-reduction benefit shown above, there must be a high like-lihood that the additional dedicated power. source will be available after a
. seismic event. Because differential motion of the basemats is a large contri-bution to core melt from a seismic event (failure of inter-building penetra-tions), the staff suggests that the small dedicated power source be connected by cabling that can tolerate the differential motion expected from seismic events greater than the safe shutdown earthquake. Adequate procedures must also be developed. Although the staff does not propose that this generator be required to meet Category I criteria, its design, location, and installation must be carefully developed to provide reasonable levels of seismic resistance.
GE or an individual applicant referencing GESSAR II must demonstrate that this power source and connections provide seismic resistance by identifying relevant component and structural capability values, and expected failure modes. Consi-deration.of competing risk of the interconnections due to the potential degra-dation of existing equipment would also be required.
(2) Seis.5ic Upgrade to UPPS Although the UPPS system as proposed by GE has no seismic qualifications, the staff's PRA review indicated that seismic events dominate public risk. Without design details of the UPPS systes, it was not possible to perform a detailed assessment of the system's seismic capabilities and response. However, the staff's contractor, BNL, in a draft report, "An Evaluation of Core Damage Re-duction Benefits of Ultimate Plant Protection System" (Shiu and Reed,1985),
estimates the likely present seismic capability of the proposed UPPS. BNL modeled the core-melt reduction impact for upgrading the seismic capacity GESSAR II SSER 4 15-23
1 of various portions of the system. The BNL results indicated that accident sequence frequency was very sensitive to assumed human error rates for initia-tion of the systems, and that the seismic capacities of both the UPPS water source and air bottles were also quite important. Upgrading these components to a quality equivalent to seismic Category I resulted in seismic core-melt frequency reductions of approximately a factor of 2.
The staff and BNL used this information in developing the risk-reduction esti-mates presented in Section 15.6.3.3.4 above. With the incorporation of a dedi-
, cated power source to the hydrogen control system, GESSAR II residual risk is estimated to be about 290 person-rems per year. With the seismic upgrade to i
UPPS, risk is reduced to about 240 person-rems per year, for a reduction of about 50 person-rems per year. This yields a monetized benefit of approximately i $2 million for the 40 year life of the plant.
i With no design details of the UPPS, it is not possible to estimate the cost of l the seismic upgrades accurately. The staff believes that the sensitive elements of the system should be seismically hardened. The staff estimates that this would cost approximately $1 million, which is roughly the presently proposed cost for the entire system. Assigning a monetized value of $1000 per person-rem to represent offsite health and property costs produces a cost-benefit ratio for the UPPS seismic upgrade of 0.5.
j This estimate indicates a favorable cost-benefit ratio for the seismic upgrade to UPPS. The staff would not suggest that the UPPS be made fully seismic Cate-gory I, .which could drive the cost beyond the break-even point. Rather, the staff suggests that a careful evaluation be made of the UPPS when its design is complete, and that seismic vunerabilities be carefully considered. Actions
, should be taken to harden those elements that are shown to be important. When the UPPS design is finalized, a detailed submittal must be provided to the staff demonstrating that the system has strong seismic resistance. The seismic capa-I cities of critical components must be identified, and their physical placement carefully considered and documented to ensure that failure of nonseismic equip-f ment and structures will not degrade the ability of UPPS to perform its safety function. At a minimum, it must be demonstrated that UPPS will remain fully
!. functional following a 0.3g seismic event. A favorable finding from the staff
! will be required before a GESSAR II plant is licensed.
j From a defense-in-depth viewpoint, the staff also sees benefits to a seismi-cally hardened UPPS even if the cost-benefit ratio is not shown to be attrac-l tive. The UPPS was proposed to be a final line of defense for the GESSAR II
! design. Very little plant equipment is required with this system to provide extended core cooling and containment heat removal. The staff evaluation of the GESSAR II PRA has shown that seismic core-melt risk exceeds the core-melt risk from internal events. Therefore, the proposed fall-back function of UPPS
- should show capabilities to respond to this class of event. However, the staff
' does affirm GE's design goal to maintain UPPS as a simple, manually initiated system of -last resort.
(3) 10-Hour Batteries and DC Charger Initially GE proposed modifications to the station batteries to allow continued operation of the.RCIC system for 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> following a station blackout event.
GE claimed only minor hardware and procedural changes would be required to i GESSAR II SSER 4 15-24
allow for load shedding and logic changes to allow switching of suction sources i
to enhance RCIC room cooling. This would allow the present batteries to sur-
- vive for the 10-hour period. After UPPS was added to the GESSAR II design, GE dropped this proposed change. Cost estimates were $200,000.
, Assuming that a seismic UPPS and dedicated power hydrogen ignitors have been added to the GESSAR II design, very little quantifiable risk reduction can be
' achieved by addition of the 10-hour battery modification (at most 6 person-reas per year). However, because the staff finds that there would be significant advantages to maintaining control room operability during extended station blackouts, the staff will require this modification. This requirement also L conforms to the staff resolution of USI A-44 in Supplement 2, which relied upon increased de blackout capacity.
W The staff believes that there are major advantages to extended de capacity dur-ing a station blackout. The GESSAR II PRA assumes 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of battery power for a blackout situation. Essential control room instrumentation is provided by l the dc buses. Control room indications would be in jeopardy after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> if full blackout loads were being carried by the batteries. Extended battery capa-bility will provide additional time for recovery of onsite or offsite ac power sources. In the high stress situation of a station blackout, the staff finds 4
that there would be a significant benefit from maintaining the operability of the controi room for this extended period, both from the perspective of plant monitoring and from that of enhancing possible recovery. The longer period would also increase the time available for initiation of UPPS, in situations where the RCIC is operational.
t In a further addition of defense in depth, the staff also requires that the dedicated power supply for the ignitors be available for feeding a single de battery charger. This would allow for long-term de power and, in conjunction with UPPS, would ensure both long-term cooling of the core and operability of control room instrumentation. Because the justification for this generator is hydrogen control, there is essentially no incremental cost for this purpose.
Again, the staff would require power connections that can survive the relative 4
motion of connecting buildings and the development of appropriate procedures.
The staff will also require an investigation to document what simple, inexpen-sive actions are available to facilitate RCIC room cooling for extended opera-tion during a blackout.
(4) Onsite Costs i
The staff evaluations discussed above are made to reduce offsite risk and en-hance defense in depth.
However, there is an additional benefit: reducing potential costs to a utility that would result from a core-melt accident and its resulting impacts. The staff did not feel that a detailed analysis of this issue was warranted because of the large uncertainties inherent in the nature of a standard nuclear plant review.
- Studies by the Regional Operations and Generic Requirements (ROGR) staff esti-mate a value of $10 billion as a surrogate for all onsite severe accident costs.
(A similar estimate was used by the staff during the rulemaking on anticipated
~
transients without scram.) This value accounts for all onsite costs, including the costs of replacement power, accident recovery, and cleanup. Because of the l large uncertainties in accident costs, the staff has not discounted these values. '
i GESSAR II SSER 4 15-25 i
Accounting for discounting could reduce the present value of onsite costs by approximately a factor of 2. The staff estimates that the GESSAR II plant with nonseismic UPPS has a core elt of 6.7 x 10 s per year. The design modifications discussed above would reduce this value to 5.2 x 10 s. This core-melt reduction of 1.5 x 10 s per year would show an accident reduction cost of $150,000 per year or $6 million over the 40 year operating life of the plant. This onsite benefit exceeds the staff's cost estimates of all the additional modifications 3
the staff has proposed. However, large uncertainties exist in the costs asso-ciated with recovery from a severe accident. The staff considers that these t
values further support efforts to reduce the likelihood of severe accidents.
Table 15.16 provides the monetized worth of risk reduction and onsite costs for various modifications to show the relative impact of both factors. The onsite costs for those modifications involving hydrogen control would be constant, because that is a mitigative feature, with no impact on core-melt frequency.
15.6.3.5 Summary In summary, the staff finds that the following design modifications to the i GESSAR II design are necessary to satisfy the Commission's concerns related to severe-accident considerations for future designs:
+ seismic upgrade to UPPS dedicated power supply to hydrogen ignitor system
! +
10-hour station batteries ability to power a dc battery charger from ignitor power supply l
Without these changes, the staff estimates.the annual public risk from the GESSAR II design to be approximately 600 person-rems per year. With the changes, the staff estimates a resulting public risk of approximately 240 i I person-rems per year. The staff finds this to be a worthwhile risk reduction.
However, the staff does acknowledge that these risk estimates inherently in-clude large uncertainties.
Independently, the staff finds significant advantages in the principles of de-fense in depth for the above modifications. The upgraded UPPS and de power systems will allow the plant to respond successfully to extensive failures while still maintaining core and containment cooling. Extended operability of the control room during station blackout events will be enhanced, which will be beneficial from a perspective of operator performance, especially in the high-stress environment following a severe accident. Modifications to the hydrogen ignitor power system will result in a significant improvement of the hydrogen control system to respond to core-melt accidents, because the majority of these events are believed to involve station blackout.
The staff requires that GE provide details of how the modifications discussed in l this section will be incorporated in the GESSAR II design. The staff require-ments for these design improvements are conceptual in nature. In presenting
- the required detailed information on these systems, alternative designs may be proposed that offer equivalent functional performance. The staff requires that this information be submitted in sufficient time to complete its evaluation before issuing a construction permit or an operating license for a facility referencing the GESSAR II design. At this time, the staff does not believe that any design modifications in addition to those discussed and required above are warranted.
l l
15-26 GESSAR II SSER 4 I
I 1
__..g.,....a .
./ % .
t 4
?
s,
?
't fE"N **
\ '.5
\
n .'.
l 't ,,
- CONTAINMENT
- . d
.! 9 A '.,
.' r.
~
DRYWELL ;
,., HEAD g a ?
l *. ,
,,,- 6 POOL
. ; i ;ri i 6 s ,.
{' .
.: p sRvDisCHARGE j REACTOR c,
,,,,,,, a 5
1 r ; 't :1
. r . #/p'"y.. I
'.1 : ,,,, nrAcTOR 9 'l
';l i g; 9t.
- SHIELD WALL f ***
fF F ,
f tg
- s. < e .
i - M :
- f [', ti $ ( ;j,,,,,. 4RYWEu.
, , s .
i
- 6 l
- c fs %y, u'* a p'. ,--At c<J $5Sh $ ,:; .:.*f **;s %% VENTS
., ... 1 s.
e *
. .I.':.. . .- ,'g. ' . -surrREsslON
@. , . , , '.s,'
.......u...".
w,gm R. .'
p ..... .
poot
...- c s...... . .. . ..
- V.. .,' .: ,'1.:.
. , ..,........54
. . . . .,1..,f
- 3. .. ..... .......:
I f
In-vessel release passes through safety / relief valve (SRV) lines, is scrubbed in suppression pool before entering secondary containment, and
- then is released to the environment.
Ex-vessel (core / concrete vaporization) release passes through horizontal vents into the pool and is also scrubbed.
Figure 15.1 GESSAR II Mark III containment: typical fission product release pathways with drywell intact i
I GESSAR II SSER 4 15-27
> CONTAINMENT H -- -- -- -------- -- --
- - ] CONTAINMENT PURGE SYSTEM HIGH FLN EXHAW
$ HIGH g v'ow
- LY ,J V m
, wa , ,w, JVm
- a ,
VmJ Vm J l LOCKED LOCKED l FUEL SUILDING CLOSED CLOSED DRYWELL LOCKED l CLOSED l RPV " '
k , ! !
PRESSURE t\ I l l V kJ l l dL
' c LPC$
RPV SEAL FM l
- " -- --- l p LEVEL POTS p , {- -] e l MAIN STE AM I LINE T ' -- "
l ,
m W \/
q CONTROL CENTER f f y E^jg"""@ p g
2 k n
g , EiR$ '
FUM9 1
p SAFETY 1-l j
/ RELIEF BOTTLEO _
VALVE / AIR $UPPLY , , ,
/ - FROM FIRE PROTECTION l
== SYSTEM l
WAf f ei FIRE TRUCK CONNECTION Figure 15.2 GESSAR II UPPS Source: NEDE-30640
b E s
=
a
= 8-
= 0 Risk I = Cl x FI x PA x 40 R-Y w
a 5.3 4.6
- ci- Total consequences Remaining g g 5-2.4** with Design improvement I
+ co FI = Total Core Melt Frequency 54-g PA = 1000 dollars per Person-Rom Averted y 3.0 * = ignitors 8- 27 ** = Perfect Hydrogen Control in*~ 1.2* 1.0
- E $ 1.3 0.9" 0.9" s 1- MW , , , , , .
0-0 4 4 44 +
1 Figure 15.3 Monetized risk potential for further risk reduction in GESSAR II for interr'lly generated severe accidents i
l
E 2 E
- IO so-
- = Ign:!ers O 25.3 25.0 25.0 " " "'"'**"## '
,,_ .0 e
- j 20- 18.0 18.0 i E 2 15 - 11.0*
6.0**
~
l O 6-
?
/
V/)
h $
$ 0- -
4 4 4 Y 4 Figure 15.4 Monetized risk potential for further risk reduction in GESSAR II for externally generated events (seismic) f
- ' Table 15.1 Conditional consequences predicted by the staff for internally initiated events and probability of occurrence with and without UPPS, per reactor year Probability Release Early Early Latent Person-category
4 1-T-L3 0 0 40 7 x E5** 3 x E-6 9 x E-7 i
1-1-E3 0 0.0005 200 3 x E6 8 x E-6 1 x E-6 i 0 1-T-I2Q 3 200 3 x E6 1 x E-5 1 x E-6 j 2-T-83 0 0 300 5 x E6 4 x E-6 4 x E-7 ATWS 0 1 400 6 x E6 3 x E-6 3 x E-6 1-T-I2 0 6 500 8 x E6 3 x E-6 3 x E-7 1-SB-El 0.006 10 600 9 x E6 1 x E-9 1 x E-9
- See definitions in Table 15.15.
- 7 x ES = 7 x 105 Notes:
(1) All conditional mean consequences were calculated using the upper range BNL source term values described in SSER 2.
, (2) The calculations assumed the Shippingport site, with public evacuation within 10 miles and relocation 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after plume passage. ,
(3) Mean consequences were computed over 91 different weather
, conditions.
1 GESSAR II SSER 4 15-31
Table 15.2 Conditional consequences predicted by the staff for externally initiated events (seismic) and probability of occurrence, per reactor year Probability Release Early Early Latent Person-category
- fatality injury fatality rem w/o UPPS w/UPPS 1-T-L3 0.3 8 600 1 x E6** 3 x E-7 3 x E-7 ATWS 50 150 500 7 x E6 6 x E-6 6 x E-6 1-T-I2 70 200 600 9 x E6 6 x E-5 5 x E-5 1-SB-El 100 300 700 11 x E6 1 x E-6 1 x E-6 S2 E, 250 900 600 8 x E6 1 x E-7 1 x E-7
- See definitions in Table 15.15.
- 1 x E6 = 1 x 105 Notes:
(1) All conditional consequences were calculated using upper range source term values.
.(2) The Shippingport site was assumed.
(3) No public evacuation was assumed; relocation 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after plume passage and no sheltering for severe earthquakes, as specified in Case 3 of the Limerick Final Environment Statement (NUREG-0974), were assumed.
(4) The S2 E, category was approximated using BMI-2104 information (Battelle, 1984).
1 l
GESSAR II SSER 4 15-32
Table 15.3 Potential design improvement groups for GESSAR II
- 1. Accident Management / Human Factors
- 2. Reactor Decay Heat Removal
- 3. Containment Capability
- 4. Containment Heat Removal
- 5. Containment Atmosphere Mass Removal
- 6. Combustible Gas Control
- 7. Containment Spray Systems
- 8. Prevention Concepts
- 9. AC Power Supplies
- 10. DC Power Supplies
- 11. ATWS Capability
- 12. Seismic Capability
- 13. System Simplification
- 14. Core-Retention Devices n
GESSAR II SSER 4 15-33
- - - - -- ._- - _ - - . _ _ - _ - _ _ - _ - . . . . . _ ~
4
- Table 15.4 Potential design improvements for GESSAR II
- 1. Accident Management / Human Factors
- a. use of advanced instrumentation important to accident management,
' including improved transient indicators, control room data acquisition, and display and alarm prioritization (computer aided)
! b. computer-aided artificial intelligence including attention to risk issues in human-machine interfaces
- c. improvements in maintenance procedures and manuals for the GE scope of supply
- d. incorporation of plant design features to improve maintainability and the incorporation of a " designed" preventive maintenance program 1
) e. extention of emergency procedure guidelines to cover severe accidents f.
coordination of design of remote shutdown capability with control room design and habitability and with other design interfaces (e.g. , fire protection) considering human factors engineering
! g. consideration in the design of the safeguards (security) syst.en of i
! the safety-safeguards interface with respect to access of ope,ators in emergency conditions (fires, shutdown capability outside tt.a control room, etc.)
- h. use of simulators for operator training for severe accidents i
j 2. Augmented Reactor Decay Heat Removal l
l
- a. improved reliability of decay heat removal at operating pressure (high pressure coolant injection (HPCI), RCIC)
- b. addition of active decay heat removal system capable of operating at system pressure (see also Items 9e and 10e below)
- c. addition of passive decay heat removal system (such as an isolation condenser) capable of operating at system pressure
- d. improved reliability of depressurization system
- e. Items 2a, 2b, and 2c designed for low pressure
- f. installation of a dedicated suppression pool heat removal system
- g. enhanced jockey pump system for alternate heat removal
- h. safety-related condensate storage tank (protected from natural phenomena) with capability for a 16-hour station blackout GESSAR II SSER 4 15-34
Table 15.4 (Continued)
- 1. provision for removal of decay heat during a 16-hour station blackout via direct steam condensation to either the RHR heat exchanger or another heat sink other than the suppression pool
- 3. Increased Containment Capability Margins
)
- a. increased volume
- b. increased pressure capability (increased to 25 psi or higher from 15 psi
- c. improved pressure suppression reliability
- d. increased temperature margin (improved penetration seals, etc.)
- e. improved vacuum breaker design
- 4. Augmented Containment Heat Removal
- a. active and passive systems (including assessment of enhanced suppression pool cooling vs. higher capacity heat sink- perhaps 30%
full power capacity for anticipated transients without scram (ATWS))
- b. passive ultimate heat sink
- 5. Containment Atmosphere Mass Removal
- a. filtered and unfiltered vent systems
- b. low flow and high flow vent systems
- 6. Combustible Gas Control Systems
- a. inerting including consideration of pre-accident inerting, post-accident inerting, and preconditioning
- b. hydrogen ingiters
- c. use of existing or enhanced fire suppression systems
- 7. BWR Containment Spray Systems including consideration for: capacity, initiation, additives water source, ac/dc dependencies, installation of a dedicated system, and the ability to connect to a backup water supply (a fire truck or a jockey pump system)
- 8. Specific Prevention Concepts
- a. improved valve or drain design (such as safety-relief valves, main steam isolation valves including orientation effects, emergency core cooling system equipment room drains, rad waste system drains)
GESSAR II SSER 4 15-35
Table 15.4 (Continued)
- b. improved control logic and component design to provide reliable operation over the full operational range (such as feedwater con-trols and RHR systems)
- c. reduction of common cause dependencies pump cooling and ventilation service water dependencies
+ air supply dependencies other support systems reloaction of equipment to improve separation and protection diversity of manufacturer of redundant equipment (such as low-pressure coolant injection (LPCI) pumps)
- d. modification or alternate selection of equipment based on operating experience (such as the replacement of three-stage Target Rock safety-relief valves with two-stage, as has occurred in earlier BWR designs)
- e. consideration of water hammer (USI A-1) in current design, following ongoing SRP revisions (use of void detection and venting design features and potential for water hammer with degraded piping)
- f. consideration of degraded emergency core cooling system pump perform-ance (USI A-43) in accordance with RG 1.82, Revision 1 when issued
- g. provision of sufficient instrument air to operate valves and neces-sary air-operated instrumentation and controls during a 16-hour station blackout
- h. provision of sufficient ventilation and cooling to ensure operation of essential equipment and controls during a 16-hour station blackout
- i. assurance of recirculation pump seal integrity during a 16-hour station blackout
- j. alternate power source for feedwater pumps (such as gas turbine)
- 9. Improved AC Power Supplies
- a. more and/or improved diesel generators and electrical division
- b. uninteriuptible power supply providing backup power to equipment critical to safe shutdown
- c. optimitation of the configuration of the onsite safety related l distribution system from a reliability viewpoint including the i l effect4 of bus crossties !
l d. diversh motive sources (such as gas turbines) l l l l GESSAR II SSER 4 15-36 l l
l l l
Table 15.4 (Continued) i
- e. dedicated onsite power supplies to dedicated (bunkered) decay heat removal systems
- 10. Improved DC Power Supplies
- a. higher capacity batteries l
- b. additional batteries and electrical divisions
, c. diverse de power systems (e.g., fuel cells) d .' optimization of the configuration of the onsite safety-related distribution system from a reliability viewpoint including the effects of bus crossties
- e. dedicated, diverse onsite power supplies to dedicated (bunkered) decay heat removal systems
- f. diverse motive sources (such as a steam-driven turbine generator)
- 11. Improved Capability for ATWS
- a. diverse electric scram
- b. improved control rod drive hydraulic system including scram discharge volume
- c. additional standby liquid control (SLC) system pumps or other SLC system improvements
- 12. Improved Seismic Capability
, a. integral basemat 1 b. increased design margin for these systems and components whose failure is shown to contribute significantly to seismic-related t risk 4
- 13. System Simplification-4
- a. elimination of unnecessary interlocks and auto initiation systems
- b. elimination of certain redundant valves and components that are shown to have a negative effect on overall plant safety
- c. elimination of seismic and pipe whip restraints
- 14. Core-Retention Devices
- a. including consideration of specific concrete types (limestone vs.
basaltic) in the current cavity GESSAR II SSER 4 15-37
Table 15.4 (Continued)
- b. including a consideration of modification of the cavity geometry (access ports, finor slope, addition of corium flow diverters, etc.)
to accomplish:
equipment protection (e.g., electrical penetrations) retention of corium within the cavity region dispersal of the corium outside the cavity including diversion to the suppression pool Table 15.5 GESSAR II potential design improvements, ranked by cost-benefit ratio (C/B)
Rank Design modification C/B Note 1 Increased battery capability for 10 hour1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> blackout (3.10a) < 10 1 2 Ultimate plant protection system (UPPS) (App. A) < 10 -
3 Improved or additional low pressure system (3.2e) < 10 2 4 AC bus crossties (3.9c) < 10 2 5 Improved maintenance procedures / manuals (3.lc) < 10 -
6 Computer aided instrumentation (3.lb) < 10 -
7 Alternate pump power source (3.8j) < 10 2 8 Batteries for dc pump power (3.10c) < 10 -
9 Increased battery capability for 16-hour blackout (3.10.1) < 10 -
10 Simulator training for severe accidents (3.1.h) < 10 -
11 Improved high pressure system (3.2.a) < 20 -
12 DC bus crossties (3.10.d) < 20 2 13 Additional active high pressure system (3.2.b) < 50 -
14 Uninterruptible power supplies (3.9b) < 50 2 15 Fuel cells for diverse dc pump power (3.10.c) < 50 2
, 16 Additional diesel generator (3.9.a.1) < 50 2 l 17 Gas turbine (3.9.d) < 50 2 l Passive high pressure system (3.2c) < 50 18 -
19 Steam-driven turbine generator (3.9.f) < 50 2
! 20 Increased electrical divisions / diesels (3.9.2) <100 2 l 21 Increased design margins (3.12b) <100 -
i 22 Jockey pump system (3.2.g.1) <100 2 l 23 Reduction of common-cause dependencies (3.8c) <150 2
- 24 Passive ultimate heat sink (3.4b) <150 2 l l 25 Improved operating response (3.8b) <150 -
Notes:
l l (1) The number / letter in parentheses is the NEDE-30640 section in which the
- item is discussed.
(2) Included in UPPS, according to GE.
1 GESSAR II SSER 4 15-38
Table 15.6 RDA study results fer GESSAR II, Mark III containment mitigation COST ($ thousands)
High pressure containment (Mark III)
Low pressure Option Option Option containment Function Equipment 1 2 3 w/ chill. filt.
Heat removal Pool Dedicated cooling 2,085 2,085 2,085 2,085 Spray Drywell sprays plus 565 565 565 --
external feed Core control Basemat rubble bed --
744 744 --
Dry crucible 2,295 -- --
2,295 Pressure protection Overpressure Igniters -- --
300 300 ATWS clean vent 1,579 1,579 1,579 --
Filtered vent 1,950 1,950 -- --
Nitrogen inerting 1,557 1,557 -- --
Underpressure Larger breaker 865 865 865 --
Both Chilled filter -- -- --
2,938 Total costs (impact) 10,896 9,345 6,138 7,618 VALUE (or BENEFIT) (person-rems averted)
Estimator-GE 11 11 11 11 NRC 5,240 5,240 5,240 5,240 COST / BENEFIT ($/ person-rem)
Estimator GE 9.9E5* 8.5ES 1.6E4 6.9E5 NRC 2,060 1,780 1,170 1,450 89.9E5 = 9.9 x 106 GESSAR II SSER 4 15-39
9 W
I
. Table 15.7' Designs and design modifications ~ evaluated Design / modification Impact considered i.
l Base Case. This represents the plant design as pre-sented in the GESSAR II PRA. Modified core-melt values, given in the SER, are !
taken from the BNL PRA review for the
- national average grid. site. Consequences
, reported have been predicted using.the i staff /BNL upper range source term _ values.
n The values used are believed to be ,
physically realizable.and should not be construed as being upper bounds.
Case 1: GE proposed UPPS These values reflect the impact of UPPS
, proposed by GE. This represents the actual new base case.
-Case 2: UPPS with seismic upgrade Impact of UPPS with seismic upgrade equivalent to component and structure capacity values expected from seismic Category I systems.
Case 3: 10-hour battery capacity Impact of the base GESSAR II design with
, the addition of 10-hour station batteries.
Impact of the base GESSAR II design with
~
Case 4: DC charger the addition of a dedicated de battery charger driven by a diverse small n generator.
!' : Case 5: UPPS and charger Impact of UPPS combined with de charger /
- . generator..
4 Case 6: Perfect hydrogen control Impact of base GESSAR II design with assumed perfect hydrogen control.
Case 7: Seismic UPPS and de charger Impact of combining seismic UPPS with de
- charger.
Case 8: Seismic UPPS and perfect Impact of combining seismic UPPS with hydrogen control perfect hydrogen control. .
Case 9: UPPS and igniters Impact of combining UPPS with hydrogen control from igniters having a dedicated power supply.
Case 10: . Seismic UPPS and igniters Impact of combining seismic UPPS with ,
hydrogen control from igniters having a {
' dedicated power supply.
i GESSAR II.SSER 4 15-40 l
Table 15.8 Estimated frequency of core damage resulting from internal events for GESSAR II base case and with design modifications UPPS and Base case some 10-hour DC Unlimited (nat'l avg.) seismic battery charger de power Class
- loop UPPS upgrade capacity generator and UPPS CT1-T 1.1(-6)** 9.0(-7) 9.0(-7) 1.1(-6) 1.1(-6) 9.0(-7)
CT1-Pa 1.1(-5) 1.3(-6) 1.3(-6) 4.4(-6) 3.4(-6) 4.4(-7)
CT1-Pb 1.9(-5) 2.28(-6) 2.28(-6) 7.6(-6) 5.76(-6) 7.6(-7)
CT2-T 3.8(-6) 3.8(-7) 3.8(-7) 3.8(-6) 3.8(-6) 3.8(-7)-
CT3 1.3(-7) 1.3(-7) 1.3(-7) 1.3(-7) 1.3(-7) 1.3(-7)
CT4 3.2(-6) 3.1(-6) 3.1(-6) 3.1(-6) 3.1(-6) 3.1(-6)
CT2A 1.2(-7) 1.2(-7) 1.2(-7) 1.2(-7) 1.2(-7) 1.2(-7)
CT1L 3.0(-9) 3.0(-9) 3.0(-9) 3.0(-9) 3.0(-9) 3.0(-9)
CT2L 1.4(-8) 1.4(-8) 1.4(-8) 2.4(-8) 2.4(-8) 1.4(-8)
CT5 2.3(-11) 2.3(-11) 2.3(-11) 2.3(-11) 2.3(-11) 2.3(-11)
CT6 1.2(-9) 1.2(-9) 1.2(-9) 1.2(-9) 1.2(-9) 1.2(-9)
CT7 0.0 0.0 0.0 0.0 0.0 0.0 Total 3.8(-5) 8.2(-6) 8.2(-6) 2.0(-5) 2.7(-5) 5.7(-6)
- See Table 15.14 for description of the containment failure classes.
- 1.1(-6) = 1.1 x 10 8 GESSAR II SSER 4 15-41
M Table 15.9 Public risk from internal events (person-rems per unit per year) for GESSAR II base case and with design modifications O Unlimited m generator M Base UPPS and and UPPS Unlimited
- GESSAR case perfect 10-hour DC Unlimited and perfect generator
- UPSS H2 control UPPS control capacity generator igniters and UPPS control igniters 1-T-E2 3 -
0.5 -
1 1 -
0.3 - -
1-T-E2Q 1 -
0.2 -
0.4 0.3 -
0.1 - -
1-T-E3 23 -
4 -
10 8 9 2 -
4 1-T-I2 22 -
3 -
9 7 -
1 - -
1-T-I2Q 31 -
4 -
12 10 -
1 - -
2 1-T-I3 12 -
2 -
5 4 2 0.5 -
- 0. 5 1-T-L2 - - - - - - - -
1-T-L3 2 22 0.6 3 1 1 0.6 0.5 2 0.5 1-SB-El 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01 0.01 II-T-B3 20 20 2 2 20 20 2 2 2 2 AD6 18 18 18 18 18 18 18 18 18 18 Total 131 59 33 23 76 68 31 25 22 25
- See Table 15.15 for a description of the release categories.
l l
E Table 15.10 Estimated frequency of release categories-resulting from seismic
$- events for GESSAR II base case and with design modifications R
0 Base case UPPS and UPPS and
, and perfect UPPS and .10-hour - generator seismic upgrade-l $
- =
Release hydrogen seisatic battery DC charger and seismic and perfect
! category
- Base case control UPPS upgrade capacity generator upgrade hydrogen control i
a
! 1-58-El 1.2(-6)** -
1.2(-6) 1.2(-6) Same as base case Same as -
! UPPS and i
Seismic 1-T-L3 3.5(-7) 5.8(-5) 3.2(-7) 1.9(-7) 3.8(-5) s 1-S2(max) 6.9(-8) 6.9(-8) 6.9(-8) 6.9(-8) "
6.9(-8)
ATWS 5.9(-6) 5.'9(-6) 5.9(-6) 5.9(-6) 5.9(-6) y 1-T-I2 5.6(-5) -
4.9(-5) 3.6(-5) " " "
2.3(-7) a + -
j V-event 2.3(-7) 2.3(-7) 2.3(-7) 2.3(-7) - "
2.2(-6) i RHR pipe break 2.9(-6) 2.9(-6) 2.7(-6) 2.1(-6) 1.4(-7)
Massive failure 1.4(-7) 1.4(-7) 1.4(-7) 1.4(-7)
TOTAL 6.7(-5) 6.7(-5) 5.9(-5) 4.6(-5) 6.7(-5). 6.7(-5) 4.6(-5) 4.6(-5)
"See Table 15.15 for a descripton of the release categories.
- 1.2(-6) = 1.2 x 10 8
Table 15.11 Seismic risk, person-rems per unit year h UPPS and seismic -UPPS and m Base
~ case and UPPS and UPPS and upgrade and seismic m perfect UPPS and perfect 10-hour seismic perfect- upgrade i $ Release Base hydrogen UPPS and seismic hydrogen . battery DC charger ~ upgrade and hydrogen with l
categoryt case control UPPS igniters upgrade control. capability generator -generators control igniter s
l I-58-El 13 --
13 --
13 ---
Same as base case Same as -- --
1 UPPS I-T-L3 0.3 52 0.3 0.3 0.2 45 " "
45 0.2 I
I-52(max) 0.5 0.5 0.5 0.5 0.5 0.5- 0.5 0.5 ATWS 43 43 43 43 43 43 43 '43 I-T-I2 526 --
456 --
342 -- --
s I-T-E3 -- -- --
170 -- -- --
130 T
2 V-event
- 12 12 12 12 12 12 " " "
12 12 l RHR pipe 31 31 30 30 24 30 24 24 break **
Massive 7 7 7 7 7 7 7 7 failure Total 632 145 562 260 44 137 633 633 440 131 212 tSee Table 15.15 for a description of the various release categories listed.
- Based on estimated person-res values. from Limerick for Event V.
- RHR pipe break assumed to have person-rem impact equal to that of 1-SB-El.
~
A r
4 4
Table 15.12 Core-melt frequency probabilities (per year) for GESSAR II base case and with design modifications UPPS and seismic UPPS and
- .Cause of core melt Base case UPPS upgrade DC charger Internal event 3.8(-5)* 8.2(-6) 8.2(-6) 5.7(-6)
Seismic event. 6.7(-5) 5.9(-5) 4.6(-5)- 4.6(-5)
Total 1.1(-4) 6.7(-5)** 5.4(-5) 5.2(-5)
- 3.8(-5) = 3.8 x 10 s,
- Core-melt estimate includes large contribution from relay chatter.
Resolution of this issue could reduce core-melt contribution to approximately 2 x 10 s, A
Table 15.13 Estimated accidental releases to the public (person-rems per year) for GESSAR II base case and with modifications UPPS and seismic UPPS and
- UPPS and upgrade and seismic perfect perfect upgrade UPPS UPPS and hydrogen hydrogen with Risk Base case UPPS seismic igniters control control igniters Internal
- event risk 130 30 30 30 20 20 30 Seismic-risk 630 560 440 260 140 130 210 4 Total 760 590 470 290 160 150 240 4
i GESSAR II SSER 4 15-45
, _ . . , - . ws-w..e-.e.. -.c. , ,-s.- ~,..-,-----.-_-.,-y
Table 15.14 Containment failure classes Event Class tree name Description j i
I CT1-L Core damage initiated by a drywell LOCA l t
IT CT1-P Core damage initiated by loss of ac power I
T CT1-T Core damage initiated by transients other than loss of ac power II CT2-A No containment heat removal and an earlier potential for A
loss of containment integrity compared to II and II l L T II g CT2-L No containment heat removal following a LOCA
- - II T
CT2-T No containment heat removal following transient event III CT3 An ATWS event with boron injection but without core cooling IV CT4 An ATWS event with core cooling but without boron injection V CT5** Core damage caused by containment or ex-containment LOCAs VI CT6** A loss of containment integrity caused by a containment LOCA
- The frequency associated with this event is relatively small and does not justify an individual tree. These sequences were processed by other trees.
Source: Table C.16.3, GESSAR II PRA.
- GESSAR II SSER 4 15-46 i
e Table 15.15 Release categories ;
Release category Description 1-T-L3 Class 1 core-melt transient-(e.g., station blackout) with late ,
containment failure as a result of overpressurization from gases '
generated during core-concrete interaction.
1-T-E3- Core-melt transient as above with early containment failure result-4 ing from local or global hydrogen detonation. However, the drywell is assumed to remain intact and pool scrubbing is maintained.
1-T-I2Q Core-melt transient. Station blackout with power restored after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. Global hydrogen detonation with drywell failure and poten-tial pool bypass;-however most fission products are assumed to be released before the vessel fails and so are retained in the pool.
Also, core debris is assumed to be quenched.
1-T-I2 Same as 1-T-I2Q but without quench.
1-T-E2 Variations of above core-melt transients where "E" represents 1-T-E2Q early containment failure, "I" intermediate time, and "L" late.
1-T-I3 The "1",'"2", and "3" refer to partial, intermediate, and con-1-T-L2 tinuous scrubbing as defined in Table 15.11 of SSER 2. "Q" refers to quenched ex-vessel core debris.
J' 1-SB-El Small-break core-melt transient with early containment failure
{drywell) from hydrogen detonation and bypass of suppression pool.
1-SB-E1Q Same as above but with quench of ex-vessel core debris.
! 1-SB-E3 Same as above but drywell remains intact and there is no pool bypass.
1-SB-L1 Small-break core-melt transient with late overpressurization failure of containment and partial bypass of the pool. '
1-S8-L3 Same as 1-SB-L1 but with no bypass.
II-T-83 Class 2 core-melt transient with initial failure of containment heat removal causing overpressurization and failure of containment.
Core melt and vessel failure follow the containment failure. No pool bypass.
ATWS Anticipated transient without scram and core melt.
S2 E, ' Core-melt accident caused by a very severe earthquake. Early con-tainment and drywell failure with suppression pool bypass. Analysis values were approximated using BMI-2104 information (Battelle, 1984).
4 GESSAR II SSER 4 15-47
Table 15.16 Monetized worth of risk reduction Seismic upgrade Seismic and UPPS with ;
i~ upgrade unlimited Parameter Base case UPPS .UPPS dc power Total core-melt 1.1 x 10 4 6.7 r. 10.s 5.4 x 10 5 5.2 x 10 5 frequency per year Offsite risk (40 years) $3.1 x 107 $2.4 x 107 $1.9 x 107 $1.9 x 107 Onsite risk (40 years) :$4.4 x 107 $2.7 x 107 $2.2 x 107 $2.1 x 107 1
k 1
s 4
GESSAR II'SSER 4 15-48
2 APPENDIX A CONTINUATION OF CHRONOLOGY November 29, 1984 Letter to applicant requesting review of NUREG/CR-4025 for proprietary information prior to December 4-5, 1984 ACRS subcommittee meetings.
November 30, 1984 Letter to applicant transmitting SSER 2 to GESSAR II.
December 3, 1984 Letter from applicant transmitting proprietary contain-ment pressure-carrying capability study and responses to informal questions on design modifications.
December 10, 1984 Letter from applicant transmitting Revision 21 to Appendix A of Response 3.84, concerning calculations and assumptions for auxiliary and control building sliding stability analysis.
December 18, 1984 Letter to applicant forwarding draft SER input for GESSAR.II SPDS. Review and schedule for responding to open items in report requested by December 31, 1984.
December 20, 1984 Letter from applicant submitting additional information on GESSAR II SPDS, display clutter, and reliability analysis.
December 27, 1984 Letter to applicant requesting review of enclosed SSER 3 for proprietary information.
January 31, 1985 Letter to applicant transmitting for information only Generic Letter 85-01, " Fire Protection Policy Steering Committee Report."
February 5, 1985 Letter from applicant transmitting comments on R&D Associates proprietary report on potential design modifications and enclosing response to issues identi-fied in SSER 3 on seismic events relative to pool bypass sequences.
February 8, 1985 Letter from applicant transmitting supplemental infor-mation on capability of ultimate plant protection system.
February 28, 1985 Letter from applicant transmitting Addendum 1 to NED0-10466, an additional halon and soak time option for the power generation control complex fire suppres-sion system.
GESSAR II SSER 4 1 Appendix A
April 4, 1985 Letter from applicant advising of preparations to up-date and resubmit draft amendment supporting leak-before-break approach to achieve consistency with Volume 3 of NUREG-1061.
' April 26, 1985 Letter from applicant transmitting proprietary up-dated draft "GESSAR II Amendment Supporting Laak-Before-Break" and June 18, 1985, carbon steel piping schedule.
?
May 1,'1985 Letter from applicant transmitting supplemental infor-mation to Addendum 1 to NEDO-10466 " Power Generation Control Complex (PGCC) Fire Suppression Licensing.
Topical Report," and discussing establishing Halon concentration requirement for control room.
May 8, 1985 Letter to applicant transmitting BNL Report, " Review of BWR/6 Standard Plant PRA," and requesting review to identify proprietary information.
May 9,.1985 Letter from applicant transmitting Anacapa Technical Report TR-550-1, " Human Factors and Performance Eval-uations of Emergency Response Information System."
Should resolve NRC questions regarding amount of information contained in GESSAR II displays.
June 7, 1985 Letter to applicant transmitting proposed Amendment 1 to FDA-1 for review.
1 June 10, 1985 Letter from applicant transmitting information on resolution of open item on clutter in GE emergency response information system.
J l
l l
, GESSAR II SSER 4 2 Appendix A i
i
h APPENDIX B REFERENCES Battelle Memorial Institute, BMI-2104, "Radionuclide Release Under Specific LWR Accident Conditions," July 1984.
Brookhaven National Laboratory, BNL-NUREG-51790, " Failure Evaluations of Con-tainment Structures in Appendix G of GESSAR Report," S. Sharma et al., June 1984.
- -- , BNL-NUREG-51789, " Reliability Evaluation of a Steel Containment Under Hydro-gen Burn Pressures," J. Pires, H. Hwang, and M. Reich, June 1984.
Code of Federal Regulations, Title 10, " Energy" (10 CFR), U.S. Government Printing Office, Washington, D.C.
General Electric Company, "GESSAR-II, Seismic Events Analysis," September 1983.
, -- , Topical Report NEDE-30640, " Evaluation of Proposed Modifications to the 3
f GESSAR-II Design," K. W. Holtzclaw and P. D. Knecht, June 1984 (proprietary).
Lipinsky, R. J. , et al. , " Uncertainty in Radionuclide Release Under Specific LWR Accident Conditions, Volume II: Analyses," draft SAND 84-0410/2, March 1984.
Sherwood, G.'G., GE, letter to D. G. Eisenhut, NRC, " Draft Amendment to GESSAR-II Sections 1G.12 and 1G.22," August 20, 1984.
Shiu, K. K., and J. Reed, "An Evaluation of Core Damage Reduction Benefits of Ultimate Plant Protection System," draft report, Brookhaven National Laboratory, April 1985.
! Southern California Edison and San Diego Gas & Electric, " Final Safety Analysis Report, San Onofre Nuclear Generating Station Units 2 and 3."
Thomas, C. O., NRC, letter to G. G. Sherwood, GE, " Request for Additional Infor-nation Regarding Severe Accident Devices of GESSAR-II," April 13, 1984.
- U. S. Nuclear Regulatory Commission, NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," July 1981.
! -- , NUREG-0974, " Final Environmental Statement Related to the Operation of 1 Limerick Generating Station, Units 1 and 2," April 1984.
-- , NUREG-1070 (draft), "NRC Policy on Future Reactor Designs: Decisions on Severe Accident Issues in Nuclear Power Plant Regulations," November 16, 1984.
! GESSAR II SSER'4 1 Appendix B F
,. - , . . - , . - . - - . . - , . . . - - - - ----.,--n,,,,,_,-e.. ,- ,-,-. - - _.--,,, ,- , - . . . , - - , - --
wn . ~ . -
, NUREG/CR-2450 (draft), " Cost Benefit Evaluation," W. E. Kastenberg et al,,
June 1985.
-- , NUREG/CR-4025 (proprietary draft), " Detailed Conceptual Design and Feasibil-ity Study of Existing New or Improved Mitigation Systems," October 1984.
-- , NUREG/CR-4244 (draft), " Strategies for Implementing a Mitigation Policy for Light Water Reactors," W. E. Kastenberg et al., June 1985.
4
- GESSAR II SSER 4 2 Appendix B
4 i
l J
i l APPENDIX C UNRESOLVED SAFETY ISSUES AND GENERIC SAFETY ISSUES ,
i Technical resolution of unresolved safety issues (USIs) and high/ medium priority '
j generic safety issues (GSIs) is required by the Commission's proposed " Policy i Statement on Severe Reactor Accidents Regarding Future Designs and Existing i Plants." The status of the USIs is found in NUREG-0606, " Unresolved Safety '
l Issues Summary." The status of the GSIs is discussed in NUREG-0933, "A Prior-i itization of Generic Safety Issues," along with the proposed generic resolution i schedule.
It must be acknowledged that the staff's generic evaluation of the USIs and GSIs is ongoing. Since staff findings for many USIs and GSIs are, at most, prelim-inary, it is not possible at this time to evaluate the GESSAR II design against established staff criteria. Therefore, technical resolution of the issues will be achieved through engineering evaluations and demonstration that: (1) the sub-
) ject USI or GSI is not applicable to the GESSAR II design, (2) GE risk assess 4
ment (or engineering analysis) shows insignificant societal risk arising from the issue, or (3) where the risk assessment or engineering analysis cannot demonstrate insignificant societal risk, the design incorporates features which adequately respond to all concerns inherent in the issue. If requirements appli-i
- cable to the GESSAR II design are developed as a result of the resolution of the USIs and GSIs, the utility applicants referencing the GESSAR II design will be
- j. required to comply with the requirements.
4 i
Unresolved safety issues and generic safety issues which were outstanding when i SSER 3 was issued plus a newly identified and prioritized generic safety issue related to interfacing system LOCAs are discussed below, along with staff con-l clusions regarding their resolution.
UNRESOLVED SAFETY ISSUES l
USI A-43: Containment Emergency Sump Reliability i
I Following a postulated loss-of-coolant accident, that is, a break in the reac-tor coolant system piping, the water flowing from the break outside the drywell
, would be collected in the suppression pool. This water would be recirculated through the reactor system by the emergency core cooling pumps to maintain core
! cooling. This water might also be circulated through the containment spray sys-i tem to remove heat and fission products from the wetwell atmosphere. Loss of the ability to draw water from the suppression pool could disable the emergency cooling and containment spray systems.
l '
The principal concerns are somewhat interrelated but are best discussed sepa-rately. The first concern deals with the various kinds of insulation used on i piping and components inside of containment. The safety concern is that the j loss-of-coolant accident (LOCA) would destroy insulation and that this insula-l tion debris could block the residual heat removal (RHR) suction strainers or
-GESSAR II SSER 4 1 Appendix C e p--,-,m- -
-g s p 'tw-,--y +mawm- T~'*W##"9'
1 4
) otherwise adversely affect the net positive suction head (NPSH) requirement of j the pumps, block spray nozzles, and degrade the safety systems' performance.
.The second concern deals with the hydraulic performance of the RHR intakes as
- related to the hydraulic performance of safety systems supplied therefrom.
j Extensive full-scale experiments have been performed to assess air ingestion and other adverse hydraulic conditions. The results for BWRs (NUREG/CR-2772) show that air ingestion is generally less than 0.5% when the Froude number at '
l the suction intake is less than 0.8.
f The potential debris in the drywell resulting from blowdown transient could only be swept or driven into the suppression pool through the horizontal vents.
The staff's licensing evaluation of GESSAR II indicated that the likelihood of i
any insulation being drawn into an emergency core cooling system pump suction line is small. This is in part due to the multiple intakes associated with the i RHR systems being located at widely separated positions around the suppression pool, and that the intakes are 10 feet above the pool bottom and are equipped with strainers that have flow areas 200% larger than the suction pipes. However, should a blockage of flow occur in the RHR systems following the accumulation of insulation debris in the suppression pool, the GESSAR II design is provided with a supplemental core cooling system called the ultimate plant protection
- system (UPPS). The basic functions of this system are to provide core cooling, reactor pressure vessel (RPV) depressurization, containment heat removal, and suppression pool makeup independent of electrical power sources. The UPPS can achieve core cooling independent of suppression pool makeup by use of the exist-ing fire protection system pump or by some external source such as a dedicated I fire truck. Therefore, because of the low. likelihood of RHR line blockage and the alternative core cooling capability, the staff considers USI-43 resolved for GESSAR II. '
i USI A-47: Safety Implication of Control Systems I
^
This issue concerns the potential for accidents or transients being made more severe as a result of non safety grade control system failures or malfunctions.
These failures or malfunctions may occur independently or as a result of an i
accident or transient, and would be in addition to any control system failure !
l that may have initiated the event. It is generally believed that control sys-tem failures are not likely to result in loss of safety functions which could l lead to serious events or result in conditions that safety systems are not able to cope with.
In-depth studies for all the non-safety grade control systems have not been performed, however, and there exists some potential for accidents or transients being made more severe than previously analyzed, as a result of some of these control system failures or malfunctions.
Failure or malfunction of the non-safety grade control system can potentially (1) cause a steam generator or reactor vessel overfill, or (2) can lead to a transient (in PWRs) in which the vessel could be subjected to severe overcool-ing. In addition, there is the potential for an independent event such as a single failure, or a common-mode event, to cause a malfunction of one or several control systems which would lead to an undesirable control action, or provide misleading information to the plant operator.
GESSAR II SSER 4 2 Appendix C i_____._._ _.._ _ _
t i
J l
} The purposes of this unresolved safety issue are to perform an indepth evalua-tion of the non-safety gcade control systems that are typically used during i
normal plant operation, to evaluate the need for requiring control system changes in operating reactors, and to verify the adequacy of current licensing
- design requirements or propose additio1a1 guidelines and criteria to ensure j that nuclear power plants do not pose an unacceptable risk from inadvertent
! failure of such controls. It should be recognized that the effects of control system failures during accident or normal plant operation may differ from plant to plant, and therefore it may not be possible to develop generic solutions to these concerns. It is possible, however, to develop generic criteria that can
- be used for the plant-specific reviews.
i The GESSAR safety systems have been designed with the goal of ensuring that
- control systems failures (either single or multiple) will not prevent automatic i or manual initiation and operation of any safety system aquipment required to
- trip the plant or to maintain the plant in a safe shutdown condition following any anticipated operational occurrence or accident. This has been accomplished by either providing independence between safety- and nonsafety grade systems or i
by providing isolating devices between safety- and nonsafety grade systems.
, These devices preclude the propagation of nonsafety grade system equipment j faults so that operation of the safety grade system equipment is not impaired.
In addition, the UPPS can provide RPV depressurization, core cooling, and con-
! tainment venting and heat removal independent of electrical power (ac and dc),
- thus further reducing the likelihood of core damage resulting from a control system failure. Much of the design evaluation required to resolve concerns
- related to the failure of control systems is outside the scope of GESSAR II
- (see NUREG-0979, Section 7). It is the responsibility of the utility appli-
- cants who reference the GESSAR II design to provide the necessary evaluations i of the control systems that are required by NUREG-0979 and that will be required by the resolution of USI A-47.
l ,
Although it does not do so explicitly, the GESSAR II probabilistic risk assess-1 ment (PRA) does include consideration of control system failures in the data base utilized for transients and the fault trees.
With regard to the concern with reactor vessel overfill transients, commercial-
- grade high-level trips (Level 8) for feedwater and turbine have been installed in most boiling-water reactors (BWRs), including the GESSAR II design, to ter-minate flow from the appropriate systems. Periodic surveillance testing of these high-level trips is required by the Technical Specifications. No over-filling events have occurred since the Level 8 trips were installed. Indepen-
. dent high-level safety prade trips are also provided for the reactor core l
isolation cooling (RCIC) and high pressure core spray (HPCS) systems. In addi-tion, the GESSAR II design empicys a high-level scram that reduces the con'se-quences of an overfill event. Further, severe overcooling is not a problem in BWRs khich, unlike pressurized-water reactors (PWRs), operate at substantially lower pressures.
On the basis of (1) the existing overfill protection provided in the GESSAR II design and (2) the requirement that utility applicants referencing the GESSAR II design provide the necessary evaluation of the control systems that are required l by NUREG-0979 and that will be required by the resolution of USI A-47, the staff j concludes that USI A-47 has been adequately addressed for GESSAR II.
i GESSAR II SSER 4 3 Appendix C 1
USI A-48: Hydrogen Control Measures Postulated reactor accidents that result in a degraded or melted core can produce and release to the containment large quantities of hydrogen. The hydrogen is formed from the reaction of the zirconium fuel cladding with steam at high tem-peratures and/or by radiolysis of water and by reactions involving organic com-pounds such as protective coatings. Experience gained from the Three Mile Island Unit 2 (TMI-2) accident indicates a potential need to require more specific design provisions for handling larger hydrogen releases than are currently required by the regulations, particularly for smaller, low pressure containment designs.
The Commission's regulations in 10 CFR 50.44(c)(3)(iv) " Hydrogen Control Re-quirements" (50 FR 3498) requires plants with Mark III containments for which construction permits were issued before March 28, 1979, to employ a hydrogen-control system, e.g., igniter system, to control the quantity of hydrogen that would be produced in a 75% metal-water reaction for PWR fce condenser and Mark III BWR containments.
By letter dated August 20, 1984, GE submitted a draft amendment to GESSAR II, Sections 1G.12 and 1G.21. This draft amendment requires utility applicants referencing GESSAR II to provide an igniter hydrogen control system capable of handling hydrogen as required by the proposed " Interim Requirements Related to Hydrogen Control" (46 FR 62281) now a final rule (50 FR 3498). The hydrogen control system will be based on the NRC staff-approved results of the Hydrogen Control Owners Group tests and analyses. GE has also provided an ultimate plant protection system (UPPS) which will reduce the overall risk of core damage and the overall probability that hydrogen will Le generated.
Section 2(ix) of the CP/ML Rule (10 CFR 50.34(f)), a requirement of the Commis-sion's severe accident policies statement, requires primarily that the applicant must provide a system for hydrogen control that can safely accommodate hydrogen generated by the equivalent of a 100% fuel-cladding metal-water reaction.
By letter referenced above, GE has proposed a preventive alternative (the UPPS) to meeting the explicit mitigative requirements of this section of the CP/ML Rule by augmenting the GESSAR II design with a supplemental cooling system which would substantially reduce the overall probability of core damage and hence, the like-lihood of generating the amount of hydrogen specified in the CP/ML Rule.
The basic function of the UPPS is to provide reliable core cooling, RPV depres-surization capability, and containment heat removal capability that are inde-pendent of the onsite emergency diesel generators and station batteries. The UPPS schematic diagram is shown on Figure 15.2 of this Supplement.
The UPPS will achieve its core cooling capability when power is unavailable by utilizing the existing fire protection system pumps which will be appropriately aligned. If the diesel-driven fire pumps are not available, a site-dedicated fire truck will be available through an UPPS fire truck connection.
If power is unavailable, long-term containment heat removal may be accomplished by opening the containment purge system supply and exhaust lines. The purge system isolation valves will be air operated, and the operator will be able to control the air supply with bottled air at the UPPS control center. Finally, GESSAR II SSER 4 4 Appendix C
the reactor may be depressurized by actuating selected safety / relief valves from the pneumatic system air bottles currently housed in the fuel building.
The staff has evaluated the proposed UPPS in conjunction with the interface item cn the igniter hydrogen control system. In this evaluation, the staff recognizes the proposed deviation from the explicit requirements of the CP/ML Rule, which calls for a system to mitigate the effects of a postulated accident which will g:nerate 100% metal-water reaction, by giving credit to the UPPS for accommo-d; ting a portion of the total hydrogen generation. This was done in lieu of a d; tailed analysis of the capability of the hydrogen control system to safely cccommodate an additional 25% hydrogen beyond the 75% hydrogen control rule for present Mark III plants. The staff finds that the presence of the igniter system pursuant to the interface requirement provides a substantial measure of contain-ment integrity protection for postulated hydrogen generation events.
The staff has assessed the impact of the UPPS on total core damage frequency for internal events. Detailed discussion of the UPPS is found in Section 15.6.3 of this Supplement.
The staff concludes that the hydrogen control system proposed for GESSAR II taken in conjunction with an acceptable design for the UPPS provides reasonable tsurance that there will be no undue risk to the public from the potential for hydrogen releases from metal water reaction in the reactor core during postu-lated severe accidents. Therefore, the staff considers USI A-48 resolved for GESSAR II.
GENERIC SAFETY ISSUES GSI 8-6: Loads, Load Combinations, Stress Limits This issue concerns the design of structures, systems, and components which cust accommodate individual loads and combinations of loads that can result from natural phenomena, normal operating conditions, and postulated accidents. Part of this generic issue has already been resolved--the part which concluded that seismic loads and LOCA (loss-of-coolant accident) and SRV (safety / relief valve) loads on containment structures should continue to be combined. These loads have been combined for the GESSAR II containment structures. The only remaining work on this issue is research into decoupling the LOCA and safe shutdown earth-quake (SSE1 events for mechanical systems. Recently, combined loads were in-creased to further account for phenomena such as asymmetric blowdowns in pres-surized-water reactors (PWRs) because improved techniques have been developed for defining loading. These changes have raised questions concerning implemen-tation of new regulations, increased construction costs, increased radiation exposure of maintenance crews performing increased inspections and maintenance, and reduced reliability of stiffer systems under normal operating transients.
The staff, in addressing the probability of an earthquake-induced large LOCA, published Research Information Letter No. 117 (April 10, 1981) that identified the following results:
(1) Through-wall cracks are about a million times more likely to occur than double-ended guillotine breaks, thus supporting the leak-before-break hypothesis.
GESSAR II SSER 4 5 Appendix C
- -. . . - - =_ . -- _ __ --
i t
i (2) Fatigue crack growth due to all transients, including earthquakes, is an extremely unlikely mechanism for inducing a large LOCA. The contribution of earthquakes to the occurrence of this event is a small percentage of the
. total probability.
Although the above results are identified for PWRs, it is assumed that the results for BWRs are similar for this analysis. The proposed generic resolu-l tion for this issue is to decouple the SSE-LOCA load requirements which will
- permit the removal of some snubbers and pipe whip restraints. The removal of pige restraints will improve access to many equipment areas and, as a result, will reduce the time plant personnel need to spend in high radiation areas, i thus reducing occupational exposure. Removing snubbers will reduce the stiff-
- ness during normal operation resulting in a reduction in the probability of j pipe rupture during normal operating transients, i
- The cost-benefit evaluation for GSI B-6 that appears in NUREG-0933 assumes that
- there will be a small reduction in risk to the public from the removal of appro-
- j. priate snubbers in systems designed to withstand SSE-LOCA-induced loads. The computed reduction in core-melt frequency for BWRs is 1.2 x 10 s/ reactor year.
i This small reduction would have very little impact on the already low core-melt i frequency calculated for GESSAR II.
The high priority rating of this generic safety issue comes from the reduction in operational exposure to plant personnel from the improved access to high radiation areas and to the large savings ir. cost to industry that would result from reduced inspection, testing, and maintenance when appropriate snubbers and pipe restraints are removed. However,.because of the small impact on the GESSAR II core-melt frequency and a small reduction in risk from a GESSAR II plant, the staff considers this issue resolved for GESSAR II.
It is expected that this issue will be resolved generically in 1985 when the double-ended guillotine-break (DEGB) studies for Mark I plants by Lawrence i
Livermore National Laboratory (LLNL) and parallel studies by GE on Mark II and Mark III plants (GE letter, May 31, 1984) that support the leak-before-break approach will be complete. It is expected that these studies will sup-
{ port decoupling of LOCA and SSE events which will yield reductions in public
- risk and occupational exposure. If so, the staff will consider the decoupling l of LOCA and SSE loads in the GESSAR II if requested by GE.
GSI B-58: Passive Mechanical Failures Safety-related systems contain many valves; therefore, passive failures present a potentially significant safety concern because the effects on safety-related l systems can be widespread. GSI B-58 is concerned with passive mechanical valve 4
failures; GSI C-11 is concerned with active pump and valve failures. Active failures typically occur during valve operation; passive failures occur over a period of time and go undetected between the surveillance testing that is re-quired by Technical Specification. The valve is rendered inoperable with the failure occurring after valve operation is demanded.
l i
l 1
l GESSAR II SSER 4 6 Appendix C
The GESSAR II environmental qualification program for safety related equipment meets all the requirements of SRP Section 3.11. The GESSAR II design is also committed to a quality assurance program for safety-related mechanical and elec-trical equipment (RG 1.116). Designing to meet these requirements should lead to a reduction in passive mechanical failures. Passive mechanical failures have been considered in the GESSAR II probabilistic risk assessment (PRA). Both active and passive failures make up the component failure rate data base (NUREG/
CR-0848). On the basis of the available data, it is'noted that the hardware-related passive failures represent about 12% of all valve failures, which means active failures dominate mechanical component failure rates. The GESSAR II com-mitment to SRP Section 3.11 and the quality assurance program in RG 1.116 should lead to improved component performance. It also should be noted that NUREG-0933 concluded that the value impact score for this issue warrants a low to medium priority ranking, in part largely from a small reduction to public risk asociated with this issue. The medium priority rating is also due to the potentially large industry cost savings that could accrue from reduced maintenance and down time.
For the reasons discussed above, the staff considers this issue resolved for GESSAR II.
GSI 82: Beyond-Design-Basis Accident in Spent Fuel Pool The risks associated with beyond-design-basis accidents in the spent fuel storage pool were examined in the Reactor Safety Study (NUREG-75/014) and were considered to be orders of magnitude below those involving the reactor core. The reason for this is the simplicity of the pool; i.e., coolant is at low pressure, spent fuel is subcritical, heat source is low, no anticipated transients could intercept cooling or cause criticality. The reasons for re-examination of this issue are twofold. First, spent fuel is being stored instead of being reprocessed, thus adding a larger inventory of fission products in the pool, incr2asing the heat load on the pool cooling system, and decreasing the distance between fuel assem-blies. Second, certain laboratory studies (NRC memorandum, August 10, 1983; NUREG/CR-0649) have provided evidence of the possibility of fire propagation between assemblies in an air-cooled environment. These two reasons together provide the basis for an accident scenario not previously considered.
A typical spent fuel pool with high density storage racks can hold about five times the fuel in the core; however, since typical reloads discharge one-third the core, much of the spent fuel in the pool will have considerable decay time (this reduces the radioactive inventory and the heat load on the pool). After a period of about 3 to 5 years of storage, most of the spent fuel stored in the pool may be air coolable (i.e. , need not be submerged to prevent melting, even though submersion may be desirable for shielding and reduction of airborne activity). If the pool were drained, the last two discharged fuel loads would still be " fresh" enough to melt under decay heat. The Zircaloy cladding of this fuel could be ignited during the heatup with the resulting fire spreading to most of the fuel in the pool. The heat of combustion in combination with the decay heat would probably drive " borderline aged" fuel to melt. The local decay-heat generation rates necessary for ignition are now under consideration in GSI 82. Melting and/or production of airborne particulates by combustion could cause a release of fission products from the spent fuel pool to the en-vironment, since most spent fuel pools are located outside the primary contain-ment. This direct release may be more likely than for comparable accidents involving the reactor core. The safety significance and medium priority status GESSAR II SSER 4 7 Appendix C
of this issue are based on a seismic event capable of draining the pool concur-rent with the conditional failure probability of loss of pool makeup (approxi-mate accident frequency 2 x 10 6/ year).
The above analysis is based on the Reactor Safety Study assumption of a fuel pool at a 10-story elevation above grade (this situation is not applicable to GESSAR II). In addition the analysis was based on a specific pool design which was picked in an attempt, at that time, to represent both generic and worst-case situations. The number of plants actually at risk may be limited.
The fuel pool in the GESSAR II design is seismic Category I and is located below grade in a seismic Category I building (0.3 g SSE). The bottom of the pool is 23 feet below grade and sits on the basemat of the fuel building. This reduces the likelihood of drainage and makes manual filling easier to accomplish.
GE proposed eight conditions (Interface Requirements, Section 3.7.2 of the SER) ensuring a safe seismic / structural envelope for the spent fuel pool. In addition to the above conditions, the staff will require that site-specific geotechnical parameters be developed and reviewed by the staff with respect to those used in the GESSAR II seismic analyses to establish comparability, as stated in Section 3.7.2 of the SER. Because of the increased seismic design and the loca-tion of the fuel pool, the frequency of a seismic event causing pool drainage should be much less for GESSAR II relative to those assumptions in NUREG-0933.
Therefore, the staff considers this issue resolved for GESSAR II.
, GSI 105: Interfacing System LOCA at BWRs Although GSI 105 has been identified as only applicable to BWRs licensed before 1980, the following evaluation of this issue is provided as it relates to the severe accident review of the GESSAR II design.
LOCA Outside the Containment in GESSAR II Plant Recently, the staff has identified eight events (between 1975 and 1984) in-volving isolation failure and overpressurization or potential overpressuriza-tion in the BWR by the reactor coolant system (RCS) of the high- and low-pressure emergency core cooling systems (ECCSs). These events are of potential concern because if not mitigated in time, they could lead to a LOCA outside the primary containment. This is of particular interest for the GESSAR II design
, because a LOCA outside the containment gives rise to a direct release path of fission products to the environment without going through the suppression pool.
Hence, this sequence may potentially result in high offsite consequences.
In the GESSAR II design, overpressurization and a potential pipe break outside the containment of the ECCS by the RCS could occur when a series of faults including operator errors occur in valves that provide overpressure protection for low pressure interface systems. Although ostensibly those isolation valves are designed to operate against a maximum differential pressure of 1,200 psi at 550*F as per the Technical Specifications, they have not been demonstrated to be capable of closing or opening under forces created by steam flow resulting from a pipe break outside the primary containment. Failure of such valves '
opening against the full operating differential pressure across the valve disk has been reported at Rrowns Ferry. Further, in another recent event, steam was released from the relief valves into the pump room compartments following a GESSAR II SSER 4 8 Appendix C 1
i
faulting of the testable, air-operated check valve which provides the overpres-sure protection; this further lends some credibility to the potential of such an occurrence in the GESSAR II design.
Following the hypothetical LOCA outside the containment, if all ECCS rooms freely communicate, then there is a potential that the ECCS equipment may even-tually be disabled. As the vessel inventory becomes depleted without makeup flows, the core will uncover and core melt will eventually ensue. Further, if the pump room is situated at a lower elevation than the suppression pool and if such a LOCA is allowed to continue unimpeded, there is a potential that the suppression pool may eventually be drained.
In the GESSAR II design, each train of ECCS equipment is located in an individ-ual room that contains floor drain sumps to collect leakage fluids. There are level alarms in each ECCS room and the corridor areas. The doors and equipment hatches of the ECCS rooms are provided with double redundancy seals. As the flood reaches the level alarms, the operator should notice the imminent flooding conditions in the ECCS compartment and take appropriate action to mitigate any further worsening of the flood. Of the eight events identified by the staff involving isolation failure and overpressurization in the BWR, all were detected and isolated in a relatively short time. The longest event at Browns Ferry 1 lasted about 13 minutes. Since the ECCS roo;ns do not freely communicate, and the wall thicknesses below flood level are not less than 2 ft (to further mini-mize seepage in the event of prolonged water levels), the probability of a com-mon cause failure of the ECCS resulting from flooding caused by a hypothetical LOCA outside the containment appears to be low.
A whole series of events must go wrong before a core melt with high offsite consequences would occur in the GESSAR II plant following a LOCA outside the containment with a common cause failure in ECCS due to internal flooding. In addition to the mitigating LOCA, there would have to be a failure to detect and isolate the leak, followed by failure of the flooding barriers to contain the water loss. Because individual compartments are provided for ECCS in the GESSAR II design, the potential of a common cause failure of ECCS equipment following a LOCA outside the containment with the loss of suppression pool inventory is deemed to be low and the core damage frequency for this event is also appropriately low.
The above qualitative arguments include elements of uncertainty because the progression of this event is dependent on plant-unique design and procedures.
For example, the structural integrity of the ECCS rooms, the layout of the pipings and level detection systems, the reliability of door and equipment hatch seals for both ingress and egress of floods, operating procedures for such an event, and operability of the isolation valves are all unique to plant design. Also, the staff's review of the GESSAR II seismic risk assessment did raise some question of the flooding retention potential of the ECCS room and potential for draining of the suppression pool. For the above reasons, the staff will require that this issue be reevaluated during the flooding review when 4
future applications using the GESSAR II design are submitted.
In addition, failing of isolation valves not only violates the required safety function of the valves but also constitutes a breach of the primary pressure boundary. Because it is difficult to show by analysis whether the isolation 9 Appendix C GESSAR II SSER 4
valve will perform the safety function as intended, it is recommended that an applicant referencing the GESSAR II design demonstrate the intended design capability of the isolation valves, at least on a prototype basis, by performing a closing and opening test with full design differential pressure and flow across the valve disk. Such a design test is recommended in addition to the leak and operability testing of isolation valves as required by the BWR Standard Technical Specifications, Section 3.4.6.2. On the basis of the low probability of core damage and the required valve testing, the staff considers the issue resolved for GESSAR II.
REFERENCES General Electric Company, letter, May 31, 1984,
Subject:
Mark II and Mark III plants.
-- , August 20, 1984,
Subject:
draft amendment to GESSAR II, Sections 1G.12 and 1G.21.
U.S. Nuclear Regulatory Comission, " Hydrogen Control Requirements," 50 FR 3498, January 24, 1985.
-- , memorandum, August 10, 1983, from R. Mattson, NRC, to T. Spets, " Proposed Generic Issue on Beyond Design Basis Accidents in Spent Fuel Pools."
-- , NUREG-75/014 (WASH-1400), " Reactor Safety Study: An Assessment of Risks in U.S. Commercial Nuclear Power Plants," December 1975.
-- , NUREG-0606, " Unresolved Safety Issues ' Summary, Aqua Book," issued quarterly.
-- , NUREG-0933, "A Prioritization of Generic Safety Issues," December 1983.
-- , NUREG/CR-0649, " Spent Fuel Heatup Following Loss of Water During Storage," May 1979.
-- , NUREG/CR-0848, " Summary and Bibliography of Operating Experience with Valves in Light-Water-Reactor Nuclear Power . Plants for the Period 1965-1968,"
August 1979.
-- , NUREG/CR-2772, " Hydraulic Performance of Pump Suction Inlets for Emergency Core Cooling Systems in Boiling Water Reactors," June 1982.
-- , Research Information Letter No. 117, April 10, 1981.
GESSAR II SSER 4 10 Appendix C
.. . - . - = _ - _ . _ _ _ . . - _ - - _ - . . -- .
k APPENDIX E
) PRINCIPAL STAFF CONTRIBUTORS AND CONSULTANTS l U.S. NUCLEAR REGULATORY COMISSION Name Branch N. Chokshi Structural and Geotechnical Engineering R. Frahm Reliability and Risk Assessment
- 8. Hardin Reactor Systems J. Lane Containment Systems J. Lazevnich Power Systems K. Leu Structural and Geotechnical Engineering J. Read Accident Evaluation i J. Rosenthal Reactor Systems M. Rubin Reliability and Risk Assessment BROOKHAVEN NATIONAL LABORATORY Name H. Ludewig T. Pratt K'. Shiu l
RESEARCH & DEVELOPMENT ASSOCIATES
~
Name J. Castle i I. Catton
! J. Dooley P. Hammond W. Kastenberg .
)
l 4
GESSAN II SSER 4 1 Appendix E
APPENDIX G COMPLIANCE WITH CP/ML RULE (10 CFR 50.34(f))
Item (1)(xii)
Perform an evaluation of alternative hydrogen control systems that would satisfy the requirements of paragraph (f)(2)(ix) of 10 CFR 50.34. As a minimum include consideration of a hydrogen ignition and postaccident inerting system. The evaluation shall include:
(A) A comparison of costs and benefits of the alternative systems considered.
(B) For the selected system, analyses and test data to verify compliance with the requirements of paragraph (f)(2)(ix) of 10 CFR 50.34.
(C) For the selected system, preliminary design descriptions of equipment, function, and layout.
- Discussion In a letter.to the Commission (Glenn G. Sherwood, GE, to D. G. Eisenhut, NRC, August 20, 1984, " Draft Amendment to GESSAR II Sections 1G.12 and 1G.21"), GE provided in tabular form a cost / benefit comparison between an igniter and a post-
. accident inerting system. Although GE indicated that, "neither igniters nor p;staccident inerting exhibit overriding benefits," GE did commit to an inter-face item (Item 1.127) that would require future utility applicants to install an igniter-type hydrogen control system designed to accommodate up to 75% equiv-alent metal-water reaction. In lieu of providing analyses, test data, and a preliminary design description to verify compliance with 10 CFR 50.34(f)(2)(ix),
GE has committed to incorporate the results and findings of the Mark III Contain-ment Hydrogen Control Owners Group (HCOG), as approved by the staff, into the final igniter system design. An igniter hydrogen control system has been adopted for all Mark III plants under review for operating licenses (OLs) in response to the Commission's proposed Interim Requirements Related to Hydrogen Control (46 FR 62281). The GESSAR II containment design is also a Mark III design and I is sE stantially the same as that provided for current Mark III plants. See Item'(2)(ix) and Section 15.6.3 of this Supplement for further discussion of the hydrogen control systems for GESSAR II.
Item (2)(iv)-
Provide a plant safety parameter display console that will display to operators a minimum set of parameters defining the safety status of the plant, capable of displaying a full range of important plan parameters and data trends on demand, and capable of indicating when process limits are being approached or exceeded (I.D.2).
GESSAR II SSER 4 1 Appendix G
1 Discussion (1) Introduction and Background All holders of operating licenses (licensees) issued by the Nuclear Regulatory Commission and applicants for operating licenses must provide a safety parameter display system (SPDS) in the control room of their plants. The Commission-approved requirements for the SPDS are defined in Supplement 1 to NUREG-0737.
The purpose of the SPDS is to provide a concise display of critical plant vari-ables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. NUREG-0737, Supplement 1 requires licensees and applicants to prepare a written safety analysis describing the basis on which the selected plant variables are sufficient to assess the safety status of each identified function for a wide range of events, including symptoms of severe accidents. Licensees and applicants shall also prepare an implementation plan for the SPDS which contains schedules for design, development, installation, and full operation of the SPDS as well as a design verification and validation (V&V) plan. The safety analysis and the implementation plan are to be submitted to the NRC staff for review. The results of the staff's review are to be pub-lished in an SER supplement.
The GESSAR II SPDS is described in NEDE-30284-P, a proprietary topical report submitted by the General Electric Co. (GE) for staff review. The staff met with GE to discuss this report; minutes from this meeting are reported in an NRC memorandum dated June 11, 1984 (D. C. Scaletti to C. O. Thomas). A design verification audit of the display system was conducted during July 24-27, 1984, and the results from this audit are presented in an NRC memorandum from V. A.
Moore to C. O. Thomas (June 18, 1984). A report (NEDC-30885) that describes GE's program to evaluate and test the integrated software was also submitted for staff review. This supplement to the SER serves to document the staff's evaluation of the GESSAR II SPDS.
(2) Summary The staff audited and reviewed GE's design for the GESSAR II SPDS and concludes it is acceptable for the vendor to continue implementing its SPDS program; how-ever, GE or utility applicants who reference GESSAR II must resolve successfully the items defined in Section 4 below and in Section 1 of this report.
(3) Evaluation The staff evaluated GE's Topical Reports NEDE-30284-P and NEDC-30885 and con-sidered the audit results in the preparation of this supplement. The staff's evaluation considered the design process, the verification and validation (V&V) plan used in the design, the basis for plant variables selected for display, i the methods used to validate data before display, the human factors program used in the design of display formats, and the qualification of the electrical i and electronic isolation devices used in the system.
(a) SPDS Description GE has developed an Emergency Response Information System (ERIS), a display system which contains the SPDS function. ERIS is a computer-based system and consists of three subsystems which are: a data acquisition system (DAS),
GESSAR II SSER 4 2 Appendix G
s l a data processing system (DPS), and data output peripherals (DOPs). The
' data acquisition system gathers plant signals and converts these signals into a. form usable by a digital computer. The data processing system prep-
, ares the signals for display upon cathode-ray tubes (CRTs) and also stores
, the processed signals for later use. The data output peripherals contain
, CRTs for displaying plant data. Keyboards are also provided as an operator j interface to the display system.
l_
GE stated that ERIS is based upon the symptom-oriented Emergency Procedure Guidelines (EPGs). In the control room, ERIS assists the operating personnel
.l in their assigned functions by displaying the following information on CRTs:
Real-time plant status to aid in early emergency procedure entry con- [
dition recognition. These data may be displayed continuously and moni-tored by control room operators during normal operations.
i i
Data are displayed to assist the operator in following the emergency procedures (including current readings, trends of process variables, '
and status of major systems).
Two-dimensional limits of process variables as defined in the emer- I gency procedures. This assists the operator by precluding the need l
j M perform manual calculations to determine margins to limits. !
}
Critical process variable validation status.
Critical process variable trend plots.
(b) Design Process t
During the design verification audit of the SPDS (NRC memorandum from
}' Moore to Thomas, June 18, 1984), the staff evaluated the process used by GE to develop the system. The staff evaluated a software engineering
- manual which contained guidelines on how to structure and document the.
design. The staff also evaluated specifications of functional require-i ments, specifications of software requirements for the real time analysis and display processor, which is a key processor within the system. Further, 3 the staff evaluated appendices to the specifications and found guidelines i
E on the use of color codes and on text abbreviations.
i The staff found the ERIS software engineering manual to be comprehensive ,
- in scope and to cover all phases of the software life cycle from the plan 4
phase to development and maintenance. The staff found the technical con-l tent of the specifications and appendices to be appropriate for the design of the display system and also found the structure of the specifications
! t responsive to the guidelines stated in the Software Engineering Manual. On '
the basis of the results from the staff's audit of the Software Engineering Manual and of the design specifications, the staff finds the process used
{ by GE in the design of the SPDS acceptable for the development of the system.
i ,
i The staff also evaluated the display's design for provisions which allow !
! for expansion of the system to accommodate future revisions to the Emer-4 gency Procedure Guidelines. The design of the display system was modular i
in form and provided for the addition of modules for data acquisition
- functions, increased data storage, and new display formats. GE also stated i
! GESSAR II SSER 4 3 Appendix G i
,,- _ _ _ _ . - _ . _ _ _ _ _ . _ . _ _ _ . _ _ _ _ . ~ . . _ , _ _ _ _ . , . _ _ , _ _ _ , _ _ . _
that the design goal's inaximum duty cycle for the real time analysis and disp 1Ay processor is 70%. On the basis of these data, the staff concludes that the design does provide for expansion of the display system.
(c) Verification and Validation Program During the design verification audit of the SPDS (NRC memorandum from Moore to Thomas, June 18,1984), the staff evaluated the V&V program used by GE in the design of the system. GE described the V&V program and stated that it was patterned after NSAC-39 (Nuclear Safety Analysis Center, Decem-ber 1981). In the program, a typical design verification activity consisted of a review of requirements on interface and interaction needs. A typical design validation activity consisted of test and evaluation of the inte-grated hardware / software system. The staff evaluated these data and con-cluded that GE's V&V program is similar to the one described in NSAC-39 and is acceptable for the development of an SPDS.
'In evaluating the application of the V&V program, the staff found that GE was able to demonstrate how staff-selected problems, defined in previous verification activities, were documented and adequately resolved. In eval-uating the ERIS validation and test requirement document, the staff did successfully correlate test requirements with the functional requirements of the design. The staff also learned that GE is preparing validation test procedures. On the basis of the review of the V&V activities com-plated at the time of the audit, the staff concludes that the V&V program is being effectively applied.
By letter (Sherwood, May 7, 1985), GE provided the staff with a report or.
ERIS software validation. The purpose of the validation program was to demonst' rate through static testing, dynamic testing, and analysis that ERIS meets the generic functional, performance, and interface requirements of its design. The scope of the validation test results reported in a letter from G. G. Sherwood, dated May 7, 1985, is limited to performance param-eters for the ERIS. Other validation activities--such as correctness of the analysis and display of plant parameters--are to be conducted as part of software integration tests, data base validation, preoperational tests, and startup tests.
The staff reviewed the Software Validation Report and evaluated test procedures and acceptance criteria test results problems defined during the tests and how they were resolved The staff analysis of the report concludes that the test procedures, accept-ance criteria, and test results are comprehensive, thorough, and well docu-mented in assessing performance parameters of the ERIS. In addition, the staff review of the problems identified during the tests and staff discus-sions of these problems with GE personnel did not detect a generic pattern within the set of problems evaluated. Also, it appeared that the detected problems were being resolved through the use of pre-defined methods and i procedures. l l
The program to validate ERIS against its design requirements is incom- ,
lete. It is the staff's understanding that software integration tests, ;
GESSAR II SSER 4 4 Appendix G
data base validation, preoperational tests, and startup tests are to be l conducted on a plant-specific basis. The staff requires those utilities
- that install ERIS to report on the validation activities defined above within the plant-specific V&V program. The staff will review these vali-dation activities and report the review results in plant-specific SERs.
(d) Process Variable Selection Section 4.1(f) of Supplement l'to NUREG-0737 states that:
j The minimum information to be provided shall be sufficient to provide information to plant operators
'about:
- j. (i) reactivity control (ii) reactor core cooling and heat j- removal from the primary system (iii) reactor coolant system integrity (iv) radioactivity control
! (v) containment conditions i
- For review purposes, these five items have been designated as critical i safety functions.
I GE selected the SPDS process variables for display on the basis of the BWR
- Owners' Group, to D. G. Eisenhut, NRC, December 22, 1982). The staff con-i ~ firmed that the variables selectec are consistent with the presently ap-proved BWR EPGs (Revision 3) with one exception. Revision 3 contains a radioactivity release control guideline which contains an entry condition j based on offsite radioactivity release rate. GE's basic SPDS display does
, not contain a monitored variable dealing directly with radiation a measurement.
l The SPDS variables and their relationship to the critical safety functions 1 are summarized in Table G.I. The grouping was made by the staff based on
,' inspection of the first-level SPDS display format and information furnished by GE at the design verification audit. GE has grouped the individual vari-ables to coordinate with the generic EPGs which include separate aequential 1
procedural steps identified under the general functions of reactor pressure vessel control and containment control. These individual groups of vari-
I GE has taken the position that the critical safety function radioactivity control, is adequately covered by variables on second-level display formats. l The staff understands that optional enhanced display formats are available
- for purchase; these include display formats for process radiation, reactor i
building radiation, and vent and exhaust raatation. If these display for-l mats were included, the staff would find the SPDS variable selection ac-l captable for radiation control.
i GESSAR II SSER 4 5 Appendix G
Neutron flux is a fundamental variable for monitoring the status of reac-tivity control. An indication of reactivity control should be provided for all power ranges. The GE SPDS provides monitoring of the power level by average power range monitors (APRMs) during power operation. For condi-tions below the APRM range, the GE SPDS does not monitor power level, but does provide scram status. GE has stated that the combination of power level and scram status is sufficient for monitoring reactivity control.
Following a reactor scram and a core-wide verification of rods-in status, the scram-status indicator on the SPDS will display " RODS IN." This dis-play message will not change unless a rod is withdrawn or drifting, in which case the data changes to an alarm (red) indication. Also, in the startup mode, the intermediate range monitor (IRM) upscale trip results in a rod-withdraw block which will result in a scram displayed on the SPDS if a high-high setpoint (>120/125 of scale) is exceeded. During some plant con-ditions, such as performance of core alterations (e.g. , fuel loading), if a signal from the neutron monitoring system exceeds a source range monitor (SRM) high Nigh setpoint, this condition would be indicated on the SPDS scram-status indicator (letter from D. B. Bitter, GE, to M. McCoy, NRC, August 29, 1984). The staff concludes that since the scram signals are directed to the SPDS display, the combination of the AoRMs and scramstatus indicator provides adequate monitoring of the reactiv..y control critical safety function. The staff also recognizes that during periods of startup and heatup, a portion of the plant operations staff would focus its *tten-tion on the neutron instrumentation in the control room.
The staff has verified that the GE ERIS design includes sufficient capabil-ity for expanding the system so that additional variables (such as hydro-gen concentration) may be added as the generic EPGs are revised.
The staff finds that the variables selected for the GE SPDS would be acceptable with the addition of radiation monitors to identify the status of the radioactivity control critical safety function.
(e) Display Data Validation The staff reviewed GE's SPDS design to determine that means are provided in the display's design to ensure that the data displayed are validated.
The staff audited the SPDS design and found that the top level display format of critical plant variables contains each plant variable used as an entry variable to the Emergency Operation Procedures. These data were presented as numerical data enclosed by a color-coded status box. The code of the status box informs the operator about tk validation status of the enclosed data.
As part of the real time processing of the data, the ERIS/SPDS performs the following checks on analog and digital input signals: redundancy, range check, zero adjust, density correction, reference leg boiling, tem-perature compensation, and instrument power as a means of data validation.
Furthermore, secondary display formats which contained detailed data on the intermediate steps of the data validation process were available for each entry variable to the Emergency Operations Procedures. Properly im-plemented in a plant, these intermediate data should prove valuable to a supervisor in evaluating the validity of the data for use in decision-making tasks during emergencies.
GESSAR II SSER 4 6 Appendix G
1 1
i i On the basis of the information obtained during its audit of GE's SPDS, the staff confirms that means are provided in the SPDS design to ensure that the data displayed are validated.
(f) Human Factors Program i
The staff also evaluated GE's SPDS design for a commitment to a human fac-tors program in the development of the SPDS. During the design verifi-4 cation audit, the staff learned that GE had hired ANACAPA Sciences, Inc.,
to conduct a human factors review of' selected SPDS display formats. The i- staff evaluated a July 19, 1984, report by ANACAPA titled " Human Factors j and Performance Evaluations of the Emergency Response Information System (ERIS)." The report was comprehensive in its scope of review, in the
, recording of review results, both positive and negative, and in the recommendations made as a result of the evaluation. The staff evaluated several of the recommendations and noted that many had been already implemented into the design.
1 1 The staff evaluated the design for consistent use of colors in the various I display formats. This evaluation effort focused on two display formats, j RPV CONTROL-NR/ TEMP and CONTAINMENT CONTROL-NR. The initial explanation i '
of how color was used to highlight and code information in these display formats left the staff confused. The staff was concerned that a confused, complicated application of color would result in operator errors, i To clarify the issue, the staff requested an explanation of color codes
- in terms of the individual data sets for the selected display formats.
After considerable explanation by GE, it appeared that a logical, consis-tent application of color had been made. To confirm this judgment, the j staff asked GE to document how color is used to code information and to j submit that documentation to the staff for confirmatory review. GE re-j sponded by letter (from D. Bitter to L. Beltracchi, NRC, August 14, 1984) i and defined how information was color coded. The staff reviewed the letter and confirmed that it agrees with the information provided at the audit.
During audit of the SPDS design, the staff evaluated some of the display formats within the system. Most of the display formats were uncluttered i and easy to read and comprehend. However, relative to other display for-i mats in the system, two were dense with information: RPV CONTROL-NR/ TEMP l and CONTAINMENT CONTROL-NR.
1 1 The structure of the data in each of the two " cluttered" display formats
! was the same. In the right-hand portion of the display screen, trend i plots of process variables were presented; in the left-hand portion of j the display screen, text was used to present information on several plant systems. The information on a system was grouped into boxes and the box ;
i for the system was labeled. As data for several systems were presented, l the dense concentration of text, boxes, and labels give the appearance of
- clutter.
! General Elect.aic stated that the data on plant systems were not a part of
- the SPDS requirements. The staff acknowledged this fact, noting however l that the information on the status of these systems did impact the process variables displayed. This represents good integration of related data and i
- GESSAR II SSER 4 7 Appendix G
would prove useful to the operator in evaluating the performance of the emergency core cooling systems in the mitigation of an accident. The staff is concerned that in times of stress, the clutter will impede operator per-formance by increasing search time for data within the format.
After the design verification audit, the staff received letters from GE (Pfefferlen, December 20, 1984; Sherwood, May 9, 1985), met with GE (NRC memorandum, Secletti, May 6, 1985), and conducted several teleconferences with GE on the display clutter issue. In a letter from G. G. Sherwood to H. L. Thompson, dated June 10, 1985, GE proposed modifications to the text used to present data on plant systems. These proposed modifications reduced the number of characters needed to display the same information.
The staff evaluated the proposed modifications and found that 21% of the text characters had been eliminated from the original display format. The change did not result in a loss of information. The change did introduce many blank spaces that should enhance the operator's ability to quickly locate and use the displayed data. With the exception of one small area within the matrix of displayed text, the local density of information is acceptable to the staff. The one area of exception contains turbine-related data, and these data are of much lesser significance than other data presented in the matrix. On the basis of its review of the proposed modifications to the display formats, the staff now concludes the display formats containing system data are acceptable.
On the basis of the information evaluated during the staff audit of GE's SPDS and the results of the staff review of docketed reports and letters, the staff confirms that GE did commit to a human factors program in the design of the SPOS.
(g) Electrical and Electronic Isolation NUREG-0737, Supplement I requires that the SPDS be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The staff audited GE's design for the adequacy of the isolators (fiber optics) between the safety systems and the SPDS.
The fiber optics serve as the interface between Class 1E inputs and the data multiplexer within the ERIS. The fiber optics cable used in the sys-tem varies in length from 2 to 5000 feet. This unique isolator possesses inherent characteristics that cannot be found in other isolators within nuclear power plants. For example, one of the tests that must,be per-formed to qualify an isolator is the application of maximum credible fault (voltage, current) to the output of the device to verify that the fault does not propagate or degrade the input (Class 1E) side. This postulated failure does not affect fiber optic cable because optical fibers are totally dielectric (i.e. , the electrical energy resulting from the fault will not propagate through the fiber). Another characteristic of the fiber optic cable is its non-susceptibility to the coupling of cross-talk and electromagnetic interference (EMI). Ground loop problems, inherent in copper cables, are also eliminated.
As part of the qualification program for the isolators, GE performed environmental (IEEE 323-1974) and seismic (IEEE 384-1975) qualification tests. On the basis of its audit of the above information, the staff GESSAR II SSER 4 8 Appendix G
a r..e .
. ,.. n .. ~ :. r . ? :- .n -
>-vv.- nc .s- -+,,:..~. e . r. , = .v : ,s 4.;
.y 3. .. ,
3... .
O@'
concludes that the fiber optic cables are qualified isolation devices N,VI i
and are acceptable for interfacing the ERIS/SPDS with safety systems. '~
e
.a t
- (h) System Reliability ,._ Y. '4.
~
.y-NUREG-0596 notes that the SPDS design should have an unavailability goal 3 . .- L .
of 0.01 while the plant is operating at power. The analysis on availabil- 3.5 >
ity for the GE ERIS hardware resulted in an expected value of 98.6%. The i .
major contributors to the system unavailability were the six nonredundant 4-i components (i.e., the dual port disk, two synchronous interfaces, an out- .q.4l f:'
put multi,lexer, and two unibus switches). These components contributed 7.,
- s.
59 to 99% of the system unavailability. -fc. - T I E. ' .N, The mean time to repair (MTTR) ranged from 1.0 to 6.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> for plug-in ' '^
component replacement and 1.0 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for equipment repair. A fault- y ? .;
tree analysis was performed for the vital portions of the ERIS and numer- V1 ,
ical values were assigned for the mean tima between failures (MTBF). On M." A ,
the basis of this information, an unavailability calculation was performed >
using the ratio of MTTR/(MTTR + MTBF). The staff finds this methodology S<t._ J g.
an acceptable approach and concludes that the 98.6% availability is '
~( a .;
acceptable for the SPDS. Mh? e 5 i [.;s With regard to plant-specific SPDS reliability,' the following items were not considered in the availability analysis: sensor availability, power ).9 :
supply configuration, and routine maintenance. The staff requires GE to identify these items as interface requirements. The staff will audit the S
',H . .-;
plant-specific implementation program for utilities that reference the % + ,. '
General Electric GESSAR II SPDS to verify that the interface requirements ;
are implemented in order to maintain the system availability of 98.6%. f. ]; s ..
In addition, the staff requests that GE evaluate the performance of the s J '?
f~ system up to and including the validation tests. All failures in the system which occurred during these performance tests should be analyzed [.d : A-m with regard to impact upon the reliability analysis and results discussed. Q, J.
[.%..
The staff is concerned that unforeseen failures experienced during the N' * ;
test of the system may destroy the assumptions used in the reliability 9 .. i analysis and significantly reduce the predicted availability. General P. ' J.
Electric provided the staff with information on equipment failures and their impact on the reliability analysis assumptions in the software 6][
'.r?
validation report identified earlier. Tne staff will perform a confirma-tory review cf this information and report the results of its review in a 7 ~. (
'; fl 4._
supplement to the SER.
- i. y- k,;a' (4) Conclusion Ng + .: 5 The NRC staff reviewed the design of General Electric's GESSAR II safety param-
~
J .J. .f; E eter display system to confirm the adequacy of the variables selected to be .; 3 . lJ displayed to monitor critical safety functions, to confirm that means are pro- W vided to ensure that the data displayed are valid, to confirm that the licensee k,.h has committed to a human factors program to ensure that the displayed information %E c
can be readily perceived and comprehended so as not to mislead the operator, and Y T."
- '. to confirm that the SPOS is suitably isolated.
g, _
, . . .~;
. g..?
- f. S -
GESSAR II SSER 4 9 Appendix G $4/X p .~
y .a w ...
.- 5.. i " -J.-
l._'.
a'. !
-y *,'J *, , . * **
%.l 'Y _e ,. l '_ .
- l } .' }: ;.. _
L $_._._
[. . ; w :3; .s _p . . , t ~. ;-
. .( ; _ y.. ; j Q } . , ;; );_ ;&
On the basis of its review the staff concludes that:
The variables selected for the General Electric SPDS will be acceptable with the addition of radiation monitors to identify the status of the ,
radioactivity control critical safety function. Other ways to monitor the radioactivity control critical safety function may be acceptable to the staff. The FDA will be conditioned accordingly. ,
Means are provided in the SPDS design to ensure that the data displayed ~
are valid.
An appropriate commitmeat to a human factors program was made in the '
design of the SPDS. '
The SPDS will be suitably isolated from electrical and electronic inter-ference with equipment and sensors that are used in safety systems.
The staff further concludes that the GESSAR II SPDS is acceptable and satisfac-torily resolves Item (2)(iv) pending the addition of the radiation monitors identified above.
The staff's review of the ERIS validation program is incomplete. Utility appli-cants who reference GESSAR II must conplete plant-specific validation programs for ERIS and report the results of those programs to the staff.
Utility applicants who reference GESSAR II must demonstrate an ERIS availability of 98.6% or greater.
(5) References ANACAPA Sciences, Inc., " Human Factors and Performance Evaluations of the Emergency Response Information System (ERIS)," July 10, 1984.
General Electric Co. , " Licensing Topical Report for the General Electric Emergency Response Information System, General Electric Company Proprietary Information," NEDE-302844-P, November 1983.
-- , " Licensing Topical Report on Generic ERIS Software Evaluation,"
April 1985.
Letter, December 22, 1982, from T. J. Dente, BWR Owners Group to D. G. Eisenhut, NRC, transmitting "BWR Emergency Procedure Guidelines,"
Revision 3 (December 8, 1982).
-- , June 10, 1985, from G. G. Sherwood, GE, to H. L. Thompson, NRC, "In the Matter of 238 Nuclear Island General Electric Standard Safety Analysis Report (GESSAR), Docket No. 50-447; Emergency Response Information System (ERIS)."
-- , August 14, 1984, from D. B. Bitter, GE, to L. Beltracchi, NRC, "ERIS Color Coding."
-- , August 29, 1984, from D. B. Bitter, GE, to M. McCoy, NRC, " SCRAM Event Status Target / Source Range Monitor Inputs," Ref. MFN-131-84, August 29, 1984.
GESSAR II SSER 4 10 Appendix G
-- , December 20, 1984, from H. C. Pfefferlen, GE, to L. Beltracchi, NRC, "Open Items from Draft SER on GESSAR II SPDS."
-- , May 7, 1985, from G. G. Sherwood, GE, to H. L. Thompson, NRC, "In the Matter of 238 Nuclear Island General Electric Standard Safety Analysis Report (GESSAR) Docket No. STN f0-447; Emergency Response Information System (ERIS)," with attachment NEOC-30885, " Generic ERIS (BASIC RTAD)
Software Validation," dated April 1985 (grants permission to file report in the NRC Public Document Room).
-- , May 9, 1985, from G. G Sherwood, GE, to H. L. Thompson, NRC, "In the Matter of 238 Nuclear Island General Electric Standard Safety Analysis Report (GESSAR) Docket No. STN 50-447; Emergency Response Information System (ERIS) (provides basis of system data located on display format).
Memorandum, June 11, 1984, from D. C. Scaletti, NRC, to C. O. Thomas, NRC,
" Meeting Summary, GESSAR II SPDS."
-- , June 18, 1984, from V. A. Moore, NRC to C. O. Thomas, NRC, " Design Verification Audit Report for the General Electric Safety Parameter Display System."
-- , May 6, 1985, from D. C. Scaletti, NRC, to C. O. Thomas, NRC, "GESSAR II Meeting Summary. "
Nuclear Safety Analysis Center, Electric Power Research Institute, "Verifi-cation and Validation for Safety Parameter Display Systems," NSAC-39, December 1981.
U.S. Nuclear Regulatory Commission, NUREG-0696, " Functional Criteria for Emergency Response Facilities," February 1981.
-- , NUREG-0737, Supplement 1, " Clarification of TMI Action Plan Requirements:
Requirements for Emergency Response Capability," January 1983.
Item (2)(ix)
Provide a system for hydrogen control that can safely accommodate hydrogen generated by the equivalent of 100% fuel-clad metal-water reaction. Preliminary design information on the tentatively preferred system option of those being evaluated in paragraph (1)(xii) of 10 CFR 50.34(f) is sufficient at the con-struction permit stage. The hydrogen-control system and associated systems shall provide, with reasonable assurance, that: (II.B.8)
(A) Uniformly distributed hydrogen concentrations in the containment do not exceed 10% during and following an accident that releases an equivalent amount of hydrogen as would be generated from a 100% fuel-clad metal-
, water reaction, or that the postaccident atmosphere will not support j hydrogen combustion.
(B) Combustible concentrations of hydrogen will not collect in areas where unintended combustion of detonation could cause loss of containment integ-rity or loss of appropriate mitigating features.
GESSAR II SSER 4 11 Appendix G
(C) Equipment necessary for achieving and maintaining safe shutdown of the plant and maintaining containment integrity will perform its safety func-tion during and after being exposed to the environmental conditions attend-ant with the release of hydrogen generated by the equivalent of a 100% fuel-clad metal-water reaction including the environmental conditions created by activation of the hydrogen-control system.
(D) If the method chosen for hydrogen control is a postaccident inerting system, inadvertent actuation of the system can be safely accommodated during plant operation.
Discussinn GE has proposed a preventive alternative to meeting the explicit mitigative requirements of this section of the CP/ML Rule by augmenting the GESSAR II design with a supplemental cooling system which would substantially reduce the overall probability of core damage and hence, the likelihood of generating the amount of hydrogen specified in the CP/MI Rule.
The proposed system is called the ultimate plant protection system (UPPS); its basic function is to provide reliable core cooling, reactor pressure vessel (RPV) depressurization capability and containment heat removal capability that are independent of the onsite emergency diesel generators and station batteries.
The UPPS schematic diagram is shown in Figure 15.2.
The UPPS will achieve its core cooling capability when power is unavailable by utilizing the existing fire protection system pumps which will be appropriately aligned. If the diesel-driven fire pumps are not available, a site-dedicated fire truck will be available through an UPPS fire truck connection.
If power is unavailable, long-term containment heat removal may be accomplished by opening the containment purge system supply and exhaust lines. The purge system isolation valves will be air operated, and the operator will be able to control the air supply with bottled air at the UPPS control center. Finally, the reactor may be depressurized by actuating selected safety / relief valves from the pneumatic system air bottles currently housed in the fuel building.
The staff has evaluated the proposed UPPS in conjunction with the interface item on the igniter hydrogen control system. In this evaluation, the staff recognizes the proposed deviation from the explicit requirements of the CP/ML Rule, which calls for a system to mitigate the effects of a postulated accident which will generate 100% metal-water reaction, by giving credit to the UDPS for accommodating a portion of the total hydrogen generation. This was done in lieu of a detailed analysis of the capability of the hydrogen control system to safely accommodate an additional 25% hydrogen beyond the 75% criterion adopted for near-term operating license (NTOL) Mark III plants. The staff finds that the presence of the igniter system pursuant to the interface requirement pro-vides a substantial measure of containment integrity protection for postulated hydrogen generation events having a reasonable connection to the Three Mile Island Unit 2 (TMI-2) accident.
The staff assessed the impact of the UPPS on total core damage frequency for internal events. On the basis of this assessment, the staff estimates that
the core damage frequency is reduced by a factor of 4.6 from 3.8 x 10 5 events /
year to 8.2 x 10 8 events / year. This estimate was based on an evaluation which included the three main functions which the UPPS serves, namely, an auxiliary source of low pressure core cooling, reactor pressure vessel (RPV) depressuri-zation, and containment heat removal (via venting). The acceptability of the UPPS design is addressed in Section 15 of this supplement.
The staff concludes that the hydrogen control system proposed for GESSAR II taken in conjunction with an acceptable design for the UPPS provides reasonable assurance that there will be no undue risk to the public from the potential for hydrogen releases from metal-water reaction in the reactor core during postulated severe accidents. Futhermore, the staff concludes that the aforementioned sys-tems provide an acceptable alternative to the explicit requirements contained in Sections 1(xii) and 2(ix) of 10 CFR 50.34(f), the CP/ML Rule.
Item (3)(v)
Provide preliminary design information at a level of detail consistent with that normally required at the construction permit (CP) stage of review suffi-cient to demonstrate that: (II.B.8)
(A)(1) Containment integrity will be maintained (i.e., for steel containments by meeting the requirements of the ASME Boiler and Pressure Vessel Code,Section III, Division 1, Subsubarticle NE-3220, Service Level C Limits, except that evaluation of instability is not required, consid-ering pressure and dead load alone for concrete containments by meeting the requirements of the ASME Boiler and Pressure Vessel Code, Sec-tion III, Divisio1 2, Subsubarticle CC-3720, Factored and Load Category, considering pressure and dead load alone) during an accident that releases hydrogen generated from 100% fuel-clad metal-water reaction accompanied by either hydrogen burning or the added pressure from post-accident inerting, assuming carbon dioxide is the inerting agent. As a minimum, the specific code requirements set forth above as appropriate for each type of containment will be met for a combination of dead load and an internal pressure of 45 psig. Modest deviations from these criteria will be considered by the staff, if good cause is shown by an applicant. Systems necessary to ensure containment integrity shall also be demonstrated to perform their function under these conditions.
(2) Subarticle NE-3220, Division 1, and subarticle CC-3720, Division 2, of Section III of the July 1, 1980 ASME Boiler and Pressure Vessel Code, which are referenced in paragraphs (f)(3)(v)(A)(1) and (f)(3)(v)(B)(1) of this section, were approved for incorporation by reference by the Director of the Office of the Federal Register. A notice of any changes made to the material incorporated by reference will be published in the Federal Register. Copies of the ASME Boiler and Pressure Vessel Code may be purchased from the American Society of Mechanical Engineers, United Engineering Center, 345 East 47th St., New York, NY 10017. It is also available for inspection at the Nuclear Regulatory Commission's Public Document Roo.n, 1717 H St., NW., Washington, D.C.
(B)(1) Containment structure loadings produced by an inadvertent full actua-tion of a postaccident inerting hydrogen control system (assuming GESSAR II SSER 4 13 Appendix G
carbon dioxide), but not including seismic or design-basis accident loadings will not produce stresses in steel containments in excess of the limits set forth in the ASME Boiler and Pressure Vessel Code, Sec-tion III, Division 1, Subsubarticle NE-3220, Service Level A Limits, except that evaluation of instability is not required (for concrete containments the loadings specified above will not produce strains in the containment liner in excess of the limits set forth in the ASME Boiler and Pressure Vessel Code,Section III, Division 2, Subsub-article CC-3720, Service Load Category).
(2) The containment has the capability to safely withstand pressure tests at 1.10 and 1.15 times (for steel and concrete containments, respec-tively) the pressure calculated to result from carbon dioxide inerting.
Discussion As a result of the structural audit held on July 26 and 27, 1984, by the staff, GE committed to document its fulfillment of the CP/ML Rule [10 CFR 50.34(f)(3)
(v)(A)(1)] requirements pertaining to containment capability (i.e., demonstration of a capability to withstand a minimum of 45 psig pressure concurrent with the dead load for Service Level C Limits) and perform additional structural analyses if there are modifications in the design. On October 26, 1984, GE made a pre-sentation in its office in Bethesda, Md., providing technical details on ful-filling the CP/ML requirement and on November 9, 1984, GE submitted written doc-uments in support of its presentation.
In order to meet the 45-psig Service Level C requirements, GE has modified the head design of the GESSAR II steel containment into a three-centered torispher-ical dome and performed structural analyses at key locations of the containment and the drywell structure.
- Review Findings The pressure capabilities according to Service Level C Limits as defined in ASME Code,Section III, Subsection NE, for the Mark III standard plant containment vessel and other structural components in the containment structural system are discussed below (the following discussions imply that the dead loads are also included in the evaluation):
(1) Containment Pressure Vessel The pressure capability for the torispherical dc ne, based on SA-516 Grade 70 steel and under the combination of local membrane stresses (P L) and bending stress (P ) is 52 psig.
b For the cylindrical shell, the lowest pressure capa-bility is 63 psig located near the knuckled region.
(2) Containment Anchorage System The Mark III standard plant containment pressure vessel is anchored to the concrete basemat by two hundred forty 3-1/4-inch-diameter anchor bolts spaced uniformly around the circumference of the vessel. The bolt material yield strength according to Level C is 105 ksi and the tensile load per bolt is 705.6 kips which is equivalent to 104 psig internal pressure. Also, based on GESSAR II SSER 4 14 Appendix G
18-inch x 18-inch x 5-inch embedded bearing plate and 3000 psi compressive strength for the basemat concrete, the capability of the anchorage system was l determined to be equivalent to 135 psig internal pressure.
(3) Drywell Wall and the Roof Slab The pressure-carrying capabilities of the drywell structure are assessed for external pressure loads. The formulas developed for a thick-walled cylindrf-cal shell are used to calculate the stresses in the cylindrical shell of the drywell. A compressive concrete strength of 4000 psi and allowable stresses according to Level C loads are used to determine the capabilities throughout the drywell structure. The lowest pressure capability is found to be 84.5 psig in the drywell roof slab which is under the water.
Conclusion On the basis of the technical findings discussed above, it is apparent that the lowest pressure capability is 52 psig (concurrent with the dead load) located in the knuckled region of the torispherical containment dome shell. Since this value is larger than the minimum required 45 psig, the staff concurs with GE and concludes that the applicant has met the Service Level C requirement as specified in 10 CFR 50.34(f)(3)(v)(A)(1).
s i
i Table G.1 SPDS variables for GESSAR II Critical safety function Variable Reactivity control APRMS Scram status (all rods in)
Reactor core cooling and Reactor vessel water level Heat removal from the primary system Reactor vessel water temperature trend plant Reactor coolant system integrity Reactor vessel pressure Reactor vessel isolation status Drywell/ containment pressure Radioactivity control RPV control display
- Containment control display
- Containment integrity Containment /drywell temperature Drywell pressure Suppression pool water level Suppression pool water temperature Suppression pool makeup system status
,, Containment isolation status
- Refers to secord level displays on the Emergency Response Information System (ERIS) associated with Emergency Procedure Guidelines for RPV control and containment control.
a GESSAR II SSER 4 16 Appendix G
u s. ~uct... . aut.vo., co .o. . e oa r ~uon a ,A ,~. r,oc. v., a. . . .,,
a,ag o= ==
%',">'#, BIBLIOGRAPHIC DATA SHEET NUREG-0979 ne.~svaucr.o~so~1 .. vi. . Supplement No. 4 3 f tTLt ANo SUSTITLE 3 LE AVE OLA~E SafetyEvaihtionReportrelatedtotheFinalDesign 1 Approval of t e GESSAR II BWR/6 Nuclear Island Design , ,j ,,,,,,,co ,L,,,,
.o~yi l veAa
. Auv oam J6ne 1985 -
)
/ 6 oATE Rt omT ISSWE, oNT- vtAR
,4... o..,~o o.a A~a Av .o. . A.. A~o A,u~a Aoo.. ,,,,,, ie c ,
/ July oncm A.A.o. A u , ~uou.
1985 -
Division of Licensing =
Office of Nuclear React Regulation "6"'*""
U. S. Nuclear Regulatory omission '
Washington, D. C. 20555 10 8,o45omeNG oAGANG AfioN ~ AWE ANo MAILING AooRE sac,v le Cap., 11a TV,E o, Rt omi Safety Evaluation Report, Same as 7, above. Supplement 4
\ . ,e a,oo cov . .u ,,-, ,
\
g -
is su,,u . ~1. v ores <
Docket No. STN 50-447 g\
t Supplement 4 to the Safety Evaluatio/ V., (SER) for the application filed n Report by General Electric Company for the'finah design approval for the GE BWR/6 nuclearislanddesign(GESSARII)fhasbee(preparedbytheOfficeofNuclear .
Reactor Regulation of the Nuclear Regulatovy Commission. This report supple-ments the GESSAR II SER (NUREG-9979) issued'71n April 1983 summarizing the results of the staff's safety review of the GESSAR II BWR/6 nuclear island design;' Supplement 1, issued in July 1983; Supplement 2, issued in November Subject to favorable resolu-1984; tion of and Supplement the items discussed 3, issuoi!
in this in y
January 1985!'$the staff concludes that supplement, the GESSAR II design satisfactorily addresses th severe-accident concerns
, 's Policy Statement on' vere Reactor Accidents l
described Regarding Future in theDesigns Commissiop'dan Existing Plants. 1%
u I
Q l %
4
/ g S,
/
- s 14 ooCUMENT A~ALv$is - e utvy,Opos'oE5cmi ons
- . 15 Ava AS LsT V f ,\ Unlimited
( i. secu.ivv et Assi,,cAvio~
t a r.. ,
s io ~ri,inas,o,i~ isoio rs=s j Unclassified
- <r..-> . .
17~uM$ta0,, AGES
- I j i . . . .c .
- < . ,v ,
s rosa sas u s. Nucitan n ecut Atoav commission i a t POa f Nuwe t a vam eae< *, rioc. , v., N . .. ..,,
%',"3#- slauOGRAPHIC DATA SHEET
- NUREG-0979 ne .N TavcT,0 O 7 8.svi a Supplement No. 4 2 TITLE AND SutisTLE 3 LE AVE SLANE Safety Evaluation Report related to the Final Design Approval of the GESSAR II BWR/6 Nuclear Island Design , ,,,,,,,,,,c,,,,,,,,
woNTM vtAR
, j
- Auf oaisi June 1985 6 DATE REPORT IS$wtD MONTM vtAR July 1985 7= Ptmf 0RMING ORGAmaZAf TON NAME AND wasLING ADOntS5 tsareweele cessi e enOJECitT Asm/wonn UNif NuwetR Division of Licensing Office of Nuclear Reactor Regulation "'a oa 6a'a' av""a U. S. Nuclear Regulatory Comission Washington, D. C. 20555 10 SPONSomeNG ORGANS 2ATION NAwt AND MAaLING ADORt55 tfac8vdete Case # lia TYPE OF REPORT Safety Evaluation Report, Same as 7, above. Supplement 4 e PtmeDo covEnto asace me e 12 SUPPLEMENTARY notal Docket No. STN 50-447
^
Supplement 4 to the Safety Evaluation Report (SER) for the application filed by General Electric Company for the final design approval for the GE BWR/6 nuclear island design (GESSAR II) has been prepared by the Office of Nuclear Reactor Regulation of the Nuclear Regulatory Commission. This report supple-ments the GESSAR II SER (NUREG-0979) issued in April 1983 summarizing the results of the staff's safety review of the GESSAR II BWR/6 nuclear island design;' Supplement 1, issued in July 1983; Supplement 2, issued in November 1984; and Supplement 3, issued in January 1985. Subject to favorable resolu-tion of the items discussed in this supplement, the staff concludes that the GESSAR II design satisfactorily addresses the severe-accident concerns described in the Commission's Policy Statement on Severe Reactor Accidents .
Regarding Future Designs and Existing Plants.
to DOCuweNT ANatvles -a EEvwOmOSCESCR*PYoms ,5 AvasLatiLIT V
$T ATEME NT Unlimited 16 SECURITv CLA55tFICATiON tTa. sepee
. ice NTi.sias,0. N ENo'a 'ta $
Unclassified
,r..-,
17 NuwstmOSPAGES
, . ...c t l
UNITED STATES nRsr etass man eostaaee,rris rAio NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555 wYsE"o"c.
PERMIT No. G47 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300
't r7' / / ,
7,
- - n, , ,
c
,I y
7 ..
. -Tr v-W I
x N
Z C
O r-m x
5 r"
Z O
O m
O Z