ML20207B420
| ML20207B420 | |
| Person / Time | |
|---|---|
| Issue date: | 06/30/1986 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| NUREG-1206, NUDOCS 8607180002 | |
| Download: ML20207B420 (114) | |
NUREG-1206

Analysis of French (Paluel) Pressurized Water Reactor Design Differences Compared to Current U.S. PWR Designs

U.S. Nuclear Regulatory Commission
NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
NUREG-1206

Analysis of French (Paluel) Pressurized Water Reactor Design Differences Compared to Current U.S. PWR Designs

Manuscript Completed: May 1986
Date Published: June 1986

Division of Safety Review and Oversight
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
ABSTRACT

To understand better the regulatory approaches to reactor safety in foreign countries, the staff of the Nuclear Regulatory Commission has reviewed design information on the Paluel nuclear power plant, one of the current standard 1300-MWe plants operating in France. This report provides the staff's evaluation of major design differences between this standardized French plant and current U.S. pressurized water reactor plants, as well as insights concerning French regulatory practices. The staff identified approximately 25 design differences, and an analysis of the safety significance of each of these design features is presented, along with an assessment comparing the relative safety benefit of each.
CONTENTS

ABSTRACT ........ iii
LIST OF FIGURES ........ viii
LIST OF TABLES ........ ix
ACKNOWLEDGEMENTS ........ xi
EXECUTIVE SUMMARY ........ xiii

1 INTRODUCTION ........ 1-1
1.1 Purpose ........ 1-1
1.2 Background ........ 1-1
1.3 Scope of the Review ........ 1-2
1.4 Comparison to Sizewell B Review ........ 1-2
1.5 Format for Review Results ........ 1-2
1.6 Findings of Relative Safety Significance ........ 1-3

2 DESIGN DIFFERENCES ........ 2-1
2.1 Emergency Core Cooling Systems ........ 2-1
2.1.1 Two Additional Dedicated Residual Heat Removal Pumps with Heat Exchanger, and Automatic Switchover from Injection to Recirculation Following a LOCA ........ 2-1
2.1.2 Interconnection Between the Low Pressure Injection System and the Containment Spray System, and Mobile Equipment for Long-Term Cooling Following a LOCA ........ 2-4
2.2 Residual Heat Removal System Inside Containment, and Remote Manual Instead of Automatic Closure of Isolation Valves ........ 2-6
2.3 Secondary Heat Removal ........ 2-8
2.3.1 Four Auxiliary Feedwater Pumps (Two Steam Driven and Two Electric Driven) ........ 2-8
2.3.2 Resupply of Condensate Storage Tank Independent of AC Power ........ 2-11
2.3.3 Seven Safety-Relief Valves per Steam Generator ........ 2-12
2.4 Four 100% Capacity Essential Service Water Pumps, and Four 50% Capacity Component Cooling Water Heat Exchangers ........ 2-13
2.5 Small Steam-Driven Generator for Reactor Coolant Pump Seal Cooling and Selected Instrumentation and Controls ........ 2-17
2.6 Self-Cooled Safety-Related Pumps ........ 2-20
2.7 Electric Power and Instrumentation and Control ........ 2-21
2.7.1 DC Electric Power Supplies ........ 2-21
2.7.2 Gas Turbine To Back Up Diesel Generators ........ 2-26
2.7.3 Protection System Logical Processing and Reactor Trip Scheme ........ 2-28
2.7.4 Use of Microprocessors in Reactor Protection System ........ 2-38
2.8 ATWS Features ........ 2-41
2.9 Load Rejection Capability ........ 2-42
2.10 Control Room Features ........ 2-43
2.10.1 Control Room Design ........ 2-43
2.10.2 Safety Parameter Display System ........ 2-44
2.11 Double Containment ........ 2-46
2.12 Safety and Relief Valves ........ 2-50
2.13 Fire Protection ........ 2-54
2.14 Core Design ........ 2-56
2.15 Remote (Auxiliary) Shutdown Panel ........ 2-60
2.16 Main Steam Lines and Main Steam Isolation Valves Outside Containment, No Steam Tunnel ........ 2-65
2.17 Waste Sewer Monitoring ........ 2-66
2.18 Steam Generator Design ........ 2-66
2.19 Reactor Vessel Materials and Techniques for Fracture Prevention ........ 2-68
2.20 Emergency Operating Procedures ........ 2-69

3 SAFETY GOALS AND PROBABILISTIC ASSESSMENT ........ 3-1
3.1 Safety Goals Based on Probabilistic Criteria ........ 3-1
3.1.1 Description of U.S. Safety Goals ........ 3-1
3.1.2 Description of French Safety Goals ........ 3-2
3.1.3 Analysis of the Safety Significance ........ 3-3
3.1.4 Acceptance Criteria ........ 3-4
3.2 Probabilistic Assessment of Design Differences ........ 3-5
3.2.1 Scope ........ 3-5
3.2.2 Station Blackout ........ 3-5
3.2.2.1 AC Power Effects ........ 3-5
3.2.2.2 Decay Heat Removal Effects ........ 3-7
3.2.3 Loss of Main Feedwater (Event Initiator) ........ 3-10
3.2.4 Anticipated Transients Without Scram ........ 3-10
3.2.5 Automatic Switchover Following a LOCA (Recirculation Phase) ........ 3-10
3.2.6 Self-Cooled Safety-Related Pumps ........ 3-11
3.2.7 Safety and Relief Valves ........ 3-11
3.2.8 Interconnection Between the Low Pressure Injection System and the Containment Spray System ........ 3-11

APPENDIX A: ACRONYMS ........ A-1
FRENCH ACRONYMS ........ A-3
APPENDIX B: BIBLIOGRAPHY ........ B-1
LIST OF FIGURES

2.1 SNUPPS emergency core cooling system ........ 2-2
2.2 P4 emergency core cooling system ........ 2-3
2.3 ECC systems for post-LOCA long-term cooling ........ 2-5
2.4 Schematic diagram of a typical U.S. RHR system ........ 2-7
2.5 P4 AFW system ........ 2-9
2.6 P4 CCW system ........ 2-15
2.7 P4 ESW system ........ 2-16
2.8 French backup turbine generator for station blackout ........ 2-19
2.9 Schematic of Class 1E DC electrical power supplies for Paluel (12 batteries) ........ 2-22
2.10 Schematic of nonsafety DC electrical power supplies for Paluel (five batteries) ........ 2-24
2.11 Backup connection for mobile gas turbines ........ 2-27
2.12 Westinghouse protection system ........ 2-30
2.13 CE reactor trip scheme ........ 2-31
2.14 Paluel reactor protection system logic ........ 2-34
2.15 Paluel reactor breaker trip scheme ........ 2-35
2.16 ULS logic technology ........ 2-37
2.17 Original French design ........ 2-52
2.18 New French design ........ 2-52
LIST OF TABLES

1.1 Design differences between French and U.S. designs and their relative safety significance ........ 1-5
1.2 Additional design differences ........ 1-7
2.1 Containment design characteristics ........ 2-48
2.2 SNUPPS instrumentation and controls on alternate shutdown panel ........ 2-61
2.3 Systems/components controlled on the P4 remote shutdown panel ........ 2-63
2.4 French emergency operating procedures and associated design features ........ 2-72
3.1 Summary of French design features relative to station blackout ........ 3-9
ACKNOWLEDGEMENTS

This project was managed by Alan Rubin in the Division of Safety Review and Oversight of the Office of Nuclear Reactor Regulation.

The NRC staff members who participated in technical discussions with the French safety authorities and visited the Paluel site were

T. Speis, Director, Division of Safety Review and Oversight
A. Rubin, Division of Safety Review and Oversight
G. Bagchi, Division of PWR Licensing-A
W. LeFave, Division of PWR Licensing-A

In addition, the following staff members contributed to this report:

C. Cheng, Division of PWR Licensing-B
R. Ferguson, Division of PWR Licensing-B
J. Guttmann, Office of the Secretary (formerly with Division of Systems Integration)
G. Hammer, Division of PWR Licensing-A
W. Hazelton, Division of BWR Licensing
S. Israel, Division of PWR Licensing-A
W. Kennedy, Division of Human Factors Technology
E. Lantz, Division of PWR Licensing-B
J. Lazevnick, Division of PWR Licensing-A
J. Lee, Division of BWR Licensing
A. Ramey-Smith, Division of Human Factors Technology
H. Richings, Division of BWR Licensing
R. Riggs, Division of Safety Review and Oversight
F. Rinaldi, Division of PWR Licensing-A
R. Stevens, Division of BWR Licensing
C. Tinkler, Division of PWR Licensing-A

The staff wishes to express its appreciation to the French team from the Institut de Protection et de Sûreté Nucléaire (IPSN) (Institute for Nuclear Protection and Safety) of the Commissariat à l'Energie Atomique (Atomic Energy Commission), Electricité de France (EDF), and the Service Central de Sûreté des Installations Nucléaires (SCSIN) (Central Division for Safety of Nuclear Facilities) of the Ministère du Redéploiement Industriel et du Commerce Extérieur (Ministry of Industry) for their cooperation during this project. The assistance from J. Petit, D. Queniart, M. Dupuis, P. Moriette, and many others from IPSN and their colleagues at EDF and SCSIN in providing technical information on the P4 design and their review and comments on the draft report were extremely useful.
EXECUTIVE SUMMARY

The staff of the Nuclear Regulatory Commission (NRC) reviewed the design differences between a current standard 1300-MWe French pressurized water reactor (PWR) and a typical U.S. four-loop PWR and assessed the relative safety significance of these differences. The project was similar to a 1983 staff project that compared design differences between the British Sizewell B design and current U.S. PWR technology, with major emphasis on potentially significant safety improvements and their importance (NUREG-0999). Both projects were undertaken because of the continued interest of the staff and the Advisory Committee on Reactor Safeguards in safety technology and regulatory approaches to reactor safety in foreign countries.

Electricité de France (EDF), the French electric utility, operates about 30 "standard design" PWR units of the three-loop 900-MWe variety. In recent years EDF developed a new four-loop 1300-MWe PWR design (called P4). Six of the P4 reactors are in operation in France, and about 12 more are under construction. Four of the six operating P4 plants are at the Paluel site.

The Paluel plant includes a number of features that differ significantly from current U.S. PWR technology. Accordingly, the NRC staff reviewed the P4 design to identify and assess the safety significance of design features that differ from those of typical U.S. four-loop PWRs. This review included a visit to the Paluel plant and discussion with French safety authorities and EDF. The focus of the NRC review was on significant design differences and associated emergency procedures that could enhance safety at future or advanced U.S. nuclear plants.

Once a design difference was identified, it was evaluated by the staff. For each design difference, this report includes (1) a brief title to identify the design feature, (2) a description of the design feature in U.S. PWR plants, (3) a description of the design feature in current French P4 standardized plants, (4) a discussion of the safety benefits associated with the French design feature, and (5) the basis on which the U.S. plant was found acceptable, and, if applicable, a comparison of the U.S. and French acceptance criteria and how the respective designs meet them.

Approximately 25 design differences were identified. The staff evaluations of the relative safety significance of these design differences were based on deterministic assessments, engineering judgment, and insights derived from generic probabilistic assessments. The relative terms "high," "moderate," and "low" that are used are not intended to indicate absolute values. Rather, these terms are used to give insights on the relative importance of various design differences. If those features with a "high" safety significance were applied to U.S. designs, they could have a relatively significant safety benefit when compared with the other design differences evaluated. If the features designated "moderate" or "low" were applied to a U.S. plant, they would have a lower safety significance, but they would still provide a safety benefit.

Two design features were judged to be of high relative safety significance: (1) the interconnection between the low pressure injection system and the containment spray system, and mobile equipment for long-term cooling following a loss-of-coolant accident (LOCA), and (2) the small steam-driven electrical generator that provides power for reactor coolant pump seal cooling and selected instrumentation and controls in the event of a station blackout.

The two significant design features next in terms of their relative incremental safety benefit (i.e., judged to be of moderate to high relative safety significance) are (1) the use of two additional dedicated residual heat removal pumps with heat exchanger, and automatic switchover from injection to recirculation following a LOCA, and (2) the use of microprocessors in the reactor protection system.

Those design features that were judged to have a moderate relative incremental safety benefit are*

(1) having the residual heat removal system inside containment and having manual rather than automatic closure of isolation valves
(2) having four auxiliary feedwater pumps (two steam-driven and two electric-driven)
(3) having the capability to resupply the condensate storage tank independent of AC power
(4) having self-cooled safety-related pumps
(5) DC electrical power supply features
(6) having a gas turbine to back up the emergency diesel generators
(7) control room features

* These features are not listed in any order relative to each other.

Overall, the French P4 design incorporates a number of design features that reduce the risk associated with the operation of PWR power plants. Although a probabilistic risk assessment (PRA) for the Paluel plant was beyond the scope of this project, PRAs performed for a number of U.S. PWRs show that the factors with a significant impact on risk are system dependencies, human errors, and electrical system reliability. The French considered these factors in designing the P4 plants. For example, the self-cooled safety-related pumps in the Paluel plant reduce dependence on component cooling water or essential service water. The automatic switchover from injection to recirculation following a LOCA minimizes operator error and the risks associated with failure to perform the manual switchover. The French have also developed a set of emergency operating procedures (along with corresponding hardware changes) to deal with the loss of redundant safety systems. The P4 plant includes several design features (as well as procedures) that enable the plant to cope with a loss of all AC power for up to 3 days, thereby substantially reducing the risk from station blackout events. Based on the scope of this review, it appears that for a number of potential dominant accident sequences the French P4 design offers a substantial improvement in safety compared to the typical U.S. four-loop PWR design.
1 INTRODUCTION

1.1 Purpose

The staff of the Nuclear Regulatory Commission (NRC, staff) has reviewed the differences between a typical French pressurized water reactor (PWR) (Paluel) and a typical U.S. four-loop PWR (SNUPPS) and assessed the relative safety significance of these differences.

1.2 Background

In late 1982 and early 1983, NRC performed a comparative analysis of the differences between the British Sizewell B design and current U.S. PWR technology, as typified by the SNUPPS design, with major emphasis on potentially significant safety improvements and their importance. The results of that evaluation were published in May 1983 as NUREG-0999. Because of the value of that activity and the continued interest of the NRC staff and the Advisory Committee on Reactor Safeguards (ACRS) in regulatory approaches to reactor safety in foreign countries, the NRC staff has compared a typical French design with a typical U.S. design.

Electricité de France (EDF), the French electric utility, operates about 30 "standard design" PWR units of the three-loop 900-MWe variety. In recent years EDF developed a new four-loop 1300-MWe PWR design (called P4). As of April 1, 1986, 14 of these reactors were under construction and 6 were in operation.* Plants of an advanced design, called N4, will have a power level of 1400 MWe. The first N4 plants (Chooz B1 and B2) received their construction permits in early 1984 and early 1986.

The first six units of the P4 1300-MWe standard design began operation in the last 2 years; four of these units constitute the four-unit Paluel plant, which is located at Paluel on the English Channel near St. Valery en Caux. (The other two units are at Flamanville and St. Alban.) As far as the nuclear steam supply system is concerned, the Paluel design is similar to that of the U.S. South Texas plant (two units), which is a Westinghouse/Bechtel 1250-MWe PWR.

The Paluel design (as well as the N4 design) employs a number of features that differ significantly from current U.S. PWRs. Accordingly, the NRC staff reviewed numerous French reports describing the P4 design to identify and assess the safety significance of design features that differ from those of a typical U.S. four-loop PWR design. The staff then prepared an initial draft report based on this review. A team from NRC visited the Paluel plant and held discussions with the French safety authorities and EDF to review the draft report. On the basis of additional information obtained during these discussions and the site visit, the staff prepared this final report.

* Twelve of the units are designated P'4 to account primarily for minor changes that resulted in smaller buildings with less free access space.

1.3 Scope of the Review

The NRC staff reviewed relevant French reports to identify differences between French and current U.S. four-loop PWR designs, comparing the Paluel (P4) design and the SNUPPS design. Because the focus of the review was on significant design differences that could enhance safety at future or advanced U.S. nuclear plants, the staff reviewed in detail French design features that are not included in the SNUPPS design. Design features included at SNUPPS but not in the Paluel design were outside the scope of this review and were not evaluated. If the SNUPPS design does not include a specific design feature of the P4 plant but other U.S. plants do, this fact has been identified in the discussion in Section 2 of this report. A review of the French N4 design was not within the scope of this project.

1.4 Comparison to Sizewell B Review

Although the review of the Paluel design was similar in scope to the Sizewell review, there were differences. For the Sizewell B plant, the British Central Electricity Generating Board (CEGB) had selected the SNUPPS plant as the basic reference design and then made a number of design changes. The NRC staff had the benefit of the "Sizewell B Probabilistic Safety Study" (Westinghouse, WCAP-9991, Revision 1) to evaluate the safety significance of the Sizewell design differences in terms of reduced core-melt frequency; however, such a probabilistic safety study was not available for the Paluel plant. Although not having a plant-specific probabilistic assessment as a reference made quantifying the safety benefit of specific design features more difficult, it was still possible, in general, for the staff to utilize the results of generic probabilistic safety studies for the Paluel review (see Section 3.2 below). It was not possible for the staff to do a probabilistic assessment for each design difference identified.

One other difference between the French Paluel and British Sizewell reviews should be noted. At the time of the Sizewell B review, that plant was in the design stage, and a number of design changes were still being evaluated by CEGB. The staff evaluated these "open issues" at Sizewell B, even though the entire design was not complete (Sizewell B is not yet under construction). In contrast, the French P4 design is fixed, and four units at Paluel, one at Flamanville, and one at St. Alban are already in operation.

1.5 Format for Review Results

Once a design difference was identified, it was evaluated by the staff. Section 2 below gives the results of this review for each design difference in the following format:

Title (a brief title to identify the design feature)

U.S. Plant Description (a description of the design feature in U.S. PWR plants as typified by SNUPPS)

French Plant Description (a description of the design feature in current French P4 standardized plants as typified by Paluel)

Analysis of Safety Significance (a discussion of the safety benefits associated with the French design feature)

Acceptance Criteria (if U.S. criteria exist for the design feature) (the basis on which the U.S. design was found acceptable, and, if applicable, a comparison of the U.S. and French acceptance criteria and how the respective designs meet them; a detailed review of the French acceptance criteria was beyond the scope of this project)

1.6 Findings of Relative Safety Significance

On the basis of information available from French reports, a site visit, and discussions with the French, the staff compared the Paluel design features that differ from U.S. design features and evaluated their relative value in terms of safety significance. Evaluations of the relative safety significance were based on deterministic assessments, engineering judgment, and insights derived from the probabilistic assessments discussed in Section 3.2 of this report.

Approximately 25 design differences were identified; they are listed in Tables 1.1 and 1.2. In some cases the staff could not assess the relative safety significance of a design difference on a probabilistic basis because (1) the uncertainty in the probabilistic assessment was too large, (2) adequate reliability data were not available and assumptions necessary to evaluate the safety significance were too uncertain (e.g., probability of operator error), or (3) the design features had potential advantages as well as disadvantages and it was difficult to determine the net overall safety benefit.

Table 1.1 includes a qualitative assessment ("high," "moderate," or "low") of the relative safety significance for each of the design differences given there; a detailed discussion and analysis of each of these design features is included in Section 2. Table 1.2 lists French design features that differ from the SNUPPS design but that do not differ substantially from an overall safety point of view. These items are included in this report for completeness of identifying design differences between typical French and U.S. designs; they also are discussed in more detail in Section 2.

Although emergency operating procedures are not a design feature per se, they are discussed separately in Section 2.20. These procedures are closely tied to a number of design features that have been assessed for their safety significance. However, the safety significance of the emergency procedures themselves has not been evaluated separately.

Overall, the French P4 design incorporates a number of design features that reduce the risk associated with the operation of PWR power plants. Although a probabilistic risk assessment (PRA) for the Paluel plant was beyond the scope of this project, the insights derived from the PRAs performed for a number of U.S. PWRs highlighted factors that dominate risk. Some of the factors that were found to have a significant impact are system dependencies, human errors, and electrical system reliability. The French considered these factors in designing the P4 plants. For example, the self-cooled safety-related pumps in the Paluel plant (see Section 2.6) reduce dependence on component cooling water or essential service water. The automatic switchover from injection to recirculation following a LOCA (see Section 2.1.1) minimizes operator error and the risks associated with failure to perform the manual switchover. The French have also developed a set of emergency operating procedures (with appropriate hardware changes) (see the discussion of procedures in Section 2.20) to deal with the loss of redundant safety systems. In particular, the P4 plant includes several design features (as well as procedures) that enable the plant to cope with a loss of all AC power for up to 3 days, thereby substantially reducing the risk from station blackout events. Based on the scope of this review, it appears that the French P4 design offers a substantial improvement in safety compared to the typical U.S. four-loop PWR design for a number of potential dominant accident sequences.
Table 1.1 Design differences between French and U.S. designs and their relative safety significance
- Relative incremental French design feature safety significance **
1.
Emergency core cooling system 1.1 Two additional dedicated residual heat Moderate to high removal pumps with heat exchanger, and automatic switchover from injection to recinculation following a LOCA 1.2 Interconnection between the low pressure High injection system and the containment spray system, and mobile equipment for long-term cooling following a LOCA 2.
Residual heat removal system inside contain-Moderate ment, and remote manual instead of automatic closure of isolation valves 3.
Secondary heat removal 3.1 Four auxiliary feedwater pumps (two Moderate steam-and two electric-driven) 3.2 Resupply of the condensate storage Moderate tank independent of AC power 3.3 Seven safety relief valves per steam generator 4.
Four 100% capacity essential service Low water pumps, and f( ir 50% capacity component cooling u ter heat exchangers
*The numeric designations used in this table correspond with the designations used in Section 2 (i.e., item 1 is addressed in Section 2.1).

**The reader is cautioned on the use of the relative terms "high," "moderate," and "low," because these are not intended to be absolute values.
Rather, the qualitative terms are used to give insights on the relative importance of various design differences.
If those features with a "high" safety significance were applied to U.S. designs, they could have a relatively significant safety benefit when compared with the other design features listed in this table.
If the features designated as "moderate" or "low" were applied to U.S. plants, they would have a lower safety benefit.
For example, the seven safety relief valves (low safety significance, item 3.3 in this table) would enhance safety somewhat, but not as much as the self-cooled safety-related pumps (moderate safety significance, item 6).
The small steam-driven electrical generator for reactor coolant pump seal cooling and selected instrumentation and controls (high safety significance, item 5) would improve safety more than either of the first two features.
A detailed discussion and analysis of each of the design differences in this table is included in Section 2 of this report.
Table 1.1 (Continued)

| French design feature | Relative incremental safety significance |
|---|---|
| 5. Small steam-driven electrical generator for reactor coolant pump seal cooling and selected instrumentation and controls | High* |
| 6. Self-cooled safety-related pumps | Moderate |
| 7. Electric power and instrumentation and control | |
| 7.1 DC electric power supplies | Moderate |
| 7.2 Gas turbine to back up diesel generators | Moderate |
| 7.3 Protection system logical processing and reactor trip scheme | Low |
| 7.4 Use of microprocessors in reactor protection system | Moderate to high |
| 8. Anticipated transient without scram (ATWS) feature | Low to moderate |
| 9. Load rejection capability | Low to moderate |
| 10. Control room features | Moderate |
| 11. Double containment | Low |
| 12. Safety and relief valves | Low to moderate |
| 13. Fire protection | Low |
| 14. Core design | Low |
| 15. Remote (auxiliary) shutdown panel | Low |
*This relative value is predicated on the assumption that reactor coolant pump (RCP) seals will fail about one-half hour after a station blackout resulting from loss of seal cooling.
This assumption is consistent with the assumption made in the Zion and Indian Point Probabilistic Safety Studies, but further analysis may show this assumption to be conservative.
Westinghouse has presented test results and analysis from which Westinghouse concludes that the time to failure for the RCP seals, under conditions of loss of seal cooling, is considerably greater than 30 minutes, and the probability of significant seal leakage after a 1-hour period without seal cooling is small (WCAP-10541).
The staff is evaluating the Westinghouse analysis.
If the staff evaluation confirms the Westinghouse analysis, the safety benefit of this design modification would not be characterized as "high."
It should be noted that the French design assumes that the RCP pump seals can fail after 2 minutes, if uncooled.
Table 1.2 Additional design differences

| French design feature* |
|---|
| 16. Main steam lines and main steam isolation valves outside containment, no steam tunnel |
| 17. Waste sewer monitoring |
| 18. Steam generator design |
| 19. Reactor vessel materials and techniques for fracture prevention |

*The numeric designations used in this table correspond with the designations used in Section 2 (i.e., item 16 is addressed in Section 2.16).
2 DESIGN DIFFERENCES

2.1 Emergency Core Cooling Systems

2.1.1 Two Additional Dedicated Residual Heat Removal Pumps with Heat Exchanger, and Automatic Switchover from Injection to Recirculation Following a LOCA

U.S. Plant Description

As shown in Figure 2.1, the SNUPPS plants are designed with two residual heat removal (RHR) pumps for normal operating functions, as well as for low pressure safety injection.
Also, in the recirculation phase of a LOCA, the RHR system is used to feed the safety injection pumps and the centrifugal charging pumps in a "piggy-back" alignment.
The centrifugal pumps, which are used to "charge" the reactor coolant system during normal plant operation, are also used for emergency core cooling.
In the event of a LOCA, the inlets to the charging pumps have to be switched from the chemical and volume control system (CVCS) to the refueling water storage tank (RWST) for a safety injection.
When the SNUPPS operators receive an RHR automatic switchover alarm (which can occur any time after about 13 minutes following a LOCA) they are required to perform manual operations to complete the switchover from the injection mode to the recirculation mode.
About 11 valve positioning operations must be performed in a timely manner.
Most of these manual operations appear to result indirectly from the use of the centrifugal charging pumps and the RHR system for both emergency core cooling system (ECCS) and normal operating functions.
(Some U.S. plants use separate low head safety injection pumps in lieu of RHR pumps for low pressure safety injection and recirculation.)
French Plant Description

In the P4 design, the ECCS is not used during normal operation.
As shown in Figure 2.2, the P4 plant is designed with an additional low pressure injection system that is independent of the RHR system.
In addition, in the P4 plant the RHR system is not used to feed the safety injection pumps (as it is in the SNUPPS plants), and the safety injection system is independent of the CVCS.
The RHR pumps, which are inside containment, are qualified for environmental conditions following a steam line rupture or a LOCA, but their operation is required only in the long term following a steam line rupture or a small-break LOCA.
Therefore, the low pressure injection system, which is outside containment, would be used for long-term decay heat removal in the event of a LOCA.
The P4 plant is designed for completely automatic injection and switchover from injection from the RWST after a LOCA to recirculation from the containment sumps.
This completely automatic operation is feasible, in part, because the P4 ECCS has dedicated subsystems that do not have to perform other functions during normal operation.
Figure 2.1 SNUPPS emergency core cooling system (schematic; labels legible in the original: refueling water storage tank, safety injection pumps, RHR pumps, CVCS, centrifugal charging pumps, containment boundary, CCW, RCS hot and cold legs, to safety injection pump inlets, to centrifugal charging pump inlets)
Note: Not shown are four accumulators that discharge at about 600 psi.
Figure 2.2 P4 emergency core cooling system (schematic; labels legible in the original: from RWST, LPSI pumps and injection lines, spray pumps, heat exchangers, mobile pump and mobile exchanger, inside/outside containment boundary)
Analysis of Safety Significance

As can be seen by comparing the two ECCS schematic diagrams, the multiple use of the RHR system in the SNUPPS plants makes it more complex with more valves and more failure modes.
The comparative simplicity of the P4 ECCS results from the complete separation of safety systems used in accident conditions and in normal operations. The automatic switchover from injection to recirculation reduces potential operator error and should provide more reliable emergency core cooling in the event of a LOCA.
Acceptance Criteria

For the switchover from the injection phase to the recirculation phase of emergency core cooling, the U.S. acceptance criteria are that the primary mode of actuation for the ECCS must be automatic, and that actuation must be initiated by signals of suitable diversity and redundance.
Provisions must also be made for manual actuation, monitoring, and control of the ECCS from the reactor control room. The U.S. acceptance criteria do not prohibit the use of the same system for both low pressure injection and residual heat removal or the same system for both high pressure injection and charging.
The French P4 ECCS system is designed to be functionally independent and physically separate from systems used in normal plant operations.
To reduce the circulation of primary coolant outside containment and to ensure protection from external hazards, the P4 RHR system is inside containment.
The two additional pumps for low pressure injection are located outside containment to allow accessibility for maintenance and repair.
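The acceptance criteria above ask for automatic actuation driven by redundant and diverse signals. The following is an added, constructed illustration of what those two properties look like in switchover logic; it is not the P4 or SNUPPS logic, and the setpoints, channel counts and the 2-of-3 coincidence are assumptions chosen for the example.

```python
"""Illustrative automatic injection-to-recirculation switchover logic.

Constructed example for this discussion; it is not the P4 or SNUPPS logic.
It shows the two properties the acceptance criteria name: redundancy
(m-out-of-n coincidence, so one failed channel neither blocks nor
spuriously causes the switchover) and diversity (a second, physically
different parameter must agree before the sump path is opened).
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Setpoints are assumed values chosen for the example, not plant data.
RWST_LOW_LEVEL_PCT = 10.0   # RWST level below which recirculation is demanded
SUMP_LEVEL_MIN_IN = 24.0    # minimum sump level that confirms water to pump


def vote(channels: Sequence[Optional[float]], setpoint: float,
         m: int, below: bool) -> bool:
    """m-out-of-n coincidence vote.

    A channel reading None is a failed (bypassed) channel and never counts
    toward the trip, so a single failure cannot alone cause the action; with
    n >= m + 1 healthy channels a single failure cannot block it either.
    """
    tripped = 0
    for reading in channels:
        if reading is None:
            continue
        if (reading <= setpoint) if below else (reading >= setpoint):
            tripped += 1
    return tripped >= m


@dataclass
class PlantSignals:
    rwst_level_pct: Sequence[Optional[float]]  # redundant RWST level channels
    sump_level_in: Sequence[Optional[float]]   # diverse parameter: sump level
    si_actuated: bool                          # safety injection in progress


def switchover_demanded(sig: PlantSignals) -> bool:
    """Demand switchover only when SI is running, the redundant RWST channels
    agree 2-of-3 that the tank is low, and the diverse sump measurement
    confirms 2-of-3 that there is water to take suction from."""
    if not sig.si_actuated:
        return False
    rwst_low = vote(sig.rwst_level_pct, RWST_LOW_LEVEL_PCT, m=2, below=True)
    sump_ok = vote(sig.sump_level_in, SUMP_LEVEL_MIN_IN, m=2, below=False)
    return rwst_low and sump_ok


def switchover_sequence(sig: PlantSignals) -> List[str]:
    """Ordered valve commands: open the sump path and confirm it before
    closing the RWST path, so pump suction is never lost mid-transfer."""
    if not switchover_demanded(sig):
        return []
    return [
        "open containment sump suction valves",
        "confirm sump suction valves full open",
        "close RWST suction valves",
    ]


if __name__ == "__main__":
    # One RWST channel failed (None), the other two read low; sump is wet.
    demo = PlantSignals(rwst_level_pct=[8.0, 9.5, None],
                        sump_level_in=[30.0, 31.0, 29.5], si_actuated=True)
    print(switchover_sequence(demo))
```

The point of the `None` handling is the one that matters for the single-failure discussion: a dead channel is excluded from the count rather than treated as tripped, so it can neither cause a spurious transfer nor, with three channels, prevent a legitimate one.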
2.1.2 Interconnection Between the Low Pressure Injection System and the Containment Spray System, and Mobile Equipment for Long-Term Cooling Following a LOCA

U.S. Plant Description

The pumps for the low pressure injection system and the containment spray system in the SNUPPS plants are independent of each other with no interconnections between the two systems.
As discussed in Section 2.1.1 above, the SNUPPS plants use the RHR system in the recirculation phase of a LOCA.
They are not designed with an alternate post-LOCA long-term cooling method as are the P4 plants (see below).
French Plant Description

In the P4 plant, the pumps on the low pressure safety injection (LPSI) system and the containment spray (CS) system may be interconnected, as shown in Figure 2.3.
This interconnection allows the CS pumps to be used for low pressure safety injection if the LPSI pumps are unavailable or vice versa.
If this situation occurs, the French implement an emergency operating procedure, H4 (see Section 2.20).
In the event of loss of all LPSI and CS pumps, the French design provides an alternate method of long-term cooling 2 weeks after a LOCA, the U3 procedure discussed in Section 2.20.
A mobile pump and heat exchanger can be transported to the site to replace an inoperative pump or an unavailable heat exchanger.

Figure 2.3 ECC systems for post-LOCA long-term cooling (schematic of train A, train B identical; labels legible in the original: refueling water storage tank, intermediate pressure injection pump (1619 psi), to RCS cold legs, to RCS hot legs, fittings for mobile unit, containment spray pump, CCW, containment sump)
Note: Not shown are four accumulators that discharge at about 600 psi.
The necessary fittings are incorporated on the ECCS piping in a shielded area in the safeguard auxiliary building.
The flow path for the mobile pump and heat exchanger is shown schematically in Figure 2.3.
The mobile unit is designed to remove levels of decay heat existing 2 weeks or more after a LOCA.
These mobile units are normally kept at centrally located sites that are within 2 days' travel time from the plants to be served by the mobile units.
The units can be installed in an additional day.
Analysis of Safety Significance

The interconnection between the LPSI and CS pumps provides additional flexibility for long-term decay heat removal following a LOCA or containment spray should one or both pumps in either system fail.
By providing a diverse pump and heat exchanger, the mobile unit would be expected to decrease the risk of a total loss of long-term decay heat removal compared to that for the SNUPPS plants.
2.2 Residual Heat Removal System Inside Containment, and Remote Manual Instead of Automatic Closure of Isolation Valves

U.S. Plant Description

The residual heat removal (RHR) system in the SNUPPS plants is located outside containment, but in a few U.S. plants the RHR system is inside containment.
The design includes a safety grade, automatic system that closes the two RHR isolation valves (placed in series) in each line from the reactor coolant system (RCS) to the suction side of the RHR system (Figure 2.4).
This isolation occurs when the pressure in the RCS exceeds a given setpoint.
French Plant Description

The RHR system in the French P4 plant is located inside containment.
In lieu of an automatic system, the P4 plant has indicators and position alarms on the RHR suction isolation valves.
Furthermore, each RHR train is equipped with two safety valves. The operator manually closes the isolation valves when the P4 plant is being heated to operating temperature and the RCS pressure is being increased.
Analysis of Safety Significance

Although there are no known instances in which the automatic closure system on the RHR isolation valves saved the RHR system from being overpressurized, in quite a few instances malfunctions or faulty maintenance of this autoclosure system have isolated decay heat removal by the RHR system.
The use of an automatic system implies the need for either rapid action or minimizing operator error.
However, in this case, with the rate of increase of RCS temperature limited to 50 F per hour at the P4 plants (the allowable heatup rate for SNUPPS is 100 F per hour), there is hardly any need to automatically isolate the RCS against rapid pressure increase during the plant's heatup phase.
If the RHR system is turned off when the RCS temperature reaches 350 F, it will be at least 2.5 hours before an RCS pressure of 600 psi is established.
The RHR design pressure is 600 psi, and this pressure will be required to prevent boiling in the RCS.
Thus the operator has ample time to manually isolate the RHR and ensure that two isolation valves in series in each line are closed.

Figure 2.4 Schematic diagram of a typical U.S. RHR system (labels legible in the original: suction isolation valves from the RCS hot leg, RHR pumps, RHR heat exchangers with component cooling water, borated water for injection, sump for the recirculation mode of LPCI, to reactor vessel via cold legs, containment boundary)
The RHR safety valves are located upstream of the RHR pumps and prevent the RHR system from exceeding its design pressure.
With the indicators and alarms to monitor the position of the isolation valves in the P4 plants, the French have determined that the public risk associated with the RCS overpressurizing the decay heat removal system is less than the public risk that would result if the automatic closure system malfunctioned and stopped the decay heat removal during shutdown.
The French also have reviewed their operating experience and have not found any problems with their procedure for manual closure of the RHR isolation valves.
Acceptance Criteria

Because the RHR system is designed for low pressure and, at SNUPPS, is outside containment, significant efforts are made to prevent overpressurization and rupture of the system (referred to as an "interfacing LOCA - Event V").
Therefore, the U.S. acceptance criteria (Section III of the Boiler and Pressure Vessel Code of the American Society of Mechanical Engineers, ASME Code, Paragraph NB 3612.4) for the SNUPPS plants required (1) that there be at least two power-operated valves in series in the suction side of the RHR system and (2) that these two valves have independent, diverse interlocks to protect against one or both valves being open during an RCS pressure increase above the design pressure of the RHR system.
The French design does not need protection against Event V because in the P4 design the RHR system is inside containment.
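The time argument in the analysis above (RHR isolated at 350 F, RHR design pressure 600 psi, heatup limited to 50 F per hour, hence at least 2.5 hours of margin) can be carried through numerically. The block below is an added worked example, not part of the report; it assumes that RCS pressure during heatup tracks the saturation pressure of the coolant, which is my modelling assumption rather than the report's stated basis, and it uses rounded steam-table saturation points. The `operator_action_min` figure in `isolation_margin` is a placeholder to be supplied by the user, not a value from the report.

```python
"""Time margin before the RCS reaches the RHR design pressure during heatup.

Added worked example on the report's numbers. Modelling assumption (mine):
RCS pressure is held near the coolant saturation pressure, so pressure is a
function of temperature and the heatup rate fixes how fast it rises.
"""
from bisect import bisect_left
from typing import Tuple

# (saturation pressure psia, saturation temperature F); rounded steam-table values
SATURATION = [
    (100.0, 327.8), (150.0, 358.4), (200.0, 381.8), (300.0, 417.4),
    (400.0, 444.6), (500.0, 467.0), (600.0, 486.2), (700.0, 503.1),
]


def saturation_temp_f(pressure_psia: float) -> float:
    """Linear interpolation of saturation temperature; refuses to extrapolate."""
    pressures = [p for p, _ in SATURATION]
    if not pressures[0] <= pressure_psia <= pressures[-1]:
        raise ValueError("pressure outside tabulated range")
    i = bisect_left(pressures, pressure_psia)
    p1, t1 = SATURATION[i]
    if p1 == pressure_psia:
        return t1
    p0, t0 = SATURATION[i - 1]
    return t0 + (t1 - t0) * (pressure_psia - p0) / (p1 - p0)


def hours_to_pressure(start_temp_f: float, heatup_rate_f_per_h: float,
                      target_psia: float) -> float:
    """Hours from isolating RHR at start_temp_f until saturation pressure
    reaches target_psia at the given heatup rate (0.0 if already there)."""
    if heatup_rate_f_per_h <= 0:
        raise ValueError("heatup rate must be positive")
    t_target = saturation_temp_f(target_psia)
    if t_target <= start_temp_f:
        return 0.0          # no margin: the design pressure is already reached
    return (t_target - start_temp_f) / heatup_rate_f_per_h


def isolation_margin(heatup_rate_f_per_h: float, operator_action_min: float,
                     start_temp_f: float = 350.0,
                     design_psia: float = 600.0) -> Tuple[float, bool]:
    """Available hours and whether they cover an assumed operator action time
    (operator_action_min is a placeholder chosen by the caller)."""
    hours = hours_to_pressure(start_temp_f, heatup_rate_f_per_h, design_psia)
    return hours, hours * 60.0 >= operator_action_min


if __name__ == "__main__":
    for plant, rate in (("P4", 50.0), ("SNUPPS", 100.0)):
        hours, ok = isolation_margin(rate, operator_action_min=60.0)
        print(f"{plant}: {hours:.2f} h to 600 psi, covers 60 min: {ok}")
```

With these inputs the P4 rate gives about 2.7 hours, consistent with the report's "at least 2.5 hours"; the same calculation at the SNUPPS rate of 100 F per hour gives roughly half that, which is the quantitative reason the slower French heatup rate weakens the case for automatic closure.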
2.3 Secondary Heat Removal

2.3.1 Four Auxiliary Feedwater Pumps (Two Steam Driven and Two Electric Driven)

U.S. Plant Description

The SNUPPS auxiliary feedwater (AFW) system consists of three AFW pumps (two motor-driven, plus one turbine-driven) that take suction from one condensate storage tank (CST) during normal operation, with each pump capable of discharging via the main feedwater system piping to any combination of one to four steam generators.
Normally, one motor-driven pump is lined up to automatically supply water to two steam generators while the other motor-driven pump is lined up to automatically provide water to the remaining two steam generators.
The turbine-driven pump is normally lined up to automatically supply water to all four steam generators.
French Plant Description

The P4 AFW system consists of four AFW pumps (two motor-driven and two turbine-driven) that take suction from one CST, with each pump capable of discharging via the main feedwater system to two steam generators (Figure 2.5).
A motor-driven pump and a turbine-driven pump automatically supply water to two steam generators while the other motor-driven and turbine-driven AFW pumps automatically supply water to the remaining pair of steam generators.
There are no interconnections between the redundant trains (one train consists of a motor-driven pump and a turbine-driven pump).
Figure 2.5 P4 AFW system (schematic; labels legible in the original: CST with vacuum breaker and pressure relief, train A and train B each with a motor-driven pump and a turbine-driven pump, minimum recirculation, oil coolers, control valves, main feedwater connections to the steam generators, inside/outside containment boundary)
Notes:
- All pumps and control valves can be operated from the remote shutdown panel.
- The turbine governor has a 5 hour accumulator for remote operation without air. It can then be operated locally.
- The CST has an N2 blanket for deaeration. Makeup water is normally deaerated to inhibit corrosion (not safety-related).
- Control valves are preset to prevent excessive flow in the event of a break.
- N.O. = Normally open; F.O. = Fail open; S/G = Steam generator
Analysis of Safety Significance

The total pumping capacity of the SNUPPS and P4 systems is essentially the same, with the SNUPPS turbine-driven pump being twice the size of one turbine-driven pump of the P4 design. The P4 design provides redundancy in the turbine-driven AFW pumps and, therefore, reduces the risk in the event of a loss of all AC power (loss of offsite power and failure of both diesel generators).
The increased availability of the four AFW pumps also reduces the risk in other AFW system demand scenarios (although not as significant as the risk reduction associated with the loss of all AC power).
For events of the type postulated in Chapter 15 of the NRC Standard Review Plan (SRP) (NUREG-0800), the P4 design requires two AFW pumps to prevent the pressurizer from going solid, but only one of the four pumps is required to prevent an unrecoverable condition.
Therefore, for probabilistic risk assessment purposes, only one pump is required to ensure that the AFW system will function.
(This is similar to the South Texas design.)
In the SNUPPS plants, one pump is sufficient to prevent the pressurizer from becoming water solid (except for a main feedwater line break) primarily because the megawatt rating of the SNUPPS design is smaller than that of the P4 design (3400 MWt versus 3800 MWt).
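The risk argument above (a second turbine-driven pump mainly matters when all AC power is lost, and for PRA purposes one running pump is success) can be made concrete with a small k-out-of-n availability calculation. The block below is an added example, not an analysis from the report; the per-demand failure probabilities are constructed placeholder values, and it assumes independent pump failures and that motor-driven pumps are simply unavailable without AC power.

```python
"""k-out-of-n AFW system failure probability with an AC-power dependency.

Added example; pump failure probabilities below are constructed placeholders,
not data from the report or from any PRA.
"""
from itertools import product
from typing import List

Q_MOTOR = 0.02     # assumed per-demand failure probability, motor-driven pump
Q_TURBINE = 0.05   # assumed per-demand failure probability, turbine-driven pump

# Pump complements as described in the report (two vs. four pumps).
SNUPPS = ["motor", "motor", "turbine"]
P4 = ["motor", "motor", "turbine", "turbine"]


def pump_fail_prob(kind: str, ac_available: bool) -> float:
    """Motor-driven pumps cannot run at all without AC power (assumption);
    turbine-driven pumps are unaffected by the loss of AC."""
    if kind == "motor":
        return Q_MOTOR if ac_available else 1.0
    if kind == "turbine":
        return Q_TURBINE
    raise ValueError(f"unknown pump kind {kind!r}")


def system_failure_prob(pumps: List[str], required: int,
                        ac_available: bool) -> float:
    """Probability that fewer than `required` pumps run, by enumerating every
    run/fail outcome of the (independent) pumps."""
    if required < 1 or required > len(pumps):
        raise ValueError("required pumps must be between 1 and the pump count")
    qs = [pump_fail_prob(kind, ac_available) for kind in pumps]
    total = 0.0
    for outcome in product((True, False), repeat=len(pumps)):  # True = runs
        if sum(outcome) >= required:
            continue                      # system succeeds in this outcome
        p = 1.0
        for runs, q in zip(outcome, qs):
            p *= (1.0 - q) if runs else q
        total += p
    return total


if __name__ == "__main__":
    for name, pumps in (("SNUPPS", SNUPPS), ("P4", P4)):
        sbo = system_failure_prob(pumps, required=1, ac_available=False)
        ac = system_failure_prob(pumps, required=1, ac_available=True)
        print(f"{name}: P(fail | loss of all AC) = {sbo:.2e}, "
              f"P(fail | AC available) = {ac:.2e}")
```

Under these placeholder numbers the loss-of-all-AC case reduces to the turbine-driven pumps alone, so the SNUPPS figure is one turbine-pump failure probability and the P4 figure is its square; with AC available both designs already sit orders of magnitude lower, which is why the report rates the second steam-driven pump as mattering mainly for the station blackout sequence.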
Acceptance Criteria

The acceptance criteria for both the P4 and SNUPPS plants are basically the same as those given in SRP Section 10.4.9.
Both the P4 and SNUPPS AFW systems are protected against natural phenomena and the effects of pipe breaks because they are located in seismic Category I, flood, missile, and tornado protected buildings, and their pumps and active valves are located in separate rooms (as stipulated in General Design Criteria (GDC) 2 and 4 in Appendix A to Title 10 of the U.S. Code of Federal Regulations to Part 50 (10 CFR 50)).
In both designs the AFW systems are not shared between units (GDC 5).
Both systems are automatically initiated and can be controlled from the remote shutdown panels (GDC 19), and both have adequate isolation from non-essential systems and suitable redundancy in components and power sources (GDC 34 and 44).
The AFW systems for both designs can be tested and inspected during normal operation (GDC 45 and 46) and both designs have diverse power sources (NRC Branch Technical Position (BTP) ASB 10-1).
SNUPPS has one steam-turbine-driven pump, while the P4 plant has two steam-turbine-driven pumps.
BTP ASB 10-1 requires that an AFW pump be able to operate for at least 2 hours, independent of AC power.
Both the P4 and SNUPPS AFW systems are designed to allow the primary plant temperature to be brought to the RHR cut-in point from the control room, using only safety grade equipment and assuming the worst case single active failure (BTP RSB 5-1).
The SNUPPS design relies on the essential service water system for a safety grade water supply, while at the P4 plants the CST is the safety-grade source of water.
In addition, for the P4 plants, the French require that the two AFW trains be completely separate and independent.
The French require that the AFW system be able to respond to beyond-design-basis events by providing redundancy and a long-term water supply that is independent of AC power (see Section 2.3.2 below).
However, these features are not identified as specific acceptance criteria for the AFW system.
2.3.2 Resupply of Condensate Storage Tank Independent of AC Power

U.S. Plant Description

For long-term cooling, the CST in the SNUPPS plants can be resupplied with water from the demineralized water storage tanks using AC powered pumps.

French Plant Description

The P4 plant has the design capability to provide additional water to the AFW system for at least 20 hours following a complete loss of AC power by using gravity feed from the demineralized water storage tank to the condensate storage tank.
The French design also has additional sources of makeup to the CST that are also independent of AC power.
At seashore sites, this additional source of water is two soft water tanks that can be gravity drained to the CST via manual hose connections.
These design features provide for AFW supply for up to 3 days in the event of an extended loss of all AC power.
At inland sites, a mobile pumping unit (gasoline-or diesel-driven) can provide water from a river to the fire mains and then via hose connections to the CST.
In the event of loss of heat sink, these features can provide up to 30 days AFW supply if AC power is available (see discussion of procedure H1 in Section 3.20).
Analysis of Safety Significance

Both the SNUPPS and P4 plants have a long-term AFW supply capability when AC power is available.
The significant safety difference in the design relates to the capability to provide a long-term AFW supply independent of AC power, which the P4 plants do by using gravity feed from additional tanks to the AFW system.
However, adding just this capability at SNUPPS would not provide a significant decrease in risk because SNUPPS plants have no reactor coolant pump (RCP) seal cooling or reactor makeup capability under these conditions.
A charging pump independent of AC power would also be necessary.
If SNUPPS had the seal cooling capability, risk would be reduced by the addition of a long-term AC power-independent AFW supply.
The amount of risk reduction would be dependent on the probability that AC power would be restored within about 6 hours, assuming the present SNUPPS design (AFW only) is capable of operation without AC power for 6 to 8 hours.

Acceptance Criteria

The only related U.S. acceptance criterion is that the AFW system be capable of operation independent of AC power (BTP ASB 10-1) for at least 2 hours.
The U.S. designs usually meet this criterion by having one turbine-driven pump supplied from the condensate storage tank.
The SNUPPS design can probably operate the AFW system for 8 hours with AC power unavailable.
The French design criteria initially required (1) procedures and capability to maintain plant shutdown, assuming the complete loss of one redundant safety system, and (2) the capability to maintain safe shutdown for at least 20 hours without AC power sources.
Beyond-design-basis (H) procedures and ultimate (U) procedures are used to deal with the loss of redundant systems and the loss of AC power.
For the loss of AC power, gravity feed from existing water storage tanks is used to extend the AFW supply to 3 days, with longer term capability provided by mobile pumps or gravity feed from other onsite water sources.
2.3.3 Seven Safety-Relief Valves per Steam Generator

U.S. Plant Description

Each steam generator in the SNUPPS design and in other Westinghouse designs has five safety relief valves (SRVs), none with a power assist.

French Plant Description

Each steam generator in the P4 design has seven SRVs.
The seven SRVs are functionally divided into two groups, one of two and one of five.
The two SRVs in the first group, which open at a lower pressure than those in the group of five, are air-assisted to open and close.
The five SRVs in the other group are mechanically operated by system pressure to open and spring action to close.
The two power-assisted SRVs are in addition to the atmospheric dump valves on each steam generator.
Analysis of Safety Significance

The five unassisted SRVs in the P4 design provide protection against overpressurization identical to that provided by the five SRVs at SNUPPS and other U.S. plants.
However, the additional two power-assisted SRVs on each P4 steam line provide an additional level of overpressurization protection.
The P4 design, therefore, would provide a reduced risk against secondary system overpressurization.
At SNUPPS each SRV is set at a different opening pressure.
Therefore, only the minimum number of valves required to reduce the pressure (depending on the initiating event and initial conditions) will open.
At the P4 plants, generally both SRVs in the group of two have the same pressure setting, and each SRV in the group of five has the same pressure setting, which is higher than the setting for the group of two.
Therefore, either two valves open or all seven valves open.
At some P4 plants the group of five valves is split so that two valves open at a particular pressure setting while three valves open at a higher pressure setting.
Setting each steam generator safety valve at a different opening pressure, as in the U.S. design, results in a lower probability of valve chatter.
In the P4 plants more than the minimum number of valves required for overpressure protection might open because two or more valves are set at the same pressure.
Therefore, the risk reduction associated with improved overpressure protection might be offset by increasing the risk from overcooling accidents because of the possibility that more valves may stick open more frequently.
However, accumulated operating experience seems to indicate that such a probability is very low.
Acceptance Criteria

The acceptance criteria for French and U.S. plants regarding SRVs appear to be somewhat different.
For U.S. plants, the total number of SRVs is such that the single failure criterion is met.
For French plants, if more than three safety valves are used, it must be postulated that two will fail to open (instead of one as in the single failure criterion).
This requirement is based on a 1926 French regulation on pressure devices.
For U.S. plants, the minimum total capacity of SRVs must be sufficient to limit steam pressure to 110% of design; the French apply the same criterion to class 4 transients (using the American National Standards Institute (ANSI) N 18.2 classification). However, for class 2 transients, the French require that the steam pressure be limited to 100% of design pressure only.
With the margin between design pressure and operating pressure being the same for Paluel as for South Texas, more safety valves are required to meet the French criteria.
For both French and U.S. plants, the maximum capacity for each SRV must be limited to prevent excessive cooldown (uncontrolled steam generator blowdown) if a single SRV were inadvertently to open or stick open after opening.
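The two sizing rules just described (assume one valve fails to open, or two when more than three are installed; total capacity from the remaining valves must cover the relief demand; each valve's capacity is capped to limit blowdown from a stuck-open valve) combine into a simple count. The block below is an added example that applies those rules to constructed inputs; the demand fractions and per-valve capacities are placeholders chosen for illustration, not values from the report, so the counts it produces are only a demonstration of how the stricter French postulate and the tighter class 2 pressure limit push the valve count up.

```python
"""Steam generator SRV count under the U.S. and French failure postulates.

Added example with constructed inputs. Rules as described in the text:
  - U.S.: one valve is postulated to fail to open.
  - French: two valves are postulated to fail to open when more than three
    are installed, otherwise one.
  - The surviving valves must carry the full relief demand.
  - Each valve's capacity is limited to bound blowdown if one sticks open.
"""
import math


def postulated_failures(installed: int, rule: str) -> int:
    """Number of valves assumed not to open for a given installed count."""
    if rule == "us":
        return 1
    if rule == "french":
        return 2 if installed > 3 else 1
    raise ValueError(f"unknown rule {rule!r}")


def required_srv_count(relief_demand: float, per_valve_capacity: float,
                       rule: str, max_valve_capacity: float = None) -> int:
    """Smallest installed count such that the valves assumed to work still
    carry relief_demand. Capacities are fractions of the same reference flow."""
    if relief_demand <= 0 or per_valve_capacity <= 0:
        raise ValueError("demand and capacity must be positive")
    if max_valve_capacity is not None and per_valve_capacity > max_valve_capacity:
        raise ValueError("per-valve capacity exceeds the blowdown limit")
    must_open = math.ceil(relief_demand / per_valve_capacity)
    installed = must_open
    # Adding a valve can raise the failure postulate (French rule), so iterate
    # rather than adding the postulate once.
    while installed - postulated_failures(installed, rule) < must_open:
        installed += 1
    return installed


if __name__ == "__main__":
    # Constructed: each valve passes 25% of the reference flow; a 110% limit
    # is assumed to need 100% relief flow, a 100% limit (French class 2) 110%.
    print("U.S., 110% limit:", required_srv_count(1.0, 0.25, "us"))
    print("French, class 4:", required_srv_count(1.0, 0.25, "french"))
    print("French, class 2:", required_srv_count(1.1, 0.25, "french"))
```

The loop matters for the French rule: moving from three to four installed valves changes the postulate from one failure to two, so the count can jump by two where a single extra valve would be enough under the U.S. criterion. Raising the per-valve capacity to reduce the count is bounded by the blowdown limit, which is why the function rejects a capacity above `max_valve_capacity` rather than sizing with it.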
2.4 Four 100% Capacity Essential Service Water Pumps, and Four 50% Capacity Component Cooling Water Heat Exchangers

U.S. Plant Description

The component cooling water (CCW) system at SNUPPS consists of two separate 100% capacity essential trains with each train capable of being supplied by two 100% pumps (four pumps total).
Each train has one surge tank and one CCW heat exchanger cooled by the essential service water (ESW) system.
A common non-seismic header (loop) is used to supply nonsafety-related loads during normal operation. This common loop is connected to both essential trains via automatically operated safety grade isolation valves that close upon receipt of a safety injection signal (SIS), a surge tank low level signal, or high flow rate signal indicative of a pipe failure.
Redundant safety-related components cooled by the SNUPPS CCW system are the RHR heat exchangers, RHR pump seal coolers, centrifugal-charging pump-bearing oil coolers, SIS pump-bearing oil coolers, and the fuel pool heat exchangers. During normal operation, one pump in one of the safety-related loops is operated with the redundant safety related train isolated from the system.
If the pump should fail, the remaining pump in the same operating loop automatically starts.
If both pumps in one loop fail, one pump in the other loop automatically starts.
Upon loss of offsite power, one pump in each of the safety-related loops auto-matically starts when it is sequenced onto the diesel generator buses.
The remaining pumps stay in auto-standby.
The essential service water system for SNUPPS consists of two independent 100% capacity trains, with one 100% capacity pump per train; each pump is in standby during normal plant operation.
During normal plant operations, the ESW loads are supplied cooling water by the nonsafety grade station service water (SSW) system, which consists of three 50% capacity pumps that take suction from a source different from the ESW pumps.
The ESW pumps take suction from the seismic Category I ultimate heat sink (UHS), which is either a spray pond or cooling towers for the SNUPPS plants.
The two essential trains can be cross-connected through normally locked-closed isolation valves.
Each train of the ESW system is interconnected with the nonsafety-related SSW system.
The ESW system trains are automatically isolated from the SSW system by SIS, AFW low suction pressure, or loss-of-offsite power signals. The ESW system heat loads are all safety related, except for the air compressors, and include the diesel generators; safety-related heating, ventilation, and air conditioning systems; safety-related pump room coolers; and the containment air coolers.
French Plant Description

The CCW system for the P4 plants is essentially the same as that in the SNUPPS design except (1) the CCW system for the P4 plants also supplies the loads that are cooled directly by the ESW system at SNUPPS, and (2) each train has two 50% capacity heat exchangers in lieu of one 100% capacity heat exchanger (Figure 2.6).
The ESW system at the P4 plants consists of two 100% capacity trains, with each train supplied by two 100% capacity pumps (Figure 2.7).
During normal plant operation, one train of the ESW system is in continuous operation providing cooling to the CCW/ESW heat exchanger of the operating CCW train. The CCW system is the only heat source to the ESW system, whose pumps take suction from the UHS.
Analysis of Safety Significance

The design differences between the CCW and ESW systems of the U.S. and French designs are not significant from a safety standpoint.
The French design provides operational flexibility because one 50% capacity heat exchanger has sufficient capacity for removing heat loads during normal plant operation. Therefore, one heat exchanger in one train can be taken out of service for maintenance (i.e., tube cleaning) during normal plant operation without completely shutting down the train. This reduces potential unnecessary shutdowns because of technical specification requirements in the event of heat exchanger fouling.
There also is no identifiable safety significance with regard to the use of four CCW pumps and four ESW pumps.
In both the U.S. and French designs four CCW pumps are used to prevent unnecessary shutdowns because of technical specification requirements in the event of major overhaul of a CCW pump.
The purpose for the four ESW pumps of the French design is the same.
Because the SNUPPS plants do not normally use the ESW pumps during plant operation, major pump repairs are much less likely to be needed.
U.S. plants that use the ESW system during normal plant operation will generally have at least two 100% capacity pumps per train to better meet technical specification requirements.
The cross-connections in the SNUPPS ESW system provide some additional operating flexibility should difficulties in individual components in one train occur.
Similarly, the ESW connections between units at P4 plants provide additional reliability if the UHS of one unit is lost because pump suction is blocked.
Acceptance Criteria
The acceptance criteria for both the SNUPPS and the French plants are basically the same as those given in SRP Sections 9.2.1 (Service Water System) and 9.2.2 (Reactor Auxiliaries Cooling Water System).
Both the CCW and ESW systems (in the SNUPPS and French plants) are protected against natural phenomena.
The systems are designed to meet seismic Category I requirements and are located in seismic Category I, wind- and tornado-missile-protected structures that also provide protection against design-basis floods.
[Figure 2.6 P4 CCW system: figure not reproduced]
[Figure 2.7 P4 ESW system: figure not reproduced]
All connections to nonseismic portions of the systems can be isolated by seismic Category I, automatically operated isolation valves so that a single failure will not prevent either system from performing its safety function (GDC 2).
Each of the two trains of the CCW and ESW systems (in the U.S. and French plants) is located in a separate cubicle or room so that flooding, harsh environment, pipe whip, and jet impingement resulting from a pipe break or internally generated missile could only affect components in that particular room or cubicle (GDC 4).
The SNUPPS plants are single units; therefore, there is no concern about shared facilities (GDC 5).
In the P4 design, there is no sharing of the CCW system.
During normal operating or accident conditions, the ESW at the P4 plants also is not shared. However, the ESW headers of one unit can be cross-connected with the ESW headers of another unit via manually operated, normally closed valves as shown in Figure 2.7, which would meet GDC 5.
Both the CCW and ESW systems in the U.S. and French plants have suitable redundancy and capacity to reliably transfer heat loads, including decay heat, from safety-related structures, systems, and components (GDC 44).
The systems are inspected and tested periodically (GDC 45).
2.5 Small Steam-Driven Generator for Reactor Coolant Pump Seal Cooling and Selected Instrumentation and Controls
U.S. Plant Description
Reactor coolant pump (RCP) seal cooling at SNUPPS is provided by seal injection via the chemical and volume control system (CVCS), and thermal barrier cooling is provided via the component cooling water (CCW) system.
Operation of either system will adequately cool the seals.
Both sources of RCP seal cooling at SNUPPS depend on AC power to the vital buses via offsite power or the emergency diesel generators following loss of offsite power.
Also, instrumentation and controls used to achieve and maintain hot standby at SNUPPS depend on vital bus power supplies or batteries.
French Plant Description
Under normal operating conditions the RCP seals at the P4 plants are cooled in the same way as the seals at SNUPPS (i.e., the CCW system via the thermal barrier and injection via the CVCS).
However, if all AC power were lost (station blackout), the RCP seals at Paluel would be cooled by injection from a hydraulic test pump that automatically gets power from a steam-driven generator that takes steam from the steam generators upstream of the main steam isolation valves (see Figure 2.8).
(The test pump is normally used for periodic hydraulic tests of the primary cooling system and connected systems.) The steam-driven generator also provides power to control room lighting and to instrumentation and controls for monitoring the primary and secondary plant parameters necessary to achieve and maintain hot standby.
Necessary control power is also provided to maintain RCP seal cooling and auxiliary feedwater (AFW) system operation.
A gravity feed backup water supply from onsite sources to the condensate storage tank provides additional water for decay heat removal via the AFW system for long duration station blackouts.
The French H3 procedure covers loss of all AC power events.
(Section 2.20 of this report discusses the emergency operating procedures.)
Analysis of Safety Significance
The initial design basis of the P4 plants called for achieving and maintaining hot standby conditions independent of AC power supplies for at least 20 hours.
In practice, the design features discussed above that provide this capability permit the plant to withstand a station blackout for 3 days.
This 3-day station blackout capability would allow sufficient time to connect a mobile gas turbine generator to provide power if AC power could not be restored from other preferred sources.
(See Section 2.7.2 of this report for additional description of the mobile gas turbine generator.)
The SNUPPS plants can remove decay heat following a complete loss of all AC power for a limited period of time by using the AFW system (one turbine-driven pump; the P4 plant has two turbine-driven AFW pumps).
Seal cooling or primary system makeup cannot be provided by the SNUPPS design if AC power is unavailable.
Therefore, hot standby can only be achieved and maintained so long as the RCP seals can retain their integrity without being cooled.
The French estimated that if RCP seals did not maintain their integrity, there would be approximately 3 hours before an unrecoverable condition was reached, assuming AFW flow is available, and there would be approximately 1 hour if AFW flow is not available.
If RCP seals hold up, safe hot standby is limited by the batteries that supply instrumentation and by the amount of water in the condensate storage tank (CST) or by the ability to resupply the CST from an alternate source.
Battery depletion at SNUPPS (more limiting than CST capacity) would probably occur between 6 and 8 hours if DC loads are shed.
Given the loss-of-offsite power experience and the past reliability of diesel generators, the P4 design provides a significant reduction in risk from loss of all AC power, which can be one of the major contributors to overall plant risk.
Acceptance Criteria
The only related acceptance criterion for U.S. plants is in SRP Section 10.4.9 (NUREG-0800), which requires that the AFW system be capable of delivering water to the steam generators for at least 2 hours following a loss of all AC power.
The SNUPPS design provides this capability via the turbine-driven pump with controls and instrumentation powered by a battery-backed bus.
The NRC has issued a proposed rule for comment (51 FR 9829) that, if implemented, would require plants to be able to cope with a station blackout for some specified period of time (but not as long as the French design).
Initially the French (P4) criterion for station blackout required the capability to achieve and maintain hot standby for at least 20 hours.
Additional probabilistic risk studies by the French later led to extending this time to 3 days.
The use of a turbine-driven electrical generator for operation of the positive displacement charging pump, instrumentation and controls, and control room lighting, coupled with the two steam-driven AFW pumps and long-term (AC-independent) AFW supply, provides this capability.
[Figure 2.8 French backup turbine generator for station blackout: figure not reproduced; labelled elements include the steam generator, main steam line, turbine-driven AFW pump, turbine generator, compressed air tank, instrumentation and controls, control room lighting, motor-driven test pump, RWST, RCS, and reactor coolant pump]
2.6 Self-Cooled Safety-Related Pumps
U.S. Plant Description
The essential cooling water for safety-related pumps and pump motors at U.S. power plants generally is provided by room (unit) coolers and oil coolers that are supplied cooling water from CCW, ESW, or chilled water.
For example, at SNUPPS the CCW system provides cooling water to the RHR pump seal coolers, centrifugal- and positive-displacement charging pump-bearing oil coolers, and the safety-injection pump-bearing oil coolers, so that if the CCW system should fail, the dependent pumps are also considered failed or will fail in a short time.
(At the South Texas plant the safety injection pumps are self cooled by the pumped fluid.) The SNUPPS ESW system provides cooling water to all safety-related pump room coolers, which, in turn, cool the motors.
The turbine-driven AFW pump is self-cooled by the pumped fluid.
French Plant Description
Essential cooling for safety-related pumps at the P4 plants is provided by various sources depending on the pump in question.
The CCW system at the P4 plants provides cooling to unit coolers (and possibly oil coolers) for the containment spray pumps, safety injection pumps, RHR pumps, and the CCW pumps.
The P4 charging pumps are cooled by a radiator and fan driven by the pump shaft.
The charging pump motors and lube oil coolers are cooled by air so that there is no dependence on cooling water systems (CCW or ESW).
The motor-driven AFW pumps are also independent of cooling water systems because their motors and lube oil coolers are cooled by the pumped fluid.
As in the SNUPPS design, the P4 turbine-driven AFW pumps are self cooled by the fluid being pumped.
Analysis of Safety Significance
The ability to operate the charging pumps and AFW pumps without dependence on auxiliary cooling water systems (CCW, ESW, or chilled water) may provide a significant decrease in risk from a core melt resulting from the loss of CCW or ESW, including the ultimate heat sink.
The risk reduction depends on the probability of total loss of the CCW system.
If the CCW system--including the ESW system and UHS--is highly reliable, risk reduction would be small.
If the CCW system, ESW system, or UHS is not highly reliable, or if the loss of the UHS or ESW system because of sabotage is a significant risk, then the risk reduction would be high.
It appears that at least a moderate reduction in risk is achieved by this design feature coupled with procedure H1, Total Loss of Heat Sink.
At most U.S. plants a loss of CCW will result in an inability to provide primary makeup and cool the RCP seals after some time period, assuming that the charging pumps could run temporarily without cooling water.
Also in U.S. plants, decay heat removal through the steam generators could only be provided by the turbine-driven AFW pump.
The motor-driven AFW pumps, whose bearings may or may not be self cooled at U.S. plants, generally use CCW or ESW as the cooling medium for removal of heat from the pump motors, usually by indirect room cooling.
Thus, they are of limited usefulness given a loss of the support system.
This design could produce a LOCA as a result of RCP seal failure without makeup in the event of a loss of ESW that cools CCW.
The French design has three charging pumps and four AFW pumps available independent of support system cooling, thus providing a very reliable means of maintaining safe hot standby conditions for a long time.
Acceptance Criteria
The U.S. acceptance criteria are basically the single failure criterion and pipe break criteria for dual purpose moderate energy systems.
The design of the CCW system and ESW system that support the charging pump and motor-driven AFW pump operation is such that they are capable of performing their function when only one single active failure or one single passive failure is postulated.
In addition to meeting the U.S. criteria, the French design includes an overall plant requirement that safe shutdown conditions be maintained following the loss of any redundant system, including RHR, CCW, ESW, and AFW.
This requirement is associated with "beyond-design-basis events," which are addressed in the French H and U procedures (see Section 2.20).
2.7 Electric Power and Instrumentation and Control
2.7.1 DC Electric Power Supplies
U.S. Plant Description
SNUPPS has four safety-related DC power supplies and five nonsafety-related DC power supplies.
The four safety-related DC power supplies consist of four independent lead-acid batteries, each with its own battery charger, distribution boards, and inverter.
One spare battery charger and one spare inverter are also provided in the event that a charger or inverter for the safety-related DC system is out of service.
The batteries provide power through the inverters to the four channels of the reactor protection and engineered safety features systems.
The batteries also provide power to other essential loads such as controls for the steam-driven auxiliary feedwater train, main control room emergency lighting, and switching power for essential equipment.
The batteries have sufficient capacity to power their loads for about 3-1/2 hours in the event of an accident with the charger unavailable.
French Plant Description
The Paluel design utilizes 17 DC power supplies, 12 that are Class 1E and 5 that are not safety related.
These power supplies are organized into separate dedicated purpose batteries according to the loads they feed.
Of the 12 Class 1E batteries (Figure 2.9), there are four separate batteries (125 V) for the four reactor protection system (RPS) channels, two for electromagnetic relays (48 V), two for electromagnetic and motor-operated valves (125 V), another two for switchgear control inside the electrical building (125 V), and the final two supply inverters that feed the "controbloc" (230 V).
The Class 1E batteries are separated into two divisions (A line and B line).
The batteries of the A line are lead-acid and those of the B line are nickel-cadmium.
Except for the four RPS batteries, each of these power supplies is comprised of a battery, two battery chargers (one normal charger fed from a safety-related bus and one backup charger fed from a nonsafety-related bus), and a distribution panel.
The four DC power supplies for the RPS (SPIN and UATP) have one charger and an inverter each.
In normal operation, the chargers for both A and B lines supply the power necessary for DC loads with the batteries in a floating mode.
[Figure 2.9 Class 1E DC power supplies for Paluel (12 batteries): figure not reproduced]
If the chargers are unavailable, power is supplied by the batteries.
Both the A and B battery lines have a design-basis capacity of 1 hour, but probably have additional capacity.
If one battery is unavailable or in maintenance, one of the chargers can supply DC power.
The five non-Class 1E batteries (Figure 2.10) feed nonsafety-related loads.
Two of these sources feed the regulation system that is used for control during normal plant operation; two feed pumps for lubrication of normal feedwater pumps and the turbine; and one provides backup power for computer data acquisition used by the operators during normal plant operation.
One of the sources that feeds the adjustment track also provides DC power to allow the operator to monitor various plant parameters during a total loss of offsite and onsite power (station blackout).
To increase the capacity of this source in the event of a station blackout, nonessential loads would be shed.
If AC power is unavailable for a long duration, this battery can be charged by the steam-turbine-driven generator, as discussed in Section 2.4 of this report.
During a station blackout, this battery provides power for annunciators and indicators in the control room.
Control of the steam-driven auxiliary feedwater flow is accomplished by manual local control, in accordance with the French H3 procedure.
All the instrument and control cables of the nonsafety-related circuits are run together with those of the safety-related circuits, because both depend on the A line batteries.
In addition to the 17 batteries discussed above, the P4 design has three additional non-Class 1E DC power supplies that provide power for nonsafety-related loads for multiple units on the same site.
These loads include those for plant security and for other common site auxiliaries such as demineralized water.
Analysis of Safety Significance
This analysis considers separately five aspects of the DC electric power supply system.
These are (1) the number and arrangement of the batteries, (2) diversity, (3) capacity, (4) number of battery chargers, and (5) interfaces between safety-related and nonsafety-related circuits.
Number and Arrangement of Batteries
A basic difference between the SNUPPS design and the Paluel design is the number of DC power supplies and manner in which they are arranged.
At SNUPPS there are four general purpose safety-related DC power supplies.
These are separated into four divisions that supply power to all safety-related loads requiring DC power.
(This is fairly typical of recently licensed U.S. plants.) At Paluel there are more power supplies, but they are basically separated into two divisions (the RPS has four divisions) and are organized as separate, dedicated-purpose power supplies according to the loads they feed.
This arrangement could result in a less reliable system than at U.S. plants if the loads the batteries feed are greatly interrelated; if the loads are not interrelated and the DC buses are physically and electrically independent, the system could be somewhat more reliable than the SNUPPS design.
Although U.S. plants do not generally use dedicated batteries in the safety systems, some U.S. designs include this usage to a limited extent.
For instance, some plants use dedicated batteries for diesel generator control, and some boiling water reactors use them for a portion of their RPS logic circuits.
[Figure 2.10 Schematic of nonsafety DC electrical power supplies for Paluel (5 batteries): figure not reproduced; labelled loads include control, permanent lubrication, emergency lubrication for main feedwater pumps, power for lubrication groups, adjustment track, and instrumentation and control in event of station blackout. Note: battery charged by emergency turbine-driven generator in event of station blackout.]
Diversity
Another difference between a typical U.S. plant and the Paluel design is the type of batteries used.
Paluel utilizes lead-acid batteries in one division (A line) and nickel-cadmium in the other division (B line).
This diversity of power supplies makes for a lower probability of common mode failure.
Typical U.S. plants use only lead-acid batteries in their designs.
A few have used nickel-cadmium batteries in dedicated power supplies in such areas as diesel generator control or lighting, but none have separate divisions of lead-acid and nickel-cadmium batteries.
Capacity
The batteries at Paluel have a design capacity of 1 hour (they can probably last longer), compared with a typical U.S. plant battery capacity of 2 to 4 hours.
However, in the event of a station blackout Paluel uses a battery that can provide DC power for about 20 hours and, with the addition of the steam-driven generator (see Section 2.5), can provide DC power for up to 3 days for this event.
Typical U.S. plants must rely on their normal safety-related battery systems for support during this event.
If load shedding can be utilized, these batteries should have an endurance longer than the normal 2 to 4 hours, but not as long as 20 hours.
The Paluel design, therefore, has a greater margin of safety for battery endurance during a station blackout event.
Battery Chargers
The Paluel design has two battery chargers for most safety-related batteries.
The backup charger is connected to a nonsafety-related bus.
The SNUPPS design has one spare charger that can be wired in as a replacement for any of the four normal safety-related chargers.
Some U.S. plant designs have two chargers per battery, both connected to safety related buses.
This Paluel design feature is considered to be of minor safety significance because the backup charger is connected to a nonsafety-related bus.
Its primary advantage is that it provides operational flexibility if one of the buses is unavailable.
Safety-Related/Nonsafety-Related Interfaces
The Paluel design has nonsafety-related control circuits connected to the A line batteries.
In most currently licensed U.S. designs, nonsafety-related control circuits are fed from separate nonsafety-related batteries.
Earlier designs used both divisions of safety-related batteries to power nonsafety loads to a greater extent.
It is preferable to power nonsafety loads from their own batteries so the reliability of safety-related batteries is not reduced.
Acceptance Criteria
The U.S. acceptance criteria for the vital DC distribution systems are given in Table 8-1 of the SRP (NUREG-0800) and are based primarily on the General Design Criteria (in Appendix A to 10 CFR 50).
These criteria require that the vital DC distribution systems have redundancy, meet the single failure criterion, be testable, and have the capacity and reliability to supply power to all the required safety loads.
The onsite DC power system at SNUPPS meets the redundancy and single failure criteria by utilizing four independent distribution system divisions, each of which is powered by an independent battery and battery charger.
Each division meets the capacity and capability requirements by utilizing battery chargers with sufficient capacity to supply the largest combined demand of all the steady-state loads connected to it.
Although no specific criterion exists for battery endurance (as part of the resolution of NRC Unresolved Safety Issue A-44, Station Blackout, specific criteria may be developed), the turbine-driven AFW train must be available for 2 hours assuming a total loss of AC power.
The SNUPPS batteries, which support the turbine-driven AFW pumps, have a capacity of about 3-1/2 hours, which meets this requirement.
The SNUPPS DC vital onsite systems further meet the redundancy and reliability requirements by physically separating the power supplies to the redundant divisions in separate rooms in a seismic Category I building and physically separating the switchgear and cabling of redundant divisions according to the requirements of Standard 384 of the Institute of Electrical and Electronics Engineers (IEEE) and NRC Regulatory Guide 1.75, "Physical Independence of Electric Systems."
The French acceptance criteria for the vital DC distribution systems are basically the same as the U.S. criteria.
They meet the redundancy, single failure, and testability criteria by providing DC power supplies and associated distribution circuits that are divided into two separate and redundant divisions (RPS DC supplies are separated into four divisions).
They further meet the French station blackout criterion by providing a battery-backed DC power supply that has an endurance of at least 20 hours while providing power to monitor various reactor system parameters during this event.
2.7.2 Gas Turbine To Back Up Diesel Generators
U.S. Plant Description
There are no gas turbines for backup AC power in the SNUPPS design.
Some U.S. plants do use gas turbines located on the site or nearby, primarily as peaking units or to provide a black start capability.
These can often be connected to supply the station's safety-related loads through the normal offsite circuits.
French Plant Description
In the Paluel design, gas turbines can be utilized as a source of backup emergency AC electrical power in the event of a station blackout.
A mobile gas turbine generator is located either at the site or in the region so that it can be transported to the site in the event of a station blackout.
The gas turbine is only the second priority source of power in a station blackout event.
The first priority is resupplying the blacked-out unit from a neighboring unit at the site on house load operation (main generator on line supplying its unit's normal auxiliary load) via the 400-kV switchyard.
If needed, the gas turbine would be connected through a series of switchgear in a connection cabinet at the site to the main safety-related buses for the reactor units (Figure 2.11).
[Figure 2.11 Backup connection for mobile gas turbines: figure not reproduced; shows Units 1 through 4 with safety-related buses 1LHA, 1LHB, 2LHA, 2LHB, 3LHA, 3LHB, 4LHA, and 4LHB, the connection cabinet, and the gas turbine]
The mobile unit could be transported to the site and connected to provide backup AC power within 3 days after a station blackout.
If the gas turbine were located on the site (as it is at Paluel), backup AC power could be available in less than 3 hours. If both the first and second priority sources of power fail, the last resort is to resupply the blacked-out unit with the diesel generators of a neighboring onsite unit through the same connection cabinet used for the gas turbine.
It would take about 3 hours to complete this connection.
Analysis of Safety Significance
The provisions taken by the French to resupply power to a reactor unit in the event of a station blackout improve the plant's capability to respond to such events.
The additional safety benefit of this design feature depends on the reliability of the offsite and onsite emergency AC power supplies (i.e., the likelihood of a station blackout) and the plant's ability to cope with a loss of all AC power. These features could provide significant benefits for reducing the risk from such events.
Because the "last resort" might be necessary (resupplying the blacked-out unit with diesel generators from another onsite unit), care must be exercised in the design of the switchgear and procedures used to connect the neighboring diesel generator to the redundant safety buses because these have a potential of increasing the common mode failure probability for the safety buses on more than one unit.
Acceptance Criteria
The only current U.S. requirement applicable to station blackout events is that utilities have procedures to deal with such events. There is no requirement that a turbine be available as a backup power source in the event of a station blackout.
Station blackout has been identified as NRC Unresolved Safety Issue A-44, and a technical resolution has been proposed by the NRC staff.
The proposed resolution would require nuclear power plants to be capable of coping with a station blackout for up to 8 hours.
The French objective for the P4 plants is to reach a probability of core melt due to loss of all AC electrical power supply of 10^-7 per reactor year.
This objective is not a regulatory requirement, but it has led to the implementation of the gas turbine discussed above, other design features discussed in Section 2.5 of this report, and the H3 procedure for loss of all AC electrical power (Section 2.20).
2.7.3 Protection System Logical Processing and Reactor Trip Scheme
U.S. Plant Description
Logical Processing
The Westinghouse-designed protection system used in the SNUPPS reactor consists of plant process instrumentation that monitors various plant parameters.
Typically, there are four redundant instrument channels per parameter.
The outputs of these instrument channels are used as inputs to each of two redundant trains of logic circuitry (trains A and B).
NUREG-1206 2-28
When two out of four instrument channels for a given parameter are in the tripped state (i.e., the setpoint is exceeded),
the two-out-of-four logic of each train is satisfied, which results in actuation of the associated reactor trip breakers and engineered safeguard systems for the respective train.
This is representative of one level of logical processing where satisfaction of any logic will activate the respective train of equipment (see Figure 2.12).
The reactor trip system used in Combustion Engineering (CE) reactors consists of plant process instrumentation that monitors various plant parameters.
Typically, there are four redundant instrument channels per parameter.
The outputs of these instrument channels are used as inputs to six logic matrices, one for each possible combination of two instrument channels.
Each logic matrix performs an "AND" logic function.
This requires that both instrument channels providing inputs to a given logic matrix be in the tripped state (i.e., the setpoints must be exceeded) so that the logic matrix may generate a reactor trip signal. When any one of the six logic matrices is satisfied, all four groups of reactor trip breakers will receive actuation signals to open.
Details of the CE breaker scheme are discussed below.
This is representative of one level of logical processing where satisfaction of any logic matrix will actuate all reactor trip breakers (see Figure 2.13).
Logic Technology
As described above, in the SNUPPS design the outputs of the protection system instrument measuring channels are used as inputs to each of two redundant trains of logic circuitry (trains A and B).
It takes two of the four channels of a given parameter to satisfy the two-out-of-four logic.
The logical processing is performed within the solid-state protection system (SSPS).
The SSPS receives digital inputs (voltage/no voltage via a bistable relay interface) from the process variables corresponding to conditions of the plant parameters.
The SSPS combines these signals to form the required logic combination to generate the necessary trip signal. The SSPS electronics are constructed of integrated circuits and discrete components mounted on modular printed circuit boards for the performance of logical processing.
Reactor Breaker Trip Scheme
The SNUPPS reactor trip system design consists of two main reactor trip breakers in series, each with its own bypass breaker, which is connected in parallel.
The bypass breakers are withdrawn (are out of service) during normal plant operation and are used only for testing the main reactor trip breakers.
When either of two series-connected reactor trip breakers opens, power to the control rod drive latching mechanisms is interrupted, thus allowing all control rods to drop into the core by gravity.
Each main reactor trip breaker and its associated bypass breaker (when in service) are actuated by one of two logic trains. Automatic actuation of a reactor trip breaker occurs when its associated train logic is satisfied (two-out-of-four for a given parameter).
Either breaker will open on loss of voltage or application of voltage to its associated undervoltage or shunt trip mechanisms (see Figure 2.12).
It should be noted that generic actions related to U.S. reactor trip systems are underway in accordance with NUREG-1000, "Generic Implications of ATWS Events at the Salem Nuclear Power Plant." One significant action required is implementation of an automatic shunt trip scheme for Westinghouse designs.
[Figure 2.12 Westinghouse protection system (diagram not reproduced): plant process instrument channels (sensors, transmitters, bistables, etc.) and field contacts feed the solid-state train A and train B coincident logic; each train drives its safeguards actuation train and its reactor trip breaker (RTB A, RTB B) with bypass breaker (BYB A, BYB B); manual reactor trip buttons; 125 V DC control power; the rod control system M-G sets supply the rods; monitoring functions (computer, annunciators). Key: UV = undervoltage trip attachment; ST = shunt trip device; RTB = reactor trip breaker; BYB = bypass breaker; M-G = motor generator.]
[Figure 2.13 CE reactor trip scheme (diagram not reproduced): M-G set 1 and M-G set 2 (motor generators) each supply 1/2 of the rods through trip breakers fitted with UV and ST devices, operated by relays K3 and K4 or by manual trip, from 125 V DC vital supplies. Key: CEDM = control element drive mechanism; M-G = motor generator.]
[A further breaker and relay diagram follows in the original; its caption and content were not recovered.]
Current CE designs are similar to the Paluel reactor protection system design in that they incorporate eight reactor trip breakers arranged in two parallel paths.
The breakers are combined in four groups of two.
Each path contains two parallel combinations of breakers (four total) with each parallel combination representing one group.
A selective two of the four combinations is required for a full scram.
Each breaker will trip open upon actuation of either an undervoltage trip device (de-energize to actuate) or a shunt trip attachment (energize to actuate) (see Figure 2.13).
French Plant Description
Logical Processing
The Paluel reactor protection system contains process instrumentation that monitors various plant parameters.
Each physical parameter is measured using four sensor channels that provide inputs directly to four separate and independent parameter reception and logic processing units that are used for reactor trip and engineered safeguards actuation.
Each unit performs redundant two-out-of-four logic processes on the incoming signals from each parameter channel (i.e., one two-out-of-four logic process for reactor trip and one for engineered safeguards actuation).
Two of the four two-out-of-four reactor trip logic processes for a given parameter must be satisfied to produce a reactor scram.
Each two-out-of-four logic process operates its respective group of two reactor trip breakers. As noted below, operation of any combination of two of the four reactor trip breaker groups will produce a scram.
Thus, two of the four two-out-of-four logics must be satisfied and both breakers associated with each logic must operate (four out of eight total) to produce a reactor scram (see Figures 2.14 and 2.15).
The protection system includes two additional logical processing units for engineered safeguards actuation.
Inputs to each of the two additional safeguard actuation processing units are provided by each of the four safeguards' two-out-of-four logic processes obtained from the reception and logic processing units discussed above.
Each of these two-out-of-four signals enters the additional safeguards actuation logic units and is then processed as two-out-of-four logical combinations taken twice.
This design is representative of cascading logical processing (two levels of logic) where two of the four two-out-of-four logics taken twice are required to actuate engineered safeguards (see Figure 2.14).
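The three voting schemes described above (the Westinghouse two-train two-out-of-four, the CE six AND matrices, and the Paluel cascade of four UATP two-out-of-four votes driving four breaker groups, with the ULS two-out-of-four taken twice for safeguards) can be written down as a small Boolean model. The block below is an added example for this report, not code from the report, from Westinghouse, CE, or the SPIN system; every function name, the `train_healthy`, `breaker_opens` and `forced` fault parameters, and the channel states are constructed for illustration. It checks that the CE six-matrix arrangement is the same Boolean function as two-out-of-four, and shows what the Paluel four-of-eight breaker rule and the two-level safeguards logic do when one breaker fails to open or one unit is stuck in the trip state.

```python
"""Voting-logic models of the trip schemes: Westinghouse (SNUPPS), CE, and Paluel (SPIN).
Added illustration; names and fault parameters are constructed, not the vendors' own."""
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple


def two_of_four(partial_trips: Sequence[bool]) -> bool:
    """Generic 2-out-of-4 coincidence over four redundant channel states."""
    if len(partial_trips) != 4:
        raise ValueError("2oo4 logic needs exactly four inputs")
    return sum(bool(x) for x in partial_trips) >= 2


# --- Westinghouse / SNUPPS: one level of logic, two redundant trains -----------------
def westinghouse_scram(channels: Sequence[bool], train_healthy=(True, True)) -> bool:
    """Trains A and B each evaluate 2oo4 on the same four channels and each opens its
    own series-connected trip breaker; either breaker opening drops the rods.
    train_healthy[i] False models a train (or its breaker) that fails to act."""
    trains = [two_of_four(channels) and healthy for healthy in train_healthy]
    return any(trains)


# --- Combustion Engineering: six AND matrices, one per pair of channels --------------
def ce_satisfied_matrices(channels: Sequence[bool]) -> List[Tuple[int, int]]:
    """Return the channel pairs whose AND matrix is satisfied (both channels tripped)."""
    return [p for p in combinations(range(4), 2) if channels[p[0]] and channels[p[1]]]


def ce_scram(channels: Sequence[bool]) -> bool:
    """Any satisfied matrix signals all four breaker groups to open."""
    return bool(ce_satisfied_matrices(channels))


def ce_matches_two_of_four() -> bool:
    """Check over all 16 channel states that 'some pair both tripped' equals 2oo4."""
    states = [[bool(bits & (1 << i)) for i in range(4)] for bits in range(16)]
    return all(ce_scram(s) == two_of_four(s) for s in states)


# --- Paluel / SPIN: four UATPs, each 2oo4, each driving one group of two breakers ----
def uatp_outputs(channels: Sequence[bool], forced: Optional[Dict[int, bool]] = None) -> List[bool]:
    """Each of the four UATPs runs its own 2oo4 on the four channels of a parameter.
    `forced` pins a UATP's output (e.g. {2: True} = unit stuck in the trip state)."""
    forced = forced or {}
    return [forced.get(i, two_of_four(channels)) for i in range(4)]


def paluel_scram(uatp_trips: Sequence[bool], breaker_opens: Sequence[bool] = (True,) * 8) -> bool:
    """UATP g commands breaker group g (breakers 2g and 2g+1). A group counts as open
    only if both breakers open (2oo2 within the group); two of the four groups open
    (four of eight breakers) produce a scram. breaker_opens[j] False models breaker j
    failing to open on command."""
    groups_open = [
        uatp_trips[g] and breaker_opens[2 * g] and breaker_opens[2 * g + 1]
        for g in range(4)
    ]
    return sum(groups_open) >= 2


def paluel_esf(uatp_esf_trips: Sequence[bool]) -> bool:
    """One ULS unit: the four UATP safeguards 2oo4 results are voted 2oo4 in each of
    two identical subsystems ("taken twice"), then combined 2oo2 before actuation."""
    subsystem_a = two_of_four(uatp_esf_trips)
    subsystem_b = two_of_four(uatp_esf_trips)
    return subsystem_a and subsystem_b


def single_stuck_unit_actuates() -> Dict[str, bool]:
    """Failure-mode check: no channel tripped, one UATP stuck in the trip state."""
    trips = uatp_outputs([False] * 4, forced={2: True})
    return {"scram": paluel_scram(trips), "esf": paluel_esf(trips)}


if __name__ == "__main__":
    two_tripped = [True, True, False, False]   # constructed channel states
    print("Westinghouse:", westinghouse_scram(two_tripped))
    print("CE matrices :", ce_satisfied_matrices(two_tripped), "->", ce_scram(two_tripped))
    print("Paluel      :", paluel_scram(uatp_outputs(two_tripped)))
    print("CE == 2oo4  :", ce_matches_two_of_four())
    print("stuck UATP  :", single_stuck_unit_actuates())
```

The model deliberately stops at the group level: it does not reproduce the physical series/parallel wiring of the eight breakers in Figure 2.15, only the rule the text states (both breakers of a group must open, and two groups suffice). The `single_stuck_unit_actuates` check is the case the two-level logic is meant to tolerate: one unit whose output is stuck in the trip state produces neither a scram nor a safeguards actuation on its own.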
Logic Technology
The Paluel design incorporates within the reactor protection system a dynamic logic process based on "electromagnetic" technology.
The conventional logic used by Westinghouse plants (SNUPPS) has various failure modes so that logic states corresponding to the failure cannot be predicted.
The dynamic logic used in the P4 design is fail safe in that all failure modes can be predicted and thus the detectable failure can be turned into a signal triggering a safety action.
[Figure 2.14 Paluel reactor protection system logic (diagram not reproduced): instrument channel outputs feed UATP I, II, III and IV; each UATP performs 2/4 logic for emergency shutdown and 2/4 logic for each of ULS train A and ULS train B; within each ULS train the two 2/4 results are combined 2/2 to actuate the engineered safety features. Key: UATP = data and processing units; ULS = engineered safeguards logical units.]
[Figure 2.15 Paluel reactor breaker trip scheme (diagram not reproduced): motor generator sets M-G 1 and M-G 2 feed the control rods supply through breakers associated with UATP I through UATP IV.]
Figure 2.16 shows the principle of the dynamic logic used in the P4 design: state 0 is the normal state, which corresponds to a 1000-Hz frequency variation between the high and low level voltages.
The normal state is thus associated with this 1000-Hz coding waveform.
Any other state (i.e., any output of the device that does not exhibit the 1000-Hz waveform) is viewed as a state requiring the safety action.
Examples of such states are low level DC voltage, high level DC voltage, or commutation at a frequency other than 1000 Hz.
They all correspond to state 1 and trigger the safety action.
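The fail-safe property can be made concrete by treating the logic output as a sampled waveform and asking whether it is still commutating at 1000 Hz. The block below is an added example for this report, not EDF's or the ULS hardware's implementation: the sample rate, window length, voltage levels and the +/-10% frequency tolerance are constructed assumptions, and the transformer-based magnetostatic device is replaced by a transition count over the samples. It shows why the stuck-low output that conventional static logic reads as "normal" is classified as state 1 (action) by the dynamic scheme, alongside the stuck-high and wrong-frequency outputs the text lists.

```python
"""Dynamic (fail-safe) logic signalling versus conventional static logic.
Added illustration; sample rate, levels and tolerance are constructed assumptions."""
from typing import Dict, List

SAMPLE_RATE_HZ = 20_000     # constructed: 20 samples per 1000-Hz period
WINDOW_S = 0.010            # constructed: classify 10 ms of signal at a time
NOMINAL_HZ = 1000.0         # the coding frequency stated in the report
TOLERANCE = 0.10            # assumed: +/-10% still counts as the 1000-Hz waveform
HIGH_V, LOW_V = 24.0, 0.0   # constructed high/low levels; the report gives none


def square_wave(freq_hz: float, sample_rate: int = SAMPLE_RATE_HZ, window_s: float = WINDOW_S,
                high: float = HIGH_V, low: float = LOW_V) -> List[float]:
    """Constructed test signal: a square wave alternating between high and low."""
    n = int(sample_rate * window_s)
    half_period = sample_rate / (2.0 * freq_hz)      # samples per half cycle
    return [high if int(i / half_period) % 2 == 0 else low for i in range(n)]


def stuck_level(level: float, sample_rate: int = SAMPLE_RATE_HZ, window_s: float = WINDOW_S) -> List[float]:
    """Constructed fault: output frozen at one DC level (stuck low or stuck high)."""
    return [level] * int(sample_rate * window_s)


def count_transitions(samples: List[float], threshold: float = (HIGH_V + LOW_V) / 2) -> int:
    """Number of high/low crossings in the window."""
    bits = [s > threshold for s in samples]
    return sum(1 for a, b in zip(bits, bits[1:]) if a != b)


def dynamic_logic_state(samples: List[float], sample_rate: int = SAMPLE_RATE_HZ) -> int:
    """0 = normal (output commutates at about 1000 Hz); 1 = safety action (anything else).
    Stand-in for the magnetostatic device: a transition count instead of a transformer."""
    window_s = len(samples) / sample_rate
    measured_hz = count_transitions(samples) / (2.0 * window_s)   # two transitions per cycle
    if abs(measured_hz - NOMINAL_HZ) <= TOLERANCE * NOMINAL_HZ:
        return 0
    return 1


def conventional_logic_state(level: float, threshold: float = (HIGH_V + LOW_V) / 2) -> int:
    """Static logic: the level itself is the state, so a stuck-low output reads as 0
    (normal) and a stuck-high output reads as 1; neither is distinguishable from a
    healthy output at that level."""
    return 1 if level > threshold else 0


def dynamic_fault_table() -> Dict[str, int]:
    """Classify the normal waveform and the fault conditions named in the report."""
    return {
        "normal 1000 Hz": dynamic_logic_state(square_wave(1000.0)),
        "stuck low (low level DC)": dynamic_logic_state(stuck_level(LOW_V)),
        "stuck high (high level DC)": dynamic_logic_state(stuck_level(HIGH_V)),
        "500 Hz commutation": dynamic_logic_state(square_wave(500.0)),
        "2000 Hz commutation": dynamic_logic_state(square_wave(2000.0)),
    }


if __name__ == "__main__":
    for name, state in dynamic_fault_table().items():
        print(f"{name:28s} dynamic state {state}")
    print("conventional, stuck low :", conventional_logic_state(LOW_V), "(reads as normal)")
    print("conventional, stuck high:", conventional_logic_state(HIGH_V))
```

Because the normal state is a moving signal rather than a level, every way the device can stop moving (loss of drive, a shorted or open output, a wrong clock) lands in state 1. The price, as the report notes later, is that a single failed unit then asks for action, which is why its output is voted rather than used directly.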
Reactor Breaker Trip Scheme
The Paluel design incorporates eight breakers for reactor scram that are arranged in two parallel paths to supply power to all the control clusters (i.e., each path contains four breakers in series).
To produce a reactor scram, power must be interrupted in both parallel paths by opening the reactor trip breakers.
The eight breakers are divided into four groups of two.
It takes any combination of two of the four groups (pairs) to interrupt electrical power to both paths providing the control mechanisms of the control clusters.
Any one group (pair) can be tripped open without causing a reactor scram.
The breaker pairs will open on lack of voltage (see Figure 2.15).
Analysis of Safety Significance
It is difficult to assess the safety significance of the Paluel logical processing and breaker trip scheme designs as it relates to current U.S. practice.
The design appears to lessen the chance for spurious protection system actuations and, thus, would appear to reduce challenges to the reactor protection systems, resulting in possible overall enhancement in plant safety and availability.
Also, the Paluel design enhances the ability to test the reactor trip system while at power.
(As noted above, the French design is similar to current CE designs.) Such design concepts should be weighed against the aspect of ensuring actuation of the protection systems when required as it relates to current U.S. reactor designs.
Probability studies would be necessary to estimate any safety significance that might be associated with the Paluel design when compared with current U.S. designs; however, it appears that the safety significance would be minimal.
Current Westinghouse and CE designs implement reactor trip schemes whereby the scram breakers will trip open by diverse means (e.g., on loss of voltage via undervoltage trip attachments or on voltage application via shunt trip attachments). Westinghouse plants are being modified to ensure this diversity exists for both the automatic and manual trips.
The P4 plant has the same diversity for a manual trip (as in the old Westinghouse designs), but the French are not planning any backfits to include diversity for automatic trips.
The basis for the U.S. modifications is the anticipated transient without scram (ATWS) events at the Salem nuclear plant.
However, the French design of the scram breakers includes springs that are five times stronger than the Salem design.
The operating history of the French plants (900 MW) also shows very few failures of scram breakers during maintenance or testing operations.
Therefore, a modification at the French plants appears unnecessary.
Because the French have experienced a very small number of failures and have made other modifications in the plant for ATWS events, there is little or no safety significance to this design difference.
[Figure 2.16 ULS logic technology (diagram not reproduced). Conventional logic: the output is a static high or low level; logic 0 = status NORMAL, logic 1 = status ACTION, and the two fault conditions shown cannot be assigned a status ("?"). P4 dynamic logic (fail safe): logic 0 = 1000-Hz alternation between the high and low levels = status NORMAL; every other output (stuck high, stuck low, or another frequency) is logic 1 = status ACTION. Notes: Dynamic: 1000-Hz voltage variation. Technology: magnetostatic device (transformer).]
Because of the "fail safe" capability of the logic technology used by the French, normal processing could result in a high number of spurious trips.
Therefore, the P4 design incorporates a two-out-of-four logic taken twice.
However, the "fail safe" mode will reduce the probability of ATWS events, because at the U.S. plants (conventional logic) failure modes exist that will prevent a scram signal from being generated.
The safety significance of this design difference is low because the number of failures required at U.S. plants makes this a low probability event.
Acceptance Criteria
The U.S. acceptance criteria for protection system design and reliability are in 10 CFR 50. The principal criteria are in IEEE Standard 279, which is codified by 10 CFR 50.55a(h) and the GDC. Guidance for interpretation of the regulatory requirements is provided by regulatory guides and the Standard Review Plan, which includes staff technical positions on specific aspects of safety system designs.
The Paluel design criteria appear to be consistent with the U.S. criteria, because the requirements of 10 CFR 50, Appendix A and IEEE Standard 279 are included in the design bases for the Paluel reactor protection system.
These include such criteria as single failure, testability, control and protection interaction, etc.
2.7.4 Use of Microprocessors in Reactor Protection System
U.S. Plant Description
The logic inputs for the SNUPPS reactor protection system are derived from a hard-wired analog processing system that is connected to the sensors that monitor the various parameters.
For example, calculations for the overtemperature ΔT and the overpower ΔT trips for protection against low departure-from-nucleate boiling ratio (DNBR) and excessive power, respectively, are continuously processed using hard-wired analog circuitry.
The SNUPPS reactor protection system design does not incorporate programmable digital-computer-based technology for the derivation of various trip functions.
Various U.S. CE designs use a combination of redundant digital computers and hard-wired analog circuitry for reactor protection.
These CE plants incorporate digital-computer-based systems (core protection calculators) for deriving the low DNBR and the high local power density trip functions.
The computer-based system receives inputs from sensors of various parameters, performs the necessary calculations under programmed logic, and then sends outputs to the protection trip system.
The core protection calculators are programmable digital computers (software oriented).
French Plant Description
The Paluel reactor protection system, called the digital integrated protection system (SPIN), makes extensive use of microprocessors.
The SPIN system basically consists of data and processing units (UATP) and engineered safeguard logic units (ULS).
One of the primary purposes of the extensive use of microprocessors is to determine more accurately monitored parameters in order to improve operating margins.
For protection purposes, the SPIN system consists of four redundant UATP units; for engineered safety feature (ESF) purposes, the system uses two ULS logic circuits.
The system also incorporates a plug-in minicomputer for periodic automatic testing.
The UATPs receive and process all the data required to generate protective action signals.
They receive signals from sensors, process the signals, compare calculations to setpoints to obtain trip information (per parameter), process the resulting information using two-out-of-four logic (per parameter), and generate trip signals directly to trip breakers and to the ULS units for ESF actions.
Processing is done with microprocessors.
The UATP units form a multiprocessor system comprising two self-contained types of units.
They are
(1) Functional units (UF), of which there are seven.
These units perform all the digital and logical processing relative to the monitoring of one or more parameters.
(2) Exchange units (UE), of which there are six.
These units control the multiplex links permitting inter-UATP partial trip data transfer.
They also send data outside the protection system for display and to the main processing computer.
Each UE or UF operates separately and totally asynchronously.
Data are transferred between UEs and UFs by a network of shared memories.
Each ULS unit is associated with an ESF actuator train.
It receives trip signals (safety injection, containment isolation, etc.) from the four UATPs and develops two-out-of-four logic combinations.
It then performs appropriate logic processing, in particular with respect to any manual signals.
Finally each ULS unit generates individual ESF actuation signals.
The ESF logic units are hard wired and designed to fail in the safe direction by the use of the dynamic logic techniques described in Section 2.7.3.
To preclude spurious trips (as a result of the fail safe design) in the event of component failure, as well as to permit online periodic testing, each ULS unit comprises two identical subsystems.
Outputs from each of the subsystems are combined in two-out-of-two logic before the actuators are tripped.
The automatic tester used to conduct SPIN tests is designed to incorporate a minicomputer, and is normally disconnected.
The tester can be used to test the UATPs and the subsystems of the ULS units.
The SPIN system is characterized by the implementation of modern technologies, in particular, the use of microprocessors.
As a result, the French have developed a comprehensive qualification program for both the hardware and software.
The development procedure for SPIN included the following main steps:
(1) definition of general design and operating principles
(2) systematic validation, using mock-ups of technological options and expected performance
(3) building a representative industrial prototype
(4) equipment qualification tests using the prototype
(5) definition of a rigorous methodology for software development
(6) verification of the overall functional characteristics of the system by factory tests on the first interconnected series-produced equipment
The test and qualification programs appear to verify that the system meets criteria equivalent to U.S. criteria for safety systems.
Analysis of Safety Significance
Programmable digital computers offer several advantages over the conventional analog hard-wired circuit designs, such as the handling of several interacting process variables that define process limits (trip functions), testability, simplification of various administrative procedures, exactness, reduction in cabling, etc. The P4 microprocessing equipment allows much faster periodic testing compared to conventional equipment and should result in fewer challenges to safety systems and fewer human errors during testing.
Much emphasis has been placed on software development for programmable digital computer applications.
U.S. reviews have placed specific emphasis on software structure and design verification and validation.
Verification and validation programs must be adequate to ensure initial and continued software reliability, specifically after design changes that may be made after the initial design installation and operation. With proper design qualification and quality control procedures for both hardware and software, the computer-based systems are considered an enhancement to the operation and safety of nuclear power plant operation. The French appear to have done significant verification and validation for both the software and hardware.
The safety significance of each component of the microprocessing system taken separately would seem to be low.
However, the safety significance of all improvements--including the effects on control room design, system availability, ease of operator action and testing, and reduction in the number of cables because of multiplexing--appears to be somewhere between moderate and high.
Acceptance Criteria
The U.S. acceptance criteria for protection system design and reliability are in 10 CFR 50.
The principal criteria are in IEEE Standard 279, which is codified by 10 CFR 50.55a(h) and the GDC.
The French also use these acceptance criteria for the microprocessing systems.
The French also generally follow the guidance in the NRC regulatory guides and the Standard Review Plan (which includes staff technical positions on specific aspects of safety system designs).
Proposed Regulatory Guide IC 127-5, "Criteria for Programmable Digital Computer Systems Software in Safety-Related Systems of Nuclear Power Plants," dated April 8, 1985, addresses software for programmable digital computers used within protection systems.
This proposed guide endorses ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations." The NRC staff did not compare the P4 design to this guidance.
2.8 ATWS Features
U.S. Plant Description
The SNUPPS design does not contain any special equipment to mitigate the consequences of ATWS events.
As of January 1, 1985, the Code of Federal Regulations was amended (10 CFR 50.62) to require improvements in the design of light-water-cooled nuclear power plants to reduce the likelihood of failure of the reactor protection system to shut down (scram) the reactor following anticipated transients and to mitigate the consequences of ATWS events.
All pressurized water reactors are required to implement a system diverse from the reactor trip system to automatically initiate the auxiliary (emergency) feedwater system and to initiate a turbine trip under conditions indicative of an ATWS.
This diverse system must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.
Also, each pressurized water reactor manufactured by CE or Babcock & Wilcox must have a diverse reactor scram system installed.
However, 10 CFR 50.62 specifically excludes Westinghouse plants from the diverse scram requirement.
These ATWS actuation systems need not be safety related.
Each licensee was required to submit to the NRC a proposed schedule for meeting the ATWS requirements.
French Plant Description
To protect against a common mode defect within the reactor protection system, the Paluel design provides an ATWS signal.
The ATWS signal is developed on low feedwater flow rate (less than 8% of rated flow) coincident with the power level of the reactor being greater than 30% of rated power.
The ATWS signal initiates (1) the auxiliary feedwater system, (2) a turbine trip, and (3) a reactor scram.
This trip function is a backup to the normal low steam generator level trip used in the transient and accident analyses.
The initiating signals are diverse, and the hardware is diverse from the reactor protection system signals and hardware, except for portions of the scram breakers themselves.
The French design also includes specially designed pilot-operated relief valves (PORVs) that are designed to operate under two-phase flow conditions (see Section 2.12).
Analysis of Safety Significance
ATWS events are a cause for concern because under certain postulated conditions they could lead to severe core damage and release of radioactivity to the environment.
Because the Paluel ATWS system is independent and diverse from the safety-related reactor protection system, it provides more effective protection than is presently provided by the SNUPPS design, which emphasizes ATWS prevention.
The improved PORVs also add to the capability of the French design to maintain a coolable core under ATWS conditions.
The diverse scram and improved PORVs appear to enhance the overall capability of the French design against ATWS compared to current Westinghouse operating reactors.
However, the reduction in risk provided by the design depends on the ATWS probabilities.
Acceptance Criteria
The U.S. criteria for ATWS are contained in 10 CFR 50.62.
The equipment to be implemented for ATWS must be designed to perform its function in a reliable manner and be independent and diverse from the existing reactor trip system.
The French ATWS design criteria are basically the same as those of the U.S. except for the diverse reactor scram signal.
The inclusion of an ATWS system for reactor scram implies that the French design criteria are more conservative than the U.S. criteria applicable to the SNUPPS (Westinghouse) plants.
2.9 Load Rejection Capability
U.S. Plant Description
For a typical U.S. plant such as SNUPPS, the functional design bases for the turbine bypass system are to bypass 40% of the main steam flow to the main condenser, to aid in the startup and cooldown of the plant, and to permit a 50% electrical step-load reduction without generating a reactor trip.
The system will also permit a turbine trip and reactor trip from full power operation without lifting the main steam relief and safety valves.
The condensation of high energy steam is achieved through normal operation of the condenser.
French Plant Description
The Paluel turbine bypass system is designed to allow a minimum of 81% of the nominal steam flow to bypass the turbine.
(The actual measured steam bypass is 85%.) If the unit were isolated from the grid, this bypass capability would provide the ability for continued plant operation (without reactor trip) at lower power levels for the plant's own house loads.
This design also permits greater load-following flexibility than the SNUPPS design.
The capacity of the bypass system is governed by economic considerations.
Typically, the greater the bypass capacity, the larger the condenser.
To reduce the size of the main condenser, 10% of the bypass steam is directed through two valves to the feedwater tank, and 75% of the steam flows through 14 valves to the main condenser.
Analysis of Significant Design Difference
For design-basis events, the French do not take credit for the capability of the turbine bypass system.
However, this capability can provide greater plant availability by reducing the number of reactor trips.
The typical bypass capacity of U.S. plants permits 50% load rejection without generating a reactor trip.
Increased load rejection capacity is a matter of economics (the need for a larger condenser) and grid stability rather than a safety issue.
However, if grid failure were to occur during operation at full power, the capability to reject 100% load without reactor trip could provide an alternate source of AC power for house loads and a more rapid restoration of power to the grid.
The French experience for losses of offsite power has averaged about one loss in every 2 years.
During these events, load rejection was successful (the reactor did not trip) about 50% of the time.
During recent periodic testing, the success rate for planned 100% load rejection was significantly more successful (greater than 80%).
2.10 Control Room Features
2.10.1 Control Room Design
U.S. Plant Description
The SNUPPS control room features a traditional layout with an inner and outer ring of stand-up consoles.
Displays and controls are primarily hardwired, although some information displays are available to the operator on cathode ray tubes (CRTs). The annunciator system is a hardwired system without a computerized alarm processing capability.
In accordance with the SRP (NUREG-0800), future U.S. nuclear power plant control rooms must incorporate appropriate human factors engineering design principles to ensure that the operator-machine interfaces of the control room are adequate to support safe operation of the plant.
Supplement 1 to NUREG-0737 required licensees of operating plants and applicants for operating licenses to conduct a detailed control room design review (DCRDR) of the plant control room(s) to identify and correct human engineering discrepancies.
This review effort and the implementation of corrective actions are expected to significantly enhance operator performance during emergency operations and reduce operator error.
However, the corrective actions implemented as a result of the DCRDR effort do not involve an overall redesign of control boards or other major design changes.
French Plant Description
The French 1300-MWe P4 control room design includes a U-shaped desk and a rear panel, "active mimic diagrams," and functional data processing to improve operations during normal and accident conditions.
Controls and displays are arranged in functional zones.
The P4 controls in the control room utilize "turn push-light" (TPL) switches that require two successive operator actions.
These are (1) selection phase (turning the switch to the desired position, such as open or closed, start or stop, automatic) and (2) execution phase (pushing the switch to activate the control function).
The associated light presumably provides the operator with direct feedback on the execution of the control function.
This control switch design is expected to reduce the likelihood of operator errors involving the inadvertent selection of the wrong switch and wrong switch position.
Alarm processing in P4 plants is computerized to minimize the number of alarms in the control room.
Alarms are categorized according to four levels of importance.
Only the most important category is displayed in alarm windows; categories 2, 3, and 4 are shown on color CRTs.
The control boards include 11 color CRTs, with 7 of the 11 assigned to the display of alarms associated with the centralized data processing system.
Alarm processing considers the mode of operation, delay, and suppression of some parameters that return quickly to normal; inhibition of less severe alarms when conditions of higher alarm severity exist; and synthesis of several alarm points to permit more direct diagnosis of events.
The processing also distinguishes between the conditions that initiated the event and the conditions that followed as a consequence of the initiating conditions.
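The alarm processing features listed above (four importance categories split between alarm windows and CRTs, delay of alarms that return quickly to normal, inhibition of less severe alarms by more severe ones, synthesis of several alarm points into one, and separating initiating conditions from their consequences) can be modelled as a short processing pipeline. The block below is an added example for this report, not EDF's P4 alarm system; the alarm names, categories, dwell time, inhibition links, synthesis rule and event sequence are all constructed, and the specific rule forms (a dwell time per point, explicit `inhibits` sets, the earliest-raised displayed alarm flagged as initiating) are assumptions chosen to illustrate the listed behaviours.

```python
"""Model of computerized alarm processing with the features named in the report.
Added illustration; rule details, point names and the event stream are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AlarmPoint:
    name: str
    category: int                       # 1 = most important (alarm window); 2-4 go to the CRTs
    dwell_s: float = 0.0                # assumed: must stay in alarm this long before display
    inhibits: Set[str] = field(default_factory=set)   # assumed: less severe points it suppresses


class AlarmProcessor:
    def __init__(self, points: List[AlarmPoint], synthesis: Optional[Dict[str, Set[str]]] = None):
        self.points = {p.name: p for p in points}
        # assumed: synthetic alarm name -> constituent points it replaces when all are present
        self.synthesis = synthesis or {}
        for syn, members in self.synthesis.items():
            if syn not in self.points or not members <= self.points.keys():
                raise ValueError(f"synthesis rule for {syn!r} references unknown points")
        for p in points:
            for target in p.inhibits:
                if target not in self.points or self.points[target].category <= p.category:
                    raise ValueError(f"{p.name} may only inhibit known, less severe alarms")
        self.raised_at: Dict[str, float] = {}   # point -> time it entered the alarm state

    def feed(self, t: float, point: str, active: bool) -> None:
        """Record a state change from the plant (the demo uses a constructed event stream)."""
        if point not in self.points:
            raise KeyError(point)
        if active:
            self.raised_at.setdefault(point, t)
        else:
            self.raised_at.pop(point, None)

    def display(self, now: float) -> Dict[str, List[Tuple[str, str]]]:
        """What the operator sees at time `now`: {'windows': [...], 'crt': [...]},
        each entry (point, 'initiating' | 'consequence'), earliest-raised first."""
        # 1. delay: ignore alarms that have not stayed in alarm for their dwell time
        shown = {p for p, t0 in self.raised_at.items() if now - t0 >= self.points[p].dwell_s}
        first_seen = dict(self.raised_at)
        # 2. synthesis: when every constituent is present, show one synthetic alarm instead
        for syn, members in self.synthesis.items():
            if members <= shown:
                shown -= members
                shown.add(syn)
                first_seen[syn] = min(first_seen[m] for m in members)
        # 3. inhibition: a displayed severe alarm suppresses the points it is declared to inhibit
        inhibited = set().union(*(self.points[p].inhibits for p in shown))
        shown -= inhibited
        # 4. initiating vs consequence: the earliest-raised displayed alarm is the initiator
        ordered = sorted(shown, key=lambda p: first_seen[p])
        out: Dict[str, List[Tuple[str, str]]] = {"windows": [], "crt": []}
        for i, p in enumerate(ordered):
            tag = "initiating" if i == 0 else "consequence"
            (out["windows"] if self.points[p].category == 1 else out["crt"]).append((p, tag))
        return out


def demo() -> Dict[float, Dict[str, List[Tuple[str, str]]]]:
    """Constructed scenario: a feed pump weakens, condenser vacuum flickers and recovers
    inside its dwell time, steam generator level then falls and feedwater flow drops."""
    points = [
        AlarmPoint("FW-PUMP-AMPS-LO", category=3),
        AlarmPoint("FW-FLOW-LO", category=2),
        AlarmPoint("SG-LEVEL-LO", category=1, inhibits={"FW-PUMP-AMPS-LO"}),
        AlarmPoint("COND-VAC-LO", category=4, dwell_s=5.0),
        AlarmPoint("FEEDWATER-TRAIN-FAULT", category=2),   # synthetic alarm
    ]
    proc = AlarmProcessor(points, synthesis={"FEEDWATER-TRAIN-FAULT": {"FW-FLOW-LO", "FW-PUMP-AMPS-LO"}})
    events = [(0.0, "FW-PUMP-AMPS-LO", True), (2.0, "COND-VAC-LO", True), (4.0, "COND-VAC-LO", False),
              (6.0, "SG-LEVEL-LO", True), (8.0, "FW-FLOW-LO", True)]
    snapshots = {}
    for t, point, active in events:
        proc.feed(t, point, active)
        snapshots[t] = proc.display(t)
    return snapshots


if __name__ == "__main__":
    for t, view in demo().items():
        print(f"t={t:4.1f}s  windows={view['windows']}  crt={view['crt']}")
```

Each stage maps to one sentence of the description: the dwell time keeps the condenser alarm off the screen because it clears before 5 s have elapsed; the category-1 level alarm inhibits the category-3 pump alarm once it appears; when both feedwater points are in alarm they collapse into a single synthetic alarm; and because that synthetic alarm inherits the earliest constituent's timestamp it is presented as the initiating condition, with the level alarm marked as a consequence.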
NUREG-1206 2-43
Analysis of Safety Significance
The French P4 control room design differs significantly from current control room designs in the U.S. because the former relies heavily on computer technology and sophisticated alarm processing capability. Without a detailed probabilistic risk assessment (PRA) related to the design of these computerized systems, the relative effect on safety of these computerized designs versus typically hard-wired U.S. systems cannot be evaluated.
A significant difference between the French and U.S. control room designs is the approach used to develop the design and address operator-machine interface issues. This design approach is an enhancement of the operator-machine interface based on user needs and can represent a potentially significant safety benefit. The control room design is thus expected to enhance operator performance and significantly reduce the potential for operator error caused by control room design deficiencies.
Acceptance Criteria
The acceptance criteria for the DCRDR at U.S. plants are quite extensive.
The NRC staff reviews and audits the DCRDR conducted by licensees and applicants.
The staff's review confirms that the DCRDR process was adequate for the identification and correction of human engineering deficiencies in the control room, and that the improved design is adequate to support safe operation of the plant.
10 CFR 50.34(f) requires that construction permit applicants provide, for NRC review, a control room design that reflects state-of-the-art human factors principles before the applicant commits to fabrication or revision of fabrication of control room panels and layouts.
Briefly, the acceptance criteria (NUREG-0800, Section 18.1) are (1) the applicant must conduct a system/function/task analysis to identify operator-machine interface requirements and (2) the applicant must demonstrate that the design of the control room and control centers outside the main control room complies with accepted human factors engineering principles.
2.10.2 Safety Parameter Display System
U.S. Plant Description
U.S. plants must have a safety parameter display system (SPDS) that provides a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant.
Information provided to plant operators about critical safety functions includes reactivity control, reactor core cooling and heat removal from the primary system, reactor coolant system integrity, radioactivity control, and containment conditions.
French Plant Description
The French 1300-MWe PWR units have two safety panels in the control room.
One panel is for the use of the operators or shift supervisor.
The other is used by a safety engineer to independently monitor plant conditions in the event of an accident.
The safety engineer is called to the control room within 5 to 10 minutes after an accident.
These safety panels incorporate the features of a typical U.S. SPDS, but are much more sophisticated.
The safety parameter monitoring function includes monitoring nuclear power, heat removal from the core, heat removal through the secondary system, primary coolant quantity, containment integrity, and containment radioactivity.
Thirty-minute trends are available for each of these plant parameters.
The P4 plant has a KIT system that is an operator aid and an automatic parameter recording system.
The purposes of the KIT system are (1) to aid in the control of the nuclear power plant and (2) to aid in the after-the-fact analysis of operations and incidents.
The P4 plants use programmable microprocessor cabinets (Controbloc cabinets) that feed information to the KIT system, which includes a safety parameter monitoring system.
The KIT-SPDS is designed for:
(1) Detection of the event: A screen on the safety panel automatically displays (a) an identification of the protection channel involved and the time of the event, (b) an identification of the automatic safeguard action(s) initiated by the protection system, and (c) an indication of the efficacy with which each protective action has been executed.
(2) Verification of proper automatic operation of engineered safety feature (ESF) systems: When a fault in execution is identified, the second CRT screen displays computer generated mimics of the ESF systems with indications of specific failures that have been identified.
(3) Diagnostic logic diagrams: After a time delay, depending upon which ESF system is initiated (e.g., 5 minutes after a safety injection), one of the safety panel's CRT screens automatically displays a logic diagram showing a diagnosis of the fault and the steps by which the diagnosis was reached, and the appropriate post-accident procedure.
Each step of the logic diagram must be validated by the operator.
The operator uses the normal control systems to carry out this validation, which achieves redundancy in the acquisition of data.
(4) Application of post-incident procedures: To minimize errors following an incident, the safety panel displays are designed to assist the operator in implementing post-incident procedures.
For instance, to aid safety injection, the plot of pressurizer level versus subcooling margin shown on the safety panel has green zones permitting the operator to reduce safety injection and red zones requiring safety injection to be increased.
The display includes the current operating condition, the operating conditions during the previous 30 minutes, and the projected conditions for the next 10 minutes.
Analysis of Safety Significance
Emphasis on the use of advanced technologies in the design of French plant control rooms has resulted in a strong trend toward automation of the control room operator's monitoring tasks.
This automation results in an improvement in the presentation of information to the operator and a reduction of operator workload.
This improvement in the operator-machine interface can represent a significant safety improvement.
However, it is extremely important to the safe operation of the plant that computer processed data be valid and reliable.
The four stages of analysis necessary to provide the operator with improved information and assistance are (1) event detection, (2) confirmation that automatic safeguard systems have operated properly, (3) fault diagnosis, and (4) assistance with the application of post-incident recovery procedures.
Functional validation tests on the French system are ongoing.
With a successful validation and verification program, the French SPDS design would appear to be at least of moderate safety significance.
Currently, the SPDS system is not required by technical specifications to be in operation during normal plant operations.
As soon as the validation program is completed, the French SPDS will be subject to technical specifications, which are being developed.
To determine more accurately the level of risk reduction resulting from the French KIT-SPDS system, the NRC staff would have to perform a detailed human factors evaluation.
Acceptance Criteria
The NRC acceptance criteria for the SPDS include (1) a location convenient to operators, (2) a continuous display from which safety status of the plant can be readily and reliably assessed, (3) provision of information to operators about the critical safety functions (mentioned above), and (4) incorporation of accepted human factors principles.
These criteria were considered in the design of the French safety panel.
2.11 Double Containment
U.S. Plant Description
The SNUPPS containment building is a prestressed concrete containment (hemispherical dome and cylindrical shell) supported by a reinforced concrete base.
The interior has a steel liner that provides an essentially leaktight barrier.
Although the SNUPPS design does not include a secondary containment, this feature is incorporated into various U.S. plant designs (e.g., Waterford 3); however, a secondary containment for large dry primary containment buildings is less common.
The principal nominal dimensions of the SNUPPS containment are:
  Interior diameter          140 feet
  Interior height            205 feet
  Base slab thickness        10 feet
  Cylinder wall thickness    4 feet
  Dome thickness             3 feet
  Liner thickness            1/4 inch
The major codes used for materials, design, fabrication, construction, examination, testing, and surveillance of the concrete containment are the Building Code Requirements for Reinforced Concrete of the American Concrete Institute (ACI 318-71) and Article CC-3000 of the proposed Section III, Division 2, "Concrete Reactor Vessels and Containments," of the ASME Code.
The containment is designed and proportioned to remain within elastic limits under the various postulated load combinations.
The various load combinations include dead loads; live loads; environmental loads including those due to wind and tornadoes, design-basis earthquakes (DBE) and safe-shutdown earthquakes (SSE); and loads generated by design-basis accidents including pressure and temperature loads.
French Plant Description
The Paluel double containment is a dual containment design consisting of a reinforced concrete outer containment structure and associated systems surrounding the primary containment to reduce the radiological consequences of postulated accidents.
The primary, or inner, containment is a prestressed concrete shell (without a steel liner) that is designed to withstand loads (including temperature and pressure loads) resulting from design-basis accidents.
Both structures are supported by a common reinforced concrete base.
The spacing between the two shells is approximately 6 feet.
An emergency gas treatment system (EDE) is provided to maintain a negative pressure in the annular region between the primary and secondary containments and to filter the atmosphere vented from that region through the vent stack of the auxiliary equipment building.
The EDE circuit consists of redundant ventilation and filtration subsystems, including filters, iodine traps, and exhaust fans.
The EDE circuit is designed to the requirements of an engineered safety system.
The Paluel secondary containment EDE circuit appears to be similar in design and function to emergency gas treatment systems used in dual containment designs of U.S. plants.
The principal nominal dimensions of the Paluel containment are:
  Inner shell interior diameter    148 feet
  Inner shell interior height      205 feet
  Inner shell thickness            3 feet
  Base slab thickness              10 feet
  Outer shell thickness            1.8 feet
The containment system is designed to resist loads and load combinations similar to those for U.S. plants; it meets French regulations that are equivalent to those used in the U.S.
The secondary containment does not appear to provide any structural benefit in the event of a design-basis accident.
Table 2.1 compares several design features of the Paluel plant and two U.S. plants (Callaway, which is a SNUPPS single containment design, and Bellefonte, which has a concrete containment and concrete enclosure building).
Analysis of Safety Significance
The function of a secondary containment and associated systems is to process any leakage from the primary containment during accident conditions, thereby reducing offsite radiological consequences.
The Paluel secondary containment is designed to reduce any release of radioactivity to the atmosphere resulting from primary containment leakage following an accident.
Although the Paluel design appears to reduce potential offsite radiological releases more than the SNUPPS design does, the benefit of the Paluel design is somewhat lessened by the selection of a relatively high design leak rate for the primary containment, 1.5% per day.
(The specified design leak rate for a SNUPPS plant is on the order of 0.2% per day.) On the other hand, leakage from the containment to the environment in the French design goes through a filter, which counterbalances the slightly higher allowable leak rate.

Table 2.1 Containment design characteristics

  Characteristic                                      Paluel                  SNUPPS/Callaway   Bellefonte
  Reactor power (MWt)                                 3800                    3400              3800
  Containment volume (million cubic feet)             2.85                    2.5               3.4
  Design pressure (psig)                              56                      60                50
  Secondary containment volume (million cubic feet)   ~1.4                    N/A               1.36
  Primary containment leak rate (% per day)           1.5                     0.2 / 0.1         0.2 / 0.1
  Bypass leak rate                                    8.2% of primary         N/A*              10% of primary
                                                      containment leak rate                     containment leak rate

  * N/A = not applicable
The structural capacity of both the U.S. and French containment systems meets equivalent design codes.
The load combinations consider all postulated loads at the level applicable for the nuclear system and the site environmental parameters. The SNUPPS thicker prestressed concrete containment, along with the liner, is capable of providing the required leaktightness when it is resisting the combination of postulated pressure, temperature, earthquake, wind, tornado, missile, dead, and live loads.
In the Paluel design, the secondary containment provides resistance to wind, exterior missiles, the general effect of earthquakes, and dead and live loads.
Along with other loads, the inner prestressed containment is designed to resist the major impact of the pressure and temperature loads resulting from a design-basis accident.
The SNUPPS design follows a generic design concept used on multiple plants identified in Bechtel Power Corporation Topical Report BC-TOP-5, "Prestressed Concrete Nuclear Reactor Containment Structures." This practice is designed to ensure comparable structural safety standards for all SNUPPS containments and therefore parallels the Paluel concept of standard design.
Other U.S. nuclear plants (e.g., Waterford 3) provide an inner containment and an outer environmental shield building.
However, these facilities tend to have a steel containment with a reinforced concrete outer environmental shield structure of the thickness identified for the Paluel outer containment structure.
A prestressed inner containment tends to be more forgiving under extremely high load conditions.
Current studies sponsored by NRC and industry are evaluating in detail the margins provided by some of the containment systems used in the U.S.
All of these containment systems meet the design safety margins, and the ultimate pressure capacity tends to be in the range of two to three times the design pressure.
The French are studying methods for filtered venting of containment structures following postulated severe accidents by establishing appropriate emergency operating procedures.
The implementation of filtered vented containments currently under study could provide additional risk reduction.
Acceptance Criteria
The U.S. and the French use similar acceptance criteria for containment structures.
The French evaluation of the earthquake loads follows the U.S. practice, which uses Regulatory Guides 1.60 and 1.61 for the selection of the ground response spectra and the appropriate damping values.
Although the SNUPPS design does not use a secondary containment, such designs are employed on other domestic plants.
The acceptance criteria for U.S. reactors having a secondary containment include the following design areas:
(1) the pressure and temperature response of the secondary containment to a LOCA within the primary containment
(2) the effect of openings in the secondary containment on the capability of the depressurization and filtration system to accomplish its design objective of establishing a negative pressure in a prescribed time
(3) the pressure and temperature response of the annular region between the primary and secondary containment to a high energy line rupture within the secondary containment
(4) the functional design criteria applied to guard pipes surrounding high energy lines within the secondary containment
(5) the primary containment leakage paths that bypass the secondary containment
(6) the design provisions for periodic leakage testing of secondary containment bypass leakage paths
(7) the pressure response of the secondary containment resulting from inadvertent depressurization of the primary containment when there is vacuum relief from the secondary containment
(8) the acceptability of the mass and energy release data used in the analysis of the secondary containment pressure response to postulated high energy line breaks
As stated above, the secondary containment system in the Paluel plant appears quite similar to those in U.S. plants and is thus expected to perform in a similar manner.
The French acceptance criteria appear similar to those applicable to U.S. designs.
However, it was beyond the scope of this review to determine whether the Paluel design has been analyzed for compliance with all of the appropriate U.S. acceptance criteria listed above.
2.12 Safety and Relief Valves
U.S. Plant Description
At the present time, 10 different PORV models are in use or planned for use on U.S. PWRs.
These different models can be generally divided into two categories:
air-actuated valves and electric-actuated valves.
Although most Westinghouse PWRs have air operated PORVs, Westinghouse has changed to a new electrical pilot-operated valve for some of the newest plants, including SNUPPS.
Air-actuated valves are relatively tall (46 to 60 inches) and require a source of air to open the valve.
In general, when air is removed from the actuator, the valve is forced closed by a large spring that is located in the upper part of the valve.
Electric-actuated PORVs are shorter (about 25 inches) and are more compact than air-actuated PORVs.
An electric-actuated solenoid is connected to a pilot valve disc. When the pilot disc is opened, the pressure on the back of the main valve disc is reduced, and the main disc is forced open by system pressure.
Most of the U.S. PWRs are not constructed with safety grade PORVs and most do not rely upon PORVs for overpressure protection except for low temperature overpressure protection (LTOP).
The NRC staff is studying the reliability of the PORVs and block valves on U.S. PWRs as Generic Issue 70.
With the exception of those on one plant, safety valves used on U.S. PWRs are direct, self-actuating, spring-loaded valves.
About a dozen different size valves made by two different valve manufacturers (Crosby and Dresser) are in use.
One plant uses a self-actuated pilot-operated safety valve made by a third manufacturer (Target Rock).
The safety valves are constructed to safety grade requirements and are relied upon for overpressure protection of the primary system.
French Plant Description
As originally designed, French PWRs had U.S.-designed safety valves and PORVs on the pressurizer.
The original safety valves, PORVs, and PORV block valves (including those at Paluel) are being replaced by six SEBIM pilot-operated pressure relief valves, installed as two valves in series on each of three inlet lines on the pressurizer (Figures 2.17 and 2.18).
Each of the valves also can be remotely actuated from the control room.
Thus they are similar in concept to the Target Rock pilot-operated safety / relief valves (SRVs) on boiling water reactors (BWRs).
In addition to the primary safety valves, the original residual heat removal (RHR) spring safety valves also have been replaced with two similar SEBIM valves installed in parallel on each RHR train (Figures 2.17 and 2.18).
The discussion in this section concerning the primary safety valves also generally applies to the RHR safety valves.
During normal steady-state plant operation, the outer valves on each of the three lines (those farthest from the pressurizer) are normally open.
This is accomplished by setting the pilot valve set pressure lower than the steady-state reactor coolant system pressure.
The outer valve is primarily a redundant valve in series that will automatically reclose if for some reason the inner valve sticks open after relieving pressure during a plant transient.
The reseat pressure of the outer valve is set lower than the reseat pressure of the inner valve.
Another feature of this design is that the set pressure of one of the three inner valves is set lower than that of the other two.
For most transients only the valve with the low set pressure will actuate, thus assuming the function previously performed by the PORVs in the original plant design.
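The series arrangement described above, as an added example that is not SEBIM, EDF or NRC material: a discrete-time model of three pressurizer lines, each with an inner and an outer pilot-operated valve, run once through a normal pressure transient and once with the low-set inner valve failing to reseat. The set and reseat pressures, the assumed normal RCS pressure of 155 bar, and the pressure rise and relief rates are assumptions chosen so the sequence is easy to follow; they are not Paluel data.

```python
"""Two pilot-operated relief valves in series on each pressurizer line.
Constructed model: all pressures and rates are assumptions, not plant data."""
from dataclasses import dataclass


@dataclass
class PilotValve:
    name: str
    set_pressure: float            # bar: the pilot opens the valve at or above this
    reseat_pressure: float         # bar: the valve recloses at or below this
    fails_to_reseat: bool = False  # injected fault for the stuck-open case
    is_open: bool = False

    def update(self, p):
        """Advance the valve state for pressure p; return True if it is open."""
        if not self.is_open and p >= self.set_pressure:
            self.is_open = True
        elif self.is_open and not self.fails_to_reseat and p <= self.reseat_pressure:
            self.is_open = False
        return self.is_open


@dataclass
class Line:
    inner: PilotValve   # nearest the pressurizer: performs the overpressure protection
    outer: PilotValve   # farthest from the pressurizer: normally open, recloses on failure

    def relieving(self, p):
        # both valves are updated every step; flow exists only when both are open
        inner_open = self.inner.update(p)
        outer_open = self.outer.update(p)
        return inner_open and outer_open


def make_lines(stuck_inner=None):
    """Three lines. Line A's inner valve is set lower than B and C so that it alone
    answers most transients (the former PORV role). Pressures are assumptions."""
    lines = []
    for name, inner_set, inner_reseat in (("A", 166.0, 160.0),
                                          ("B", 172.0, 166.0),
                                          ("C", 172.0, 166.0)):
        inner = PilotValve(f"{name}-inner", inner_set, inner_reseat,
                           fails_to_reseat=(stuck_inner == name))
        # outer pilot set below the assumed 155 bar steady-state RCS pressure, so it
        # is normally open; its reseat is below every inner reseat, so it closes only
        # when the inner valve has failed to close and pressure keeps falling
        outer = PilotValve(f"{name}-outer", 135.0, 125.0)
        lines.append(Line(inner, outer))
    return lines


def simulate(lines, p0=155.0, rise=2.0, rise_until=10.0, drop_per_line=6.0,
             dt=1.0, steps=20):
    """Crude pressure balance: +rise bar/s while the transient lasts, -drop_per_line
    bar/s for each line that is relieving. Returns (events, peak, final pressure),
    events being (t, valve name, "open"/"close") state changes."""
    p = p0
    peak = p
    events = []
    for step in range(steps):
        t = step * dt
        if t < rise_until:
            p += rise * dt
        peak = max(peak, p)
        before = {v.name: v.is_open for ln in lines for v in (ln.inner, ln.outer)}
        open_lines = [ln for ln in lines if ln.relieving(p)]
        p -= drop_per_line * dt * len(open_lines)
        for ln in lines:
            for v in (ln.inner, ln.outer):
                if v.is_open != before[v.name]:
                    events.append((t, v.name, "open" if v.is_open else "close"))
    return events, peak, p


if __name__ == "__main__":
    for label, lines in (("normal", make_lines()), ("A-inner stuck open", make_lines("A"))):
        events, peak, final = simulate(lines)
        print(f"{label}: peak {peak:.0f} bar, final {final:.0f} bar")
        for t, name, change in events:
            print(f"  t={t:4.0f}s {name:8s} {change}")
```

In the normal run the three outer valves open at once (their pilots are set below the operating pressure), only the low-set inner valve on line A lifts, and it reseats on its own; no outer valve ever moves again. In the stuck-open run the same inner valve stays open, pressure keeps falling past its reseat point, and the outer valve on that line closes at its own lower reseat pressure, isolating the line without any operator action. Nothing in the model makes the B and C valves lift in either case.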
Analysis of Safety Significance
The French decision to backfit with SEBIM valves was based on a desire to eliminate a number of design and operational problems that the French had experienced with the original U.S.-type safety valve/PORV configuration.
These problems included the following:
(1) Problems had been experienced at one plant with the operation of spring-actuated safety valves that were exposed to liquid on the RHR system, and at another plant with pressurizer safety valves after they were exposed to water and steam during "set point adjustments." These problems involved severe galling and sticking, and one valve was found stuck open.
This type of problem has not occurred at U.S. plants.
The information available to NRC about damage to the pressurizer valves that occurred during "set point adjustments" is not very definitive.
The French procedure for inservice set pressure testing is apparently quite different from that in the U.S.
[Figure 2.17 Original French design: schematic of the three pressurizer safety/relief valves (each marked 172 bar), the isolation discharge valves and pressurizer discharge valves, the discharge pipe to the pressurizer relief tank, the RCS, and the RHR pumps and RHR heat exchangers. Values in parentheses are pressures in bar.]
[Figure 2.18 New French design: schematic of the SEBIM pressurizer safety/relief valves, two in series on each of three lines to the pressurizer relief tank, and the SEBIM RHR safety/relief valves on the RHR pump and heat exchanger lines (protection valves marked P(39) and P(44)). Legend: ( ) = pressure in bar, P = protection valve, I = isolation valve; loop seals will be installed in the new design.]
(2) After the Three Mile Island (TMI) accident, the French modified PORV block valves with devices to automatically close if a PORV stuck open.
Apparently after this, there were various block valve operational problems with set-point adjustments, limit switches, torque limiters, etc.
(3) After the TMI accident the French revised their thinking about post-accident PORV operability, particularly regarding the capability of PORV actuators to function after being exposed to high levels of radiation.
(4) Because of an "unsatisfactory performance record," the French felt it necessary to inspect PORVs and safety valves each time the valves were exposed to full flow conditions.
The French sought a more reliable valve so that this inspection would no longer be necessary.
(5) After the TMI accident the French reevaluated the safety valves and PORV discharge piping for the effect of "water loading" and other loads associated with various post-accident scenarios.
They found that this piping had to be modified to function acceptably with the new high loads.
The original design of the piping provided for loop seals in front of the safety valves and PORVs.
The Electric Power Research Institute (EPRI) PWR safety valve tests in the U.S. showed that U.S. utilities had greatly underestimated the magnitude of the loop seal loads.
The U.S. solutions (NUREG-0737, Item II.D.1) have taken a variety of forms (raising the loop seal temperature, modifying piping supports, cutting out the loop seal piping entirely, etc.).
In order to eliminate the piping load concern, the French originally decided to install the SEBIM valves without loop seals.
However, in early 1986, they decided that loop seals are necessary to improve the hydrogen leak tightness of the valve seats.
(6) The new French valve arrangement builds in more closure capability once a valve has opened, for the case where it fails to reseat.
The outer valve in the SEBIM arrangement (two in series) is set to close in this event.
U.S. plants rely on block valves to isolate a stuck-open PORV and have no capability to isolate a stuck-open spring safety valve.
(7) The French want to build in the capability to protect against overpressure from all types of liquid water discharge (including ATWS) as well as to have capability to feed and bleed.
These events are beyond the design basis of U.S. PWRs.
The SEBIM pilot-operated valves have been qualified to operate with more than one fluid (water, steam, two phase flow).
The EPRI tests on the U.S.-manufactured pilot-operated safety valve and several pilot-operated relief valves demonstrated that the pilot concept is sound for multiple fluid use.
Pilot-operated valves work in response to a pressure differential across a piston to open the main valve, and they are not sensitive to the type of fluid medium that causes the pressure differential.
If the proper pressure differential is applied, the valve will stay fully open and stable.
The SEBIM valves have both a safety and a relief mode of operation and can be manually actuated, in a way similar to the operation of BWR SRVs.
Because of the complexity of the double valve installation, the French probably sacrifice some overpressure protection reliability (i.e., valve opening) to obtain increased assurance of being able to isolate a stuck-open valve.
Because of the complexity of the configuration, there may be maintenance and inservice testing problems not encountered with standard safety valves.
Only highly trained specialists will be able to test or maintain the valves used in this way.
The reliability of the plant could be enhanced by a mixture of some SEBIM valves and some standard spring safety valves.
The French SEBIM valve design would provide the same functions as the U.S. PORVs.
These functions are (1) to reduce challenges to the safety valves (or the other SEBIM valves), (2) to provide a means for rapid depressurization of the primary system, and (3) to provide low temperature overpressure protection.
The French system with two SEBIM valves in series is also designed to provide the function provided by the U.S. block valves (i.e., to isolate a stuck-open PORV).
It also appears the design would function well for decay heat removal using feed and bleed.
Acceptance Criteria
The primary spring safety valves in U.S. PWRs are required to relieve overpressure resulting from design-basis transients and accidents.
Full size valves are tested as required by NUREG-0737, Item II.D.1.
In addition, the valves must conform to the applicable edition of ASME Code, Section III, NB-7000.
It appears that the French design would meet these requirements, perhaps with the exception of the ASME Code.
Current ASME Code Section III, NB-7000 requirements were not written with dual in-series pressure relief valves of the SEBIM type in mind.
However, individual valves of the SEBIM type were envisioned in ASME Code Section III, NB-7520.
If the second valve is considered a "stop valve" and it meets the requirements of NB-7142 (in the Winter 1985 addenda), the dual SEBIM configuration probably would meet ASME Code Section III.
Successful operating experience may provide a basis for revising the ASME Code to permit this type of installation on U.S. plants.
2.13 Fire Protection
U.S. Plant Description
In the SNUPPS plants, two trains of safe-shutdown systems are provided.
Except for the containment and control room, the trains are separated (in accordance with Section III.G.2.a, b, or c of Appendix R to 10 CFR 50) by a 3-hour fire barrier, a 1-hour fire barrier, or 20 feet of horizontal distance free of combustibles.
Inside containment, redundant trains are separated by at least 20 feet of horizontal distance free of combustibles.
For the control room, alternate shutdown capability independent from the control room is provided to permit shutdown of the plant from outside the control room.
The following other fire protection features are included in the SNUPPS design:
(1) Fire detection is provided in all safety-related areas of the plant that contain combustibles.
(2) Manual fire suppression equipment (i.e., hose stations and portable extinguishers) is provided in all safety areas of the plant.
(3) Automatic fire suppression systems are provided for specified hazards.
(4) Fire barriers are also provided between specified portions of a safe-shutdown train, as well as around specified occupied areas.
(5) Portable blowers or ducting is provided to remove smoke.
Cool smoke would be removed by the normal ventilation system.
(6) A reactor coolant pump lube oil collection system is provided.
French Plant Description
In the Paluel design two trains of safety equipment are provided.
Each train is located within a separate fire sector in the electrical building.
Each sector is divided into smoke extraction compartments with a volume of approximately 500 m3.
Redundant trains within the reactor building are separated.
For control room fire protection, a back-up panel is provided and one division of cabling in the control room is within metal conduit. The backup panels are completely separate from the control room.
The following other fire protection features are included in the Paluel design:
(1) The fire sector boundaries are concrete walls with the sealing of penetrations rated at 1-1/2 hours.
(2) Fire detection is provided for all areas of the plant.
(3) Manual fire suppression equipment (hose stations, portable extinguishers, and a mobile pump) is provided for all areas of the plant.
Fixed fire suppression equipment is provided for specified hazards.
Some of these systems are automatic, but most are remote-manually controlled or locally controlled.
Closed circuit television is used to monitor the areas where reactor coolant pumps, high pressure safety injection pumps, and chemical and volume control system pumps are located.
(4) The electrical building has a smoke extraction system with a capacity of 20 volumes per hour (500-m3 compartment volume).
In some larger compartments the capacity is 11 volumes per hour.
Redundant 100% capacity fans are provided, and each fan is designed to operate at 400°C for 2 hours.
These fans are separated by a 1-1/2-hour fire barrier.
This system is used to assist manual fire fighting and is a remote-manual operation.
(5) Reactor coolant pumps are protected by a remote-manual fixed suppression system and are monitored by four closed circuit TV cameras.
Analysis of Safety Significance
The objective of the French fire protection design is to ensure the maintenance of safety functions; the objective of both the U.S. and French designs is to minimize the effect of fire on structures, systems, and components important to safety.
However, the U.S. criteria require several more fire barriers and automatic suppression systems.
The French and U.S. fire protection features for maintaining safe-shutdown conditions in the control room, the containment, and diesel generator buildings are equivalent.
In the electrical / auxiliary buildings, the French design has barrier separation between redundant trains but no separation of hazards within a fire sector.
The U.S. design does not have fire barrier separation between redundant trains within some fire areas, but has some separation between hazards within one division.
The fire detection feature and manual suppression features of both designs are equivalent.
The fixed fire suppression systems in the French design are not all automatic, while in the U.S. design they are mostly automatic.
This difference, which does not appear to be significant, results from the differences in objectives stated above.
For smoke removal, the French design relies on normal ventilation supplemented by the smoke extraction system in the electrical building.
The U.S. design relies on the normal ventilation system supplemented by portable blowers and ducting. The French extraction system is automatically triggered to improve visibility during the first phase of fire evolution and must ensure smoke extraction after the fire is extinguished.
This appears to be a significant difference; however, the NRC has not evaluated the costs and benefits of the French smoke extraction system in detail.
In the French design, the oil hazard associated with the reactor coolant pumps is controlled by a fixed remote-manual suppression system.
Both the U.S. and French designs rely on an oil collection system.
In some U.S. designs, automatic suppression systems have been accepted under the exemption process.
Also the French design uses demineralized water in containment to prevent stress corrosion in the event of inadvertent operation of the fire suppression system.
The French design supplements the fire water system with an onsite mobile pumper and offsite fire departments.
The U.S. design generally relies on offsite fire departments for such equipment, although some plants have onsite pumpers also.
This does not appear to be a significant difference.
In both designs different levels of fire protection are provided for shutdown systems, safety systems, and systems important to safety.
Acceptance Criteria
The U.S. acceptance criteria for fire protection programs at nuclear power plants are incorporated in Appendix R to 10 CFR 50.
2.14 Core Design
U.S. Plant Description
Most Westinghouse four-loop reactors, including SNUPPS, have 53 control rods.
A few have several more (up to 61). Most of these control rod systems have AgInCd as the control absorber, but recently several reactors have used either Hf or B4C (with AgInCd tips) as the absorber.
SNUPPS uses either AgInCd or Hf.
These three absorber types are equivalent in their reactivity and power distribution control functions.
In operation the control rods are divided into eight or nine groups (of four (or five) or eight rods each) that are inserted or withdrawn sequentially with overlap.
They are divided into safety and control groups.
There are limits on group insertion as a function of power level to ensure that limits on scram worth, shutdown margin, and individual rod worth are met.
At normal full power all groups are usually out.
At 50% power the last control groups (designated D and C) are inserted no more than, and usually less than, about 75% and 25% respectively.
During power change maneuvers, the control banks are used in conjunction with changes in moderator boron to control reactivity changes and power distribution.
There are limits (largely based on LOCA analysis) on the maximum power distribution peaking factor, F_q, and these limits are adhered to primarily by controlling axial peaks.
With the system of power distribution control used by Westinghouse (constant axial offset control (CAOC) or one of its variations), the primary function of the control banks is to control power distribution by controlling axial offset (top to bottom core half power sharing as seen by the excore axially split neutron detectors).
The role of the control banks in controlling temperature feedback and xenon reactivity changes is somewhat secondary, and their freedom for complete reactivity control is somewhat limited; therefore, load follow is limited or boron changes are required to play a significant role in controlling reactivity.
This can be slow, especially late in the fuel cycle when the moderator boron content is low and thus rapid load following is particularly difficult.
Westinghouse has found that load-following capability can be improved by the use of a lower reactivity worth D bank (five instead of nine rods, which produces less power distribution perturbation), revised offset limits, and moderator temperature deviation from the normal control program.
Recent reactors (including SNUPPS) have implemented this strategy.
Further improvement would be desirable, however, and, as an example, the recent Westinghouse advanced concept design (WAPWR) uses "gray" rods (weakly absorbing, in-or-out auxiliaries) to supplement the boron change late in the cycle.
Some of the desired offset control could be transferred to part-length rods, as originally designed for these reactors, but Westinghouse has found their use unnecessary for xenon control and undesirable for general use because of associated departure from nucleate boiling (DNB) problems possible with some limiting axial distributions.
Other plants do use them, however.
Load-following ease also depends on the peaking factor limits and surveillance capability.
Improved CAOC provides a generic design F_q of about 2.3 for 12-foot-long cores.
It can be lower for specific reload cores.
For longer cores it may be larger, at least partially because the longer core is less axially xenon stable and produces larger swings.
Currently F_q limit requirements are mostly determined by LOCA analyses.
Improvements in this area could raise F_q limits and provide greater freedom for offset control and thus load follow, although DNB requirements would eventually set limits.
Current operational surveillance on axial distribution is by split (two axial segments) excore neutron detectors.
These provide a crude correlation-limit representation of axial peaking and consequently an artificially high F_q. In special cases the moveable incores have been used to provide a better representation, but they are not considered to be generally useful.
In the Westinghouse advanced standard design RESAR-414 (and in WAPWR) Westinghouse uses a four-segment excore and associated computer design to synthesize a better representation.
The NRC has partially reviewed this design for protection and surveillance characteristics, but not for procedures for possible load-follow improvement.
The CE System 80 reactors use a similar three-segment system as part of their protection (CPC) system.
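The bank sequencing and axial-offset arithmetic described above, as an added worked example written for this page (it is not code from NUREG-1206 or Westinghouse). It assumes a 228-step bank travel, a 128-step overlap and the withdrawal order A, B, C, D; the 50% power insertion limits (bank D no more than about 75% inserted, bank C no more than about 25%) are the values quoted in the text, and axial offset uses its standard two-segment excore definition. The function names bank_positions, check_insertion_limits, axial_offset and in_caoc_band, and the +/-5% CAOC band, are this example's own.

```python
"""Control-bank overlap sequencing and axial offset for a Westinghouse-style PWR.
Added example for this page; not NUREG-1206 or Westinghouse code.
Assumptions: 228-step bank travel, 128-step overlap, withdrawal order A, B, C, D.
Position 0 = fully inserted, TRAVEL = fully withdrawn."""

TRAVEL = 228     # assumed steps of full travel per bank
OVERLAP = 128    # assumed overlap: the next bank starts when the previous one has moved TRAVEL - OVERLAP steps
BANKS = ("A", "B", "C", "D")   # assumed withdrawal order; D is the last bank out and the first bank in


def bank_positions(demand):
    """Translate a total withdrawal demand (0 = all banks fully inserted) into
    per-bank step positions.  Bank k starts withdrawing once bank k-1 has been
    withdrawn TRAVEL - OVERLAP steps, so two adjacent banks move together over
    OVERLAP steps of demand; this is the "sequential with overlap" scheme."""
    max_demand = TRAVEL + (len(BANKS) - 1) * (TRAVEL - OVERLAP)
    if not 0 <= demand <= max_demand:
        raise ValueError(f"demand must lie in 0..{max_demand}")
    positions = {}
    for k, bank in enumerate(BANKS):
        start = k * (TRAVEL - OVERLAP)          # demand at which this bank begins to move
        positions[bank] = max(0, min(TRAVEL, demand - start))
    return positions


def percent_inserted(steps):
    """Fraction of a bank inside the core, as a percentage of full travel."""
    return 100.0 * (TRAVEL - steps) / TRAVEL


def check_insertion_limits(positions, limits):
    """Return the banks whose insertion exceeds the given limits (max percent inserted).
    The text's 50% power limits are roughly {"D": 75, "C": 25}; the limit line at
    other power levels is plant specific and not modelled here."""
    return sorted(bank for bank, max_pct in limits.items()
                  if percent_inserted(positions[bank]) > max_pct)


def axial_offset(top, bottom):
    """Axial offset as seen by a two-segment excore detector:
    (top-half signal - bottom-half signal) / (top + bottom).  Positive = top-peaked."""
    total = top + bottom
    if total <= 0:
        raise ValueError("detector currents must be positive")
    return (top - bottom) / total


def in_caoc_band(ao, target, half_width=0.05):
    """CAOC keeps the measured axial offset within a band about a target value
    (a +/-5% band is assumed here for illustration)."""
    return abs(ao - target) <= half_width


if __name__ == "__main__":
    limits_50pct = {"D": 75.0, "C": 25.0}        # from the text, for 50% power
    for demand in (0, 150, 300, 400, 528):
        pos = bank_positions(demand)
        print(demand, pos, "banks beyond 50% power limits:", check_insertion_limits(pos, limits_50pct))
    ao = axial_offset(55.0, 45.0)                  # constructed detector currents
    print("axial offset", ao, "in band:", in_caoc_band(ao, 0.0))
```

Note how a demand of 300 steps leaves bank D fully inserted and bank C more than half in, so both violate the 50% power limits; by 400 steps they are inside them. This is the sense in which the insertion limits constrain how far down the overlap sequence the banks may sit at a given power.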
French Plant Description
The P4 core design and performance can be directly compared with either SNUPPS or South Texas (ST), which it more closely resembles.
Compared with SNUPPS, the ST core design has a higher proposed power level (11%), longer active core length (14 versus 12 feet), lower average power density (5%) but higher design F_q (2.5 versus 2.3) and thus higher peak power density, and more (8%) control rods; they are otherwise similar in most respects.
Because P4 is nearly identical to ST in core design, it shares these differences plus others in the interrelated areas of control rods, load-follow operation, and power distribution control and surveillance.
The P4 control rods are the same as those for ST except for the following:
(1) There are 65 rods instead of 57 (plus eight spare locations versus four).
They have the same location but there are two more rods per quadrant.
(2) Twelve of the 65 are "gray" rods.
For these rods, 8 of the 24 fingers have standard AgInCd as the absorber, but the other 16 have stainless steel.
The remaining 53 rods are standard "black" B4C rods with AgInCd tips, as in ST.
(3) The rods have similar safety and control groups (of eight or four rods per group), but the assignments to groups and some group operations are different.
A gray rod has about half the reactivity worth of a black rod and would have a less perturbing effect on flux distributions.
The total worth of all the rods is similar to SNUPPS or ST.
In fact all of the safety-related parameters are similar. The gray rods form the last two control groups, corresponding to C and D for ST, with D having four and C having eight rods.
These produce minimum flux disturbance in movement at high power.
There are two additional control groups, like A and B of ST, with black rods.
These four groups are also operated sequentially, with overlap. There is also an R control group of eight black (full-length) rods, which is not operated sequentially but is used in control somewhat like a part-length group.
Although some aspects of the operational details associated with procedures, limits, analyses, and excore surveillance influence are not completely clear, the use of the groups in power change appears to differ significantly from current Westinghouse practice in details, even though there are superficial similarities. (The operation appears to be somewhat similar to a Westinghouse methodology concept using part-length rods for offset control and full-length rods for reactivity control.) For P4 the control groups (A through D) are used exclusively for reactivity follow of the direct thermal and power distribution reactivity effects of power change, and are not directly used to maintain axial offset. The design approach in group and overlap selection, however, is to produce minimum perturbation of power distribution with movement, and ideally the net change of thermal and control reactivity and power distribution effects is zero. The group positions are preassigned as a function of power and burnup parameters.
The R group is used (with alarmed insertion and withdrawal limits keeping it within bounds within the upper half of the core) for fine tuning reactivity (from imprecisely designed A-D changes) and thus maintaining the programmed moderator average temperature for small xenon changes and for axial xenon oscillation control.
Moderator boron change is manual and is used only for slow changes from burnup, xenon, and keeping R in its band.
Average moderator temperature deviation from the program is not part of the strategy.
The design aim is automatic turbine demand control so that (in automatic) a power change demand moves the A-D rods (in sequence) to an assigned position, followed by fine tuning with R (apparently controlled by average temperature) and, when required, manual boron changes.
Two additional differences of the P4 design could be relevant to load-follow axial power control.
First, the design F_q (which meets LOCA limits) is 2.65 versus 2.5 for ST, and thus more extreme offset variation and control maneuvers could be tolerated without exceeding F_q limits.
Second, P4 uses a six- (rather than the standard two) axial-segment excore power range neutron detector system, similar to the RESAR-414 four-segment system.
This is part of the protection system for alarming and tripping on low DNBR or high power density.
The associated computer (as in RESAR-414 and System 80) synthesizes a three-dimensional power distribution. This information is also available for surveillance and could be used in (manual) power distribution control.
Analysis of Safety Significance
There is no direct safety significance in the changes in the control rod design or their modes of operation.
No significant new geometrical configuration, dimension, or material is introduced.
The safety-related parameters associated with the control rods (e.g., scram time and worth, shutdown margin, rod worth for accident analyses) remain essentially the same. There are no apparent safety issues either introduced or solved.
The changes are evidently intended to improve some operational parameters related to load following.
To the extent that the changes improve the capability or ease of load following throughout the cycle, there will be potential economic gain (assuming load follow is important) and, perhaps, an operational (human factors) improvement.
The use of a larger design F_q implies the possibility of allowing increased power distribution perturbations, less restricted control operations, and improved load following capability.
It might also lead to more adverse axial distributions for DNB (e.g., top peaks).
However, the use of the R bank in the upper half of the core tends to minimize the potential for such problems.
The use of the multi-axial-segment excore detectors for protection (and surveillance) provides improved protection in this area because of its greatly improved (over two-segment offset systems) active determination of power distributions and DNBR via the associated protection computer synthesis of relevant parameters.
These improvements, however, are also more directly related to the economic areas of freedom of load-follow control and to operation nearer to the "real" limits (not conservative correlation limits) rather than to any direct safety problem.
Suitable protection exists in this area in the current standard U.S.
design, although it may be more restrictive and force operation further from "real" limits.
Acceptance Criteria
The French criteria on control rods that relate to the geometrical and material physical integrity of the rods and the reactivity effects produced by the rods appear to be the same as the NRC acceptance criteria.
Because the gray rods are dimensionally the same as the standard black rods and contain normal AgInCd or cladding type stainless steel as the absorber, no new physical or operational problem areas are indicated in the French design.
They should therefore meet the standard physical acceptance criteria.
The reactivity criteria (also similar for U.S. and French acceptance) are related to minimum scram speed and reactivity insertion, shutdown margin, and maximum rod or bank worths as the primary elements of event analyses.
The P4 control rod changes have not significantly changed any of these characteristics (relative to SNUPPS or ST).
Acceptance criteria related to load following and power distribution control, surveillance, and protection require meeting suitable technical specifications on limiting conditions of operation and safety system settings related to maximum power densities and abnormal condition detection and response.
For U.S. reactors these technical specifications depend on the review and acceptance of analytical methodologies and the adequacy of surveillance, alarm, and protection systems.
The NRC staff has not reviewed the equivalent P4 specification and details of control methodologies.
However, the P4 relevant surveillance and protection systems are at least similar to U.S. proposed (RESAR-414) or operating (System 80) systems that have been found to partially or fully meet acceptance criteria. The specific load-following techniques used would likely have little direct safety-related influence on the acceptability of suitable surveillance and protection systems.
Thus the overall system for load following is likely to be within established bounds of accepted systems and to meet acceptance criteria.
2.15 Remote (Auxiliary) Shutdown Panel
U.S. Plant Design
The remote shutdown panels at SNUPPS are provided with the instrumentation and controls necessary to achieve and maintain the plant in hot standby conditions.
This safety-related equipment is seismically and environmentally qualified for the conditions to which it could be exposed.
A train A panel and a train B panel are separated from each other by a fire barrier.
To achieve cold shutdown at SNUPPS, certain equipment cannot be operated from the remote shutdown panel and must be operated locally.
Remote operation and indication of the emergency diesel generators are at separate remote panels in the diesel generator rooms.
Table 2.2 identifies the instrumentation and controls that are provided on the SNUPPS alternate shutdown panel.
The controls (associated with train B) identified with an asterisk on Table 2.2 can be totally isolated from the control room so that damage in the control room as a result of a fire does not prevent remote operation.
The isolation switches are designed with redundant control power fuses that are placed in the circuit when the switches are placed in the local position.
Train B instruments of those identified by an asterisk are also isolated from control room damage.
Other equipment needed for hot standby (such as charging pumps, CCW pumps, and ESW pumps) is operated locally at the respective switchgear.
Local operation of ventilation equipment and valve lineups for isolation is also required for extended hot standby.

Table 2.2 SNUPPS instrumentation and controls on alternate shutdown panel (* = isolable from the control room)

Controls
*1. Start/stop for each motor-driven AFW pump
*2. Start/stop for the turbine-driven AFW pump (steam supply and trip and throttle control valves)
3. Control for all AFW flow control valves
*4. Open/close ESW and CST suction valves to the AFW pumps
*5. AFW turbine-driven pump speed control
*6. Auto/manual for each atmospheric dump valve
7. On/off/auto for two pressurizer backup heater groups
*8. Open/close containment isolation valves in letdown line
9. Open/close for the shutoff valves in the letdown line upstream of the regenerative heat exchanger and for the letdown orifice isolation valves

Indicators
*1. Water level (wide/narrow) for steam generators
2. Pressure:
*3. Pressure: reactor coolant system (wide range)
4. Pressure: pressurizer
*5. Level: pressurizer
6. Pressure: AFW pump suction/discharge
*7. AFW flow to each steam generator and AFW pump turbine speed
8. CST level
*9. Reactor coolant temperature: cold leg (Tc) and hot leg (Th)
*10. Source range and intermediate range instruments
*11. Indicating lights for all equipment with controls on remote shutdown panel
French Plant Design
Similar to the SNUPPS plants, the P4 design consists of two panels (A and B) separated by a fire barrier.
Automatic operation of some equipment can be relied on, even with spurious signals from the control room.
Most spurious signals generated from the control room as a result of a fire can be corrected from the shutdown panel.
Both panels can be isolated from the control room.
One channel of the P4 control room has been protected against immediate fire damage by wrapping all cables/wires in metal sheathing and providing metal covers around the connections at the switches.
This allows ample time to take remote control from outside the control room without relying on redundant fusing or fuse replacement.
It also allows equipment to continue to operate during the switchover period and to prevent spurious operation of equipment in one complete division, thus simplifying post-fire shutdown from outside the control room.
Table 2.3 lists systems and/or components that are controlled from the P4 remote shutdown panel.
Safety Significance of Design Differences
The overall design of the P4 backup shutdown panels allows the plant to be brought to a safe cold shutdown condition from a centralized location outside the control room, while the U.S. designs require many local operations for the transition from hot to cold shutdown.
From a human factors standpoint, the French design provides some decrease in risk.
To determine if this decrease is significant would require analysis that is beyond the scope of this report.
To go from remote shutdown to cold conditions in U.S. plants requires much more communication between personnel in different areas of the plant, which leads to a higher probability of an incorrect operator action.
However, unless there were a transient or accident in addition to the remote shutdown, such incorrect operator action would not likely be a major contributor to the overall plant risk due to core melt.
The French design allows all control actions to be taken at the remote shutdown panel thereby freeing other operators to visually verify these actions.
Further, the operator at the panel has substantial indication immediately available to determine if improper actions have occurred.
If a control room fire or fire in other plant areas makes operation from the control room impossible due to loss of control or smoke, the French design will provide a decrease in risk due to fire-induced core melt.
Even in the event of a fire in the P4 control room, safe cold shutdown can be achieved and maintained from the "backup" panel.
The U.S. design allows for operation of hot standby systems from the remote shutdown panel but requires, or may require, local operation (sometimes complicated) of equipment to overcome spurious operations.
In stressful situations such as a fire, the reliability of operator action may be significantly reduced.
The French design has enough isolated controls at the backup panel to overcome all major spurious operations.
At U.S. plants the transition from hot standby to cold shutdown conditions may often require repairing cables, pulling fuses, and installing jumpers in sometimes live switchgear or panels.
Also, many local actions at switchgear, valves, and motor control centers may be required for hot standby, hot shutdown, and cold shutdown.
These local operations introduce a much higher probability for improper actions and inactions by operators.

Table 2.3 Systems/components controlled on the P4 remote shutdown panel

1. CVCS
   Charging and letdown paths
   Auxiliary spray
   Volume control tank (VCT) level remains in auto
   Charging flow rate, letdown flow, letdown line pressure and VCT level instrumentation
   Boric acid pumps (operates also in auto) and flow instrument
   Control of seal water flow and flow instrument
   Centrifugal charging pumps
2. CCW system
   All four CCW pumps
   Containment isolation valves to RHR heat exchangers
   Cross-connection between the two CCW trains and the fill valve for the expansion tank from the demineralized water system
3. ESW system
4. Safety injection
   "Blocking controls" are provided on the backup panel to block safety injection signals, and switches are provided for eliminating possible "aberrant" (spurious) safety injection orders from the control room.
5. AFW system
   All four AFW pumps
   All eight AFW flow control valves
   Basically the same instrumentation and controls as in the control room
   All four atmospheric dump valves
6. Reactor coolant system
   RHR system (both pumps and necessary valves)
   All three PORVs and block valves
   Pressurizer heaters

Therefore, at least for fires, the P4 design appears to have a much higher probability of success in achieving a safe shutdown.
How this affects the overall plant risk depends on the probability and location of a fire and the success in controlling the fire.
Acceptance Criteria
A basic acceptance criterion for U.S. plants is that they have the capability to achieve safe cold shutdown from outside the control room using only safety-grade equipment and assuming the worst case single active failure (GDC 19).
The remote shutdown panels are required to meet this same criterion.
Alternate shutdown requirements in the event of a fire (10 CFR 50, Appendix R) do not require redundant panels.
Redundancy is required (GDC 19) to allow remote shutdown using only safety grade equipment assuming no damage in the control room with the most limiting single active failure.
The Paluel and U.S. designs require seismically qualified instrumentation and controls for remote shutdown of the reactor when the control room is evacuated.
With respect to fires preventing shutdown from the control room, the U.S. acceptance criteria require that one division of safe hot shutdown systems be free of fire damage and capable of operation remote from the control room, considering the effects of hot shorts, shorts to ground, and open circuits occurring in the control room.
Repairs to achieve and maintain cold shutdown are permitted.
Reliance on safety grade equipment is not required.
Local operation of equipment is allowed if it can be demonstrated that sufficient time is available for such operations. Generally the utility meets these criteria by providing isolation switches at one of the remote shutdown panels to control the equipment necessary to achieve and maintain hot standby (which usually consists of the AFW system and the atmospheric dump valves).
One division of minimum instrumentation to monitor primary and secondary plant conditions also must be electrically isolated or isolatable from control room circuits.
(For SNUPPS, the isolatable controls and instrumentation are identified in the design description above.)
At SNUPPS isolation devices/switches located elsewhere in the plant also counteract spurious operation of equipment and allow operation of support equipment, such as ventilation equipment.
Local operation of some equipment at switchgear and motor control centers is also necessary at SNUPPS to correct or prevent spurious operations. A local control panel in the diesel generator room (with proper isolation devices/switches) is provided for the diesel generator of the same division as the remote shutdown panel with the isolated controls and instrumentation.
The SNUPPS design thus meets the U.S. acceptance criteria through a combination of procedures, local operation of equipment, and properly designed isolation switches and devices.
The acceptance criteria for the P4 backup panel and/or remote shutdown capability are similar in nature, but the means of meeting the criteria are significantly different.
At the French plants, protection of one channel of shutdown equipment cabling from fires in the control room is provided by putting all of one channel's cabling in conduit to allow an operator ample time to take control at the remote panels before damage to that channel's cabling occurs.
After the operator takes control at the remote shutdown panel, damage to control room circuits will not affect plant shutdown.
The French have identified the following general design "principles" for the panels:
(1) The relay areas and electronic and electrical equipment areas remain accessible and operational.
(2) Loss of offsite power can be assumed.
(3) Scram from the control room is the only control room action required.
(4) The incident leading to the evacuation of the control room develops sufficiently slowly so that no aberrant orders appear that can compromise safety in the time required to resume controls from the backup panel (about 15 minutes).
(This led to having one division of cables in a conduit.)
(5) Automatic actuators controlled from the backup panel remain operational (to the extent that the signals connected with these actuators do not travel to the control room).
(6) The operations to be performed can be accomplished by the normal operational personnel during the first hours after evacuation.
2.16 Main Steam Lines and Main Steam Isolation Valves Outside Containment, No Steam Tunnel
U.S. Plant Description
The SNUPPS design has no main steam tunnel outside containment. Where the main steam/feed lines penetrate containment, valve compartments contain the safety-related portion of the main steam and feedwater systems.
Immediately adjacent to the valve compartments is the turbine building.
However, on other U.S. designs, there may be a steam tunnel somewhere between the containment and turbine building with areas containing safety-related equipment adjacent to the tunnel.
French Plant Description
The P4 design has valve compartments similar to those in the SNUPPS design, but the main steam and feedwater piping runs over the auxiliary building to the turbine building instead of through a tunnel in the auxiliary building as in many U.S. designs. Areas containing safety-related equipment are located below the auxiliary building roof.
Analysis of Safety Significance
With regard to steam line routing, there is no significant safety impact in the indicated differences.
Both methods protect safety equipment from pipe breaks, the French by barriers and restraints and SNUPPS by separation.
Other U.S. plants have used the same approach as the French. If there is any difference in risk for the two designs, the SNUPPS plants would be considered a lower risk because there is no reliance on barriers or restraints to protect against pipe breaks.
The possibility of barrier or restraint failure (however remote) would provide the difference in risk.
Acceptance Criteria
Both the U.S. and French designs use the same criteria for the main steam line design.
Pipe break protection for both is in accordance with SRP Section 3.6.1 (BTP ASB 3-1) and Section 3.6.2 (BTP MEB 3-1) (NUREG-0800).
Both designs use the no-break (superpipe) criterion up to the first restraint outside containment and have considered protection against the environmental effects of a nonmechanistic break.
Beyond the restraint (because of differences in building layout) the French have used pipe whip restraints and jet impingement barriers to protect essential equipment from the effects of a pipe break because the pipes run over the top of safety-related structures. The SNUPPS plant uses separation to protect safety-related equipment from the effects of a pipe break beyond the first restraint because the pipes run directly into the turbine building from the first restraint.
The length of superpipe for both the French and SNUPPS design is similar.
2.17 Waste Sewer Monitoring
U.S. Plant Description
In U.S. plants, radwaste discharge lines are monitored, but the sanitary sewage lines are not.
French Plant Description
The Paluel plant has a radiation monitoring system installed on the waste sewer system (from toilets, etc.) that would isolate waste discharge when a preset radioactivity level is reached.
Analysis of Safety Significance
The safety significance of this design difference is small.
Acceptance Criteria
Because the U.S. does not require a waste sewer monitoring system, there are no U.S. acceptance criteria. The French requirement for monitoring the waste sewer systems stems from a site authorization requirement that sets a maximum limit on the amount of radioactive releases at the site per year.
Monitoring the waste sewer system is a part of the demonstration of the plant's conformance to limits on radioactive releases for the plant.
2.18 Steam Generator Design
U.S. Description
All SNUPPS plants have the Westinghouse Model F steam generators, and they are designed in accordance with the requirements of ASME Code Section III.
The Model F steam generators include multiple features to minimize operating problems.
These features include
(1) thermally treated Inconel-600 tubes
(2) ferritic stainless steel tube supports to minimize the potential for denting
(3) quatrefoil tube support designs to minimize crevices
(4) elimination of open tubesheet crevices
(5) improved sludge removal characteristics
(6) thermal hydraulic modifications to minimize areas of unequal heat transfer and steam blanketing
(7) features to improve maintenance and repair and to meet "as low as reasonably achievable" (ALARA) conditions
French Plant Description
The steam generators of 1300-MWe P4 plants are Framatome Model 68/19.
The earlier vintage models were designed in accordance with the requirements of ASME Code Section III.
The later generators of Model 68/19 were designed in accordance with the design and construction rules applicable to mechanical materials (RCC-M).
The general design of Model 68/19 steam generators is basically similar to the design of Models 51 M (thermal hydraulic) and E (pressurized enclosure) of the Westinghouse steam generators.
These steam generators are equipped with thermally treated Inconel-600 tubes.
Analysis of Safety Significance
Because the design of Framatome Model 68/19 steam generators (P4 plants) is based on that of Westinghouse Models 51 M and E, and incorporates some design features to eliminate the operational problems experienced in both the foreign and domestic steam generators, the design differences between French and U.S. steam generators of the same vintage are not significant.
For example, to minimize the denting phenomenon, the French utilize 13% chromium stainless steel tube support plates with quatrefoil tube slots.
Similar design changes have been incorporated into the Westinghouse Model F steam generators.
In fact, Model D-5 (including Models E and F) Westinghouse steam generators use ferritic stainless steel support plates to minimize denting problems.
As in the U.S., the French plants' system design and steam generator surveillance requirements are based on a single steam generator tube rupture rather than on multiple tube ruptures.
Thus, although there may be some minor design differences between French and U.S. steam generators of the same vintage, the safety impact of these differences is not significant.
However, this does not mean that these generators will be operated in the same way.
Differences in surveillance and secondary-side opera-tion, including secondary water chemistry, can have significant impacts on operating experience.
Acceptance Criteria The U.S. acceptance criteria for steam generator designs are basically the ASME Code Section III, SRP Sections 5.4.2.1 and 5.4.2.2, Regulatory Guide 1.83, and the Westinghouse standard technical specifications.
Because the French design is based on Models 51 M and E of Westinghouse steam generators, the French acceptance criteria are probably similar to those of U.S.
NUREG-1206 2-67
2.19 Reactor Vessel Materials and Techniques for Fracture Prevention

U.S. Plant Description

The reactor vessel for SNUPPS is built to meet ASME Code Section III, 1971 Edition and Addenda through the Winter 1972 Addenda.
The vessel shell is made from plates of SA-533 steel, bought to a low-copper (< 0.10%) specification.
A similar limit is placed on the weld metal chemistry.
The initial reference temperature (RTNDT) of the beltline plates is 50 F.
The initial upper shelf energy was specified to exceed 75 ft-lb.
Pressure-temperature limits were calculated following the requirements of Appendix G to 10 CFR 50, which involves Appendix G of the ASME Code.
Because the copper content is low, RTNDT at end of life (EOL) was expected to be less than 200 F, assuming an EOL fluence of 3 x 10" n/cm2 (E > 1 MeV).
For the prediction of radiation damage, a Westinghouse trend curve was used.
The curve was based on recent surveillance data showing less severe shifts of RTNDT than those given in Regulatory Guide 1.99, Revision 1.
The latter was used in the NRC review of the pressure-temperature limits.
The staff concluded that the proposed limits were good for 25 effective full power years (EFPY), subject to further review when the plant surveillance results are received or when Revision 2 of Regulatory Guide 1.99 is published.
French Plant Description

The P4 reactor vessel beltline is made from ring forgings, which would meet the ASME Code specification SA-508, Cl 3.
The chemical requirements for the P4 reactors are slightly more restrictive than those in the ASME Code.
In addition, the French beltline forgings must have a copper content less than 0.10% and phosphorus less than 0.015%, which is consistent with current U.S. practice.
Weld chemistry for welds in the core area is Cu ≤ 0.10% and P ≤ 0.015%.
A maximum initial RTNDT of 32 F is specified for the pressure boundary forgings, and -4 F for the beltline welds.
An initial upper shelf energy of 76.7 ft-lb is specified for the beltline welds.
The French practice concerning reactor vessel radiation damage and surveillance testing follows U.S. practice quite closely.

Analysis of Safety Significance

In summary, there are only small differences between the French practice and U.S. present practice on issues involving materials selection and prevention of fracture in the reactor vessel.

Acceptance Criteria

The U.S. acceptance criteria for reactor vessel materials and for fracture prevention of the reactor vessel are in 10 CFR 50.55a, in Appendices G and H to 10 CFR 50, and in GDC 31.
2.20 Emergency Operating Procedures

U.S. Description

Emergency operating procedures (EOPs) at U.S. plants have been significantly changed as the result of NRC requirements imposed after the TMI accident.
The NRC required that EOPs (1) be based on a reanalysis of transients and accidents using "best-estimate" predictions of plant behavior rather than the previous "design basis" plant behavior and (2) address multiple failures.
U.S. utilities responded with owners' groups efforts to develop technical guidelines for each of their respective plant designs.
This has resulted in different general approaches to respond to the analyzed transients and accidents.
For both Westinghouse and CE PWR designs, the approach includes optional recovery guidelines for the most likely specific event sequences, with a monitoring of critical safety functions to determine if the more general function recovery procedures are necessary.
For Babcock and Wilcox PWR designs, the approach is based on a very small number of major plant functions and provides guidance for coping with inadequate heat transfer from the core to the primary coolant and for undercooling or overcooling the primary system.
While the utilities, through their owners' groups, were developing generic technical guidelines, the NRC staff developed human factors guidelines that addressed the preparation of the procedures themselves.
As currently implemented in the U.S., EOPs are generally used for every reactor scram or initiation of safety injection systems.
They include guidance for operator response to conditions from routine scrams to inadequate core cooling and impending core melt.
The guidance for containment systems is applicable even for a degraded core; however, work is continuing on guidance for operators for degradation beyond the onset of core melt.
French Description

The French also recognized the lessons taught by the TMI accident and have re-examined the basis for their post-accident procedures.
Like the U.S. EOP upgrade effort, the French industry's studies were more "realistic" than their previous "bounding" analysis and addressed the presentation of the procedures based upon plant experience and simulator tests.
Their studies resulted in sequential sets of procedures to address the significance of increasing numbers of system failures including beyond-design-basis events.
These are known by the letters I, A, H, and U and are standard throughout the French nuclear industry.
This standardization is possible because there are only three similar standardized nuclear plant designs in France.
The I procedures address the loss of auxiliary systems and the control of the reactor after a scram or inadvertent safety injection system initiation.
The A (accidental) procedures deal with event sequences that involve the use of safety systems for design-basis events.
The H (hors-dimensionnement, beyond-design) procedures provide guidance for beyond-design-basis sequences, including loss of redundant safety systems.
All procedures, except U, are based on analyzed sequences.
The U1 procedure is not sequence based, but provides general operator guidance based on possible plant states.
I, A, and H procedures are validated on a simulator representative of the Paluel plant.
Four H procedures have been developed: H1, total loss of heat sink; H2, total loss of feedwater; H3, total loss of ac power; and H4, long-term total failure of safety injection or containment spray systems.
If an onshift safety and protection engineer determines, independently from the operators, that either the accident in progress does not follow a previously analyzed and diagnosed sequence or that the sequential procedures I, A, or H are ineffective for the current problems, then the U1 procedure is put into effect to prevent or delay core degradation.
The other U procedures applied to Paluel include last resort methods to detect containment leakage (U2); use mobile units to supplement core injection and containment spray systems (U3); and prevent ultimate containment failure by a filtered vented system to relieve containment pressure (U5).
The French also have a U4 procedure to eliminate a pathway for fission product release through the drain system in the basement of the containment.
Because the U1 procedure is based on the possible states of the primary system and steam generators, its guidance is intended to cover the unanalyzed accidents involving multiple equipment and operator failures and to be independent of the operator's event diagnosis.
The ultimate procedure for using mobile equipment to supplement core injection and containment spray systems for long-term post-LOCA cooling is closely related to the H4 procedure and its associated equipment (discussed in Section 2.1.2 above).
Most of the U procedures had been developed but had not yet been implemented at the plants at the time this report was written.
Analysis of Safety Significance

The French approach to EOPs is similar to the U.S. approach; however, there are some significant differences.
These differences are in the areas of technical approach, human factors approach, and implementation.
The technical approach taken by the French is very similar to the Westinghouse Owners Group (WOG) guidelines but has three significant differences.
The WOG guidelines are based on possible equipment failures rather than event sequences and specific equipment failures.
Therefore, the WOG guidelines may not be as efficient in handling the more likely minor accidents.
However, the WOG guidelines may be better able to handle multiple failures without the need to invoke additional procedures.
The WOG guidelines also return to the basic diagnosis procedures when a threatened critical safety function is restored.
The French do not appear to use a similar approach and may, therefore, avoid some unnecessarily redundant steps.
Finally, the U.S. procedures (all approaches) do not address the degraded core condition as directly as the French U procedures.
(However, there are efforts to extend or develop guidance for plant conditions in this domain.)
The implementation of procedures is significantly different between the two countries.
U.S. plants are not standardized as the French are, so both the development and regulation of EOPs in the U.S. have been dispersed over the range of owners groups, resulting in the diversity of acceptable EOP approaches.
Also within the implementation area, the U.S. counterpart of the French safety and protection engineer (SPE), the shift technical advisor (STA), does not have the same authority or effectiveness.
Unlike the SPE, the STA works for the operating crew and is often quite junior.
They both provide an independent safety evaluation of the plant condition during emergency.
However, the SPE directs initiation of the U procedures and the STA only advises the senior shift supervisor on his/her observations.
Because the French EOPs are so closely tied to specific equipment and design features in the P4 plant (other than the U2 procedure), it is difficult to analyze the safety significance of the design features separately from the procedures associated with the operation of that equipment.
Table 2.4 lists design features discussed in this report that differ from U.S. practice and the French EOPs associated with those features.
The safety significance of the design features in Table 2.4 has been evaluated by the staff and is summarized on Table 1.1 of this report.
The safety significance of the emergency procedures has not been evaluated separately.
Rather it is assumed that proper implementation of these procedures is necessary to ensure a high likelihood that this equipment will be operated successfully if needed during an emergency.

Acceptance Criteria

The U.S. acceptance criteria for emergency operating procedures are aimed at ensuring that guidance is provided for the operators to respond to any (i.e., unspecified) accident sequence using all available systems.
The "design-basis accident" approach coupled with the single failure criterion takes credit for specific operator actions, but NRC does not evaluate plant-specific emergency operating procedures.
Emergency procedures are required but generally are in addition to the plant design factor that meets specified safety criteria.
The French criteria for developing procedures for design-basis events is similar to U.S. practice.
However, for some events, the French have a somewhat different approach than the U.S.
In France, the need to develop procedures for specific families of events (H procedures) was based on probabilistic assessments for total loss of redundant safety systems.
The criterion used by the French is that emergency procedures should be developed for specific families of events beyond the design basis if the estimated core melt frequency from such events is greater than 10^-7 per reactor year.
This led to the development of the French H procedures discussed previously and in some cases the implementation of specific hardware associated with these procedures.
Further, the French developed the U1 procedure as an additional line of defense before core melt, whereas the other U procedures were developed to manage a core melt condition.
Table 2.4 French emergency operating procedures and associated design features

Procedure | Design feature | Discussion in this report
H1: Total loss of heat sink | Backup injection pump for RCP seals to maintain level in primary system | Section 2.5
 | Self-cooled AFW and charging pumps | Section 2.6
H2: Total loss of feedwater | SEBIM pressure relief valves on pressurizer for feed and bleed | Section 2.12
H3: Total loss of ac power | Resupply of condensate storage tank independent of AC power | Section 2.3.2
 | Steam-driven turbine generator to provide power for instrumentation and RCP seal injection (via the test pump) | Section 2.5
 | DC power supply for station blackout | Section 2.7.1
 | Mobile gas turbine | Section 2.7.2
 | Interconnection for emergency diesel generators | Section 2.7.2
 | Load rejection capability | Section 2.9
H4 and U3: Long term total loss of safety injection or containment spray | Interconnection between containment spray and safety injection | Section 2.1.2
 | Mobile pump and heat exchanger | Section 2.1.2
U5: Ultimate containment failure | Filtered vented containment | Section 2.11

Note: This table lists only the design features that differ from current U.S. PWR designs and the emergency procedures that incorporate those features. Equipment that is used during these procedures that is incorporated in the SNUPPS design is not listed.
3 SAFETY GOALS AND PROBABILISTIC ASSESSMENT

3.1 Safety Goals Based on Probabilistic Criteria

3.1.1 Description of U.S. Safety Goals

In May 1983 NRC published "Safety Goals for Nuclear Power Plant Operation" (NUREG-0880, Revision 1).
These NRC proposed safety goals include two qualitative safety goals and three supporting quantitative design objectives.
The proposed quantitative design objectives for individuals and society are based on the probabilities of early and latent fatalities that may be derived from exposure to radioactive releases.

Qualitative Safety Goals

(1) "Individual members of the public should be provided a level of protection from the consequences of nuclear power plant operation such that individuals bear no significant additional risk to life and health."
(2) "Societal risks of life and health from nuclear power plant operation should be comparable to or less than the risks of generating electricity by viable competing technologies and should not be a significant addition to other societal risk."

Quantitative Design Objectives

(1) Individual and Societal Mortality Risks
"The risk to an average individual in the vicinity of a nuclear power plant of prompt fatalities that might result from reactor accidents should not exceed one-tenth of one percent (0.1%) of the sum of prompt fatality risk resulting from other accidents to which members of the U.S. population are generally exposed."
"The risk to the population in the area near a nuclear power plant of cancer fatalities that might result from nuclear power plant operation should not exceed one-tenth of one percent (0.1%) of the sum of cancer fatality risks resulting from all other causes."
(2) Benefit-Cost Guideline
"The benefit of an incremental reduction of societal mortality risks should be compared with the associated costs on the basis of $1,000 per person-rem averted."
(3) Plant Performance Design Objective
"The likelihood of a nuclear reactor accident that results in a large-scale core melt should normally be less than one in 10,000 per year of reactor operation."
"The importance of mitigating the consequences of a core melt accident should continue to emphasize features such as containment, siting in less populated areas, and emergency planning as integral part of the defense-in-depth concept."

3.1.2 Description of French Safety Goals

The French have not published a safety goal document that is similar to NUREG-0880. However, French safety authorities have recognized the need for safety goals in terms of probabilities and consequences that address issues involving accidents beyond the design basis.
The qualitative safety goal and supporting quantitative design objectives are as follows:
Qualitative Safety Goals

The risk of an accident having consequences more serious than deemed acceptable for normal operation should be limited so that the probability of an accident is commensurate with the gravity of subsequent damage.
Acceptance should be based on risks of all types accepted in common activities of society.

Quantitative Safety Objectives

(1) Plant Performance Objective
The probability of unacceptable consequences due to a PWR plant should not exceed 1 x 10^-6 per reactor year.
The probability of unacceptable consequences due to a family of events should not exceed 10^-7 per reactor year.
(2) Containment Performance Objective
In the case of core melt, the containment should constitute an ultimate line of defense which would reduce the radioactive release to the environment to a level compatible with a feasible offsite emergency plan.*
The probabilistic safety objectives are considered goals to be sought and not regulatory requirements or rigid acceptance criteria.
If the utility (EDF) decides not to take a given family of events into account in the design, the utility should try to achieve the goal that the probability that this family will introduce unacceptable consequences is less than 10^-7 per reactor year.
For Paluel, EDF demonstrated that the latter plant performance objective was met for external events such as aircraft crash, external explosions, and turbine missiles.
Taking this objective into account led to considering the loss of redundant systems and requiring emergency operating procedures and associated equipment.
The term "unacceptable consequences" has not been defined officially by regulations but has been interpreted for different applications of the safety goals.
For the 10^-7 goal applied to the loss of redundant systems, "unacceptable consequences" means core damage or core melt.
For external hazards from an aircraft crash, "unacceptable consequences" means that the site boundary releases would exceed those resulting from the design-basis accident (a large-break LOCA).
The containment performance objective led to the development of the U procedures to reduce radioactive releases for certain postulated events to be compatible with "feasible offsite emergency plans."

* An emergency plan is considered feasible if a gaseous release occurs more than 12 hours after the beginning of an accident and the maximum radioactive release includes 100% of the noble gases inventory but only a few percent of iodine, cesium, and other volatile fission products. (The emergency plans of most French sites do not extend beyond 10 km.)

3.1.3 Analysis of the Safety Significance

The French and U.S. proposed qualitative safety goals generally depict the need for levels of public protection from potential consequences that may arise from nuclear power plant operations.
In brief, the French and U.S. proposed safety goals seek to ensure that the risks from nuclear power plant operations should be comparable to, or less than, other types of risks that are common to the public.
Direct or indirect comparisons between the design objectives used by the French and the U.S. to meet their respective safety goals would involve complex analyses and sensitivity studies that are beyond the scope of this comparative analysis.
Such analyses would require calculations and determinations that are highly dependent on many factors such as the source term, location of the individual in relation to the plant, meteorology, environmental transport, and others.
The U.S. proposed safety goals contain benefit/cost guidelines as a secondary quantitative design objective.
The U.S. benefit/cost guideline is intended to encourage the efficient allocation of resources in safety-related activities by providing that the expected reduction in public risk that would be achieved should be commensurate with the costs of the safety improvement. The French safety goals do not contain a comparable quantitative design objective.
The U.S. proposed plant performance design objectives set a quantitative goal that the overall core melt frequency, from all accident sequences, should normally be less than 10^-4 per reactor year.
The French safety goals do not specifically identify an overall core melt frequency objective.
The French plant performance design objective is 10^-6 per reactor year for the probability of unacceptable consequences.
The French plant performance design objectives contain a probabilistic goal of 10^-7 per reactor year that a given family of events should not introduce unacceptable consequences.
In this case, "unacceptable consequences" means core melt.
This goal represents 10% of the overall plant performance objective of 10^-6 per reactor year and therefore strives to limit the probability of any given family of events or dominant accident sequences.
The U.S. proposed safety goals do not contain a similar apportionment of the proposed safety goal for dominant accident sequences relative to the overall plant performance objectives.
During its 2 year evaluation of the proposed safety goals, the NRC staff recognized the merits of such an apportionment goal, but determined that such a goal would be impracticable to implement in the U.S., primarily because of the plant-to-plant variations in design and procedures.
However, any issue that by itself clearly threatens to exhaust a considerable fraction of a quantitative design objective must be viewed as warranting attention.
The French and U.S. both recognize the defense-in-depth provided by the containment structure as a means to retain or delay fission product releases.
However, the U.S. proposed safety goals do not provide quantitative containment performance objectives in terms of containment failure probabilities or delay times of radioactive releases.
During the evaluation of the proposed safety goals, the NRC staff was instructed to make judgments regarding the methodology for containment performance assessment to determine whether a containment performance design objective would be useful, and, if feasible, to recommend such a design objective. As a result of its evaluations, the staff recommended against implementing a containment performance guideline at this time.
The staff recommended continued study of such a guideline as part of the severe accident research program.
Because of the multiplicity of, and variations in, the U.S. PWR plant/containment designs and construction techniques, a containment performance guideline may prove to be more appropriate for future U.S. standard design plants than for the current U.S. operating plants.
In this regard, the French standard designs may be more readily adaptable to quantitative containment performance design objectives.
However, the absence of quantitative containment performance design objectives in the current U.S. safety goals does not represent a significant impact on safety, because the risk determinations are based on the product of the core melt frequency, the conditional probability of containment release given a core melt, the conditional source term strength given the type of release, and the environmental and meteorological transport conditions.
Therefore, the U.S. proposed quantitative design objectives implicitly, or indirectly, provide conditional unspecified containment performance objectives that are, in effect, dependent on the specific containment responses in various accident sequences.
In summary, the French and U.S. proposed safety goals both contain qualitative safety goals that are supported by quantitative (probabilistic) design objectives.
Comparisons between the French and U.S. proposed quantitative risk objectives cannot be readily obtained.
Such comparisons would require analyses and sensitivity studies beyond the scope of this analysis.

3.1.4 Acceptance Criteria

The purpose of the proposed safety goals is to set targets (goals) to be sought; consequently, the proposed goals were not to be interpreted as regulatory probabilistic criteria, nor as regulatory requirements in the licensing of plants.
When the proposed safety goals were published, the NRC judged that a 2 year evaluation period was necessary to determine the potential effectiveness of the proposed safety goals and design objectives, and the staff was directed to develop information and understanding as to how to further define and use the safety goals.
During the evaluation period, the proposed safety goals were limited to uses such as examining proposed and existing requirements, establishing research priorities, resolving generic issues, and defining the relative importance of issues as they would arise.
In France, no official specific quantitative (probabilistic) goals are used in the licensing of plants.
At present they are used to aid in the development of specific operating procedures for purposes of accident management, to assess the need for supporting plant modifications, and to reclassify certain accident sequences.
In summary, the French and U.S. proposed safety goals, which are based on supporting probabilistic design objectives (criteria), are not used for the licensing (acceptance) of nuclear power plants.
Their current principal use is to aid in other regulatory decision-making procedures as described above.

3.2 Probabilistic Assessment of Design Differences

3.2.1 Scope

The NRC staff performed a scoping probabilistic assessment to evaluate the potential impact of selected features of the French design that could be beneficial to a surrogate U.S. plant design.
No detailed analyses were conducted, but generic information obtained from the Accident Sequence Evaluation Program and reports prepared as part of Unresolved Safety Issue A-44, Station Blackout, were used to identify dominant sequences and their approximate importance.
The impacts of the French design features were based on the assumption that instruments, controls, support systems, procedures, and designs needed to implement these features in a U.S. plant would enhance the function rather than detract from it.
In other words, undefined modifications were assumed to reduce all other potential negative impacts and thus maximize the benefit of a particular feature.

3.2.2 Station Blackout

Station blackout sequences were divided into two groups: (1) AC power effects and (2) auxiliary feedwater effects.
These sequences are discussed below.

3.2.2.1 AC Power Effects

The loss of offsite power (LOSP) followed by extended failure of onsite emergency AC power sources can potentially lead to core melt in the short term because of consequential leakage from the primary system that cannot be mitigated, or in the long term (if no leakage has occurred) because of the consequential loss of operator control caused by battery depletion.
The frequency of extended loss of all AC power (station blackout) is a function of the plant site (the initiating frequency of LOSP), the probability of recovery of offsite power within a given time frame and, in this instance, the probability of extended failure of the onsite emergency AC power system.
Based on the staff's review of Millstone 3, which has two diesel generators in its emergency AC power system, the central estimate of the frequency of this station blackout sequence ranges from about 10^-5 to 10^-4 per reactor year depending on the critical time for restoration of AC power before core melt occurs.
The longer the time available, the smaller the frequency.
This frequency range is a reasonable estimate for a surrogate U.S. plant with two diesel generators (such as at SNUPPS).
In the short term, the critical time for restoration of AC power depends on the reliability of the AFW system to remove decay heat independent of AC power and the rate of primary system leakage that may occur because of the station blackout.
For purposes of this discussion, it is assumed that reactor coolant system letdown lines can be isolated without depending on AC power, and that unisolatable safety relief valves are not a significant factor.
The primary source of consequential leakage is the reactor coolant pump (RCP) seals, which may deteriorate when exposed to high reactor coolant temperatures when seal cooling is lost during a station blackout.
Major uncertainties in evaluating station blackout with RCP seal failure are the time at which seal failure occurs and the ensuing leak rate.
As a result, the critical time for restoration of AC power may range from 1 hour (based on assumptions used in the Indian Point probabilistic risk assessment, NUREG/CR-2934) out to several hours, as indicated in the station blackout report (NUREG/CR-3226).
In the longer term, assuming that RCP seal failure is not a limiting factor, battery depletion becomes the controlling factor.
DC power (batteries) provides power for instrumentation and controls and lighting that are necessary for operator control of long-term decay heat removal via the steam generators.
The nominal battery design capacity for a LOCA is 2 hours; however, because battery loads are lower during a station blackout than during a large LOCA, 4 hours is probably available.
The available battery power can probably be extended even further with judicious shedding of nonessential loads.
Thus, the estimated frequency for the battery depletion sequence is on the order of 10^-5 per reactor year.
The French design has several features that have a beneficial effect on the station blackout sequences discussed above.
An assessment of the impact of these features on a surrogate four-loop U.S. plant is discussed below.
Steam-Driven Generator (Section 2.5)
The standby steam-driven generator at the French plants provides power for a small positive displacement pump that supplies cooling for RCP seals and also provides power for instrumentation and controls and control room lighting necessary to maintain hot standby.
This feature addresses both factors discussed above (RCP seal cooling and battery depletion) that impact the station blackout sequences.
The potential reduction in frequency of core melt for these sequences could be a factor of 10 to 30 depending on the reliability of the steam-driven generator.
If the probability of RCP seal failure and/or RCP leak rate during station blackout were reduced, the importance of these sequences, and thereby the benefit of this design difference, would likewise be reduced.
Gas Turbine Generator (on site) (Section 2.7.2)
A standby gas-turbine generator located on the site could be used to resupply a safety bus, making available all the safety equipment fed by this bus, and thus terminating the loss of AC power.
The benefit of this feature depends on the timing of seal failure and core uncovery versus the time required to bring the gas turbine on line.
If the seal were to fail early and the resulting leakage were high, the gas turbine would probably have to be on line within about 60 minutes, which is just above the time threshold for actuating similar components at Indian Point.
The benefit under these circumstances could be as high as a factor of 10 reduction in core melt frequency for this sequence.
Less severe RCP seal failures would stretch out the time available to restore AC power.
Battery depletion time would then be the next important factor.
The longer the station can cope with a station blackout, the lower the importance of this design feature in terms of safety benefit.
Because the P4 plants are designed to cope with a station blackout for 3 days, it is highly likely that AC power could be restored in that time from some power source before the gas turbine was needed.
For the French design, the additional safety benefit of the gas turbine alone is relatively small.
For plants that have a shorter capability to cope with a station blackout, the safety benefit of the gas turbine generator would be greater.
NUREG-1206 3-6
Shared AC Power Between Units (Section 2.7.2)
The French design has the capability to share AC power between units at the same site.
A unit that trips on loss of offsite power could obtain power from (1) another unit on the site that has run back to provide house load, or (2) a diesel generator at the other unit.
Administrative and operational controls limit the time to connect power from one unit to another to about 3 hours.
Therefore, the potential benefit from this arrangement is for longer term sequences.
Some U.S. plants also have the capability to share AC power between units at multi-unit sites.
Twenty-Hour Battery (Section 2.7.1)
A 20-hour battery provides extended instrumentation and control capability for successful operator action during station blackout but would not reduce the effect of RCP seal failure.
Therefore, this feature would impact longer term sequences (greater than about 4 hours) leading to core melt associated with loss of control of the auxiliary feedwater system.
Load Rejection Capability (Section 2.9)
This feature runs the power back to a house load so that the power conversion system is still operable (i.e., no reactor trip).
Thus, the initiating frequency of plant trip caused by loss of offsite power is reduced.
The impact on the core melt frequency is a function of the control system dynamics (sometimes it may not be fast enough) and may provide a reduction of a factor of 2 to 5, based on judgment.
3.2.2.2 Decay Heat Removal Effects
If RCP seal failure is not the limiting factor for a station blackout event, then decay heat removal via the steam generators is a dominant concern.
The estimated core melt frequency for a station blackout with subsequent loss of decay heat removal capability is about 10^-6 to 10^-5 per reactor year.
Here again, this frequency depends on the frequency of the loss of offsite power, the probability of recovery of offsite power, and the reliability of the onsite emergency AC power system.
The probability of failure of the auxiliary feedwater system must also be considered in evaluating this sequence.
Results of past probabilistic risk assessments have indicated that loss of auxiliary feedwater during a station blackout is determined in the short term by the reliability of the turbine-driven pumps, including control.
In the long term (greater than about 8 hours), the concern is an alternate supply of water after the condensate storage tanks have emptied.
The French design has several features that have a beneficial effect on the station blackout (auxiliary feedwater failure) sequence.
These are discussed below.
Two Turbine-Driven Auxiliary Feedwater Pumps (Section 2.3.1)
The French design has two turbine-driven AFW pumps instead of the single turbine-driven AFW pump typical of most U.S. plants.
(Some U.S. plants do have two turbine-driven AFW pumps.) This redundancy has a direct effect on reducing the core melt frequency.
The magnitude of the impact depends on potential common-mode failures of the pumps.
Based on U.S. PRA experience, the reduction would be in the range of a factor of 10.
Gravity Feed Backup for Condensate Storage Tank (CST) (Section 2.3.2)
The demineralized water storage tank is connected to the CST so that the water supply is extended to 3 days (without any AC power) instead of the 8-hour CST supply in the surrogate U.S. plant.
Beyond 8 hours, the U.S. plant may be able to obtain additional water (independent of AC power) from the fire system if there is a diesel-driven fire water pump available, or maybe even from a city water supply. The extended water supply provides additional time for recovery of offsite power or failed onsite power sources.
This feature may reduce the frequency of the long-term station blackout sequence (with AFW failure) by about a factor of 10 below U.S. designs.
However, this sequence is at the lower end of the core melt frequency range and therefore is of less importance.
Alternate Power Sources
The alternate AC power sources discussed in Section 3.2.2.1 could also reduce the AFW core melt sequences by perhaps a factor of 10.
Batteries (Section 2.7.1)
The French design uses many more batteries than a typical U.S. plant; however, it is not clear whether the additional redundancy provides a significant benefit to the overall safety of the plant.
The SNUPPS plant has four safety-related DC power supplies and several non-safety-related DC buses.
Assuming that a reasonable level of administrative control and surveillance testing are utilized, as discussed in NUREG-0666, this level of redundancy should be sufficient to suppress any significant common-cause failure of batteries that could result in an early loss of AFW system control.
Load Rejection Capability (Section 2.9)
As discussed above, this feature reduces the initiating frequency of reactor trips due to losses of offsite power and consequently has a direct impact on the core melt frequency.
A summary of the various French design features and their relation to station blackout sequences is shown in Table 3.1.
It is likely that the steam-driven generator would have the largest impact on station blackout, followed by load rejection capability and an onsite gas turbine.
Électricité de France has performed an evaluation of the impact of the H3 procedure (loss of AC power) and associated hardware on the probability of core melt from station blackout.
The general conclusion of this study is that the H3 procedure reduces the estimated core melt frequency from station blackout by a factor of 70, and results in an estimated core damage frequency due to station blackout on the order of 10^-7 per reactor year.
Table 3.1 Summary of French design features relative to station blackout

Design features (columns): steam-driven generator; load rejection capability; gas turbine; two turbine-driven AFW pumps; shared AC power; DC power; gravity-fed CST.

Station blackout sequence        Design features marked
RCP seal failure (early)         X X X
RCP seal failure (late)          X X X X
Battery failure                  X X X X X X
AFW pump failure                 X X
AFW water supply                 X X X X

Note: X indicates that the design feature could have an impact on reducing the core melt frequency associated with the station blackout accident sequence.
3.2.3 Loss of Main Feedwater (Event Initiator)
The sequences of interest for loss-of-main-feedwater events are those where all main feedwater is lost as an event initiator.
It is assumed that main feedwater can be restored to provide decay heat removal for all other events, including loss of the condenser with offsite power available.
Decay heat removal can be accomplished by using the auxiliary feedwater system (the normal approach), restoring the main feedwater system (including depressurizing the steam generator and using the condensate boost pumps with approximately 400 to 500 psi shutoff head), and feed and bleed.
The range of estimated core melt frequencies for these sequences is 10^-6 to 10^-5 per reactor year for plants that have a three-train AFW system.
The range of estimates is attributable to uncertainties in the probability of restoring main feedwater, common mode failure of the AFW system, and human error probability associated with feed and bleed.
The French design features that impact these sequences are discussed below.
Four AFW Pumps (Section 2.3.1)
The French design has four AFW pumps compared with three in the typical U.S. plant.
This feature could reduce the core melt frequency of this sequence by as much as a factor of 10, assuming that other components in the AFW system are not more limiting because of common mode failures or unforeseen human errors.
Load Rejection Capability (Section 2.9)
This feature in the French design may indirectly benefit the loss-of-main-feedwater sequence by increasing the probability of restoring the main feedwater system.
The main feedwater system would have a small bypass line and controls to facilitate operation at low heat load. These features would probably increase the probability of restoring main feedwater by an unknown amount.
3.2.4 Anticipated Transients Without Scram (Section 2.8)
In the U.S., recent rulemaking proceedings have required protection against an unacceptable ATWS event.
For Westinghouse plants, diverse AFW actuation and turbine trip are required.
The regulatory analysis in SECY-83-293 indicated a frequency of about 6 x 10^-6 per reactor year for this event with the implementation of the rule.
The French design appears to have a diverse trip actuation, which could reduce the ATWS frequency by a factor of 3, based on the analysis in SECY-83-293.
3.2.5 Automatic Switchover Following a LOCA (Recirculation Phase) (Section 2.1.1)
For large LOCAs, the refueling water storage tank (RWST) is emptied in about 30 minutes, at which time the emergency core cooling system suction must be switched from the RWST to the containment sump.
The surrogate U.S. plant uses manual switchover, while the French design incorporates a totally automatic switchover.
Based on the PRA summaries in draft NUREG/CR-3301, the core melt frequencies are in the range of 10^-6 to 10^-5 per reactor year for LOCA sequences failing in the recirculation phase.
The range reflects uncertainties in LOCA frequency and the probability of human error associated with manual switchover.
According to previous NRC staff studies, automatic switchover could reduce core melt frequencies by a factor of 3 to 10 compared with manual switchover.
3.2.6 Self-Cooled Safety-Related Pumps (Section 2.6)
The ability to operate the charging pumps and AFW pumps without depending on auxiliary cooling water systems decreases the probability of core melt because of (1) the loss of heat sink (AFW pumps and charging pumps), and (2) the loss of electrical power (AFW turbine-driven pumps).
The order of magnitude of the frequency of core melt from such events is estimated to range from about 10^-5 to 10^-8 per reactor year.
For these two classes of accidents it is difficult to quantify the safety benefit provided by the self-cooled pumps.
In fact, to calculate this, it is necessary to know how long the pumps are able to run without cooling water.
If the time is short (i.e., less than 1 hour), the gain might be on the order of a factor of 10 to 30.
The safety benefit would be less if the pumps can continue to operate longer without auxiliary cooling water.
3.2.7 Safety and Relief Valves (Section 2.12)
The replacement of the spring safety valves and PORVs on the pressurizer by six SEBIM pilot-operated pressure relief valves (two valves in series on each inlet line of the pressurizer) has been motivated by two main reasons:
(1) protection against overpressure and flow of various types of fluid discharge (water, steam, two-phase flow)
(2) capability to isolate a stuck-open valve
The reliability data (mean values) that were utilized in the Midland probabilistic risk assessment (PRA) for failure to reseat on demand are:
after passing steam: 3 x 10^-3 per demand
after passing water: 1 x 10^-2 per demand
It is difficult to determine the reduction in core melt frequency that could be obtained by the utilization of the SEBIM valves.
However, on the basis of its evaluations, the staff estimates that core melt frequency could be reduced by about a factor of 10 for sequences leading to core melt due to failure of safety and relief valves to close.
3.2.8 Interconnection Between the Low Pressure Injection System and the Containment Spray System (Section 2.1.2)
In case of a LOCA, the most important sequences leading to core melt result from the failure of the recirculation cooling system (NUREG/CR-3300).
The main causes of the loss of recirculation cooling are
(1) human error resulting from the switchover from injection to recirculation (on the P4 plant, the automatic switchover from injection to recirculation reduces potential operator error)
(2) blockage of the sump
(3) the loss of the pumps (on the P4 plant, it is possible to utilize four pumps)
Considering that the pumps may fail during operation, the pumps are the most important cause of failure of the recirculation cooling system.
One of the difficult aspects of evaluating this sequence is estimating the mission time of the recirculation cooling function.
For a mission time of 3 months, the unreliability of this function can be estimated for the following cases:
(1) no interconnection between the low pressure injection system (LPIS) and the containment spray system (CSS) and no automatic switchover (SNUPPS design)
(2) interconnection between LPIS and CSS, and automatic switchover (P4 design)
Utilizing data from the Zion PRA (NUREG/CR-3300) and the Byron study (WCAP-10526), the safety benefit in terms of reduced core melt frequency associated with that design feature is estimated to be about a factor of 10.
An additional safety benefit would be obtained by providing a mobile pump and heat exchanger (also discussed in Section 2.1.2) that can be transported to the site and connected to replace an inoperable pump or an unavailable heat exchanger.
j This additional safety benefit has not been estimated quantitatively.
APPENDIX A
ACRONYMS
ACI American Concrete Institute
ACRS Advisory Committee on Reactor Safeguards
AFW auxiliary feedwater
ALARA as low as reasonably achievable
ANSI American National Standards Institute
ASME American Society of Mechanical Engineers
ATWS anticipated transient without scram
BTP Branch Technical Position
BWR boiling water reactor
CAOC constant axial offset control
CCW component cooling water
CE Combustion Engineering
CEGB Central Electricity Generating Board
CRT cathode ray tube
CS containment spray
CST condensate storage tank
CVCS chemical and volume control system
DBE design-basis earthquake
DCRDR detailed control room design review
DNB departure from nucleate boiling
DNBR departure from nucleate boiling ratio
ECCS emergency core cooling system
EFPY effective full power years
EOL end of life
EOP emergency operating procedures
EPRI Electric Power Research Institute
ESF engineered safety feature
ESW emergency service water
GDC General Design Criterion
IEEE Institute of Electrical and Electronics Engineers
LOCA loss-of-coolant accident
LOSP loss of offsite power
LPSI low pressure safety injection
LTOP low temperature overpressure protection
NRC Nuclear Regulatory Commission
PORV power-operated relief valve
PRA probabilistic risk assessment
PWR pressurized water reactor
ACRONYMS (Continued)
RCP reactor coolant pump
RCS reactor coolant system
RHR residual heat removal
RPS reactor protection system
RWST refueling water storage tank
SIS safety injection signal
SPDS safety parameter display system
SRP Standard Review Plan
SRV safety-relief valve
SSE safe-shutdown earthquake
SSPS solid-state protection system
SSW station service water
TMI Three Mile Island
TPL turn push-light
UHS ultimate heat sink
VCT volume control tank
WOG Westinghouse Owners Group
FRENCH ACRONYMS
EDE emergency gas treatment system
EDF Électricité de France
IPSN Institut de Protection et de Sûreté Nucléaire
SCSIN Service Central de Sûreté des Installations Nucléaires
SPE safety and protection engineer
SPIN digital integrated protection system
UATP data and processing units
UE exchange units
UF functional unit
ULS engineered safeguard logic units
APPENDIX B
BIBLIOGRAPHY
Bechtel Power Corporation, Topical Report BC-TOP-5A, "Prestressed Concrete Nuclear Reactor Containment Structures," Revision 3, February 1985.
U.S. Nuclear Regulatory Commission, NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants," April 1981.
--, NUREG-0737, "Clarification of TMI Action Plan Requirements," Supplement 1, "Requirements for Emergency Response Capability," January 1983.
--, NUREG-0800, "Standard Review Plan for the Safety Review of Light-Water Reactors," July 1981.
--, NUREG-0880, "Safety Goals for Nuclear Power Plant Operation," Revision 1, May 1983.
--, NUREG-0999, "Sizewell B - Analysis of British Application of U.S. PWR Technology," May 1983.
--, NUREG/CR-2934, "Review and Evaluation of the Indian Point Probabilistic Safety Study," December 1982.
--, NUREG/CR-3226, "Station Blackout Accident Analysis (Part of NRC Task Action Plan A-44)," May 1983.
--, NUREG/CR-3300, "Review and Evaluation of the Zion Probabilistic Safety Study: Plant Analysis," Vol. 1, May 1984.
--, NUREG/CR-3301, "Catalog of PRA Dominant Accident Sequence Information," August 1985.
Westinghouse Electric Corporation, WCAP-9991, "Sizewell B Probabilistic Safety Study," Revision 1.
--, WCAP-10526, "Byron Generating Station Limiting Conditions for Operation Relaxation Program," April 1984.
--, WCAP-10541, C. H. Campen and W. D. Tauche, "Reactor Coolant Pump Seal Performance Following a Loss of All AC Power," Westinghouse Owners Group report, Revision 1, April 1986.
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET
Report number: NUREG-1206
Title and subtitle: Analysis of French (Paluel) Pressurized Water Reactor Design Differences Compared To Current U.S. PWR Designs
Date report completed: May 1986
Date report issued: June 1986
Performing organization: Division of Safety Review and Oversight, Office of Nuclear Reactor Regulation, Nuclear Regulatory Commission, Washington, DC 20555
Sponsoring organization: Division of Safety Review and Oversight, Office of Nuclear Reactor Regulation, Nuclear Regulatory Commission, Washington, DC 20555
Type of report: Technical
Abstract (200 words or less):
To understand better the regulatory approaches to reactor safety in foreign countries, the staff of the Nuclear Regulatory Commission has reviewed design information on the Paluel nuclear power plant, one of the current standard 1300-MWe plants operating in France. This report provides the staff's evaluation of major design differences between this standardized French plant and current U.S. pressurized water reactor plants, as well as insights concerning French regulatory practices. The staff identified approximately 25 design differences, and an analysis of the safety significance of each of these design features is presented, along with an assessment comparing the relative safety benefit of each.
Key words and document analysis (descriptors): Paluel; Design Comparison; SNUPPS; French PWR; PWR Design; French P4
Availability statement: unlimited